Towards an Architecture for Collaborative Cross-Organizational Security Requirements Management

Organizations increasingly adopt, or consider adopting, external services in the hope of higher flexibility and reduced costs. However, deficiencies in current processes and tools force service consumers to forgo the expected advantages and to trade off profitability against security. These security and compliance concerns are predominantly due to the neglect or manual resolution of dependencies between security policies and configurations, a problem caused by the distinct terminologies, languages and tools used by the service provider and the service customer. To overcome these kinds of problems in collaborative cross-organizational security management, we have developed CoSeRMaS, a collaborative and semi-automated tool to define, manage and validate inter- and cross-organizational security requirements. This paper introduces the CoSeRMaS prototype and gives an overview of the features that have been developed.
