A Framework for Compliance and Security Coverage Estimation for Cloud Services: A Cloud Insurance Model

Many organizations are adopting cloud services to reduce their computing cost and increase the flexibility of their IT infrastructure. As cloud services move into the mainstream to meet major computing needs, the issues of ownership and chain of custody of customer data are becoming primary responsibilities of providers. Therefore, security requirements are essential for all service models (while the degree of defensive measures may vary), along with satisfying industry-standard compliance requirements. The authors develop an insurance framework called MEGHNAD for estimating the security coverage based on the type of cloud service and the level of security assurance required. This security coverage estimator may be useful to cloud providers (offering Security as a Service), cloud adopters, and cloud insurers who want to incorporate or market cloud security insurance. This framework allows the user/operator to choose a cloud service (such as SaaS, PaaS, or IaaS) and supply other pertinent information in order to determine the appropriate level of security insurance coverage. This chapter describes an extension to the MEGHNAD (version 2.0) framework that incorporates security-related compliances. The compliance regime for each sector requires specific protections for online data such as transparency, respect for context, security, focused collection, accountability, access, and accuracy. The MEGHNAD tool can also generate an SLA document that can be used for monitoring by a certified Third-Party Assessment Organization (3PAO).

Dipankar Dasgupta, University of Memphis, USA; Durdana Naseem, University of Memphis, USA
