A catalog of security requirements patterns for the domain of cloud computing systems

2015 ◽  
pp. 875-896
Author(s):  
Kristian Beckers ◽  
Isabelle Côté ◽  
Ludger Goeke ◽  
Selim Güler ◽  
Maritta Heisel

Cloud computing systems offer an attractive alternative to traditional IT systems because of the economic benefits that arise from the cloud's scalable and flexible IT resources. The benefits are of particular interest for SMEs, because using cloud resources allows an SME to focus on its core business rather than on IT resources. However, numerous concerns about the security of cloud computing services exist. Potential cloud customers have to be confident that the cloud services they acquire are secure for them to use. Therefore, they have to have a clear set of security requirements covering their security needs. Eliciting these requirements is a difficult task because of the number of stakeholders and technical components to consider in a cloud environment. Therefore, the authors propose a structured, pattern-based method that supports eliciting security requirements and selecting security measures. The method guides potential cloud customers to model the application of their business case in a cloud computing context using a pattern-based approach. Thus, a potential cloud customer can instantiate our so-called Cloud System Analysis Pattern. Then, the information of the instantiated pattern can be used to fill out our textual security requirements patterns, as well as individually defined security requirement patterns. The presented method is tool-supported. Our tool supports the instantiation of the cloud system analysis pattern and automatically transfers the information from the instance to the security requirements patterns. In addition, they have validation conditions that check, e.g., whether a security requirement refers to at least one element in the cloud. The authors illustrate their method using an online-banking system as a running example.


2015 ◽  
Vol 6 (1) ◽  
pp. 24-46
Author(s):  
Azadeh Alebrahim ◽  
Denis Hatebur ◽  
Stephan Fassbender ◽  
Ludger Goeke ◽  
Isabelle Côté

To benefit from cloud computing and the advantages it offers, obstacles regarding the usage and acceptance of clouds have to be cleared. For cloud providers, one way to obtain customers' confidence is to establish security mechanisms when using clouds. The ISO 27001 standard provides general concepts for establishing information security in an organization. Risk analysis is an essential part of the ISO 27001 standard for achieving information security. This standard, however, contains ambiguous descriptions. In addition, it does not stipulate any method to identify assets, threats, and vulnerabilities. In this paper, the authors present a method for cloud computing systems to perform risk analysis according to ISO 27001. The authors' structured method is tailored to SMEs. It relies upon patterns to describe the context and structure of a cloud computing system, elicit security requirements, identify threats, and select controls, which eases the effort for these activities. The authors' method guides companies through the process of risk analysis in a structured manner. Furthermore, the authors provide a model-based tool for supporting ISO 27001 certification. The authors' tool consists of various plug-ins for conducting different steps of their method.


2014 ◽  
Vol 5 (2) ◽  
pp. 20-43
Author(s):  
Kristian Beckers ◽  
Isabelle Côté ◽  
Ludger Goeke ◽  
Selim Güler ◽  
Maritta Heisel

Cloud computing systems offer an attractive alternative to traditional IT systems because of the economic benefits that arise from the cloud's scalable and flexible IT resources. The benefits are of particular interest for SMEs, because using cloud resources allows an SME to focus on its core business rather than on IT resources. However, numerous concerns about the security of cloud computing services exist. Potential cloud customers have to be confident that the cloud services they acquire are secure for them to use. Therefore, they have to have a clear set of security requirements covering their security needs. Eliciting these requirements is a difficult task because of the number of stakeholders and technical components to consider in a cloud environment. Therefore, the authors propose a structured, pattern-based method that supports eliciting security requirements and selecting security measures. The method guides potential cloud customers to model the application of their business case in a cloud computing context using a pattern-based approach. Thus, a potential cloud customer can instantiate our so-called Cloud System Analysis Pattern. Then, the information of the instantiated pattern can be used to fill out our textual security requirements patterns, as well as individually defined security requirement patterns. The presented method is tool-supported. Our tool supports the instantiation of the cloud system analysis pattern and automatically transfers the information from the instance to the security requirements patterns. In addition, they have validation conditions that check, e.g., whether a security requirement refers to at least one element in the cloud. The authors illustrate their method using an online-banking system as a running example.

