CloudSecGov 2013 Abstracts


Full Papers
Paper Nr: 1
Title:

Negotiating and Brokering Cloud Resources based on Security Level Agreements

Authors:

Jesus Luna Garcia, Tsvetoslava Vateva-Gurova, Neeraj Suri, Massimiliano Rak and Loredana Liccardo

Abstract: Cloud users often motivate their choice of Cloud Service Provider (CSP) based on requirements related to the offered Service Level Agreements (SLA) and costs. Unfortunately, while security has started to play an important role in the decision of using the Cloud, it is quite uncommon for CSPs to specify the security levels associated with their services. This often results in users without the means (i.e., tools and semantics) to negotiate their security requirements with CSPs, in order to choose the one that best suits their needs. However, the recent industrial efforts on specification of Cloud security parameters in SLAs, also known as “Security Level Agreements” or SecLAs, are a positive development. In this paper we propose a practical approach to enable the user-centric negotiation and brokering of Cloud resources, based on both the common semantic established by the use of SecLAs and its quantitative evaluation. The contributed techniques and architecture are the result of jointly applying the security metrology-related techniques being developed by the EU FP7 project ABC4Trust and the framework for SLA-based negotiation and Cloud resource brokering proposed by the EU FP7 mOSAIC project. The proposed negotiation approach is both feasible and well-suited for Cloud Federations, as demonstrated in this paper with a real-world case study. The presented scenario shows the negotiation of a user’s security requirements with respect to a set of CSPs’ SecLAs, using both the information available in the Cloud Security Alliance’s “Security, Trust & Assurance Registry” (CSA STAR) and the WS-Agreement standard.

Paper Nr: 3
Title:

An Analysis of Software Quality Attributes and Their Contribution to Trustworthiness

Authors:

Nazila Gol Mohammadi, Sachar Paulus, Mohamed Bishr, Andreas Metzger, Holger Koennecke, Sandro Hartenstein and Klaus Pohl

Abstract: Whether a software, app, service or infrastructure is trustworthy represents a key success factor for its use and adoption by organizations and end-users. The notion of trustworthiness, though, is actually subject to individual interpretation, e.g. organizations require confidence about how their business critical data is handled whereas end-users may be more concerned about the usability. These concerns manifest as trustworthiness requirements towards modern apps and services. Understanding which Software Quality Attributes (SQA) foster trustworthiness thus becomes an increasingly important piece of knowledge for successful software development. To this end, this paper provides a first attempt to identify SQA that contribute to trustworthiness. Based on a survey of the literature, we provide a structured overview of SQA and their contribution to trustworthiness. We also identify potential gaps with respect to attributes whose relationship to trustworthiness is understudied, such as accessibility, level of service, etc. Further, we observe that most of the literature studies trustworthiness from a security perspective while there exist limited contributions in studying the social aspects of trustworthiness in computing. We expect this work to contribute to a better understanding of which attributes and characteristics of a software system should be considered to build trustworthy systems.

Paper Nr: 4
Title:

Ontology-based Analysis of Compliance and Regulatory Requirements of Business Processes

Authors:

Thorsten Humberg, Christian Wessel, Daniel Poggenpohl, Sven Wenzel, Thomas Ruhroth and Jan Jürjens

Abstract: Despite its significant potential benefits, the concept of Cloud Computing is still regarded with skepticism in most companies. One of the main obstacles is posed by concerns about the systems’ security and compliance issues. Examining system and process models for compliance manually is time-consuming and error-prone, in particular due to the mere extent of potentially relevant sources of security and compliance concerns that have to be considered. This paper proposes techniques to ease these problems by providing support in identifying relevant aspects, as well as suggesting possible methods (from an existing pool of such) to actually check a given model. We developed a two-step approach: First, we build an ontology to formalize rules from relevant standards, augmented with additional semantic information. This ontology is then utilized in the analysis of an actual model of a system or a business process in order to detect possible compliance obligations.

Paper Nr: 5
Title:

Addressing the Terms-of-Service Threat - Client-side Security and Policy Control for Free File Storage Services

Authors:

Geir M. Køien and Vladimir A. Oleshchuk

Abstract: In this paper we describe and identify the so-called terms-of-service (ToS) threat. This threat is concerned with asymmetry in the power between a service producer (SP) and the service consumer (SC) and is expressed in ToS which allows the SC to change the ToS at will. Our context is the free file synchronization services, and we will analyze the relationships between the service producer and the service consumer. There are pronounced control asymmetries and potential conflicts of interest between the parties, including user privacy and content ownership control. Our proposal for addressing these problems hinges on a two-pronged approach, including defining a service policy manager surveillance tool and a client-side presentation manager to enforce local security and privacy policies. Our Umbrella Architecture is still very much work in progress, but we are optimistic about the usefulness of the approach.