
COMPLIANCE ISSUES IN CLOUD COMPUTING SYSTEMS by Dereje Yimam

A Dissertation Submitted to the Faculty of The College of Engineering and Computer Science In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

Florida Atlantic University Boca Raton, FL December 2015

Copyright 2015 by Dereje Yimam


ACKNOWLEDGEMENTS

I would like to thank my advisor, Dr. Eduardo B. Fernandez, for his guidance during my research. His advice on my research as well as on my career has been invaluable. I would also like to thank my committee members, Dr. Michael Van Hilst, Dr. Ionut Cardei, and Dr. Mehrdad Nojoumian for all their valuable advice and feedback. A special thanks to my family and friends for their support and encouragement.

ABSTRACT

Author: Dereje Yimam
Title: Compliance Issues in Cloud Computing Systems
Institution: Florida Atlantic University
Dissertation Advisor: Dr. Eduardo B. Fernandez
Degree: Doctor of Philosophy
Year: 2015

Appealing features of cloud services such as elasticity, scalability, universal access, low entry cost, and flexible billing motivate consumers to migrate their core businesses into the cloud. However, there are challenges about security, privacy, and compliance. Building compliant systems is difficult because of the complex nature of regulations and cloud systems. In addition, the lack of complete, precise, vendor neutral, and platform independent software architectures makes compliance even harder. We have attempted to make regulations clearer and more precise with patterns and reference architectures (RAs). We have analyzed regulation policies, identified overlaps, and abstracted them as patterns to build compliant RAs. RAs should be complete, precise, abstract, vendor neutral, platform independent, and with no implementation details; however, their levels of detail and abstraction are still debatable and there is no commonly accepted definition about what an RA should contain. Existing approaches to build RAs lack structured templates and systematic procedures. In addition, most approaches do not take full advantage of patterns and best practices that promote architectural quality.

We have developed a five-step approach by analyzing features from available approaches but refined and combined them in a new way. We consider an RA as a big compound pattern that can improve the quality of the concrete architectures derived from it and from which we can derive more specialized RAs for cloud systems. We have built an RA for HIPAA, a compliance RA (CRA), and a specialized compliance and security RA (CSRA) for cloud systems. These RAs take advantage of patterns and best practices that promote software quality. We evaluated the architecture by creating profiles. The proposed approach can be used to build RAs from scratch or to build new RAs by abstracting real RAs for a given context. We have also described an RA itself as a compound pattern by using a modified POSA template. Finally, we have built a concrete deployment and availability architecture derived from CSRA that can be used as a foundation to build compliance systems in the cloud.

COMPLIANCE ISSUES IN CLOUD COMPUTING SYSTEMS

TABLES ..... x
FIGURES ..... xi
1. INTRODUCTION ..... 1
2. BACKGROUND ..... 6
2.1. Regulations and Standards ..... 6
2.1.1. HIPAA ..... 7
2.1.2. PCI-DSS ..... 8
2.1.3. SOX ..... 9
2.1.4. GLBA ..... 10
2.1.5. FISMA ..... 10
2.2. Cloud Service Models ..... 11
2.3. Cloud Deployment Models ..... 12
2.4. Compliance in cloud computing ..... 13
2.5. Patterns, Reference Models (RMs) and RAs ..... 14
2.6. Software architectures ..... 15
2.7. Ontologies ..... 16
3. A SURVEY OF COMPLIANCE ISSUES IN CLOUD COMPUTING ..... 17
3.1. Compliance issues in cloud computing ..... 17
3.2. Compliance approaches in industry ..... 24
3.3. Summary of compliance issues and recommendations ..... 26
3.3.1. Complexity of Regulations ..... 26
3.3.2. Regulation Overlaps ..... 27
3.3.3. Lack of standard Reference Architectures (RAs) ..... 27
3.3.4. Lack of full control and transparency ..... 28
3.3.5. Security threats ..... 28
3.4. Conclusions ..... 29
4. TOWARDS COMPLIANT REFERENCE ARCHITECTURES BY FINDING ANALOGIES AND OVERLAPS IN COMPLIANCE REGULATIONS ..... 31
4.1. Introduction ..... 31
4.2. Analogy ..... 33
4.3. Overlap ..... 37
4.4. Conclusions ..... 40
5. REGULATION PATTERNS ..... 42
5.1. HIPAA privacy rule ..... 42
5.2. HIPAA security rule ..... 47
5.3. HIPAA transactions and Code Sets Rule ..... 53
5.4. HIPAA unique Identifiers Rule (National Provider Identifier (NPI)) ..... 58
5.5. HIPAA enforcement Rule ..... 61
5.6. Compliance policy management point ..... 63
5.7. Compliance report management point ..... 67
5.8. Compliance analyzer management point ..... 71
6. AN APPROACH TO BUILD REFERENCE ARCHITECTURES (RAs) ..... 77
6.1. Introduction ..... 77
6.2. Available approaches to build RAs ..... 79
6.2.1. Reference Model (RM) approach ..... 79
6.2.2. Viewpoint approach ..... 80
6.2.3. Pattern-based approach ..... 80
6.2.4. Other approaches ..... 80
6.3. An approach to build RAs ..... 81
6.3.1. A metamodel for RAs ..... 82
6.3.2. Steps to build RAs ..... 85
6.4. Building compliance RA (CRA) ..... 100
6.5. Conclusions ..... 101
7. BUILDING COMPLIANCE AND SECURITY REFERENCE ARCHITECTURES (CSRA) FOR CLOUD SYSTEMS ..... 104
7.1. Introduction ..... 104
7.2. Steps to build CSRA for cloud systems ..... 106
7.3. Compliance deployment, storage, and availability ..... 116
7.4. Conclusions ..... 116
8. REFERENCE ARCHITECTURE AS COMPOUND PATTERN ..... 118
8.1. A template to describe an RA for HIPAA ..... 119
8.2. Conclusions ..... 124
9. CASE STUDY: BUILDING CONCRETE DEPLOYMENT AND AVAILABILITY ARCHITECTURES FOR CLOUD SYSTEMS ..... 125
10. RELATED WORK ..... 130
11. CONCLUSIONS AND FUTURE WORK ..... 133
APPENDIX ..... 137
REFERENCES ..... 147

TABLES

Table 1: Summary of service sectors with their corresponding regulations ..... 11
Table 2: GLBA, HIPAA, PCI DSS and SOX report comparison table [Mir08] ..... 19
Table 3: Threats to compliance mapping ..... 20
Table 4: Vendor responsibility for HIPAA Requirement Mapping matrix [Das12] ..... 22
Table 5: Vendor responsibility for PCI DSS Requirement Mapping matrix [Das12] ..... 22
Table 6: RA metamodel components ..... 83
Table 7: HIPAA rules to abstract patterns ..... 92
Table 8: Mappings between OWL and UML elements [Bro06] [Kal10] ..... 93
Table 9: HIPAA RA validation ..... 99
Table 10: Mapping PCI policies with CRA components ..... 103
Table 11: CSRA components and patterns ..... 110

FIGURES

Figure 1: Pattern generation [Fer00] ..... 35
Figure 2: A partial model of HIPAA ..... 36
Figure 3: A model for parts of SOX ..... 36
Figure 4: A model for secured SOX ..... 39
Figure 5: Class diagram for HIPAA's Privacy rule ..... 45
Figure 6: Use case: show a PHI of a patient to a non-covered entity ..... 45
Figure 7: Class diagram for HIPAA's Security Rule ..... 50
Figure 8: Use case "Access a PHI in a Covered Entity" ..... 50
Figure 9: Class model for Transactions and Code Sets Rule ..... 55
Figure 10: Class diagram for compliance policy management point ..... 65
Figure 11: Sequence diagram to add a new policy ..... 66
Figure 12: Class diagram for compliance report management point ..... 69
Figure 13: Sequence diagram to generate user activities report ..... 70
Figure 14: Class diagram for compliance analyzer management point ..... 73
Figure 15: A sequence diagram to access compliance analysis results ..... 75
Figure 16: Workflow to build RAs ..... 83
Figure 17: RA metamodel ..... 84
Figure 18: Sequence diagram to build RAs ..... 84
Figure 19: HIPAA use cases ..... 87
Figure 20: HIPAA ontology snippet ..... 90
Figure 21: RM for HIPAA ..... 91
Figure 22: HIPAA security and privacy components derived from ontology ..... 94
Figure 23: HIPAA RA stakeholder components derived from HIPAA ontology ..... 94
Figure 24: An RA for HIPAA ..... 95
Figure 25: Sequence diagram to read PHI records ..... 96
Figure 26: Sequence diagram to update PHI records ..... 97
Figure 27: Compliance RA (CRA) ..... 102
Figure 28: Compliance and security use case for cloud systems ..... 107
Figure 29: Compliant model for cloud systems ..... 109
Figure 30: A CSRA for SaaS service provider perspective ..... 112
Figure 31: A sequence diagram to read PHI from SaaS service provider perspective ..... 113
Figure 32: A CSRA from IaaS covered entity perspective ..... 114
Figure 33: A sequence diagram to upload PHI from IaaS covered entity perspective ..... 115
Figure 34: Regulations cloud deployment, storage, and availability ..... 117
Figure 35: Deployment and availability concrete architecture for cloud systems derived from CSRA ..... 129

1. INTRODUCTION

Cloud services have become popular in the last few years. According to the International

Range property snippet from HIPAA ontology:

enforcePrivacy -> PrivacyPattern(s): HIPAA privacy mapped to PrivacyPattern(s) using step 3
enforceSecurity -> ComplianceReferenceMonitor, SecurityPattern(s): compliance management mapped to ComplianceReferenceMonitor using step 3; HIPAA security mapped to SecurityPattern(s) using step 3

Figure 22: HIPAA security and privacy components derived from ontology.

We can build the RA stakeholder components from the stakeholder section of the HIPAA ontology, as shown in Figure 23. The snippet for stakeholders is as follows:

Stakeholder: Patient, Covered Entity, Law enforcement, Business associate, Auditor

Figure 23: HIPAA RA stakeholder components derived from HIPAA ontology

By the same token, we can build the overall architecture by transforming the ontology to UML/OCL and applying the abstract patterns from Step 3, as shown in Figure 24. As an example, we develop sequence diagrams to read PHI and to update PHI in Figures 25 and 26, respectively. The architecture can be used to derive multiple concrete architectures for a given context. In addition, the identified abstract patterns may require a few changes to fit a given context. A concrete architecture derived from an RA for HIPAA can include one or more abstract patterns, based on the company's compliance and security policies.


[Figure 24: An RA for HIPAA. Components shown in the diagram: HIPAA Policy Repository, Compliance policy pattern, HIPAA Transaction Management Point, Security pattern(s), Privacy pattern(s), Compliance Notification, Compliance Reference Monitor, Security Policy Repository, Privacy Policy Repository, Compliance report pattern, SecLoggerAuditor, and the Stakeholder roles Patient, Covered Entity and Law enforcement. Relationships labelled in the diagram: use, monitor transaction, manage policies, enforce security, enforce privacy, notify, logs, manage activities, generate report, analyze.]
