DocumentCode
2130048
Title
Structured Pattern-Based Security Requirements Elicitation for Clouds
Author
Beckers, Kristian ; Heisel, Maritta ; Cote, Isabelle ; Goeke, Ludger ; Guler, Samet
Author_Institution
paluno - The Ruhr Inst. for Software Technol., Univ. Duisburg-Essen, Duisburg, Germany
fYear
2013
fDate
2-6 Sept. 2013
Firstpage
465
Lastpage
474
Abstract
Economic benefits make cloud computing systems a very attractive alternative to traditional IT-systems. However, numerous concerns about the security of cloud computing services exist. Potential cloud customers have to be confident that the cloud services they acquire are secure for them to use. Therefore, they have to have a clear set of security requirements covering their security needs. Eliciting these requirements is a difficult task, because of the number of stakeholders and technical components to consider in a cloud environment. That is why we propose a structured, pattern-based method supporting eliciting security requirements. The method guides a potential cloud customer to model a cloud system via our cloud system analysis pattern. The instantiated pattern establishes the context of a cloud scenario. Then, the information of the instantiated pattern can be used to fill out our textual security requirements patterns. The presented method is tool-supported. Our tool supports the instantiation of the cloud system analysis pattern and automatically transfers the information from the instance to the security requirements patterns. In addition, we have validation conditions that check, e.g., if a security requirement refers to at least one element in the cloud. We illustrate our method using an online-banking system as running example.
Keywords
cloud computing; program verification; security of data; cloud computing systems; cloud services; cloud system analysis pattern; online-banking system; security requirements patterns; structured pattern-based security requirements elicitation; validation conditions; Business; Cloud computing; Security; Servers; Unified modeling language; Virtual machining; ISO 27001; cloud computing; requirements patterns; security requirements engineering; security standards;
fLanguage
English
Publisher
ieee
Conference_Titel
Availability, Reliability and Security (ARES), 2013 Eighth International Conference on
Conference_Location
Regensburg
Type
conf
DOI
10.1109/ARES.2013.61
Filename
6657277