2013 | Original Paper | Book chapter

4. Understanding Cloud Audits

Authors: Frank Doelitzscher, Christoph Reich, Martin Knahl, Nathan Clarke

Published in: Privacy and Security for Cloud Computing

Publisher: Springer London

Abstract

Audits of IT infrastructures can mitigate security problems and establish trust in a provider's infrastructure and processes. Cloud environments in particular suffer from a lack of trust, because their architectures are not transparent and the security and privacy measures a provider takes, or fails to take, are not visible to the customer. Traditional audits, however, do not cover cloud computing-specific security. To provide a secure and trustworthy cloud environment, audit tasks need knowledge of their environment and of cloud-specific characteristics. They also need to be automated wherever possible, so that they can run on a regular schedule and also immediately when a particular infrastructure event occurs, such as the deployment of a new cloud instance. This chapter presents research on cloud-specific security problems and cloud audits, and analyses how traditional audits must change to address cloud-specific attributes. In addition, the agent-based "Security Audit as a Service" architecture is presented as a solution to the identified problems.
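The abstract asks for audit tasks that carry knowledge of their environment and run both on a schedule and immediately on infrastructure events. The following is an added example in Python of that dispatch pattern; it is not code from the chapter or from the authors' Security Audit as a Service prototype. The policy values, the instance attributes, the audit and event names and the sample inventory are all constructed assumptions for illustration.

```python
"""Event-driven, environment-aware cloud audit dispatcher (illustrative, not the chapter's code)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable, Dict, List


@dataclass(frozen=True)
class CloudInstance:
    """Attributes an audit agent would read from the cloud management layer (assumed shape)."""
    instance_id: str
    region: str
    image_hash: str
    ingress: Dict[int, str]  # TCP port -> source CIDR permitted by the security group


@dataclass(frozen=True)
class Finding:
    audit: str
    instance_id: str
    severity: str
    message: str


# Constructed policy: the "environment knowledge" every audit task consults.
POLICY = {
    "allowed_regions": {"eu-central", "eu-west"},        # data-location constraint
    "approved_images": {"sha256:1111", "sha256:2222"},   # hardened base images (made-up hashes)
    "admin_ports": {22, 3389},
    "admin_sources": ip_network("10.0.0.0/8"),           # bastion network only
}

AuditFn = Callable[[CloudInstance, dict], List[Finding]]
AUDITS: Dict[str, AuditFn] = {}


def audit(name: str):
    """Register an audit task under a name so that event triggers can refer to it."""
    def register(fn: AuditFn) -> AuditFn:
        AUDITS[name] = fn
        return fn
    return register


@audit("data-location")
def check_data_location(inst: CloudInstance, policy: dict) -> List[Finding]:
    if inst.region in policy["allowed_regions"]:
        return []
    return [Finding("data-location", inst.instance_id, "high",
                    f"instance runs in {inst.region}, outside the permitted regions")]


@audit("approved-image")
def check_image(inst: CloudInstance, policy: dict) -> List[Finding]:
    if inst.image_hash in policy["approved_images"]:
        return []
    return [Finding("approved-image", inst.instance_id, "medium",
                    f"image {inst.image_hash} is not on the approved list")]


@audit("admin-port-exposure")
def check_admin_ports(inst: CloudInstance, policy: dict) -> List[Finding]:
    findings = []
    for port, cidr in inst.ingress.items():
        # An admin port is acceptable only when its source range lies inside the bastion network.
        if port in policy["admin_ports"] and not ip_network(cidr).subnet_of(policy["admin_sources"]):
            findings.append(Finding("admin-port-exposure", inst.instance_id, "high",
                                    f"port {port} reachable from {cidr}"))
    return findings


# Which audits an infrastructure event makes relevant (event names are assumed).
TRIGGERS: Dict[str, List[str]] = {
    "instance.deployed": ["data-location", "approved-image", "admin-port-exposure"],
    "security-group.changed": ["admin-port-exposure"],
    "instance.migrated": ["data-location"],
}


class AuditAgent:
    def __init__(self, policy: dict, triggers: Dict[str, List[str]]):
        self.policy, self.triggers = policy, triggers

    def on_event(self, event: str, inst: CloudInstance) -> List[Finding]:
        """Event-driven path: run only the audits the event makes relevant, right away."""
        return [f for name in self.triggers.get(event, []) for f in AUDITS[name](inst, self.policy)]

    def scheduled_sweep(self, inventory: List[CloudInstance]) -> List[Finding]:
        """Periodic path: every audit over every instance, independent of events."""
        return [f for inst in inventory for fn in AUDITS.values() for f in fn(inst, self.policy)]


# Constructed inventory: one compliant instance, one that violates all three audits.
INVENTORY = [
    CloudInstance("vm-01", "eu-central", "sha256:1111", {443: "0.0.0.0/0", 22: "10.1.0.0/16"}),
    CloudInstance("vm-02", "us-east", "sha256:9999", {22: "0.0.0.0/0"}),
]


def demo() -> List[Finding]:
    """Findings raised immediately when the non-compliant instance is deployed."""
    return AuditAgent(POLICY, TRIGGERS).on_event("instance.deployed", INVENTORY[1])


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {f.audit} {f.instance_id}: {f.message}")
```

The two entry points make the abstract's distinction concrete: `on_event` is what an agent would call when the management layer reports a new or changed instance, while `scheduled_sweep` is the regular run that catches drift no event announced. Audits take the policy as a parameter rather than reading globals, so the same task can be reused with a tenant- or region-specific policy.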


Footnotes

2. If a private cloud scenario is considered, costs in currency terms come down to zero, and only the available resources count.
 
Metadata

Title: Understanding Cloud Audits

Authors: Frank Doelitzscher, Christoph Reich, Martin Knahl, Nathan Clarke

Copyright year: 2013

Publisher: Springer London

DOI: https://doi.org/10.1007/978-1-4471-4189-1_4