Abstract
Migrating organisational services, data and applications to the cloud is an important strategic decision for organisations, given the many benefits that cloud computing introduces, such as cost reduction and on-demand resources. Despite these benefits, however, cloud adoption brings challenges and risks related to (amongst others) data leakage, insecure APIs and shared technology vulnerabilities. These challenges need to be understood and analysed in the context of an organisation's security and privacy goals and the relevant cloud computing deployment models. Although the literature contains many works that consider cloud computing security issues, no work, to our knowledge, supports both the elicitation of security and privacy requirements and the selection of an appropriate cloud deployment model based on those requirements. This work contributes towards filling this gap. In particular, we propose a requirements engineering framework to support the elicitation of security and privacy requirements and the selection of an appropriate deployment model based on the elicited requirements. Our framework provides a systematic process and a modelling language that builds on concepts from requirements, security, privacy and cloud engineering. We use a real case study, based on the Greek National Gazette, to demonstrate the applicability of our work.
Appendices
Appendix 1: Cloud deployment scenario template
Appendix 2: Public cloud deployment scenario for GNG
Appendix 3: Private cloud deployment scenario for GNG
Cite this article
Kalloniatis, C., Mouratidis, H. & Islam, S. Evaluating cloud deployment scenarios based on security and privacy requirements. Requirements Eng 18, 299–319 (2013). https://doi.org/10.1007/s00766-013-0166-7