ClouDAT
(EU & NRW funded)

ClouDAT develops an open source tool for documenting and assessing security requirements and controls in cloud computing services, and for generating documentation that conforms to given standards.
The project aims to support small and medium-sized enterprises in certifying their cloud solutions.


Project Description


The goal of the project is the development of a provider-independent approach for planning, documenting and checking security requirements and controls in cloud computing systems. The approach will be implemented as an open source tool that in turn builds on existing tools such as UML editors.

With ClouDAT, cloud computing systems can be documented on the different service levels, including SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service), together with the relevant business processes. This documentation allows third parties to assess the given systems. Risks and threats, e.g. that secret data can be accessed by the cloud provider's staff, can be located and the countermeasures against them documented. The approach is applicable to public and private cloud systems.

The documentation process will consider the different legal regulations, such as the German data protection law. A potential cloud customer will be enabled to assess whether a provided service fulfills its individual requirements. To this end, ClouDAT develops a catalog of requirements that enables a certification for IaaS, PaaS and SaaS, e.g. following the ISO 27001 standard. Besides legal requirements, it will be possible to define individual requirements of small and medium-sized enterprises.

For the documentation, ClouDAT provides a set of patterns that allow users to specify concrete requirements by inserting concrete elements. The whole approach is based on standard notations such as UML and allows integration into development processes. The use of an automated analysis tool will finally support a reasonably priced certification of cloud computing systems, which makes certification attractive also for smaller enterprises.
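The two ideas above, requirement patterns instantiated with concrete elements of the documented system and an automated check of the documented controls against those requirements, are illustrated by the following added example. It is not ClouDAT's code, catalog or model, and everything in it is an assumption for illustration: the two-entry pattern catalog, the control type names, the assets and their service layers, and the rule that a requirement is discharged only when every control type listed in its pattern is documented for the referenced asset.

```python
"""Added example (not ClouDAT's own code): a minimal pattern-based requirements
catalog and an automated check against a documented cloud system model.
All pattern texts, control types, assets and the satisfaction rule are assumptions."""
import re
from dataclasses import dataclass, field

PLACEHOLDER = re.compile(r"<(\w+)>")


@dataclass(frozen=True)
class Pattern:
    """A requirement pattern: a sentence with <placeholders> plus the set of
    documented control types that must all be present to discharge it (assumed)."""
    pid: str
    text: str
    required_controls: frozenset

    def placeholders(self) -> list:
        return PLACEHOLDER.findall(self.text)


# Constructed catalog (assumption; the real ClouDAT catalog is not on this page).
# R1 models the threat named on the page: secret data readable by provider staff.
CATALOG = {
    "R1": Pattern("R1", "Data in <asset> must not be readable by <role>.",
                  frozenset({"encryption-at-rest", "customer-managed-keys"})),
    "R2": Pattern("R2", "Access to <asset> must be logged and reviewed.",
                  frozenset({"audit-logging"})),
}


@dataclass
class Requirement:
    """A pattern instantiated with concrete elements of the documented system."""
    pattern: Pattern
    values: dict

    def __post_init__(self):
        # Reject incomplete or over-specified instantiations at documentation time.
        wanted = set(self.pattern.placeholders())
        missing, extra = wanted - set(self.values), set(self.values) - wanted
        if missing or extra:
            raise ValueError(f"{self.pattern.pid}: missing={sorted(missing)} extra={sorted(extra)}")

    def render(self) -> str:
        return PLACEHOLDER.sub(lambda m: self.values[m.group(1)], self.pattern.text)


@dataclass
class Asset:
    """An asset of the documented cloud system on one service layer."""
    name: str
    layer: str                                  # "SaaS", "PaaS" or "IaaS"
    controls: set = field(default_factory=set)  # documented control types


def check(requirements, assets):
    """Return (requirement text, verdict) per requirement; a requirement passes when
    all control types of its pattern are documented for the referenced asset."""
    by_name = {a.name: a for a in assets}
    findings = []
    for r in requirements:
        asset = by_name.get(r.values.get("asset"))
        if asset is None:
            findings.append((r.render(), "FAIL: asset not documented"))
            continue
        missing = r.pattern.required_controls - asset.controls
        if missing:
            findings.append((r.render(), f"FAIL: missing controls {sorted(missing)}"))
        else:
            findings.append((r.render(), f"OK ({asset.layer})"))
    return findings


def demo():
    """Constructed system model: a SaaS tenant database and an IaaS block volume."""
    assets = [
        Asset("tenant-db", "SaaS", {"encryption-at-rest", "audit-logging"}),
        Asset("vm-volume", "IaaS", {"encryption-at-rest", "customer-managed-keys"}),
    ]
    reqs = [
        Requirement(CATALOG["R1"], {"asset": "tenant-db", "role": "provider staff"}),
        Requirement(CATALOG["R1"], {"asset": "vm-volume", "role": "provider staff"}),
        Requirement(CATALOG["R2"], {"asset": "vm-volume"}),
    ]
    return check(reqs, assets)


if __name__ == "__main__":
    for text, verdict in demo():
        print(f"{verdict:45s} {text}")
```

The first R1 instance fails because encryption at rest alone does not keep the provider's staff out when the provider also holds the keys; the point of separating the pattern's required control types from the documented controls is that the analysis, not the reader, notices such gaps, and that the same pattern can be reused across service layers by inserting different concrete elements.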



Partners


  • ITESYS
  • University Duisburg-Essen
  • LinogistiX
  • TU Dortmund



Publications


  • J. Jürjens, A.S. Ahmadian: Model-based Security Analysis and Applications to Security Economics (Invited Talk). In: International Workshop on Security and Privacy in Model Based Engineering (SPIE 2015), 2015. In conjunction with the International Conference on Model-Driven Engineering and Software Development (MODELSWARD 2015).
    @InProceedings{spie15, author = {J.~{J}{\"u}{r}jens and A.S.~Ahmadian}, title = {Model-based Security Analysis and Applications to Security Economics (Invited Talk)}, booktitle = {International Workshop on Security and Privacy in Model Based Engineering (SPIE 2015)}, note={In conjunction with the International Conference on Model-Driven Engineering and Software Development (MODELSWARD 2015).}, OPTpages = {}, year = {2015}, OPTeditor = {}, OPTvolume = {}, OPTnumber = {}, OPTseries = {}, OPTorganization = {}, file = {preprint:http\://rgse.uni-koblenz.de/web/pages/research/projects/cloudat/publications/spie_15.pdf:URL;slides:http\://rgse.uni-koblenz.de/web/pages/research/projects/cloudat/publications/SPIE2015_slides.pdf:URL}, keywords = {hotOffThePress, invitedTalk, invitedWorkshop} }
  • A.S. Ahmadian, F. Coerschulte, J. Jürjens: Supporting the Security Certification of Cloud-Computing-Infrastructures (Invited Paper). In: Fifth International Symposium on Business Modeling and Software Design (BMSD 2015), 2015.
    @InProceedings{bmsd15, author = {A.S.~Ahmadian and F. ~Coerschulte and J.~{J}{\"u}{r}jens}, title = {Supporting the Security Certification of Cloud-Computing-Infrastructures (Invited Paper)}, booktitle = {Fifth International Symposium on Business Modeling and Software Design (BMSD 2015)}, OPTpages = {}, year = {2015}, OPTeditor = {}, OPTvolume = {}, OPTnumber = {}, OPTseries = {}, OPTorganization = {}, file = {preprint:http\://rgse.uni-koblenz.de/web/pages/research/projects/cloudat/publications/bmsd15.pdf:URL}, keywords = {hotOffThePress, invitedTalk, invitedWorkshop} }
  • J. Jürjens: Modellbasiertes Sicherheits-Testen für Cloud-basierte Prozesse (Model-based Security Testing for Cloud-based Processes). In: iqnite 2015, 2015.
    @INPROCEEDINGS{iqnite15, author = {J.~{J}{\"u}{r}jens}, title = {{Modellbasiertes Sicherheits-Testen f\"ur Cloud-basierte Prozesse}}, booktitle = {iqnite 2015}, year = {2015}, keywords = {hotOffThePress, nonEnglish}, file = {slides:https://rgse.uni-koblenz.de/web/pages/research/projects/cloudat/publications/iqnite15.pdf:URL}, url = {http://www.iqnite-conferences.com/de} }
  • T. Humberg, C. Wessel, D. Poggenpohl, S. Wenzel, T. Ruhroth, J. Jürjens: Using Ontologies to Analyze Compliance Requirements of Cloud-Based Processes. In: Cloud Computing and Services Science (selected best papers), Springer, Communications in Computer and Information Science, vol. 453, pp. 1-16, 2014.
    @INPROCEEDINGS{closer13selected, author = {T.~Humberg and C.~Wessel and D.~Poggenpohl and S.~Wenzel and T.~Ruhroth and J.~J\"urjens}, title = {Using Ontologies to Analyze Compliance Requirements of Cloud-Based Processes}, booktitle = {Cloud Computing and Services Science (selected best papers)}, year = {2014}, volume = {453}, series = {Communications in Computer and Information Science}, publisher = {Springer}, keywords = {hotOffThePress, secureSoftwareEngineeringSecureService/CloudBasedSystems}, file = {preprint:http\://rgse.uni-koblenz.de/web/pages/research/projects/cloudat/publications/closer13selected.pdf:URL}, pages = {1--16}, }
  • J. Jürjens: Geschäftsprozesse in der Cloud - aber sicher! (... und compliant) (Business Processes in the Cloud - but Secure! (... and Compliant)). In: Software Engineering + Architecture (SEACON 2014), 2014.
    @INPROCEEDINGS{seacon14J, author = {J.~{J}{\"u}{r}jens}, title = {Gesch\"aftsprozesse in der Cloud -- aber sicher ! (... und compliant)}, booktitle = {Software Engineering + Architecture (SEACON 2014)}, year = {2014}, keywords = {hotOffThePress, nonEnglish}, file = {slides:http\://rgse.uni-koblenz.de/web/pages/research/projects/cloudat/publications/seacon_14.pdf:URL;audio:http\://rgse.uni-koblenz.de/web/pages/people/juerjens/publications/audio/seacon14.wav:URL}, url = {http://www.sea-con.de} }
  • J. Jürjens: Sicherheit und Compliance in der Cloud (Security and Compliance in the Cloud). Talk at the 3. Cyber-Sicherheits-Tag für Teilnehmer der Allianz für Cyber-Sicherheit, 2013.
    @MISC{cybersicherheit13, author = {J.~{J}{\"u}{r}jens}, title = {Sicherheit und Compliance in der Cloud}, howpublished = {3. Cyber-Sicherheits-Tag f\"ur Teilnehmer der Allianz f\"ur Cyber-Sicherheit}, year = {2013}, file = {slides:http\://rgse.uni-koblenz.de/web/pages/research/projects/cloudat/publications/cybersicherheit_13.pdf:URL}, keywords = {nonEnglish} }
  • T. Humberg, C. Wessel, D. Poggenpohl, S. Wenzel, T. Ruhroth, J. Jürjens: Ontology-Based Analysis of Compliance and Regulatory Requirements of Business Processes. Technical Report, TU Dortmund, 2013. Also published in: 3rd International Conference on Cloud Computing and Services Science (CLOSER 2013), pp. 553-561.
    Abstract: Despite its significant potential benefits, the concept of Cloud Computing is still regarded with skepticism in most companies. One of the main obstacles is posed by concerns about system security and compliance issues. Examining system and process models for compliance manually is time-consuming and error-prone, in particular due to the mere extent of potentially relevant sources of security and compliance concerns that have to be considered. This paper proposes techniques to ease these problems by providing support in identifying relevant aspects, as well as suggesting possible methods (from an existing pool of such) to actually check a given model. We developed a two-step approach: At first, we build an ontology to formalize rules from relevant standards, augmented with additional semantic information. This ontology is then utilized in the analysis of an actual model of a system or a business process in order to detect possible compliance obligations.
    @TECHREPORT{closer13WHWPRJ, author = {T.~Humberg and C.~Wessel and D.~Poggenpohl and S.~Wenzel and T.~Ruhroth and J.~J\"urjens}, title = {Ontology-Based Analysis of Compliance and Regulatory Requirements of Business Processes, Technical Report, also published in 3rd International Conference on Cloud Computing and Services Science (Closer 2013) pp. 553--561}, institution = {TU Dortmund}, year = {2013}, editor = {F.~Desprez and D.~Ferguson and E.~Hadar and F.~Leymann and M.~Jarke and M.~Helfert}, publisher = {SciTePress}, keywords = {hotOffThePress, secureSoftwareEngineeringSecureService/CloudBasedSystems}, abstract = {Despite its significant potential benefits, the concept of Cloud Computing is still regarded with skepticism in most companies. One of the main obstacle is posed by concerns about the systems security and compliance issues. Examining system and process models for compliance manually is time-consuming and error-prone, in particular due to the mere extent of potentially relevant sources of security and compliance concerns that have to be considered. This paper proposes techniques to ease these problems by providing support in identifying relevant aspects, as well as suggesting possible methods (from an existing pool of such) to actually check a given model. We developed a two-step approach: At first, we build an ontology to formalize rules from relevant standards, augmented with additional semantic information. This ontology is then utilized in the analysis of an actual model of a system or a business process in order to detect possible compliance obligations.}, file = {paper:http\://rgse.uni-koblenz.de/web/pages/research/projects/cloudat/publications/cloudsecgov13HWPWRJ.pdf:URL}, pages = {553--561} }
  • J. Jürjens: Sicherheit und Compliance in der Cloud (Security and Compliance in the Cloud; invited talk). Technical Report, TU Dortmund, 2013. Also presented at the microfin Jahresempfang 2013, Frankfurt.
    @TECHREPORT{microfin13J, author = {J.~{J}{\"u}{r}jens}, title = {Sicherheit und Compliance in der Cloud (Eingeladener Vortrag), technischer Bericht, auch vorgestellt auf dem microfin Jahresempfang 2013}, institution = {TU Dortmund}, year = {2013}, address = {Frankfurt}, file = {slides:http\://rgse.uni-koblenz.de/web/pages/research/projects/cloudat/publications/microfin13.pdf:URL}, keywords = {hotOffThePress,nonEnglish} }
  • J. Jürjens: Informationssicherheit im Cloud Computing (Information Security in Cloud Computing). In: Web conference of the Anwenderkreis Informationstechnik und Telekommunikation (AKIT), 2012.
    @INPROCEEDINGS{akit2012, author = {J.~{J}{\"u}{r}jens}, title = {Informationssicherheit im Cloud Computing}, booktitle = {Web-Konferenz des Anwenderkreis Informationstechnik und Telekommunikation (AKIT)}, year = {2012}, file = {slides:http\://rgse.uni-koblenz.de/web/pages/research/projects/cloudat/publications/vortrag_bsi.pdf:URL}, keywords = {nonEnglish} }