A Structured Method for Security Requirements Elicitation concerning the Cloud Computing Domain

Cloud computing systems offer an attractive alternative to traditional IT systems because of the economic benefits that arise from the cloud's scalable and flexible IT resources. These benefits are of particular interest to SMEs, since using cloud resources allows an SME to focus on its core business rather than on operating IT resources. However, numerous concerns about the security of cloud computing services exist. Potential cloud customers have to be confident that the cloud services they acquire are secure enough for their use, so they need a clear set of security requirements covering their security needs. Eliciting these requirements is difficult because of the number of stakeholders and technical components that have to be considered in a cloud environment. The authors therefore propose a structured, pattern-based method that supports eliciting security requirements and selecting security measures. The method guides potential cloud customers in modelling the application of their business case in a cloud computing context: a potential cloud customer instantiates the authors' so-called Cloud System Analysis Pattern, and the information captured in the instantiated pattern is then used to fill out the authors' textual security requirement patterns as well as individually defined security requirement patterns. The method is tool-supported: the tool supports instantiating the Cloud System Analysis Pattern and automatically transfers the information from the instance into the security requirement patterns. In addition, the tool has validation conditions that check, for example, whether a security requirement refers to at least one element in the cloud. The authors illustrate their method using an online banking system as a running example.
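The flow described above (instantiate an analysis pattern, transfer its elements into textual requirement patterns, then run validation conditions such as "refers to at least one element in the cloud") can be made concrete in a few dozen lines. The following is an added example, not the authors' tool or code: the field names of the pattern instance, the wording of the two requirement patterns, the online banking sample data and the validation rules are all assumptions for illustration, not the paper's definitions.

```python
from dataclasses import dataclass
from string import Formatter


@dataclass(frozen=True)
class CloudSystemInstance:
    """An instantiated analysis pattern for one business case (assumed fields)."""
    elements: frozenset      # technical components that form the cloud
    stakeholders: frozenset  # parties with an interest in the system
    assets: frozenset        # information worth protecting


@dataclass(frozen=True)
class RequirementPattern:
    """A textual security requirement pattern with named placeholders."""
    name: str
    template: str


class _Unbound(dict):
    """Render placeholders that were never filled as <name> instead of failing."""
    def __missing__(self, key):
        return "<" + key + ">"


@dataclass(frozen=True)
class SecurityRequirement:
    pattern: RequirementPattern
    bindings: dict  # placeholder name -> value taken from the pattern instance

    def text(self):
        return self.pattern.template.format_map(_Unbound(self.bindings))


def placeholders(template):
    """Field names used in a template, e.g. {'asset', 'element', 'stakeholder'}."""
    return {name for _, name, _, _ in Formatter().parse(template) if name}


# Placeholder-name prefix -> set of the instance it must be drawn from (assumed convention).
CATEGORY = {"element": "elements", "asset": "assets", "stakeholder": "stakeholders"}


def category(placeholder):
    for prefix in CATEGORY:
        if placeholder.startswith(prefix):
            return prefix
    return None


def validate(req, instance):
    """Validation conditions (assumed rules): every placeholder filled, every
    value taken from the instance, and at least one reference to a cloud element."""
    problems = []
    for name in sorted(placeholders(req.pattern.template) - req.bindings.keys()):
        problems.append(f"{req.pattern.name}: placeholder '{name}' is not filled")
    cloud_refs = 0
    for name, value in sorted(req.bindings.items()):
        cat = category(name)
        if cat is None:
            continue
        if value not in getattr(instance, CATEGORY[cat]):
            problems.append(f"{req.pattern.name}: '{value}' is not a known {cat} of the instance")
        elif cat == "element":
            cloud_refs += 1
    if cloud_refs == 0:
        problems.append(f"{req.pattern.name}: refers to no element in the cloud")
    return problems


def elicit(instance, pattern, stakeholder):
    """Transfer the instance into the pattern: one candidate requirement per asset/element pair."""
    return [
        SecurityRequirement(pattern, {"asset": a, "element": e, "stakeholder": stakeholder})
        for a in sorted(instance.assets)
        for e in sorted(instance.elements)
    ]


# Constructed sample data for the online banking running example.
ONLINE_BANKING = CloudSystemInstance(
    elements=frozenset({"online banking application", "account database", "cloud storage"}),
    stakeholders=frozenset({"bank customer", "bank", "cloud provider"}),
    assets=frozenset({"account balance", "transaction history", "login credentials"}),
)
CONFIDENTIALITY = RequirementPattern(
    "confidentiality",
    "The {asset} of the {stakeholder} shall be kept confidential while processed by the {element}.",
)
INTEGRITY = RequirementPattern(
    "integrity",
    "Modifications of the {asset} stored in the {element} shall be detectable by the {stakeholder}.",
)

OK = SecurityRequirement(CONFIDENTIALITY, {"asset": "account balance", "stakeholder": "bank customer", "element": "account database"})
BAD_ELEMENT = SecurityRequirement(INTEGRITY, {"asset": "transaction history", "stakeholder": "bank", "element": "mainframe"})
UNFILLED = SecurityRequirement(CONFIDENTIALITY, {"asset": "login credentials", "stakeholder": "bank customer"})

if __name__ == "__main__":
    for req in (OK, BAD_ELEMENT, UNFILLED):
        print(req.text())
        for problem in validate(req, ONLINE_BANKING):
            print("  !", problem)
    print(len(elicit(ONLINE_BANKING, CONFIDENTIALITY, "bank customer")), "candidate requirements elicited")
```

The `elicit` step over-generates on purpose: it enumerates every asset/element pair so that the customer prunes rather than invents, which is the point of drawing requirements from the instantiated pattern instead of from memory. The validation conditions then catch the two failure modes a hand-written requirement typically has: a placeholder that was never bound, and a reference to a component that does not exist in the modelled cloud.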
