Service level agreement‐based GDPR compliance and security assurance in (multi)Cloud‐based systems

Published: 01 June 2019

Abstract

Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and security assurance are currently two major challenges for Cloud‐based systems. GDPR compliance implies the definition, enforcement and control of both privacy and security mechanisms, including evidence collection. This study presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the privacy and security controls necessary for ensuring transparency to end‐users, to third parties involved in service provision (if any) and to law enforcement authorities. The framework relies on the risk‐driven specification, at design time, of privacy and security level objectives in the system's service level agreement, and on their continuous monitoring and enforcement at runtime.

Published In

IET Software, Volume 13, Issue 3
June 2019
61 pages
EISSN: 1751-8814
DOI: 10.1049/sfw2.v13.3

Publisher

John Wiley & Sons, Inc., United States

Author Tags

  1. security of data
  2. cloud computing
  3. contracts
  4. data protection
  5. formal specification
  6. quality assurance

Author Tags

  1. security assurance
  2. European General Data Protection Regulation
  3. evidence collection
  4. security controls
  5. service provision
  6. law enforcement authorities
  7. security level objectives
  8. service level agreement
  9. DevOps framework
  10. privacy controls
  11. GDPR compliance
  12. multicloud-based systems

Qualifiers

  • Research-article

Cited By

  • (2024) GDPR compliance through standard security controls. Journal of High Speed Networks, 30(2), 147–174. DOI: 10.3233/JHS-230080. Online publication date: 1 Jan 2024
  • (2024) SYNAPSE - An Integrated Cyber Security Risk & Resilience Management Platform, With Holistic Situational Awareness, Incident Response & Preparedness Capabilities. Proceedings of the 19th International Conference on Availability, Reliability and Security, 1–10. DOI: 10.1145/3664476.3669924. Online publication date: 30 Jul 2024
  • (2024) Emergent Needs in Assuring Security-Relevant Compliance of Information Systems. Proceedings of the 2024 European Interdisciplinary Cybersecurity Conference, 46–49. DOI: 10.1145/3655693.3655708. Online publication date: 5 Jun 2024
  • (2023) Compliance Checking of Cloud Providers: Design and Implementation. Distributed Ledger Technologies: Research and Practice, 2(2), 1–20. DOI: 10.1145/3585538. Online publication date: 8 Jun 2023
  • (2023) Requirements management in DevOps environments: a multivocal mapping study. Requirements Engineering, 28(3), 317–346. DOI: 10.1007/s00766-023-00396-w. Online publication date: 1 Sep 2023
