Towards Auditing of Cloud Provider Chains Using CloudTrust Protocol
Although cloud computing can be considered mainstream today, there is still a lack of trust in cloud providers, when it comes to the processing of private or sensitive data. This lack of trust is rooted in the lack of transparency of the provider's data handling practices, security controls and their technical infrastructures. This problem worsens when cloud services are not only provisioned by a single cloud provider, but a combination of several independent providers. The main contributions of this paper are: we propose an approach to automated auditing of cloud provider chains with the goal of providing evidence-based assurance about the correct handling of data according to pre-defined policies. We also introduce the concepts of individual and delegated audits, discuss policy distribution and applicability aspects and propose a lifecycle model. Our previous work on automated cloud auditing and Cloud Security Alliance's (CSA) CloudTrust Protocol form the basis for the proposed system for provider chain auditing.
Rübsamen T., Hölscher D., Reich Ch., "Towards Auditing of Cloud Provider Chains Using CloudTrust Protocol", Proceedings of CLOSER 2016, Rome, Italy, 2016, Volume 1, Pages 83-94, ISBN: 978-989-758-182-3.