A pattern-based method for establishing a cloud-specific information security management system

Establishing information security management systems for clouds considering security, privacy, and legal compliance

  • Req. Engineering for Security, Privacy & Services in Cloud Environments
  • Requirements Engineering

An Erratum to this article was published on 04 July 2013

Abstract

Assembling an information security management system (ISMS) according to the ISO 27001 standard is difficult, because the standard provides only very sparse support for system development and documentation. Assembling an ISMS consists of several difficult tasks, e.g., asset identification, threat and risk analysis, and security reasoning. Moreover, the standard demands consideration of laws and regulations, as well as privacy concerns. These demands present multi-disciplinary challenges for security engineers. Cloud computing provides scalable IT resources, but the challenges of establishing an ISMS increase because of the significant number of stakeholders and technologies involved and the distribution of clouds among many countries. We analyzed the ISO 27001 demands for these multi-disciplinary challenges and cloud computing systems. Based on these insights, we provide a method that relies upon existing requirements engineering methods and patterns for several security tasks, e.g., context descriptions, threat analysis and policy definition. These can ease the effort of establishing an ISMS and can produce the necessary documentation for an ISO 27001 compliant ISMS. We illustrate our approach using the example of an online bank.





Acknowledgments

This research was partially supported by the EU project Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS, ICT-2009.1.4 Trustworthy ICT, Grant No. 256980) and the Ministry of Innovation, Science, Research and Technology of the German State of North Rhine-Westphalia and EFRE (Grant No. 300266902 and Grant No. 300267002).

Author information

Corresponding author

Correspondence to Kristian Beckers.

Cite this article

Beckers, K., Côté, I., Faßbender, S. et al. A pattern-based method for establishing a cloud-specific information security management system. Requirements Eng 18, 343–395 (2013). https://doi.org/10.1007/s00766-013-0174-7

  • DOI: https://doi.org/10.1007/s00766-013-0174-7