Title :
An Integrated Method for Pattern-Based Elicitation of Legal Requirements Applied to a Cloud Computing Example
Author :
Beckers, Kristian ; Fassbender, Stephan ; Schmidt, Holger
Author_Institution :
Ruhr Inst. for Software Technol., Univ. of Duisburg-Essen, Duisburg, Germany
Abstract :
Considering legal aspects during software development is a challenging problem, due to the cross-disciplinary expertise required. The problem is even more complex for cloud computing systems, because of the international distribution, huge amounts of processed data, and a large number of stakeholders that own or process the data. Approaches exist to deal with parts of the problem, but they are isolated from each other. We present an integrated method for elicitation of legal requirements. A cloud computing online banking scenario illustrates the application of our methods. The running example deals with the problem of storing personal information in the cloud and is based upon the BDSG (German Federal Data Protection Act). We describe the structure of the online banking cloud system using an existing pattern-based approach. The elicited information is further refined and processed into functional requirements for software development. Moreover, our method covers the analysis of security-relevant concepts such as assets and attackers, particularly with regard to laws. The requirements artifacts then serve as inputs for existing patterns for the identification of laws relevant for the online banking cloud system. Finally, our method helps to systematically derive functional as well as security requirements that realize the previously identified laws.
Keywords :
bank data processing; cloud computing; data privacy; law; software engineering; BDSG; German Federal Data Protection Act; cloud computing online banking scenario; data processing; functional requirements; integrated method; international distribution; law identification; legal requirement elicitation; pattern-based information elicitation; personal information storage; security-relevant concept analysis; software development; stakeholders; Availability; Cloud computing; Law; Online banking; Security; law; requirements engineering; security; software architecture;
Conference_Title :
Availability, Reliability and Security (ARES), 2012 Seventh International Conference on
Conference_Location :
Prague
Print_ISBN :
978-1-4673-2244-7
DOI :
10.1109/ARES.2012.25