
A holistic approach to cloud security certification

Posted on: 2015-01-09
Degree: Ph.D
Type: Dissertation
University: The University of Tulsa
Candidate: Hale, Matthew Loutrelle
Full Text: PDF
GTID: 1478390017995466
Subject: Computer Science
Abstract/Summary:
Companies and government organizations are increasingly compelled, if not required by law, to ensure that their information systems comply with various federal and industry regulatory standards, such as the Health Insurance Portability and Accountability Act (HIPAA), the NIST Special Publication on Security Controls for Federal Information Systems (NIST SP-800-53), or the Common Criteria (ISO 15408-2). Such organizations operate business- or mission-critical systems where a lack of, or lapse in, security protections translates to serious confidentiality, integrity, and availability risks that, if exploited, could result in information disclosure, loss of money, or, at worst, loss of life. To mitigate these risks and ensure that their information systems meet regulatory standards, organizations must be able to a) contextualize regulatory documents in a way that extracts the relevant technical implications for their systems, b) formally represent their systems and demonstrate that they meet the extracted requirements following an accreditation process, and c) ensure that all third-party systems, which may exist outside of the information system enclave as third-party web services in the cloud, also implement appropriate security measures consistent with organizational expectations.

Each part of this process has specific challenges associated with it. First, regulatory documents, originally designed with locally managed "in house" information systems in mind, are being interpreted and scaled to a cloud context without the formal underpinnings necessary for their common expression. Second, current system certification processes rely on a static system model that is not realistic for organizational systems on the cloud. Finally, organizations using third-party web services cannot assess their regulatory compliance. They can neither inspect third-party service designs nor replace a trusted service if it goes down, since there is no current method to assess vertical security compatibility.

To resolve these issues, this work advocates a common expression methodology that consistently extracts technical requirements from regulatory documents in a way that is amenable to the cloud and facilitates both contextualization and reuse by other organizations following the same regulatory standard. A new formal design language, called Cloud X-UNITY, extends existing coordination language models to allow for reasoning over extracted regulatory requirements to prove a cloud's compliance with security expectations. Finally, a Service Level Agreement framework, called SecAgreement, and two accompanying matchmaking algorithms are developed for attaching compliance requirements and risk analysis information to cloud web services and automatically selecting the service that best meets consumer compliance requirements. Overall, the combination forms a single compliance assessment approach.
Keywords/Search Tags: Cloud, Systems, Security, Organizations, Compliance, Requirements, Regulatory, Service