Building on the success of the first workshop and its alignment within the IEEE World Congress on Services, the Cloud Security Auditing Workshop provides a unique setting for the exchange of research and development practices for the detection, prevention, mitigation, and reporting of security attacks in the cloud. The concepts surrounding security auditing cover issues related to cloud architectures, tenant services and resources, service interactions, privacy, and standards, where meta-information must be captured, shared, and monitored across the cloud.

More information, including submission dates, paper templates, and the Call for Papers can be found at www.csaworkshop.org. The Call for Papers can also be downloaded directly here.

The workshop is being organized and chaired by Rose Gamble from the University of Tulsa, gamble@utulsa.edu, Indrakshi Ray from Colorado State University, iray@cs.colostate.edu, and Keesook J. Han from the Air Force Research Laboratory, keesook.han@rl.af.mil. Any questions or problems accessing workshop information should be directed to the workshop chairs at the email addresses above.

To be held in association with the IEEE 9th World Congress on Services, this one-day workshop will bring together researchers and practitioners to explore and assess varied and viable technologies for capturing security-relevant events throughout the cloud and performing monitoring and analyses on the captured information to detect, prevent, and mitigate security threats.

More information, including submission dates, paper templates, and the Call for Papers can be found at http://www.csaw2013.org. The Call for Papers can also be downloaded directly here.

The workshop is being organized and chaired by Rose Gamble from the University of Tulsa, gamble@utulsa.edu, Indrakshi Ray from Colorado State University, iray@cs.colostate.edu, and Keesook J. Han from the Air Force Research Laboratory, keesook.han@rl.af.mil. Any questions or problems accessing workshop information should be directed to the workshop chairs at the email addresses above or to the SEAT/CSAW2013 webmaster, matt-hale@utulsa.edu.

Risk Propagation of Security SLAs in the Cloud (M. Hale & R. Gamble) was presented by Matt Hale at the IEEE Globecom workshop for Management and Security technologies for Cloud Computing. This work represents an initial step towards embedding risk into SLAs for the purpose of organizational awareness and acceptance. More specifically, the paper establishes an algorithmic process for handling dynamic risk evaluations in the cloud. This novel risk evaluation and renegotiation algorithm handles cases where service providers alter their terms of service or can no longer meet their SLA-bound security parameters. In such events, the algorithm searches for alternative services, selects the lowest-risk, most compatible replacement, and calculates the updated risk valuations and informs previous services of them, all the way back to the original requester.

It sparked a series of discussions with other researchers in the field and was a great experience overall.

A Tiered Strategy for Auditing in the Cloud (R. Xie & R. Gamble) was part of the work-in-progress presentations at IEEE CLOUD 2012. This work documented initial scoping rules for audit assets formed within the cloud. An example compilation process showed how the audit assets can be filtered and combined within and across scopes to provide specific perspectives of audit trails to detect temporal behaviors related to attack patterns. The work initiated discussion on the accumulation and use of audit assets from foreign clouds as part of a federation, tying into the SecAgreement work to establish expectations of cloud responses as part of an SLA. Work to combine these two areas has begun.

SecAgreement: Advancing Security Risk Calculations in Cloud Services (M. Hale & R. Gamble) was presented in the Security and Privacy Engineering track at IEEE SERVICES 2012. This work focused on the question “How can cloud service providers’ SLAs be augmented to meet the security needs of organizational consumers?” Our approach extends WS-Agreement for SLA creation, negotiation, and formation to allow for security risk to be understood as part of service level objectives and service description terms. The result is SecAgreement, which embeds the security requirements expectations. We presented a matchmaking algorithm capable of matching SLA requests against SLA offers within the SecAgreement provided by cloud services to choose the least-risk cloud to fulfill the request.

Architecting Web Service Attack Detection Handlers (A. Andrekanic & R. Gamble) was presented in the research track at ICWS 2012 and described the design, implementation, and evaluation of two attack handler architectures. The handlers reside locally at the web service to intercept messages and detect the potential for specific forms of attacks. The detection generates a detailed SOAP fault that can be logged locally at the service for later determination of problems within a web service composition. XML rewriting and DoS attacks are addressed. After the talk, Dr. Gamble met with Christian Mainka (Horst Görtz Institute for IT-Security (HGI) at Ruhr-University Bochum, Germany), whose work on WS penetration testing can be applied to the services with attack handlers to see if the detection mechanism responds appropriately. This testing will begin in the fall as an extension to the WS attack detection research.

Dr. Gamble presented papers at the IEEE Int’l Conference on Web Services (ICWS), IEEE CLOUD 2012, and IEEE SERVICES 2012, all co-located in Honolulu, HI, where the new IEEE Cloud Initiative was launched. The three papers from SEAT are all part of research in making web services security-aware and building a calculus to verify their security compliance.

The conferences were a great medium for idea exchange and collaboration, and we are looking forward to the next phase of research to incorporate the feedback we received from the presentations! We’ll be posting some information on each paper and conference shortly.

© SEAT 2012 Software Engineering Architecture Team