2014
Book Article
Title
Automatic data protection certificates for cloud-services based on secure logging
Abstract
Cloud services promise numerous advantages for companies over traditional in-house data processing in terms of flexibility and cost efficiency. These cloud services vary considerably with respect to the security mechanisms provided. As a result, many security-aware companies have strong concerns about using such services, e.g., with respect to confidentiality, data protection, availability, and control. Moreover, they complain about the lack of transparency concerning the security measures and processes the cloud provider has installed. As a solution for the latter, auditors may evaluate cloud providers and issue certificates attesting whether or not the cloud provider meets certain security requirements or legal regulations. However, due to the characteristics of cloud computing, on-site inspections in the data centers of a cloud provider do not seem to be realistic. In this paper we present a technical solution for an automatically generated data processing certificate for cloud services. Formal policies containing the security requirements the cloud service must comply with are the basis for this certificate. Our contribution uses secure log files as a trustworthy data basis for the evaluation of a cloud service. We introduce a secure logging method which is resistant against internal manipulation attempts and that creates tamper-proof and confidential log data. Thus, the logging method is very well suited for application in the data center of a potentially untrustworthy cloud provider.