Deutsch deutsch


Project description



Project description

With this project an open-source tool (ClouDAT) for the documentation and security evaluation of Cloud-Computing systems should be developed.

The goal is to support a method for the planning, documentation and evaluation of security requirements and security measures in Cloud-Computing systems. This tool will be realized on the basis of existing tools, for example UML-editors, which are open-source tools as well. With the use of an appropriate licence model, concepts and source code fragments of ClouDAT can easily be adopted by other tool developers, who can reuse them for similar tools. A free open-source-tool also reduces the entrance costs for SMB and makes it possible for universities to use the tool for research and teaching. An open-source tool can be adjusted by its users and avoids dependence on other organizations. Particularly in the field of SMB, an open-source basis is often an inalienable requirement for the successful distribution of software, since potential customers often do not want to be dependent on small software producers (who can offer less guarantee for the continuity of their own business than bigger providers). By offering consulting and support services the open-source software is a promising business model especially for providers of the KMU-sector.

By using ClouDAT it is possible to document Cloud-Computing systems, which consist of SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) and IaaS (Infrastucture-as-a-Service), as well as all relevant business processes, for the expertise of a third party. With the development of Cloud-Computing systems various risks can be revealed. Risks are, for example, that confidential data become publicly available, employees of Cloud-Computing providers gain access to data without authority, services are changed from the outside, or that the service is not continuously available. The approach will be applicable to open Cloud-Computing infrastructures (“public clouds”), as well as to intra-company Cloud-Computing systems (“private clouds”).

For the documentation of the determined requirements of Cloud-Computing systems the German law in the field of IT security and the compliance with, for example, the German data protection act (BDSG) have to be adhered to by the Cloud-Computing provider. With the help of the requirements that are generated by the Cloud-Computing provider, a potential Cloud-Computing user should be able to decide if the provided service meets his requirements. With this project we will develop a catalogue of requirements, which allows for a certification of IaaS, PaaS and SaaS according to, for example, ISO 27001. In addition to requirements from legislative texts or standards, individual security requirements of the KMUs should also be taken into account. ClouDAT will provide patterns for the documentation of the requirements. Concrete requirements can be instantiated from these patterns by insertion of concrete elements. The inserted elements and their relationships to one another can be specified with ClouDAT. For the specification of the relationships we will use a standard notation from software engineering (UML) and extend it in an appropriate way. For the extension we will use problem frames (patterns and language of the documentation of requirements). By using an automated tool for security analysis, a certification will be cost-efficient enough to be also attractive to KMUs.

Cloud-Computing providers are often not willing to reveal their security measures toward their customers and particularly not toward their competitors on the market. A Cloud-Computing provider also does not want to reveal in public which (certified) security components are used. Therefore only an external expert can check in how far the measurements are appropriate to meet the requirements sufficiently. ClouDAT allows the Cloud-Computing provider to have a first validation according to these questions. If Cloud-Computing providers use, for example, their own protocols and not only standardized components, they can also be analyzed by ClouDAT using external analyzing tools. For the specification of the measures we will use a standard notation from software engineering (UML), which has to be extended in an appropriate way. For the extension we will use elements from UMLsec (security extention for UML).

For the certifier ClouDAT will generate reports that describe the requirements and measurements. The relationships of the requirements and measurements will also be shown in a comprehensible way. Hence, the certifier can check the validations of the provider with little effort. In the context of a certification audit of a Cloud-Computing service it is the certifier’s main task to check if the documented measurements have been realized properly.

The certification will support further distribution of Cloud-Computing used by SMBs in Germany by creating trust in Cloud-Computing providers. In addition to that, jobs for IT-certifier will be created. Companies, which want to provide a Cloud-Computing offer directed to the German market, will particularly gain an advantage in competition because of the certification. This will maybe even motivate further companies to join the Cloud-Computing business.

ClouDAT supports consulting activities in the field of security. With an appropriate tool new customers can be reached in this field, and the quality of the guidance services will increase massively. The tool can also be used for teaching to help organizing the education of security engineers in a more practical and demonstrative way.