Evidence Collection in Cloud Provider Chains

Thomas Rübsamen, Christoph Reich, Nathan Clarke, Martin Knahl


With the increasing importance of cloud computing, compliance concerns are moving into the focus of businesses more often. Furthermore, businesses still consider security and privacy issues to be the most prominent inhibitors of an even more widespread adoption of cloud computing services. Several frameworks try to address these concerns by building comprehensive guidelines for security controls for the use of cloud services. However, businesses require assurance that such controls are implemented correctly and effectively, to attenuate the loss of control that is inherently associated with using cloud services. Giving this kind of assurance is traditionally the task of audits and certification. Cloud auditing becomes increasingly challenging for the auditor the more complex the cloud service provision chain becomes. There are many examples of Software as a Service (SaaS) providers that no longer own dedicated hardware for operating their services, but rely solely on cloud providers of the lower layers, such as Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) providers. The collection of data (evidence) for the assessment of policy compliance during a technical audit becomes more difficult the more complex the combination of cloud providers becomes. Nevertheless, evidence must be collected at all participating providers to assess policy compliance across the whole chain. The main contribution of this paper is an analysis of potential ways of collecting evidence in an automated way across cloud provider boundaries to facilitate cloud audits. Furthermore, a way of integrating the most suitable approaches into the system for automated evidence collection and auditing is proposed.



Paper Citation

in Harvard Style

Rübsamen T., Reich C., Clarke N. and Knahl M. (2016). Evidence Collection in Cloud Provider Chains. In Proceedings of the 6th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-758-182-3, pages 59-70. DOI: 10.5220/0005788700590070
