Improving Security Assurance of Services through Certificate Profiles

Cloud and Web Services technologies offer a powerful cost-effective and fast growing approach to the provision of infrastructure, platform and software as services. However, these technologies still raise significant concerns regarding security assurance and compliance of data and software services offered. A new trend of a service security certification has been recently proposed to overcome the limitations of existing security certificates by representing security certification in a structured, machine-processable manner that will enable automated reasoning for certified security features in security-critical domains. However, the richness and flexibility of the underlying certificate models and languages comes with the price of increased

complexity

in processing and comparing those certificates and related security claims in practice. In this paper, we propose the concept of

certificate profile

to provide a mechanism to address processability and interoperability of service security certificates. We present a conceptual model and a concrete realization of the model within the context of the European project ASSERT4SOA.