Automated Cloud Service Certification

Sebastian Lins


Cloud service certifications (CSC) are good means to establish trust, increase transparency of the cloud market, and allow providers to improve their processes and systems. Several CSCs, such as ‘CSA STAR’, ‘EuroCloud Star Audit’ or ‘TÜV Cloud Security’, have recently evolved. However, cloud services (CSs) are part of an ever-changing environment, resulting from fast technology life cycles and inherent cloud computing characteristics, like on-demand provisioning and entangled supply chains. Hence, such long validity periods may put in doubt the reliability of issued certificates. Conditions and requirements of CSCs may no longer be met throughout these periods, for instance, due to configuration changes or major security incidents. Continuous monitoring and auditing of selected certification criteria (henceforth defined as dynamic certification) is required to assure continuously reliable and secure CSs, and to establish a trustworthy CSC, after the initial certification process is accomplished. Dynamic certification is still in its beginning, literature concerning the usage of (semi) automated methods is scarce, and automated methods have to be evaluated regarding their practical feasibility. To address these research gaps, this thesis aims to answer the question Which automated monitoring and auditing methods can be used in practice to assure ongoing CSC adherence? (RQ 1). To answer this question, this thesis first focuses on the question Which CSC criteria should be continuously monitored and audited? (RQ 2). Moreover, for each CSC criterion an auditing frequency is determined (e.g., monthly or quarterly). After defining a set of CSC criteria appropriate, automated monitoring and auditing methods are identified. In addition, these methods are evaluated regarding their applicability in CS contexts, hence, answering the question Which (semi) automated monitoring and auditing methods exist and are applicable in the context of cloud computing? (RQ 3). Identified methods are discussed with practitioners involved in conducting CSC audits, to ensure applicability in auditing practice, therefore answering the question Which monitoring and auditing methods can be applied in practice? (RQ 4). Based upon these discussions and assessments, design recommendations and guidelines for dynamic CSCs are derived, and a first conceptual model of dynamic CSC is developed to answer the research question What needs to be considered when designing dynamic certifications? (RQ 5). Finally, on the basis of this model of dynamic certification, CSC criteria are mapped to applicable methods, hence, answering the question Which CSC criteria can be monitored and audited by which methods? (RQ 6).

cloud computing continuous certification certification dynamic certification security data protection
Research Methods
literature review interview field observation

Publication Data

Author: Sebastian Lins
Thesis Type: Master's Thesis
Pages: 127
Language: English
About the Author:
Major / Study Program: Information Systems
Primary Field of Study:
Additional Study Interests:
License: CC BY-NC-ND 4.0
Date of Publication: 02/22/22
Status: Available
Date of Grading: 10/29/14
Institution: University of Cologne (University of Cologne, Germany)


# Name Details Endorsement
Prof. Dr. Ali Sunyaev
12:00:00 AM

Thesis Documents and Supplemental Materials

05/27/24 06:46:29 PM
# Description Type Upload Date Location
1 Thesis Document PDF (7.93MB) 02/22/22 12:00:00 AMIPFS Download Raw