• No results found

Security and Compliance in Clouds

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Security and Compliance in Clouds"

Copied!
20
0
0

Loading.... (view fulltext now)

Download now ( 20 Page )

Full text

(1)

Security and Compliance in Clouds

Pattern-Based Compliance and Security Requirements Engineering

Martin Hirsch, Jan Jürjens, Jan-Christoph Küster

Fraunhofer Institut für Software- und Systemtechnologie ISST, Dortmund

iqnite 2011, Düsseldorf 24. May 2011

(2)

Architectures for Auditable Business Process Execution

(APEX)

 Tool supported methods for security and compliance checks on business processes

 Modeling time: Syntax checks of models

 Runtime: Conformance checks with log data

 Analysis based on different types of models

 BPMN2.0, UMLsec or system log data

(3)

© Fraunhofer ISST

3

Agenda

 NIST Cloud Definition Framework

 Cloud Security and Compliance Goals

 Challenges and Conflicts

 Pattern-Based Compliance and Security Engineering

 Cloud System Analysis Pattern

 Example: Cloud Online Banking Scenario

 Supporting the Information Security Standard ISO 2700x

(4)
(5)

Cloud Security Goals

(6)

Regulatory compliance

 Compliance management is a “broad term covering all activities and

methods to ensure that a company follows all policies required by an external or internal regulation”

E. K. Marwane and S. Stein, “Policy-based semantic compliance checking for business process management”, 2008.

BDSG HGB

AktG BSI-Grundschutzkatalog

MARisk

(7)

Regulatory compliance

 Compliance management is a “broad term covering all activities and

methods to ensure that a company follows all policies required by an external or internal regulation”

 Even for a small outsourcing task, a huge number of laws might become relevant

7 E. K. Marwane and S. Stein, “Policy-based semantic compliance checking for business process

management”, 2008.

BDSG HGB

AktG BSI-Grundschutzhandbuch

MARisk

ISO2700x

KWG AO

 §91, 93 AktG

 Responsibility of management to implement early warning risk management

(8)

Regulatory compliance

 Compliance management is a “broad term covering all activities and

methods to ensure that a company follows all policies required by an external or internal regulation”

E. K. Marwane and S. Stein, “Policy-based semantic compliance checking for business process management”, 2008.

BDSG HGB

AktG BSI-Grundschutzhandbuch

MARisk

ISO2700x

 §25a KWG

(9)

Regulatory compliance

 Compliance management is a “broad term covering all activities and

methods to ensure that a company follows all policies required by an external or internal regulation”

 Even for a small outsourcing task, a huge number of laws might become relevant

9 E. K. Marwane and S. Stein, “Policy-based semantic compliance checking for business process

management”, 2008.

BDSG HGB

AktG BSI-Grundschutzhandbuch

MARisk

ISO2700x

KWG AO

 §147 AO

 Archiving of documents

 Rules are still relevant, even if filing of documents is done in an electronic way

(10)

Regulatory compliance

 Compliance management is a “broad term covering all activities and

methods to ensure that a company follows all policies required by an external or internal regulation”

E. K. Marwane and S. Stein, “Policy-based semantic compliance checking for business process management”, 2008.

BDSG HGB

AktG BSI-Grundschutzhandbuch

MARisk

ISO2700x

 Forbid sharing of data with companies or governments in countries with weaker laws

(11)

Motivation

Cloud Computing is a specific case of outsourcing:

 Short term outsourcing decisions are possible

 Multiple customers on one outsourcing platform

 The scope of IT outsourcing increases

Security and Compliance:

 Identifying relevant security requirements, laws and regulations for an international cloud scenario is a challenge:

 Complex environment with many stakeholders

 Location independence

Patterns:

 Pattern-based approaches ease and provide a structured way of elicitation of security or compliance requirements

 Offer re-usability and tool-support

(12)
(13)

Example: Cloud Online Banking Scenario

A German bank plans to offer online banking services, that includes:

 Offering service access to customers in Germany via web interface

 Integrate significant scalability in terms of customers using the online banking services

 Customer data, e.g., account information, amount and transaction histories are stored in the cloud

 Task a subsidiary with the required software development

 Outsource the affected IT processes to a cloud provider in the USA

(14)
(15)

Direct Stakeholder Template

15

(16)
(17)

Context Establishment and Asset Identification in

ISO 27005

17 General Considerations Scope and Boundaries Context Establishment

Context Establishment (ISO 27005, Clause 7)

Basic Criteria …

Input Output

Asset Identification (ISO 27005, Clause 8.2.1.2)

General Considerations

Assets to be Risk Managed

Asset Identification

Business Process related to asset

(18)

Instantiated Cloud System Analysis Pattern

Context Establishment

(19)

Pattern-based Support for Context Establishment

and Asset Identification in ISO 27005

19 Asset

Identification

• Asset owner

• Types of information: • Vital

• Personal • Strategic • High-cost

(20)

Conclusion and Future Work

Conclusion:

 Conflicts of Cloud Security Goals

 Identifying of Security and Compliance Requirements challenging

 Pattern-based analysis of cloud scenarios

 Support of ISO 2700x standard

Future Work:

 Requirements engineering method for cloud security and compliance

References

Download now ( PDF - 20 Page - 1.04 MB )

Related documents

Electronic Performance Support for E-Learning Analysis and Design

The goal was to develop and validate a set of heuristics (guidelines or decision support tools) to aid instructional designers decision making during the analysis and design phases

The research on the formation mechanism of extraordinary oxidative capacity of skeletal muscle in hibernating ground squirrels (Spermophilus dauricus)

Therefore, to study the possible mechanisms that could contribute to the switch in metabolism of skeletal muscle fiber types in torpid animals, the indictors for oxygen supply, such

Macro-performance evaluation of friction stir welded automotive tailor-welded blank sheets: Part I – Material properties

As for the isotropic hardening, the Voce type work hardening law showed better curve fitting for aluminum base materials and aluminum/DP590 weld zones while, for DP590 base

Historical Evolution of the Wave Resource and Energy Production off the Chilean Coast over the 20th Century

According to the spatial distribution of the mean WEF and the COV, Valparaiso shows interesting characteristics for the deployment of a WEC and, therefore, wave data from the

Resolving Intravoxel White Matter Structures in the Human Brain Using Regularized Regression and Clustering

Resolving Intravoxel White Matter Structures in the Human Brain Resolving Intravoxel White Matter Structures in the Human Brain Using Regularized Regression and Clustering..

Transitioning to ICD-10. Ready for October 1, 2014?

Several different types of testing will be required to ensure ICD-10 compliance across internal policies, processes and systems as well as with external trading partners and

ITSM Governance In the world of cloud computing

Compliance What  audit  protocols  /  practices  does  the  vendor  have  in  place  to  ensure  compliance  to  their  internal  policies  and   processes

DELAWARE DEPARTMENT OF INSURANCE MARKET CONDUCT EXAMINATION REPORT

The Company was asked to provide: (a) a narrative statement explaining the internal control methods and audits used to ensure compliance with Delaware Insurance Laws and the