An architecture for cross-cloud auditing

Xie, Rui; Gamble, Rose F.

doi:10.1145/2459976.2459981

Cited by 3 publications

(6 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These policies are threatened by a number of security risks including local (pairwise between services) and global (end-to-end of service composition) violations of data integrity, data confidentiality, and service availability which are introduced when services exchange information as part of the execution of a cloud application. These risks stem from trust [6,9] and communication [3,6,9] issues that may exist between services in compositions.…”

Section: Relevant Researchmentioning

confidence: 99%

“…Managing Sessions To reason about service cloud issues our infrastructure includes a Session Manager [6] cloud service. The Session Manager orchestrates service compositions by enabling proxies of advertised services to facilitate communication via channels.…”

Section: Amentioning

confidence: 99%

“…In addition, the Session Manager can capture audit records generated by the services and port them to a monitoring component to determine if there are security threats, such as information flow control and message communication attacks. Xie and Gamble [6] show that the use of a Session Manager as an intermediary cloud service adds significant overhead, but the evidence captured for security monitoring far outweighs the overhead cost.…”

Section: Amentioning

confidence: 99%

“…Service clouds [1] provide a set of re-usable resource templates, in the form of composed web services [4][5][6], virtual machine (VM) images [4,7], and database schema [8], to application developers using APIs that promote scalability and usage metering. For developers, leveraging multi-tenant cloud resources to construct web applications allows for increased monetary opportunities through increased service delivery efficiency, improved resource use, and decreased costs.…”

Section: Introductionmentioning

confidence: 99%

“…Research has examined auditing as it relates to session management [6] and has explored the role of Service Level Agreements (SLAs) [5,11,12] for monitoring cloud application properties to guarantee security constraints. Auditing approaches focus on detecting anomalies with respect to service operations across compositions, while combining the different auditing perspectives that exist in the cloud into a single perspective and ways to use this information, together with real time monitoring, to proactively improve cloud service offerings and facilitate incident reporting [6]. Difficulty arises in proper representation and monitoring across the service composition when each service may create a local audit trail to log specific events visible only from its perspective.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

A Design and Verification Framework for Service Composition in the Cloud

Hale

Gamble

2013

2013 IEEE Ninth World Congress on Services

View full text Add to dashboard Cite

Abstract-The service cloud model allows hosted services to be dynamically provisioned and composed as part of larger, more complex cloud applications. Compatibility of interaction and quality of service are important to provisioning similar services available in the cloud to a client request. Auditing individual services, the composition and its outcome, and the overall cloud resources, used for monetary assessment or to ensure critical operations, also provide properties for reasoning over service and composition capabilities. Security policies and potential violations pose a threat to the composition since sensitive data may be leaked if information flow control guarantees cannot be proven. Service engineering lacks design principles and an expression infrastructure for formal representation and reasoning within a service cloud model. Reasoning over service compositions requires a formal language that can express multiple service and cloud properties. In this paper, we use coordination language techniques to express services, their interaction capabilities and information sharing constraints, and the infrastructure of a service cloud model in which services can be accurately provisioned, composed and reasoned over to provide necessary guarantees. We discuss lessons learned from the process of formulating the service representation and cloud model infrastructure.

show abstract

Section: Relevant Researchmentioning

confidence: 99%

Section: Amentioning

confidence: 99%

Section: Amentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

A Design and Verification Framework for Service Composition in the Cloud

Hale

Gamble

2013

2013 IEEE Ninth World Congress on Services

View full text Add to dashboard Cite

show abstract

Diagnosing Vulnerability Patterns in Cloud Audit Logs

Xie

Gamble

Ahmed

2013

High Performance Cloud Auditing and Applications

View full text Add to dashboard Cite

Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards

Hale

Gamble

2017

Requirements Eng

View full text Add to dashboard Cite

Companies and government organizations are increasingly compelled, if not required by law, to ensure that their information systems will comply with various federal and industry regulatory standards, such as the NIST Special Publication on Security Controls for Federal Information Systems (NIST SP-800-53), or the Common Criteria (ISO 15408-2). Such organizations operate business or mission critical systems where a lack of or lapse in security protections translates to serious confidentiality, integrity, and availability risks that, if exploited, could result in information disclosure, loss of money, or, at worst, loss of life. To mitigate these risks and ensure that their information systems meet regulatory standards, organizations must be able to (a) contextualize regulatory documents in a way that extracts the relevant technical implications for their systems, (b) formally represent their systems and demonstrate that they meet the extracted requirements following an accreditation process, and (c) ensure that all third-party systems, which may exist outside of the information system enclave as web or cloud services also implement appropriate security measures consistent with organizational expectations. This paper introduces a step-wise process, based on semantic hierarchies, that systematically extracts relevant security requirements from control standards to build a certification baseline for organizations to use in conjunction with formal methods and service agreements for accreditation. The approach is demonstrated following a case study of all audit-related controls in the SP-800-53, ISO 15408-2, and related documents. Accuracy, applicability, consistency, and efficacy of the approach were evaluated using controlled qualitative and quantitative methods in two separate studies.

show abstract

An architecture for cross-cloud auditing

Cited by 3 publications

References 9 publications

A Design and Verification Framework for Service Composition in the Cloud

A Design and Verification Framework for Service Composition in the Cloud

Diagnosing Vulnerability Patterns in Cloud Audit Logs

Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards

Contact Info

Product

Resources

About