DocumentCode :
652325
Title :
Towards Building an Automated Security Compliance Tool for the Cloud
Author :
Ullah, Kazi Wali ; Ahmed, Amjed Sid ; Ylitalo, J.
Author_Institution :
Ericsson Res., Finland
fYear :
2013
fDate :
16-18 July 2013
Firstpage :
1587
Lastpage :
1593
Abstract :
Security, especially security compliance, is a major concern that is slowing down large-scale adoption of cloud computing in the enterprise environment. Governmental regulations, business requirements and trust are among the reasons why enterprises require certain levels of security compliance from cloud providers. So far, security compliance or auditing information has been generated manually by security specialists. This involves manual data collection and assessment, which is slow and expensive. Thus, there is a need for an automated security compliance tool (ASCT) to verify and express the compliance of various cloud providers. Such a tool can reduce human intervention and eventually reduce cost and time by verifying compliance automatically. The tool will also make cloud vendors more transparent to customers, which in turn will help build confidence in the cloud vendors. With these goals in mind, we have developed an architecture to build an ASCT for a cloud computing platform. We have also outlined four possible approaches to achieve this automation. These four approaches refer to four data collection mechanisms for collecting data from cloud systems: API, vulnerability scanning, log analysis and manual entry. Finally, we have implemented a proof-of-concept prototype of this ASCT based on the proposed architecture. The prototype is integrated with the OpenStack cloud platform and the results are exposed using the CloudAudit API.
Keywords :
application program interfaces; business data processing; cloud computing; security of data; trusted computing; ASCT; CloudAudit API; OpenStack cloud platform; auditing information; automated security compliance tool; business requirements; cloud computing platform; data collection mechanisms; enterprise environment; governmental regulations; log analysis; manual entry; trust; vulnerability scanning; Cloud computing; Engines; Manuals; Ports (Computers); Security; Servers; Standards; Cloud Audit; Cloud Control Matrix (CCM); OpenStack; Security Compliance;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on
Conference_Location :
Melbourne, VIC
Type :
conf
DOI :
10.1109/TrustCom.2013.195
Filename :
6681020