Evidence Collection in Cloud Provider Chains

Thomas Rübsamen, Christoph Reich, Nathan Clarke, Martin Knahl

2016

Abstract

With the increasing importance of cloud computing, compliance concerns come into the focus of businesses more often. Furthermore, businesses still consider security- and privacy-related issues to be the most prominent inhibitors of an even more widespread adoption of cloud computing services. Several frameworks try to address these concerns by building comprehensive guidelines for security controls for the use of cloud services. However, businesses require assurance of the correct and effective implementation of such controls to attenuate the loss of control that is inherently associated with using cloud services. Giving this kind of assurance is traditionally the task of audits and certification. Cloud auditing becomes increasingly challenging for the auditor the more complex the cloud service provision chain becomes. There are many examples of Software as a Service (SaaS) providers that no longer own dedicated hardware for operating their services, but rely solely on other cloud providers of the lower layers, such as Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) providers. The collection of data (evidence) for the assessment of policy compliance during a technical audit is aggravated the more complex the combination of cloud providers becomes. Nevertheless, collection at all participating providers is required to assess policy compliance in the whole chain. The main contribution of this paper is an analysis of potential ways of collecting evidence in an automated way across cloud provider boundaries to facilitate cloud audits. Furthermore, a way of integrating the most suitable approaches into the system for automated evidence collection and auditing is proposed.


Paper Citation


in Harvard Style

Rübsamen T., Reich C., Clarke N. and Knahl M. (2016). Evidence Collection in Cloud Provider Chains. In Proceedings of the 6th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-758-182-3, pages 59-70. DOI: 10.5220/0005788700590070

in Bibtex Style

@conference{closer16,
author={Thomas Rübsamen and Christoph Reich and Nathan Clarke and Martin Knahl},
title={Evidence Collection in Cloud Provider Chains},
booktitle={Proceedings of the 6th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER},
year={2016},
pages={59-70},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005788700590070},
isbn={978-989-758-182-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 6th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER
TI - Evidence Collection in Cloud Provider Chains
SN - 978-989-758-182-3
AU - Rübsamen T.
AU - Reich C.
AU - Clarke N.
AU - Knahl M.
PY - 2016
SP - 59
EP - 70
DO - 10.5220/0005788700590070