Modeling security requirements for cloud‐based system development

The Cloud Computing paradigm provides a new model for the more flexible utilization of computing and storage services. However, such enhanced flexibility, which implies outsourcing the data and business applications to a third party, may introduce critical security issues. Therefore, there is a clear necessity of new security paradigms able to face all the problems introduced by the cloud approach. Although, in the last years, several solutions have been proposed, the implementation of secure cloud applications and services is still a complex and far from consolidated task. Starting from these considerations, this work fosters the development of a methodology that considers security concerns as an integral part of cloud‐based applications design and implementation. Accordingly, we present a set of stereotypes that defines a vocabulary for annotating Unified Modeling Language based models with information relevant for integrating the specification of security requirements into cloud architectures. This approach can be used to significantly improve productivity and overall success in the development of secure distributed cloud applications and systems. Copyright © 2014 John Wiley & Sons, Ltd.

[1]  John P. McDermott,et al.  Abuse-case-based assurance arguments , 2001, Seventeenth Annual Computer Security Applications Conference.

[2]  Giovanni Vigna,et al.  STATL: An Attack Language for State-Based Intrusion Detection , 2002, J. Comput. Secur..

[3]  Jan Jürjens,et al.  UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[4]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[5]  Gary McGraw,et al.  From the Ground Up: The DIMACS Software Security Workshop , 2003, IEEE Secur. Priv..

[6]  Jan Jürjens,et al.  Secure systems development with UML , 2004 .

[7]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[8]  Frank Swiderski,et al.  Threat Modeling , 2018, Hacking Connected Cars.

[9]  Haralambos Mouratidis,et al.  When security meets software engineering: a case of modelling secure information systems , 2005, Inf. Syst..

[10]  Dianxiang Xu,et al.  Integrating functional and security requirements with use case decomposition , 2006, 11th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS'06).

[11]  David Basin,et al.  Model driven security: From UML models to access control infrastructures , 2006, TSEM.

[12]  Dianxiang Xu,et al.  Integrating functional and security requirements with use case decomposition , 2006 .

[13]  Mohammad Zulkernine,et al.  Integrating software specifications into intrusion detection , 2007, International Journal of Information Security.

[14]  I. Hogganvik,et al.  Model-based security analysis in seven steps — a guided tour to the CORAS method , 2007 .

[15]  Mohammad Zulkernine,et al.  AsmLSec: An Extension of Abstract State Machine Language for Attack Scenario Specification , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[16]  Mohammad Zulkernine,et al.  Intrusion detection aware component-based systems: A specification-based framework , 2007, J. Syst. Softw..

[17]  M. A. Hadavi,et al.  Security Requirements Engineering; State of the Art and Research Challenges , 2008 .

[18]  Karen A. Scarfone,et al.  Technical Guide to Information Security Testing and Assessment , 2008 .

[19]  Christoph Meinel,et al.  Intrusion Detection in the Cloud , 2009, 2009 Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing.

[20]  Jörg Schwenk,et al.  On Technical Security Issues in Cloud Computing , 2009, 2009 IEEE International Conference on Cloud Computing.

[21]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[22]  Marlon Dumas,et al.  Towards Model Transformation between SecureUML and UMLsec for Role-based Access Control , 2010, DB&IS.

[23]  Carlos Becker Westphall,et al.  SLA Perspective in Security Management for Cloud Computing , 2010, 2010 Sixth International Conference on Networking and Services.

[24]  Jin Tong,et al.  NIST Cloud Computing Reference Architecture , 2011, 2011 IEEE World Congress on Services.

[25]  Bernd Grobauer,et al.  Understanding Cloud Computing Vulnerabilities , 2011, IEEE Security & Privacy.

[26]  Irfan Gul,et al.  Distributed Cloud Intrusion Detection Model , 2011 .

[27]  Fang Liu,et al.  NIST Cloud Computing Reference Architecture , 2011, 2011 IEEE World Congress on Services.

[28]  Per Håkon Meland Service Injection: A Threat to Self-Managed Complex Systems , 2011, 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing.

[29]  Bernard Coulette,et al.  Secure Component Based Applications through Security Patterns , 2012, 2012 IEEE International Conference on Green Computing and Communications.

[30]  Mazdak Zamani,et al.  A survey on security issues of federated identity in the cloud computing , 2012, 4th IEEE International Conference on Cloud Computing Technology and Science Proceedings.

[31]  Saeko Matsuura,et al.  UML based Security Function Policy Verification Method for Requirements Specification , 2013, 2013 IEEE 37th Annual Computer Software and Applications Conference.

[32]  Jie Xu,et al.  A novel intrusion severity analysis approach for Clouds , 2013, Future Gener. Comput. Syst..

[33]  Carsten Magerkurth,et al.  IoT Reference Architecture , 2013 .

[34]  Christian Esposito,et al.  Interconnecting Federated Clouds by Using Publish-Subscribe Service , 2013, Cluster Computing.

[35]  Harit Shah,et al.  Security Issues on Cloud Computing , 2013, ArXiv.

[36]  Nicola Mazzocca,et al.  Developing Secure Cloud Applications , 2014, Scalable Comput. Pract. Exp..

[37]  Zahir Tari,et al.  Security and Privacy in Cloud Computing , 2014, IEEE Cloud Computing.

[38]  J. M. Kizza System Intrusion Detection and Prevention , 2015 .