Structured Pattern-Based Security Requirements Elicitation for Clouds

Beckers, Kristian; Heisel, Maritta; Côté, Isabelle; Goeke, Ludger; Güler, Selim

doi:10.1109/ares.2013.61

Cited by 15 publications

(20 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• A simple method that describes how to conduct a security analysis and to establish a cloud-specific ISMS [3]. • Tool-support for eliciting and analyzing the required informationfor an ISO 27001 certification [5]. • A catalog for Security Requirement Patterns [5].…”

Section: A the Cloudat Frameworkmentioning

confidence: 99%

“…• Tool-support for eliciting and analyzing the required informationfor an ISO 27001 certification [5]. • A catalog for Security Requirement Patterns [5]. …”

Section: A the Cloudat Frameworkmentioning

confidence: 99%

“…The ClouDAT framework is a result of the ClouDAT project 5 . The ClouDAT framework will be available as opensource for all interested parties.…”

Section: A the Cloudat Frameworkmentioning

confidence: 99%

See 2 more Smart Citations

Pattern-based and ISO 27001 compliant risk analysis for cloud systems

Alebrahim

Hatebur

Goeke³

2014

2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)

Self Cite

View full text Add to dashboard Cite

For accepting clouds and using cloud services by companies, security plays a decisive role. For cloud providers, one way to obtain customers' confidence is to establish security mechanisms when using clouds. The ISO 27001 standard provides general concepts for establishing information security in an organization. Risk analysis is an essential part in the ISO 27001 standard for achieving information security. This standard, however, contains ambiguous descriptions. In addition, it does not stipulate any method to identify assets, threats, and vulnerabilities. In this paper, we present a structured and patternbased method to conduct risk analysis for cloud computing systems. It is tailored to SMEs. Our method addresses the requirements of the ISO 27001. We make use of the cloud system analysis pattern, security requirement patterns, threat patterns, and control patterns for conducting the risk analysis. The method is illustrated by a cloud logistics application example. I. INTRODUCTIONCloud computing represents a technology as well as a business model [2]. National Institute of Standards and Technology (NIST) defines following properties for the cloud computing systems [18]: the cloud customer can require resources of the cloud provider such as storage, processing, memory, network bandwidth, and virtual machines over broad network access and on-demand and pays only for the used capabilities. Using cloud computing services is thus an economic way of acquiring IT-resources. The dynamic acquisition and scalability, yet paying only what was used, makes cloud computing an interesting alternative for a large amount of potential customers.To benefit from cloud computing and the advantages it offers, obstacles regarding the usage of clouds should be cleared. For accepting clouds and using cloud services by companies, security plays a decisive role 1 . For cloud providers, one way to obtain customers' confidence is to establish security mechanisms when using clouds by certifying their cloud computing systems. The ISO 27001 standard [13] provides general concepts for establishing information security risk management in an organization. The Annex A of the ISO 27001 standard describes the normative controls of the standard. Risk analysis provides a foundation to the security of each organization. Hence, it is an essential part of the ISO 27001 standard for achieving information security. This standard does not stipulate any method for performing risk analysis. To identify assets, threats, and vulnerabilities as essential building blocks to security risk assessment, the companies offering cloud services need structured and comprehensible methods.In this paper, we present a structured and pattern-based method to conduct risk analysis for cloud computing systems.

show abstract

Section: A the Cloudat Frameworkmentioning

confidence: 99%

“…• Tool-support for eliciting and analyzing the required informationfor an ISO 27001 certification [5]. • A catalog for Security Requirement Patterns [5]. …”

Section: A the Cloudat Frameworkmentioning

confidence: 99%

See 1 more Smart Citation

Pattern-based and ISO 27001 compliant risk analysis for cloud systems

Alebrahim

Hatebur

Goeke³

2014

2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)

Self Cite

View full text Add to dashboard Cite

show abstract

“…For instance, frameworks focusing on the supply-demand relation have been designed [16], and management systems for requirements ensuring QoS have been developed [17]. Moreover, researchers looked into methods for eliciting particular types of requirements, e.g., legal [18] or security [19]. Still, these are only niche recommendations and no comprehensive clear solution exists, addressing the cloud-specific requirements elicitation challenges.…”

Section: Related Workmentioning

confidence: 99%

“…Moreover, most existing requirements elicitation methods can only deal with a limited number of stakeholders [22]. The number of potential cloud service consumers may often go beyond what traditional methods can handle [19], and no real solutions addressing this elicitation issue have been developed so far. Market-driven techniques [27], which are usually employed when it is impossible to consider individual consumers, prove to be rather limited in the cloud, due to the lack of specific localized markets.…”

Section: Related Workmentioning

confidence: 99%

Quest for Requirements: Scrutinizing Advanced Search Queries for Cloud Services with Fuzzy Galois Lattices

Todoran

Glinz

2014

2014 IEEE World Congress on Services

View full text Add to dashboard Cite

In software and requirements engineering, requirements elicitation is considered an essential step towards building successful systems. Despite extensive existing research in the field of distributed requirements engineering, the topic of requirements elicitation for cloud systems remains still uncovered. Cloud challenges (e.g., heterogeneous and globally distributed users, volatile requirements, frequent change requests) cannot always be satisfied by existing methods. We present a new approach for eliciting requirements for cloud services by analyzing advanced search queries. Our approach builds fuzzy Galois lattices for the terms that compose advanced search queries, thus enabling a thorough analysis of stored search data. This can support cloud providers in observing requirements clusters and new classes of cloud services, identifying the threshold for achieving satisfied consumers with a minimal set of requirements implemented, and thus designing novel solutions, based on market trends. Moreover, the Galois lattices approach enables large-scale consumers' involvement and ensures the elicitation of real requirements unobtrusively. Abstract-In software and requirements engineering, requirements elicitation is considered an essential step towards building successful systems. Despite extensive existing research in the field of distributed requirements engineering, the topic of requirements elicitation for cloud systems remains still uncovered. Cloud challenges (e.g., heterogeneous and globally distributed users, volatile requirements, frequent change requests) cannot always be satisfied by existing methods. We present a new approach for eliciting requirements for cloud services by analyzing advanced search queries. Our approach builds fuzzy Galois lattices for the terms that compose advanced search queries, thus enabling a thorough analysis of stored search data. This can support cloud providers in observing requirements clusters and new classes of cloud services, identifying the threshold for achieving satisfied consumers with a minimal set of requirements implemented, and thus designing novel solutions, based on market trends. Moreover, the Galois lattices approach enables large-scale consumers' involvement and ensures the elicitation of real requirements unobtrusively.

show abstract

Issues in Applying Model Based Process Improvement in the Cloud Computing Domain

Cade

Wen

Rout

2014

Communications in Computer and Information Science

View full text Add to dashboard Cite

Cloud Computing offers organisations a range of benefits, both economic and technological. However the decision to deploy an application or service to the cloud is a not a trivial one. Organisations need to be fully aware of not only the business requirements for a given application or service, but also the technological requirements and or constraints of the cloud. Model-based process assessment and improvement has been shown to support organisational change in different domains of application, but there are few reports of application in cloud computing. As a first step in defining suitable models to support process management, the impact of working with cloud resources on existing standard processes has been examined using the techniques of behavior engineering. A path for future work is proposed.

show abstract

Structured Pattern-Based Security Requirements Elicitation for Clouds

Cited by 15 publications

References 5 publications

Pattern-based and ISO 27001 compliant risk analysis for cloud systems

Pattern-based and ISO 27001 compliant risk analysis for cloud systems

Quest for Requirements: Scrutinizing Advanced Search Queries for Cloud Services with Fuzzy Galois Lattices

Issues in Applying Model Based Process Improvement in the Cloud Computing Domain

Contact Info

Product

Resources

About