Risk in the Cloud? : Security Analysis of Cloud Applications
For cloud customers, the use of cloud computing services offers various advantages. For example, the cost of operating their own IT infrastructure is eliminated, and the amount of resources used can be flexibly adjusted to demand. However, the use of cloud computing services also entails risks.
We present a structured method for performing risk analysis for cloud applications according to the ISO 27001 standard. Our method relies on patterns to describe the context and structure of a cloud computing system (using CSAP), to identify threats, to elicit the security requirements, and to select controls. Our ClouDA tool supports the application of this method. Our approach delivers the following main benefits:
• Systematic pattern-based identification of threats using threat patterns and their relationship to CSAP elements, which facilitates and accelerates the threat analysis
• Systematic pattern-based identification of security requirements to be fulfilled by appropriate controls, using security requirement patterns and their relationship to threat patterns
• Systematic pattern-based identification of controls using their relationship to security requirement patterns
• Tool support for our approach
• Increased effectiveness of risk analysis by applying the method, and reduced documentation effort through hierarchical refinement of assets.
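The following is an added illustration, not code from ClouDA or the CSAP catalogue: it models the pattern chain the method describes (CSAP element to threat pattern to security requirement pattern to control) and shows how hierarchical asset refinement lets a sub-asset inherit its parent's threats, so only the additional threats have to be documented. All element, pattern and control names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Asset:
    name: str
    csap_elements: frozenset          # constructed CSAP element types for this asset
    parent: Optional["Asset"] = None  # refinement: a child inherits the parent's threats

# Constructed relationship tables (placeholders, not the real pattern catalogue).
THREATS_BY_ELEMENT = {
    "storage": {"unauthorised_data_access", "data_loss"},
    "network": {"eavesdropping"},
}
REQUIREMENTS_BY_THREAT = {
    "unauthorised_data_access": {"access_control"},
    "data_loss": {"data_availability"},
    "eavesdropping": {"transit_confidentiality"},
}
CONTROLS_BY_REQUIREMENT = {
    "access_control": {"access control policy", "user access provisioning"},
    "data_availability": {"information backup"},
    "transit_confidentiality": {"cryptographic protection of transfers"},
}

def threats_for(asset: Asset) -> set:
    """All threats that apply: own CSAP elements plus everything inherited."""
    own = set().union(*(THREATS_BY_ELEMENT.get(e, set()) for e in asset.csap_elements))
    return own | (threats_for(asset.parent) if asset.parent else set())

def local_threats(asset: Asset) -> set:
    """Threats to document at this refinement level only (inherited ones are not repeated)."""
    inherited = threats_for(asset.parent) if asset.parent else set()
    return threats_for(asset) - inherited

def requirements_for(asset: Asset) -> set:
    return set().union(*(REQUIREMENTS_BY_THREAT[t] for t in threats_for(asset)))

def controls_for(asset: Asset) -> set:
    return set().union(*(CONTROLS_BY_REQUIREMENT[r] for r in requirements_for(asset)))

if __name__ == "__main__":
    customer_db = Asset("customer database", frozenset({"storage"}))
    backup = Asset("offsite backup transfer", frozenset({"network"}), parent=customer_db)
    for a in (customer_db, backup):
        print(a.name, sorted(local_threats(a)), sorted(controls_for(a)))
```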
In the future, we want to extend the tool to support other types of patterns for performing risk analysis. In addition, we intend to enrich the tool so that it checks the complete and coherent instantiation of the patterns.