Evidence Collection in Cloud Provider Chains

With the increasing importance of cloud computing, compliance concerns come into focus for businesses more often. At the same time, businesses still consider security- and privacy-related issues to be the most prominent inhibitors of an even wider adoption of cloud computing services. Several frameworks try to address these concerns by building comprehensive guidelines for security controls for the use of cloud services. However, businesses require assurance that such controls are implemented correctly and effectively in order to attenuate the loss of control that is inherently associated with using cloud services. Giving this kind of assurance is traditionally the task of audits and certification. Cloud auditing becomes increasingly challenging for the auditor the more complex the cloud service provision chain becomes. There are many examples of Software as a Service (SaaS) providers that no longer own dedicated hardware for operating their services, but rely solely on other cloud providers in the lower layers, such as Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) providers. The collection of data (evidence) for the assessment of policy compliance during a technical audit becomes harder the more complex the combination of cloud providers is. Nevertheless, collection at all participating providers is required to assess policy compliance across the whole chain. The main contribution of this paper is an analysis of potential ways of collecting evidence in an automated way across cloud provider boundaries to facilitate cloud audits. Furthermore, a way of integrating the most suitable approaches into the system for automated evidence collection and auditing is proposed.
