Conference Paper

Towards Continuous Certification of Infrastructure-as-a-Service Using Low-Level Metrics


... Existing certification schemes followed the evolution of ICT systems [2], first focusing on the certification of traditional software-based systems (e.g., [10]) and then focusing on the certification of service-based and cloud-based systems in virtually any domains (e.g., [3], [4], [6], [11]). Two main approaches to evidence collection have been proposed to support existing certification schemes: i) test-based evidence collection, where evidence is collected as the result of testing activities performed by the Certification Authority (CA) on the target of certification [3], [4], [6]; ii) monitor-based evidence collection, where evidence is collected in the form of metrics retrieved by monitoring service execution [11]- [19]. These approaches have been then applied in additional scenarios, including compliance with Service-Level Agreements [13], [16], [17], [20]- [23], verification-as-a-service in grid computing [24], behavioral analysis of Network Virtualization Functions [25], as well as data integrity in cloud-edge datastores [26]. ...
... A3) Certificates awarded to services according to their software artifacts only. The certification scheme builds its evaluation, and corresponding certificate award, on evidence collected by analyzing the software artifacts of the target of certification [3], [4], [6], [11]. In other words, evidence is collected by testing and monitoring the software artifacts of the target service, ignoring additional information coming from, for example, the development process. ...
Article
Full-text available
Cloud computing has deeply changed how distributed systems are engineered, leading to the proliferation of ever-evolving and complex environments, where legacy systems, microservices, and nanoservices coexist. These services can severely impact individuals' security and safety, introducing the need for solutions that properly assess and verify their correct behavior. Security assurance stands out as the way to address such pressing needs, with certification techniques being used to certify that a given service holds some non-functional properties. However, existing techniques build their evaluation on software artifacts only, falling short in providing a thorough evaluation of the non-functional properties under certification. In this paper, we present a multi-dimensional certification scheme where additional dimensions model relevant aspects (e.g., programming languages and development processes) that significantly contribute to the quality of the certification results. Our multi-dimensional certification enables a new generation of service selection approaches capable of handling a variety of users' requirements on the full system life cycle, from system development to its operation and maintenance. The performance and the quality of our approach are thoroughly evaluated in several experiments.
... Recently, researchers and practitioners have started to investigate how to innovate the process of certifying cloud services to address the challenges of an ever-changing cloud service infrastructure and to increase the reliability of issued cloud service certifications (e.g., EuroCloud's StarAudit or CSA's Security, Trust & Assurance Registry). These efforts have generated innovative specifications of architectures, processes, and prototypes that enable certification authorities to continually certify cloud services (Anisetti, Ardagna, & Damiani, 2015; Lins, Schneider, & Sunyaev, 2018; Stephanow & Fallenbeck, 2015). Continuous service certification (CSC) involves consistently gathering and assessing certification-relevant information about cloud service operations to validate whether they adhere to ongoing certification criteria. ...
... Monitoring-based CSC: Cloud service providers monitor their service infrastructure to collect and provide certification-relevant information to certification authorities (Krotsiani et al. (2015), Krotsiani (2016), Stephanow & Fallenbeck (2015); this study). ...
... For example, researchers developed a prototypical monitoring-based CSC infrastructure (called "CUMULUS") to, for instance, verify database user identification to validate certification criteria (Krotsiani et al., 2015; Krotsiani, 2016). Likewise, prior research has shown that certification authorities can use various monitoring metrics and key performance indicators (e.g., availability and resource management indicators and hypervisor security metrics) for monitoring-based CSC purposes (Stephanow & Fallenbeck, 2015). While test- and monitoring-based CSC methodologies complement each other because certification authorities can use them in parallel to collect diverse evidence about certification adherence, both CSC methodologies have advantages and disadvantages. ...
Article
Full-text available
Continuous service certification (CSC) involves consistently gathering and assessing certification-relevant information about cloud service operations to validate whether they continue to adhere to certification criteria. Previous research has proposed test-based CSC methodologies that directly assess the components of cloud service infrastructures. However, test-based certification requires that certification authorities can access the cloud infrastructure, which various issues may limit. To address these challenges, cloud service providers need to conduct monitoring-based CSC; that is, monitor their cloud service infrastructure to gather certification-relevant data by themselves and then provide these data to certification authorities. Nevertheless, we need to better understand how to design monitoring systems to enable cloud service providers to perform such monitoring. By taking a design science perspective, we derive universal meta-requirements and design guidelines for CSC monitoring systems based on findings from five expert focus group interviews with 33 cloud experts and 10 one-to-one interviews with cloud customers. With this study, we expand the current knowledge base regarding CSC and monitoring-based CSC. Our derived design guidelines contribute to the development of CSC monitoring systems and enable monitoring-based CSC that overcomes issues of prior test-based approaches.
... Recently, researchers and practitioners have started to investigate how to innovate the process of certifying cloud services to address the challenges of an ever-changing cloud service infrastructure and to increase the reliability of issued cloud service certifications (e.g., EuroCloud's StarAudit or CSA's Security, Trust & Assurance Registry). These efforts have generated innovative specifications of architectures, processes, and prototypes that enable continuous certification of cloud services by certification authorities (Anisetti, Ardagna, & Damiani, 2015; Lins, Schneider, & Sunyaev, 2018; Stephanow & Fallenbeck, 2015). Continuous service certification (CSC) involves consistent gathering and assessing of certification-relevant information about cloud service operation to validate ongoing certification criteria adherence. ...
... (Anisetti et al., 2017; Ardagna et al., 2018; Katopodis, Spanoudakis, & Mahbub, 2014; Lins, Thiebes, Schneider, & Sunyaev, 2015; Stephanow & Banse, 2017; Stephanow, Srivastava, & Schütte, 2016). Monitoring-based CSC: Cloud service providers monitor their service infrastructure to collect and provide certification-relevant information to certification authorities (Krotsiani et al., 2015; Krotsiani, 2016; Stephanow & Fallenbeck, 2015; this study). ...
... For example, a prototypical monitoring-based CSC infrastructure (called 'CUMULUS') was developed to, for instance, verify database user identification to validate certification criteria (Krotsiani et al., 2015; Krotsiani, 2016). Likewise, prior research has shown that various monitoring metrics and key performance indicators of cloud services can be used for monitoring-based CSC purposes, including availability and resource management indicators and hypervisor security metrics (Stephanow & Fallenbeck, 2015). ...
Article
Full-text available
Continuous service certification (CSC) involves the consistent gathering and assessing of certification-relevant information about cloud service operation to validate ongoing certification criteria adherence. Previous research has proposed test-based CSC methodologies that directly assess components of the cloud service infrastructure. However, test-based certification requires access to the cloud infrastructure by certification authorities, which may be limited due to various issues. To address these challenges, cloud service providers have to monitor their cloud service infrastructure to gather certification-relevant data by themselves, and then provide these data to certification authorities, which is referred to as monitoring-based CSC. Nevertheless, we require a better understanding of how to design monitoring systems to enable monitoring-based CSC of cloud services. By taking a design science perspective, we derive universal meta-requirements and design guidelines for CSC monitoring systems based on findings from five expert focus group interviews with 33 cloud experts and 10 one-to-one interviews with cloud customers. With this study, we have expanded the current knowledge base regarding CSC and monitoring-based CSC. Our derived design guidelines contribute to the development of CSC monitoring systems and enable monitoring-based CSC that overcomes issues of prior test-based approaches.
... Prior research mostly focused on developing CSC prototypes, processes and concepts (e.g., Stephanow and Fallenbeck (2015)) and neglected to understand why stakeholders (i.e., certification authorities and CSP) are actually willing to adopt those continuous assessment approaches. As CSC exhibits unique characteristics, including an independent third party that performs continuous assessments and a high technological complexity, applying previous research findings in CSC contexts might be limited (Quinting et al. 2017; Teigeler et al. 2018). ...
... Existing cloud service certifications represent only a retrospective look at the fulfilment of technical and organizational measures at the time of their issuing (Lins et al. 2016a). Conditions and requirements of certifications may no longer be met throughout these validity periods because cloud services are confronted with an ever-changing environment (Lins et al. 2016b; Stephanow and Fallenbeck 2015). CSC is required to deal with the ever-changing environment, and to assure continuously reliable certifications and trustworthy, secure cloud services. ...
... Current certification practices are mostly based upon manual auditing operations, for example, performing interviews and manual security tests. The transition to CSC requires an automation of certification processes and an adjustment of cloud monitoring systems, thus CSC is less compatible with current certification approaches (Lins et al. 2016b; Stephanow and Fallenbeck 2015). Experimentation with Innovations. ...
Conference Paper
Full-text available
Recent research efforts resulted in innovative prototypes that enable certification authorities to continuously certify cloud service providers (CSP). Performing continuous service certification (CSC) is beneficial for CSP and certification authorities, and has the potential to reduce security and privacy concerns of customers that hamper the adoption of cloud services. Yet, CSC is currently lacking wide-scale diffusion due to the 'chicken and egg problem': certification authorities demand a critical mass of consumers before they consider entering the market. Yet, CSC services are desperately needed to establish this critical mass of consumers in the first place. Hence, to enable diffusion of CSC, both certification authorities (as CSC provider) and CSP (as CSC consumer) have to be motivated to adopt the CSC innovation. We build on the technology-push and market-pull theories to identify factors that drive CSC diffusion. We take a holistic perspective in particular as we analyze the adoption intention of CSP and certification authorities simultaneously from a technology-push and market-pull perspective to resolve the 'chicken and egg problem'.
... Several cloud service certifications have evolved that attempt to assure a high level of security, reliability and legal compliance over a validity period of one to three years. To increase the reliability and trustworthiness of issued certifications and to overcome drawbacks of traditional certifications in dynamic cloud environments (see [3]), researchers (i.e., [4][5][6]) and organizations (i.e., Cloud Security Alliance [7] and EuroCloud [8]) just recently started to develop and design innovative continuous cloud services certification processes. Continuous cloud service certification enables certification authorities to immediately react to changes or events concerning the cloud service and to adjust their certification reports based on an assessment of these changes and events [3]. ...
... On the one hand, these characteristics make cloud computing an attractive alternative to traditional IT usage for organizations [22]. On the other hand, they challenge contemporary security and privacy risk assessment approaches [5,23,24]. Therefore, cloud computing faces a broad range of risks including lack of accessibility and reliability, virtualization and application vulnerabilities, privacy and control issues as well as issues related to data integrity, segregation and confidentiality [25][26][27]. ...
... However, interviews revealed that customers do not like a fully automated certification process, instead they demand manual validation checks of certification results by the certification authority (4). Fifth, CSC can provide customers (and certification authorities) with the means to perform on-demand certification checks to validate provider's adherence to certification requirements at any time (5). Customers might be able to start automated certification procedures on demand by using a web interface. ...
Conference Paper
Full-text available
Continuous service certification (CSC) of cloud services enables certification authorities to immediately react to changes or events concerning the cloud service and to adjust their certification reports based on assessment of these changes and events. Performing CSC is beneficial for cloud providers, certification authorities and customers altogether. Yet, CSC currently remains underexplored and evaluated in trials only, and is therefore on its pre-diffusion stage. To enhance the diffusion of CSC, I'm trying to identify characteristics of CSC that will influence cloud service customers during my dissertation. Therefore, I'm developing an explanatory theoretical model that describes and explains the effects of CSC on customers' perceptions by applying a mixed method research approach. Initial findings reveal that CSC exhibits unique characteristics (i.e., timeliness of results, scope and risks) that influence customers' perceptions about a certification and the certified cloud service.
... Several CSC (e.g., CSA STAR) and cloud certification schemes in particular (e.g., ISO 27017) have emerged to assure a high level of security, reliability, and legal compliance of cloud services. Recent research suggests that CA is required to deal with the ever-changing environment of cloud services and to increase trustworthiness of CSC [6,16,17]. ...
... Ardagna et al. (2012) propose a machine-readable certification, which is issued to the service after validating its reliability properties [29]. Stephanow and Fallenbeck (2015) demonstrate how metrics can serve to support continuous validation of generic CSC criteria [17,30,31]. Lins et al. (2015) reviewed various automated auditing and monitoring methodologies, and briefly evaluate their applicability in the context of cloud computing [12]. ...
... To deal with this individualism, auditors should develop a comprehensive metric and key performance indicator collection (see for example [17]), which can be used to evaluate criteria adherence based on different data inputs. Metrics might be derived and classified according to the goal question metric method in a systematic top-down fashion by defining the goal to analyze cloud computing system designs and questions that help achieve corresponding goals [78]. ...
Article
Cloud service certifications (CSC) attempt to assure a high level of security and compliance. However, considering that cloud services are part of an ever-changing environment, multi-year validity periods may put in doubt the reliability of such certifications. We argue that continuous auditing (CA) of selected certification criteria is required to assure continuously reliable and secure cloud services, and thereby increase trustworthiness of certifications. CA of cloud services is still in its infancy, thus, we conducted a thorough literature review, interviews, and workshops with practitioners to conceptualize an architecture for continuous cloud service auditing. Our study shows that various criteria should be continuously audited. Yet, we reveal that most existing methodologies are not applicable for third party auditing purposes. Therefore, we propose a conceptual CA architecture, and highlight important components and processes that have to be implemented. Finally, we discuss benefits and challenges that have to be tackled to diffuse the concept of continuous cloud service auditing. We contribute to knowledge and practice by providing applicable internal and third party auditing methodologies for auditors and providers, linked together in a conceptual architecture. Further on, we provide groundings for future research to implement CA in cloud service contexts.
... While research on CSC has progressed in past years, it has to date yielded mainly conceptual findings that focus on process models (e.g., Kunz and Stephanow, 2017; Lins et al., 2016a), architectures (e.g., Krotsiani et al., 2015; Lins et al., 2018), and techniques (e.g., Stephanow et al., 2016; Anisetti et al., 2017; Lins et al., 2015) for achieving CSC. One recent research stream proposes the use of monitoring data to achieve CSC and to address the imminent need to provide continuous assurances to cloud consumers (Krotsiani et al., 2015; Stephanow and Fallenbeck, 2015; Lins et al., 2019). This monitoring-based service certification (MSC) approach seeks to extract and synthesize cloud environments' monitoring data that is routinely gathered by providers, followed by providing aggregated certification-relevant data to certification authorities to enable ongoing data analyses. ...
... Yet, prior research has mostly focused on achieving and applying test-based CSC (e.g., Stephanow and Banse, 2017; Anisetti et al., 2015). The extant research on MSC has proven its feasibility by developing prototypes (e.g., Krotsiani et al., 2015; Krotsiani, 2016), and has provided recommendations on which cloud properties to monitor (e.g., Stephanow and Fallenbeck, 2015). We still require a deeper understanding of how to design more sophisticated MSC systems to address the risk of data manipulation and the challenging interplay between certification authorities and cloud providers. ...
Conference Paper
Full-text available
Given cloud services' growing diffusion in business environments, cloud providers are searching for novel ways to provide effective assurances to cloud consumers. Continuous service certification (CSC) recently emerged as a promising way to address cloud consumers' assurance needs, which stem from the inherent complexity and dynamics of today's cloud environments. One CSC approach is to use the monitoring data of a provider's cloud infrastructure for (semi-)automated certification processes. While a monitoring-based CSC approach has the potential to provide ongoing assurances concerning key properties of a cloud infrastructure (e.g., service availability and security), research to date lacks guidance on how to design and implement monitoring-based CSC. Following the design science paradigm with an exploratory inductive research approach, we contribute to the design knowledge base for CSC by proposing meta-requirements and design principles based on comprehensive interviews with cloud experts, and by offering insights into the development and evaluation of a prototypical artefact in a realistic scenario of a German cloud provider. Continuing our research will provide the design knowledge needed by cloud providers to implement monitoring-based CSC and thus will help address the deficiencies and assurance needs of today's cloud environments.
... Even when the number of active service users reaches its peak, the cloud service has to fulfil certification performance requirements. Consequently, certification authorities might apply a continuous certification approach [16,60] in the context of cloud gaming. Continuous service certification involves consistent gathering and assessing of certification-relevant information about cloud service operation to validate ongoing certification criteria adherence [61]. ...
Conference Paper
Cloud services have already become an elementary part of our everyday lives. Nowadays even computer games are executed on powerful cloud servers. These cloud gaming services have many benefits for users, yet they have to fulfil high quality requirements to satisfy users' needs because even minimal performance losses are directly observable and worsen the gaming experience. Traditionally, cloud service providers undergo certifications to increase transparency and address users' quality concerns. However, existing certifications are not applicable in the context of cloud gaming to prove a high service quality, and it remains unclear which requirements a cloud gaming service has to fulfil. We conduct a thorough literature review to identify requirements for cloud gaming services as well as extensively review existing cloud service certifications. At the same time, we pay special attention to the interdependencies between the individual stages of the cloud service provisioning chain. With our study, we advance the understanding of cloud gaming services by providing a synthesis and discussion of requirements that providers need to fulfil to ensure user satisfaction. We guide future research as well as practitioners towards a new generation of cloud service certification for cloud gaming services.
... If signal consistency is high, and thus consumers' reviews are communicating the same quality level, a high signal reliability can be assumed. Similarly, in the context of web assurance seals, researchers have recently begun to propose innovative certification approaches that continuously verify cloud service provider's adherence to the assurance requirements (Anisetti et al. 2017;Lins et al. 2016b;Stephanow et al. 2016;Stephanow and Fallenbeck 2015), and might counteract issues regarding a low signaling fit or signaler's honesty. Future research is needed to analyze how signal reliability and effectiveness can be increased over time in detail. ...
Conference Paper
Full-text available
Signaling theory has compellingly demonstrated that embedding internet signals (i.e., web assurance seals, privacy policies, consumer feedback) by cloud service providers can be considered as credible indicators of providers' attributes, thereby reducing uncertainties and information asymmetries in cloud service markets. However, cloud service providers are operating in a dynamic environment characterized by fast technology life cycles, ongoing service improvements, and a steady emergence of new environmental vulnerabilities. Those dynamics might threaten the long-term reliability of embedded internet signals. We believe that traditional assumptions of signaling theory might not be necessarily applicable to cloud service markets, and thus try to investigate how signal reliability can be ensured in the long run in dynamic environments. In particular, we argue that signal reliability will decline over time as cloud service providers constantly have to cope with emerging changes in the market environment resulting in a low signaling fit or low signaler's honesty.
... In the last few years, cloud service providers as well as researchers have spent a lot of effort in designing and developing security assurance solutions and guidelines to fill in these security gaps [4], [5]. This effort led to the definition of different audit, certification, and compliance standards and techniques increasing cloud transparency and trustworthiness [6], [7], [8], [2]. Current assurance techniques provide continuous evaluation based on trustworthy and verifiable evidence collected at all layers of the cloud stack. ...
... Stephanow et al. [16] also presented an approach to continuous certification based on a set of metrics at infrastructure layer. These metrics, which collect evidence of service changes, represent the basis for continuous certification and can be integrated within our certification process to further reduce the need of human intervention. ...
Article
Traditional assurance solutions for software-based systems rely on static verification techniques and assume continuous availability of trusted third parties. With the advent of cloud computing, these solutions become ineffective since services/applications are flexible, dynamic, and change at run time, at high rates. Although several assurance approaches have been defined, cloud requires a step-change moving current assurance techniques to fully embrace the cloud peculiarities. In this paper, we provide a rigorous and adaptive assurance technique based on certification, towards the definition of a transparent and trusted cloud ecosystem. It aims to increase the confidence of cloud customers that every piece of the cloud (from its infrastructure to hosted applications) behaves as expected and according to their requirements. We first present a test-based certification scheme proving non-functional properties of cloud-based services. The scheme is driven by non-functional requirements defined by the certification authority and by a model of the service under certification. We then define an automatic approach to verification of consistency between requirements and models, which is at the basis of the chain of trust supported by the certification scheme. We also present a continuous certificate life cycle management process including both certificate issuing and its adaptation to address contextual changes. Finally, we describe our certification framework and an experimental evaluation of its performance, quality, applicability, and practical usability in a real industrial scenario, which considers Engineering Ingegneria Informatica S.p.A. ENGpay online payment system.
... Certification authorities must establish CSC and management systems to support the certification planning, management, operation and scheduling activities, develop new certification processes and train their employees. In order to reduce the complexity of the CSC, authorities can build on existing monitoring systems and processes of the provider to gather certification-relevant data [25]. For example, certification authorities might access an interface that enables the secure and reliable transmission of relevant data. ...
Conference Paper
Full-text available
Cloud certifications are a good means to assure users of a high level of security and reliability of certified cloud services. However, cloud environments are highly dynamic due to the challenging cloud characteristics and fast technology life-cycles. We believe that current certifications fail to cope with an ever-changing cloud environment because assessments are based only on manual expert assessments and periodic spot checks. We argue that continuous service certification (CSC) is required to assure reliable and trustworthy cloud services. To understand and enhance CSC's rate of adoption, we examine the adoption process of CSC from the perspective of certification authorities by building on the Diffusion of Innovations theory and the Technology-Organization-Environment framework. Our findings reveal that the innovation's characteristics, organizational and environmental influences will affect the adoption of CSC by certification authorities. We advance the understanding of the CSC adoption process by providing a synthesis and discussion of important factors.
... Currently, various research projects have evolved which deal with the development and evaluation of innovative techniques and tools to enable third parties to continuously audit and assess cloud service behaviour (e.g., NGCert (2015), and CUMULUS (2012)). Therefore, different cutting-edge approaches to enable third party auditing have been proposed in the context of cloud computing just recently, for example, methodologies to enable external auditors to simultaneously verify the integrity of multiple users' data (Wang et al., 2014) as well as architectures and metrics to support continuous validation of generic cloud (certification) requirements (Stephanow et al., 2016; Stephanow and Fallenbeck, 2015). Likewise, organizations such as Cloud Security Alliance and EuroCloud have just started to develop innovative processes and techniques for CATP of cloud services. ...
Conference Paper
Full-text available
Using cloud services empowers organizations to achieve various financial and technical benefits. Nonetheless, customers are faced with a lack of control since they cede control over their IT resources to the cloud providers. Independent third party assessments have been recommended as good means to counteract this lack of control. However, current third party assessments fail to cope with an ever-changing cloud computing environment. We argue that continuous auditing by third parties (CATP) is required to assure continuously reliable and secure cloud services. Yet, continuous auditing has been applied mostly for internal purposes, and adoption of CATP remains lagging behind. Therefore, we examine the adoption process of CATP by building on the lenses of diffusion of innovations theory as well as conducting a scientific database search and various interviews with cloud service experts. Our findings reveal that relative advantages, a high degree of compatibility and observability of CATP would strongly enhance adoption, while a high complexity and a limited trialability might hamper diffusion. We contribute to practice and research by advancing the understanding of the CATP adoption process by providing a synthesis of relevant attributes that influence adoption rate. More importantly, we provide recommendations on how to enhance the adoption process.
Chapter
Cloud computing can be used to access and store data and to deliver different services over the internet. Using cloud storage, users can remotely store their data. A cloud service provider (CSP) enables data owners to store and access their valuable data on the cloud server and offers them on-demand data access without maintaining a local copy of their data. Even though this service spares the data owners from employing their own third-party auditor, it certainly poses serious security threats in maintaining the data owners' cloud data. In addition, integrity is also an important issue in maintaining the data owners' data stored on the cloud server. This survey presents an overview of integrity checking and continuous auditing. The review work is based on creating secure clouds through continuous auditing, and a cloud certification system (CCS) is used for high-level security. This survey helps to provide security through continuous auditing, to overcome integrity issues and to avoid attacks by means of an integrity checking algorithm and a key validation mechanism. In this survey paper, various researchers' ideas based on integrity checking and key schemes have been analyzed as a literature review.
Chapter
This chapter describes requirements and recommendations for conducting continuous certification procedures from a legal, technical and organizational perspective. In addition, possible limits and risks of continuous certification are discussed.
Chapter
Conducting monitoring-based certification procedures offers several advantages, but a number of challenges have to be overcome in their implementation. For this reason, this chapter presents requirements for monitoring systems and guidelines for the design of monitoring systems for continuous certification. Finally, feasibility is evaluated through the development of a prototype.
Chapter
This chapter describes the problem of a highly dynamic cloud service environment and the resulting challenges for existing certification processes. Conducting traditional certification processes requires a certain stability of the cloud service, so that the audit results can be assumed to remain identical over the entire validity period. Since cloud services are characterized by dynamic properties, fast-moving technology and a constantly changing environment, however, compliance with certification criteria over the validity period is seriously at risk. As a solution, a continuous certification process is presented that comprises automated monitoring and auditing techniques to enable ongoing determination, evaluation and decision-making, and that includes mechanisms for the transparent provision of certification-relevant information in order to continuously confirm compliance with the certification criteria. In addition, the scope of continuous certification processes is discussed and the changed value-creation network is set out.
Book
This book provides a framework for the certification of services in the cloud. Its centerpiece is a comprehensive catalogue of criteria for the assessment of cloud services, developed in the research project „Value4Cloud“, funded by the Bundesministerium für Wirtschaft und Technologie. Cloud service users are supported in evaluating, comparing and selecting services. The book is also suitable for cloud service providers for self-assessment and for improving their own services.
New in the 2nd edition
To increase the credibility of issued certificates, the 2nd edition of this book introduces the innovative procedure of continuous certification. Continuous certifications make it possible to check critical requirements for cloud services on an ongoing and (semi-)automated basis. In particular, fundamentals, metrics, measurement methods and design guidelines for the continuous and (semi-)automated certification of cloud services are presented, which were developed in the research project „Next Generation Certification“, funded by the Bundesministerium für Bildung und Forschung.
Contents
  • Fundamentals of the (continuous) certification of cloud services
  • Design recommendations for cloud service certifications
  • Catalogue of criteria for the certification of cloud services
  • Measurement procedures for conducting continuous certifications
  • Market potential of continuous certification
Article
Although intended to ensure cloud service providers' security, reliability, and legal compliance, current cloud service certifications are quickly outdated. Dynamic certification, on the other hand, provides automated monitoring and auditing to verify cloud service providers' ongoing adherence to certification requirements.
Conference Paper
Full-text available
The need for a certification process for cloud-based services is emerging as a way to address some of the remaining obstacles facing the effective development and diffusion of the cloud-computing paradigm. In this paper we take the first steps towards a complete approach containing a conceptual framework in which the specifications of basic, hybrid and incremental certification models for cloud-based services can be given. Specifically, we focus on the definition of a unifying meta-model to provide representational guidelines for (i) the definition of the security properties to be certified, (ii) the types of evidence underlying them, and (iii) the phases of the certificate life cycle, as well as for all mechanisms for generating supporting evidence.
Article
Full-text available
A large number of distributed applications require continuous and timely processing of information as it flows from the periphery to the center of the system. Examples include intrusion detection systems, which analyze network traffic in real time to identify possible attacks; environmental monitoring applications, which process raw data coming from sensor networks to identify critical situations; or applications performing online analysis of stock prices to identify trends and forecast future values. Traditional DBMSs, which need to store and index data before processing it, can hardly fulfill the timeliness requirements coming from such domains. Accordingly, during the last decade, different research communities developed a number of tools, which we collectively call Information Flow Processing (IFP) systems, to support these scenarios. They differ in their system architecture, data model, rule model, and rule language. In this article, we survey these systems to help researchers, who often come from different backgrounds, in understanding how the various approaches they adopt may complement each other. In particular, we propose a general, unifying model to capture the different aspects of an IFP system and use it to provide a complete and precise classification of the systems and mechanisms proposed so far.
Article
Full-text available
The goal of this short paper is twofold: 1) it briefly describes a new performance monitoring tool, XenMon, that we built for the Xen-based virtual environment, and 2) it presents a performance case study that demonstrates and explains how different metrics reported by XenMon can be used in gaining insight into an application’s performance and its resource usage/requirements, especially in the case of I/O intensive applications.
Conference Paper
Full-text available
Cloud computing represents a novel on-demand computing approach where resources are provided in compliance with a set of predefined non-functional properties specified and negotiated by means of Service Level Agreements (SLAs). In order to avoid costly SLA violations and to react in a timely manner to failures and environmental changes, advanced SLA enactment strategies are necessary, which include appropriate resource-monitoring concepts. Currently, Cloud providers tend to adopt existing monitoring tools, such as those from Grid environments. However, those tools are usually restricted to locality and homogeneity of monitored objects, are not scalable, and do not support mapping of low-level resource metrics (e.g., system up and down time) to high-level application-specific SLA parameters (e.g., system availability). In this paper we present a novel framework for managing the mappings of the Low-level resource Metrics to High-level SLAs (LoM2HiS framework). The LoM2HiS framework is embedded into the FoSII infrastructure, which facilitates autonomic SLA management and enforcement. Thus, the LoM2HiS framework detects future SLA violation threats and can notify the enactor component to act so as to avert the threats. We discuss the conceptual model of the LoM2HiS framework, followed by the implementation details. Finally, we present the first experimental results and a proof of concept of the LoM2HiS framework.
Conference Paper
The cloud is fast becoming a critical infrastructure. However, several recent incidents regarding the security of cloud services clearly demonstrate that security rightly remains one of the major concerns of enterprises and the general public regarding the use of the cloud. Despite advances in research related to cloud security, we are still not in a position to provide a systematic assessment of cloud security based on real operational evidence. As a step towards addressing this problem, in this paper we propose a novel approach for certifying the security of cloud services. Our approach is based on the incremental certification of security properties for different types of cloud services, including IaaS, PaaS and SaaS services, based on operational evidence from the provision of such services gathered through continuous monitoring. An initial implementation of this approach is presented.