A catalog of security requirements patterns for the domain of cloud computing systems

Beckers, Kristian; Côté, Isabelle; Goeke, Ludger

doi:10.1145/2554850.2554921

Cited by 21 publications

(9 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In another paper, Beckers et al [46] provided a catalog of security requirement patterns that are relevant for cloud computing. To order these security requirement patterns, different domains were defined.…”

Section: Related Workmentioning

confidence: 99%

Context Analysis of Cloud Computing Systems Using a Pattern-Based Approach

2018

Self Cite

View full text Add to dashboard Cite

Cloud computing services bring new capabilities for hosting and offering complex collaborative business operations. However, these advances might bring undesirable side-effects, e.g., introducing new vulnerabilities and threats caused by collaboration and data exchange over the Internet. Hence, users have become more concerned about security and privacy aspects. For secure provisioning of a cloud computing service, security and privacy issues must be addressed by using a risk assessment method. To perform a risk assessment, it is necessary to obtain all relevant information about the context of the considered cloud computing service. The context analysis of a cloud computing service and its underlying system is a difficult task because of the variety of different types of information that have to be considered. This context information includes (i) legal, regulatory and/or contractual requirements that are relevant for a cloud computing service (indirect stakeholders); (ii) relations to other involved cloud computing services; (iii) high-level cloud system components that support the involved cloud computing services; (iv) data that is processed by the cloud computing services; and (v) stakeholders that interact directly with the cloud computing services and/or the underlying cloud system components. We present a pattern for the contextual analysis of cloud computing services and demonstrate the instantiation of our proposed pattern with real-life application examples. Our pattern contains elements that represent the above-mentioned types of contextual information. The elements of our pattern conform to the General Data Protection Regulation. Besides the context analysis, our pattern supports the identification of high-level assets. Additionally, our proposed pattern supports the documentation of the scope and boundaries of a cloud computing service conforming to the requirements of the ISO 27005 standard (information security risk management). The results of our context analysis contribute to the transparency of the achieved security and privacy level of a cloud computing service. This transparency can increase the trust of users in a cloud computing service. We present results of the RestAssured project related to the context analysis regarding cloud computing services and their underlying cloud computing systems. The context analysis is the prerequisite to threat and control identification that are performed later in the risk management process. The focus of this paper is the use of a pattern at the time of design systematic context analysis and scope definition for risk management methods.

show abstract

Section: Related Workmentioning

confidence: 99%

Context Analysis of Cloud Computing Systems Using a Pattern-Based Approach

2018

Self Cite

View full text Add to dashboard Cite

show abstract

“…New risks from the reliance on virtualization technologies, which have their own unique risk profiles, have been explored as well [8]. The organization of threat data is improving as technical security concepts have been cataloged to facilitate the identification of secure cloud requirements [9].…”

Section: B Threat Considerationsmentioning

confidence: 99%

Managing Cloud Computing risks in financial services institutions

Rohmeyer

Ben-Zvi

2015

2015 Portland International Conference on Management of Engineering and Technology (PICMET)

View full text Add to dashboard Cite

The integration of Cloud Computing with information systems architectures continues to grow at a rapid pace due to the availability of high quality, low cost computing services and organizational efforts to improve efficiency and productivity. Enterprises are increasingly comfortable turning to the Cloud for IT solutions, where teams of dedicated, specialized experts deliver important capabilities and outcomes, instead of investing in the development of internal architectures. While data and systems security concerns remain, for many firms the economic arguments are so compelling in favor of Cloud deployments that adoption tends to proceed regardless of security and assurance worries. As a result, enterprise IT functions find themselves managing an array of risk issues in an environment of diminished transparency and with limited opportunities to directly treat observed risks. The mechanisms for managing technology risks associated with Cloud models differ from traditional approaches taken to control risk in internal architectures. This paper examines emerging threats in Cloud Computing within a financial services organization.This includes consideration of insider threats, data leakage, insecure software, and new Cloud attack patterns. The nature and characteristics of the threats are explained and the paper explores the risk treatment options chosen by the sample organization. The authors' observations are synthesized in a general model that describes Cloud Risks and Controls for financial services institutions.

show abstract

“…1. Overview of the pattern-based risk analysis method C. The Security Requirement Patterns In this step, we describe our security requirement patterns (SRP) [4]. The resulting security requirements are related to elements in the CSAP instance.…”

Section: List Of Threatsmentioning

confidence: 99%

“…The creation of security requirements for an asset is simplified by instantiating the relevant security requirement patterns that are referenced by the appropriate Threat Patterns. For more information regarding SRP, we refer to our previous work [4].…”

Section: E Phase 5: Instantiate Security Requirementsmentioning

confidence: 99%

“…We make use of the Cloud System Analysis Pattern (CSAP) [7] for defining the scope and boundaries of the ISMS, Threat Patterns (TP) for identifying threats, Security Requirement Patterns (SRP) [4] for eliciting security requirements, and Control Patterns (CP) based on the ISO 27002 standard [15] and the CSA Cloud Control Matrix (CCM) 3 for fulfilling identified security requirements in order to treat the unacceptable risks. We embed the patterns that we apply in a method that guides the companies through the process of risk analysis in a structured manner.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Pattern-based and ISO 27001 compliant risk analysis for cloud systems

Alebrahim

Hatebur

Goeke³

2014

2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)

Self Cite

View full text Add to dashboard Cite

For accepting clouds and using cloud services by companies, security plays a decisive role. For cloud providers, one way to obtain customers' confidence is to establish security mechanisms when using clouds. The ISO 27001 standard provides general concepts for establishing information security in an organization. Risk analysis is an essential part in the ISO 27001 standard for achieving information security. This standard, however, contains ambiguous descriptions. In addition, it does not stipulate any method to identify assets, threats, and vulnerabilities. In this paper, we present a structured and patternbased method to conduct risk analysis for cloud computing systems. It is tailored to SMEs. Our method addresses the requirements of the ISO 27001. We make use of the cloud system analysis pattern, security requirement patterns, threat patterns, and control patterns for conducting the risk analysis. The method is illustrated by a cloud logistics application example. I. INTRODUCTIONCloud computing represents a technology as well as a business model [2]. National Institute of Standards and Technology (NIST) defines following properties for the cloud computing systems [18]: the cloud customer can require resources of the cloud provider such as storage, processing, memory, network bandwidth, and virtual machines over broad network access and on-demand and pays only for the used capabilities. Using cloud computing services is thus an economic way of acquiring IT-resources. The dynamic acquisition and scalability, yet paying only what was used, makes cloud computing an interesting alternative for a large amount of potential customers.To benefit from cloud computing and the advantages it offers, obstacles regarding the usage of clouds should be cleared. For accepting clouds and using cloud services by companies, security plays a decisive role 1 . For cloud providers, one way to obtain customers' confidence is to establish security mechanisms when using clouds by certifying their cloud computing systems. The ISO 27001 standard [13] provides general concepts for establishing information security risk management in an organization. The Annex A of the ISO 27001 standard describes the normative controls of the standard. Risk analysis provides a foundation to the security of each organization. Hence, it is an essential part of the ISO 27001 standard for achieving information security. This standard does not stipulate any method for performing risk analysis. To identify assets, threats, and vulnerabilities as essential building blocks to security risk assessment, the companies offering cloud services need structured and comprehensible methods.In this paper, we present a structured and pattern-based method to conduct risk analysis for cloud computing systems.

show abstract

A catalog of security requirements patterns for the domain of cloud computing systems

Cited by 21 publications

References 6 publications

Context Analysis of Cloud Computing Systems Using a Pattern-Based Approach

Context Analysis of Cloud Computing Systems Using a Pattern-Based Approach

Managing Cloud Computing risks in financial services institutions

Pattern-based and ISO 27001 compliant risk analysis for cloud systems

Contact Info

Product

Resources

About