Using Risk Patterns to Identify Violations of Data Protection Policies in Cloud Systems

Cloud services and cloud infrastructures are becoming increasingly complex and dynamic: many different physical and virtual machines, applications and their components interact, and all of these entities may be reconfigured, deployed, and migrated in different ways at run time. In addition, a multitude of stakeholders may be involved in offering and using a cloud service, e.g., service consumers, cloud providers, data subjects, data controllers, and actual end users. This complexity and dynamicity make it challenging to check whether cloud services comply with data protection policies when storing or processing sensitive data. We present a model-based approach for identifying violations of data protection policies at run time. The key elements of our approach are (1) a run-time model that represents the actual cloud system and its stakeholders at run time, and (2) risk patterns that commonly appear in the context of data protection issues. Our approach aims to find instances of these risk patterns in the run-time model. If an instance of a risk pattern is found, this indicates a risk of a data protection violation. We demonstrate the applicability of our approach using an industry scenario.
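The pattern search described above, as an added illustration that is not code from the paper: the run-time model is a small typed graph with a hypothetical schema (`storedIn`, `hostedOn`, `accesses` and `authorizedFor` edges over constructed sample data), and the one risk pattern checked, an actor who can access any element holding a sensitive record without being authorized for that record, is an assumed example of such a pattern.

```python
from collections import defaultdict

# Constructed run-time model (hypothetical schema): typed nodes, labelled edges.
NODES = {
    "rec1": {"type": "DataRecord", "sensitive": True},
    "rec2": {"type": "DataRecord", "sensitive": False},
    "db1": {"type": "Database"}, "vm1": {"type": "VM"},
    "pm1": {"type": "PhysicalMachine"}, "pm2": {"type": "PhysicalMachine"},
    "controller": {"type": "Actor"}, "iaas_admin": {"type": "Actor"},
}
EDGES = [
    ("rec1", "storedIn", "db1"), ("rec2", "storedIn", "db1"),
    ("db1", "hostedOn", "vm1"), ("vm1", "hostedOn", "pm1"),
    ("controller", "accesses", "db1"), ("iaas_admin", "accesses", "pm1"),
    ("controller", "authorizedFor", "rec1"),
]

def find_risks(nodes, edges):
    """Return (record, element, actor) triples that match the risk pattern."""
    out = defaultdict(lambda: defaultdict(set))   # src -> relation -> targets
    inc = defaultdict(lambda: defaultdict(set))   # dst -> relation -> sources
    for src, rel, dst in edges:
        out[src][rel].add(dst)
        inc[dst][rel].add(src)
    risks = []
    for rec, attrs in nodes.items():
        if attrs["type"] != "DataRecord" or not attrs.get("sensitive"):
            continue
        # Every element that holds the record, following the hosting chain down.
        holders, todo = set(), list(out[rec]["storedIn"])
        while todo:
            node = todo.pop()
            if node not in holders:
                holders.add(node)
                todo.extend(out[node]["hostedOn"])
        for holder in holders:
            for actor in inc[holder]["accesses"]:
                if actor not in inc[rec]["authorizedFor"]:
                    risks.append((rec, holder, actor))
    return sorted(risks)

def migrate(edges, vm, new_host):
    """Return the edge list after a run-time migration of `vm` to `new_host`."""
    kept = [e for e in edges if not (e[0] == vm and e[1] == "hostedOn")]
    return kept + [(vm, "hostedOn", new_host)]

if __name__ == "__main__":
    print("before migration:", find_risks(NODES, EDGES))
    print("after migration: ", find_risks(NODES, migrate(EDGES, "vm1", "pm2")))
```

Re-running the search after each model update is what makes the check a run-time one: the same pattern yields a finding before the migration and none after it.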
