Towards Auditing of Cloud Provider Chains using CloudTrust Protocol

Thomas Rübsamen, Dirk Hölscher, Christoph Reich

2016

Abstract

Although cloud computing can be considered mainstream today, there is still a lack of trust in cloud providers when it comes to the processing of private or sensitive data. This lack of trust is rooted in the lack of transparency of the provider's data handling practices, security controls and technical infrastructure. The problem worsens when a cloud service is provisioned not by a single cloud provider but by a combination of several independent providers. The main contributions of this paper are as follows: we propose an approach to the automated auditing of cloud provider chains, with the goal of providing evidence-based assurance that data is handled correctly according to pre-defined policies. We also introduce the concepts of individual and delegated audits, discuss policy distribution and applicability aspects, and propose a lifecycle model. Our previous work on automated cloud auditing and the Cloud Security Alliance's (CSA) CloudTrust Protocol form the basis for the proposed system for provider chain auditing.

Paper Citation

in Harvard Style

Rübsamen T., Hölscher D. and Reich C. (2016). Towards Auditing of Cloud Provider Chains using CloudTrust Protocol. In Proceedings of the 6th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-758-182-3, pages 83-94. DOI: 10.5220/0005860500830094

in Bibtex Style

@conference{closer16,
author={Thomas Rübsamen and Dirk Hölscher and Christoph Reich},
title={Towards Auditing of Cloud Provider Chains using CloudTrust Protocol},
booktitle={Proceedings of the 6th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER},
year={2016},
pages={83-94},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005860500830094},
isbn={978-989-758-182-3},
}

in EndNote Style

TY - CONF
JO - Proceedings of the 6th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER
TI - Towards Auditing of Cloud Provider Chains using CloudTrust Protocol
SN - 978-989-758-182-3
AU - Rübsamen T.
AU - Hölscher D.
AU - Reich C.
PY - 2016
SP - 83
EP - 94
DO - 10.5220/0005860500830094