access icon free Service level agreement-based GDPR compliance and security assurance in (multi)Cloud-based systems

Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies both privacy and security mechanisms definition, enforcement and control, including evidence collection. This study presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any) and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security level objectives in the system service level agreement and in their continuous monitoring and enforcement at runtime.

Inspec keywords: security of data; quality assurance; data protection; cloud computing; contracts; formal specification

Other keywords: service level agreement; security assurance; security level objectives; law enforcement authorities; multicloud-based systems; privacy controls; service provision; European General Data Protection Regulation; DevOps framework; evidence collection; GDPR compliance; security controls

Subjects: Legal aspects of computing; Formal methods; Internet software; Data security

References

    1. 1)
      • 11. Cloud Standards Customer Council, OMG: ‘Practical Guide to Cloud Service Agreements V2.0’. Available at https://www.omg.org/cloud/deliverables/practical-guide-to-cloud-service-agreements.htm, accessed 17 December 2018.
    2. 2)
      • 24. Rios, E., Iturbe, E., Palacios, M.C.: ‘Self-healing multi-cloud application modelling’. Proc. Int. Conf. on Availability, Reliability and Security, Reggio Calabria, Italy, 2017(No. 93).
    3. 3)
      • 19. Diamantopoulou, V., Pavlidis, M., Mouratidis, H.: ‘Privacy level agreements for public administration information systems’, 2017. Available at http://eprints.brighton.ac.uk/17145/, accessed 17 December 2018.
    4. 4)
      • 21. Liu, H., Bu, F., Cai, H.: ‘SLA-based service composition model with semantic support’. IEEE Asia-Pacific Proc. Services Computing Conf. (APSCC), Guilin, China, 2012, pp. 374379.
    5. 5)
      • 32. Springer: ‘Digitalization Cases: How Organizations Rethink Their Business for the Digital Age’. Available at https://www.springer.com/us/book/9783319952727, accessed 17 December 2018.
    6. 6)
      • 2. ETSI: ‘Interoperability and security in cloud computing, ETSI SR 003 391 v2.0.0’, 2015. Available at http://csc.etsi.org/resources/WP3-Report/STF486 WP3 Report-v2.0.0.pdf, accessed 17 December 2018.
    7. 7)
      • 20. Cloud Security Alliance (CSA): ‘Code of Conduct for GDPR Compliance’. Available at https://gdpr.cloudsecurityalliance.org/wp-content/uploads/sites/2/2018/06/CSA-Code-of-Conduct-for-GDPR-Compliance.pdf, accessed 17 December 2018.
    8. 8)
      • 31. Dorfmann, M.S.: ‘Introduction to risk management and insurance’ (Prentice Hall, Upper Saddle River, NJ, 1997, 6th edn.).
    9. 9)
      • 7. Casola, V., De Benedictis, A., Modic, J., et al: ‘Per-service security SLA: a new model for security management in clouds’. Proc. IEEE 25th Int. Conf. on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Paris, France, 2016, pp. 8388.
    10. 10)
      • 9. SLA-READY project: Making Cloud SLAs readily usable in the EU private sector (2015–2016). Available at http://www.sla-ready.eu, accessed 17 December 2018.
    11. 11)
      • 5. Rios, E., Iturbe, E., Mallouli, W., et al: ‘Dynamic security assurance in multi-cloud DevOps’. 2017 IEEE Conf. on Communications and Network Security (CNS), October 2017, pp. 467475.
    12. 12)
      • 17. Conley, E., Pocs, M.: ‘GDPR compliance challenges for interoperable health informaon exchanges (HIEs) and trustworthy research environments (TREs)’, Eur. J. Biomed. Inf., 2018, 14, (3), pp. 4861.
    13. 13)
      • 29. Baah, A.: ‘Agile quality assurance: deliver quality software-providing great business value’ (Book Baby, 2017).
    14. 14)
      • 23. Rak, M.: ‘Security assurance of (multi-) cloud application with security SLA composition’. Proc. Int. Conf. on Green, Pervasive, and Cloud Computing, Cetara, Italy, 2017, pp. 786799.
    15. 15)
      • 27. ‘The STRIDE Threat Model’. Available at https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx, accessed 17 Dec 2018.
    16. 16)
      • 14. Cloud Control Matrix (CCM) Alliance, C.S.: Cloud security alliance, cloud controls matrix v3.0.1 (9–1-17 Update). Available at https://cloudsecurityalliance.org/group/cloud-controls-matrix/, accessed 17 December 2018.
    17. 17)
      • 28. Ripolles, O., Muntes, V., Matthews, P., et al: ‘Agile risk management for multi-cloud software development’, IET Softw., 2018, doi: 10.1049/iet-sen.2018.5295.
    18. 18)
      • 25. ‘How Visibility of the Attack Surface Minimizes Risk’. Available at https://www.sans.org/reading-room/whitepapers/cloud/visibility-attack-surface-minimizes-risk-38540, accessed 17 December 2018.
    19. 19)
      • 22. Zappatore, M., Longo, A., Bochicchio, M.A.: ‘SLA composition in service networks’. Proc. of the 30th Annual ACM Symp. on Applied Computing – SAC ‘15, Salamanca, Spain, 2015, pp. 12191224.
    20. 20)
      • 4. ENACT project: Development, Operation, and Quality Assurance of Trustworthy Smart IoT Systems (2018–2020). Available at http://www.enact-project.eu, accessed 17 December 2018.
    21. 21)
      • 26. ‘OWASP Risk Rating Methodology’. Available at https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology, accessed 17 December 2018.
    22. 22)
      • 10. SLALOM project: Service Level Agreement – Legal and Open Model (2015–2016). Available at http://www.slalom-project.eu/, accessed 17 December 2018.
    23. 23)
      • 8. SPECS project: Secure Provisioning of Cloud Services based on SLA management (2013–2016). Available at http://www.specs-project.eu, accessed 17 December 2018.
    24. 24)
      • 13. National Institute of Standards and Technology (NIST): ‘Security and Privacy Controls for Information Systems and Organizations’. NIST SP-800–53, revison 5 Draft.
    25. 25)
      • 6. Rios, E., Rak, M., Iturbe, E., et al: ‘SLA-based continuous security assurance in multi-cloud DevOps’. CEUR Workshop Proc., Oslo, Norway, 2017. Available at http://ceur-ws.org/Vol-1977/, accessed 17 December 2018.
    26. 26)
      • 30. Cloud Security Alliance: ‘Consensus Assessments Initiative Questionnaire v3.0.1’. Available at https://cloudsecurityalliance.org/download/consensus-assessments-initiative-questionnaire-v3-0-1/, accessed 17 December 2018.
    27. 27)
      • 1. Deloitte: ‘Measuring the economic impact of cloud computing in Europe, smart number: 2014/0031’, April 2016. Available at http://ec.europa.eu/newsroom/document.cfm?doc_id=41184, accessed 17 December 2018.
    28. 28)
      • 15. Casola, V., Benedictis, A.D., Rak, M., et al: ‘A security metric catalogue for cloud applications’. Proc. Int. Conf. on Complex, Intelligent, and Software Intensive Systems (CISIS), Torino, Italy, July 2017, pp. 854863.
    29. 29)
      • 3. MUSA project: Multi-cloud Secure Applications (2015–2017). Available at https://www.musa-project.eu, accessed 17 December 2018.
    30. 30)
      • 16. NIST Cloud Computing Program Information Technology Laboratory: ‘Cloud Computing Service Metrics Description NIST SP-500–307’, 2015.
    31. 31)
      • 18. Ahmadian, A.S., Jürjens, J.: ‘Supporting model-based privacy analysis by exploiting privacy level agreements’. Proc. Int Conf. Cloud Computing Technology and Science (CloudCom), Luxembourg, 2016, pp. 360365.
    32. 32)
      • 12. Casola, V., De Benedictis, A., Rak, M., et al: ‘Automatically enforcing security SLAs in the cloud’, IEEE Trans. Serv. Comput., 2016, 10, (5), pp. 741755.
http://iet.metastore.ingenta.com/content/journals/10.1049/iet-sen.2018.5293
Loading

Related content

content/journals/10.1049/iet-sen.2018.5293
pub_keyword,iet_inspecKeyword,pub_concept
6
6
Loading