
Abstract

This paper introduces the concept of moving security and compliance policy automation for Cloud applications and mashups into the Cloud. In this way, Cloud applications and mashups can be protected more seamlessly within the Cloud computing paradigm, and the secure software development lifecycle for Cloud applications is improved and simplified. The policy automation aspects covered in this paper include policy configuration, technical policy generation using model-driven security, application authorization management, and incident reporting. Policy configuration is provided as a subscription-based Cloud service to application development tools, while technical policy generation, enforcement and monitoring are embedded into Cloud application development and runtime platforms. OpenPMF Security & Compliance as a Service (“ScaaS”), a reference implementation using ObjectSecurity OpenPMF, is also presented. The paper argues that security and compliance policy management for agile distributed application landscapes such as Cloud mashups needs to be model-driven and automated in order to be agile, manageable, reliable, and scalable.



Copyright information

© 2011 Vieweg+Teubner Verlag | Springer Fachmedien Wiesbaden GmbH

About this chapter

Cite this chapter

Lang, U. (2011). Cloud & SOA Application Security as a Service. In: Pohlmann, N., Reimer, H., Schneider, W. (eds) ISSE 2010 Securing Electronic Business Processes. Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9788-6_6


  • DOI: https://doi.org/10.1007/978-3-8348-9788-6_6

  • Publisher Name: Vieweg+Teubner

  • Print ISBN: 978-3-8348-1438-8

  • Online ISBN: 978-3-8348-9788-6
