Towards Model-Based Security Assessment of Cloud Applications

Security issues are still posing limitations to the full exploitation of the potential of the cloud computing paradigm, and cloud developers are more and more required to take security into account from the very beginning of the development process. Unfortunately, the application of classical security best practices may be not enough due to the involvement of cloud services provided by third-parties and out of the control of the developer. In this paper, to overcome this issue, we introduce and discuss a model-based process for the security assessment of cloud applications. In particular, we suggest a complete process that can be executed within the lifecycle of a cloud application, from the requirement elicitation up to the validation (both static and dynamic through the generation and execution of suitable test cases) of the final deployment against security requirements. In this work, we sketch the process main phases and illustrate the high-level modelling languages that have been defined to describe an application at different levels of abstraction and to formalize both security requirements of applications and security features offered by existing cloud services. A running example involving the assessment of a simple yet realistic cloud application is used throughout the paper to better illustrate the proposal and to demonstrate its feasibility and effectiveness.