Abstract
Cloud computing is emerging as a promising IT solution for enabling ubiquitous, convenient, on-demand access to a shared pool of configurable computing resources. However, the widespread adoption of cloud is still hindered by security and privacy concerns. Various cloud security and privacy issues have been addressed in the literature, but the mere existence of such security mechanisms is usually insufficient to fully relieve cloud tenants of their concerns. To increase tenants' trust in the cloud, it is of paramount importance to provide adequate auditing mechanisms and tools with which they can verify the security posture of their applications. Cloud auditing and compliance validation currently face many challenges. There is a significant gap between the high-level recommendations given in most cloud-specific standards and the low-level logging information available in existing cloud infrastructures. Furthermore, the unique characteristics of cloud computing add complexity to the task: the heterogeneous solutions used to deploy cloud systems complicate data collection and processing, and the sheer scale of the cloud, together with its self-provisioning, elastic, and dynamic nature, complicates auditing further. In this paper, we survey existing cloud security auditing approaches. We propose a taxonomy that classifies them by auditing objective and auditing technique, devise a systematic process flow for cloud security auditing, and conduct a comparative study of existing works to identify their strengths and weaknesses. Finally, we report open challenges in cloud security auditing.
Acknowledgement
The authors thank the anonymous reviewers for their valuable comments. This work is partially supported by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under CRD Grant N01823 and by PROMPT Quebec.
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Majumdar, S., Madi, T., Jarraya, Y., Pourzandi, M., Wang, L., Debbabi, M. (2019). Cloud Security Auditing: Major Approaches and Existing Challenges. In: Zincir-Heywood, N., Bonfante, G., Debbabi, M., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2018. Lecture Notes in Computer Science, vol 11358. Springer, Cham. https://doi.org/10.1007/978-3-030-18419-3_5
DOI: https://doi.org/10.1007/978-3-030-18419-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-18418-6
Online ISBN: 978-3-030-18419-3
eBook Packages: Computer Science (R0)