Jump to Navigation


Latest articles

Security Incident Information Exchange for Cloud Services

The complex provider landscape in cloud computing makes incident handling difficult, as Cloud Service Providers (CSPs) with end-user customers do not necessarily get sufficient information about incidents that occur at upstream CSPs. In this paper, we argue the need for commonly agreed-upon incident information exchanges between providers as a means to improve accountability of CSPs. The discussion considers several technical challenges and non-technical aspects related to improving the situation for incident response in cloud computing scenarios.

I'll trust you - for now

The pervasiveness of cloud computing paired with big data analytics is fueling privacy fears among the more paranoid users. Cryptography-based solutions such as fully homomorphic encryption and secure multiparty computation are trying to address these fears, but still do not seem to be ready for prime time. This paper presents an alternative approach using encrypted cloud storage by one provider, supplemented by cloud processing of cleartext data on one or more different cloud providers.

Read more in A4CLOUD Publications.

Evidence Collection in Cloud Provider Chains

With the increasing importance of cloud computing, compliance concerns get into the focus of businesses more often. Furthermore, businesses still consider security and privacy related issues to be the most prominent inhibitors for an even more widespread adoption of cloud computing services. Several frameworks try to address these concerns by building comprehensive guidelines for security controls for the use of cloud services.

Towards Auditing of Cloud Provider Chains Using CloudTrust Protocol

Although cloud computing can be considered mainstream today, there is still a lack of trust in cloud providers, when it comes to the processing of private or sensitive data. This lack of trust is rooted in the lack of transparency of the provider's data handling practices, security controls and their technical infrastructures. This problem worsens when cloud services are not only provisioned by a single cloud provider, but a combination of several independent providers.

Automated Log Audits for Privacy Compliance Validation: A Literature Survey

Log audits are the technical means to retrospectively reconstruct and analyze system activities for determining if the system events are in accordance with the rules. In the case of privacy compliance, compliance by detection approaches are promoted for achieving data protection obligations such as accountability and transparency. However significant challenges remain to fulfill privacy requirements through these approaches. This paper presents a systematic literature review that reveals the theoretical foundations of the state-of-art detective approaches for privacy compliance.

Evidence Collection for Security and Privacy Assurance in Cloud Ecosystems

This paper is concerned with the problem of assurance in cloud eco-systems. Currently, different technologies are used and deployed in order to guar-antee security and privacy in cloud supply chains. Although research and industry practices have contributed to the evaluation of the effectiveness of such technol-ogies, it is yet challenging to assess them in a systemic way. Therefore, it is nec-essary to device methodologies and technologies for providing assurance of whether security and privacy technologies are effective and appropriate for spe-cific cloud supply chains.

Enhanced Assurance about Cloud Service Provision Promises

It is envisaged that in future cloud service providers will increasingly be using a Privacy Level Agreement (PLA) to disclose their data protection practices. However, this is just a self-assessment relating to data protection compliance. Many cloud customers may wish for greater ease in comparing PLAs fromdifferent providers, as well as increased assurance about what is being claimed.

A Technique for Enhanced Provision of Appropriate Access to Evidence across Service Provision Chains

Transparency and verifiability are necessary aspects of accountability, but care needs to be taken that auditing is done in a privacy friendly way. There are situations where it would be useful for certain actors to be able to make restricted views within service provision chains on accountability evidence, including logs, available to other actors with specific governance roles.

Applying Privacy by Design in Software Engineering - An European Perspective

Privacy by Design (PbD) is an approach to protect privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures. However, despite its many advantages, many organizations struggle with incorporating these practices in their existing software engineering processes. This paper evaluates the current state-of-the-art related to PbD in software engineering and analyzes the impact of the proposed European data protection legislation on this process.

A Data Protection Impact Assessment Methodology for Cloud

We propose a data protection impact assessment (DPIA) method based on successive questionnaires for an initial screening and for a full screening for a given project. These were tailored to satisfy the needs of Small and Medium Enterprises (SMEs) that intend to process personal data in the cloud. The approach is based on legal and socio-economic analysis of privacy issues for cloud deployments and takes into consideration the new requirements for DPIAs within the European Union (EU) as put forward by the proposed General Data Protection Regulation (GDPR).