Designing Cloud Services Adhering to Government Privacy Laws

Frank Doelitzscher, Christoph Reich, and Anthony Sulistio
Faculty of Computer Science, Hochschule Furtwangen University, Germany
{frank.doelitzscher, christoph.reich, anthony.sulistio}

Abstract—Cloud computing delivers on-demand services with flexibility and scalability on a simple pay-per-use basis. However, major concerns regarding security and privacy hinder a broad adoption by users, especially small- and medium-sized enterprises (SMEs). This is because existing guidelines, IT standards and laws on security and privacy do not take virtual environments into account. Thus, they present a significant challenge for cloud providers to comply with. As a result, cloud providers are unable to provide SMEs with an assurance.

In order to address these privacy and security issues, this paper presents the Cloud Data Security (CloudDataSec) project, which aims to design cloud services adhering to government privacy laws. In particular, this paper introduces a six-layer security model for cloud computing and three levels of security assurance for SMEs to take advantage of. Finally, Security Management as a Service (SMaaS) modules, as proposed in this paper, enable users to apply the necessary security and privacy operations based on the sensitivity of their data.

Keywords: cloud computing, IT compliance, privacy, data



I. Introduction

Cloud computing delivers on-demand services with flexibility and scalability on a simple pay-per-use basis. For small- and medium-sized enterprises (SMEs), cloud computing enables them to avoid over-provisioning of IT infrastructure and training personnel. For example, online applications offered by cloud providers, known as Software as a Service (SaaS), such as Google Docs and Salesforce customer relationship management, relieve SMEs from the software, hardware and maintenance costs associated with using these applications.

Although cloud computing provides the aforementioned advantages, there are several issues that need to be addressed by cloud providers, such as privacy, security and IT governance in compliance with the legal framework [1]. SMEs need to be wary of several security risks when using cloud services, such as where the cloud providers store their clients’ data, how the cloud providers isolate their clients’ data from others, and how committed the cloud providers are to investigating inappropriate or illegal activities [2].

According to Sotto et al. [3], storing data in the cloud may trigger various federal and state privacy and data security law requirements, such as the US Health Insurance Portability and Accountability Act and the EU Data Protection Directive. For example, Articles 25 and 26 of the EU Data Protection Directive prohibit transfers of personal data to countries outside the European Economic Area (EEA), unless these countries have an adequate level of data protection [4]. Thus, privacy and data security laws present a significant challenge for cloud providers to comply with. As a result, cloud providers are unable to provide SMEs with an assurance.

In order to address these privacy and security issues, this paper presents the Cloud Data Security (CloudDataSec) project, which aims to design cloud services adhering to government privacy laws. In particular, this paper introduces a six-layer security model for cloud computing and three levels of security assurance for SMEs to take advantage of. Finally, Security Management as a Service (SMaaS) modules, as proposed in this paper, enable users to apply the necessary security and privacy operations based on the sensitivity of their data.

The rest of the paper is organized as follows. Section II presents the problem definition that we are trying to address. Section III introduces the CloudDataSec project, and one of its core components, SMaaS, is presented in Section IV. Section V discusses related work. Finally, Section VI concludes the paper and outlines future work.


II. Problem Definition

IT governance and IT compliance rulesets, as well as governmental laws, describe in detail the security and privacy requirements for data centers. In this section, we explain how relevant and applicable they are for cloud

The IT Infrastructure Library (ITIL) [5] provides an auditable best-practice catalog for IT Service Management (ITSM). In addition, ISO Standard 27001:2005 [6] provides internationally auditable requirements for information security, and ISO/IEC 27002 gives best-practice recommendations on information security management. However, in cloud computing, IT resources are no longer solely in the customer’s own data center. Therefore, it is at the discretion of a cloud provider whether to follow ITSM and ISO standards.

Germany’s Federal Data Protection Act [7] regulates the acquisition, processing and storage of personal data. It is known to be the strictest data protection law within Europe. §4b (2) and (3) of the Act define that personal data may only be transferred for processing into countries with an equally adequate level of privacy protection law. In addition, §4 (3) and §4 (16) of the Act specify that whenever personal data are acquired and/or processed by third-party instances, the affected person has to be notified. Finally, §11 (1) states that where other bodies are commissioned to collect, process or use personal data, the responsibility for compliance with the provisions of this Act and with other data protection provisions rests with the principal [7].

From the interpretation of this Act, users must know the exact location of their data and their cloud providers’ court of jurisdiction. Unfortunately, this violates one of the cloud computing principles, namely to host services wherever free resources are available.

Although existing recommendations, standards and laws provide well-established security and privacy rulesets for data center providers, it is becoming clear that they are not designed for virtual environments. Hence, a privacy and security framework is needed that proves the validity and applicability of existing laws to cloud computing. Therefore, in this paper, we identify the following privacy problems and address them:

• Compliance with laws and policies: customers are responsible for the security and integrity of their data, even if the data are outsourced elsewhere.

• Privileged Access Control: storing or processing sensitive data externally introduces additional risk. Cloud computing offerings are controlled by external personnel (i.e. the cloud providers’ administrators). Restricted access control for administrators is necessary to control access to customers’ data.

• Data Segmentation: data of different customers are generally stored on the same physical hard disk, but are separated by the use of virtualization. To protect the data from unauthorized access, cloud providers need to prove seamless support of data encryption. Moreover, evidence of an audited implementation is needed, since failures and/or losses of encryption information may lead to a total loss of the data.

• Incident investigation: at present, cloud providers do not offer support in case of a security incident, e.g. a data loss due to industrial espionage. This is because access to a public cloud infrastructure is only regulated by possession of a credit card. Therefore, hackers are able to explore customers’ environments without the classic barriers that a protected data center provides. Recording a permanently changing environment, where virtual machines (VMs) are started and terminated by many customers, is a challenging task. Thus, only logging of a customer’s activity within the cloud is offered for the purpose of an incident investigation.


III. The CloudDataSec Project

To incorporate security and trust functionalities that comply with EU and government privacy laws, we have established the CloudDataSec project. In addition, this project complements our work in building a cloud infrastructure [8] [9].

In this project, we introduce a six-layer security model, as depicted in Figure 1. The top layer, Risk Analysis, establishes a process on the management level to evaluate the risk of outsourcing certain services into a cloud environment. Thus, services identified as sensitive need to stay within the organization. The Security Guidelines layer describes legal and policy constraints. Hence, an intensive examination of existing laws and policies results in guidelines on how policies for real data centers are applicable to cloud environments and how they could be applied.

Figure 1. Six layers of security and privacy for cloud computing.

Service Level Agreements (SLAs) between customers and a cloud provider specify Quality of Service (QoS) requirements regarding privacy and security. In addition, an SLA guarantees contractual certainty, and it has to be monitored. Therefore, we define another layer for QoS Monitoring, as shown in Figure 1. In order to provide a high level of data security, we have Data Encryption and Logging layers for seamless data encryption and comprehensive logging of user activity, respectively. The Encrypted Communication layer uses standard protocols, such as Encryption Control Protocol (ECP), SSH and Internet Protocol security (IPsec), and their implementations, e.g. Virtual Private Network (VPN), to encrypt internal and external network communications.

Applying this six-layer security model to the privacy problems mentioned in Section II, the Security Guidelines and Data Encryption layers, together with a specific SLA (e.g. data must be stored in Germany), address the requirements of compliance with laws and policies and of data segmentation. In addition, the Logging layer provides a solution for access control and incident investigation. Finally, the Encrypted Communication layer encrypts communication to prevent data loss due to eavesdropping attacks, such as man-in-the-middle [10].

Three Levels of Security Assurance

To give users more control over their security needs, we introduce three levels of assurance, as shown in Table I. The assurance levels are differentiated by their functionalities.

Table I

| | Basic | Advanced | Premium |
|---|---|---|---|
| VM location | Open pool | Domain specific | Private host |
| Identification | E-mail, credit card | Letter | Third-party identification |
| VM firewall | ✓ | ✓ | ✓ |
| Administration | Firewall GUI | Firewall GUI | Firewall GUI |
| Protocol monitor | – | ✓ | ✓ |
| Application level firewall | – | ✓ | ✓ |
| Quarantine for compromised systems | – | ✓ | ✓ |
| Restart of service | – | secure VM gets started (up to 3x) | free selection |
| Quarantine access | – | ssh | ssh, terminal |

[Figure 2. SMaaS in a cloud environment. The figure shows two cloud hosts (Cloud-Host 1 and 2), each running VMs on a security hypervisor (e.g. Dom0) with security monitors (SM-VM, SM-H), an external network and an internal cloud network, encrypted data storage, and the SMaaS components Crypto Module, Customer PKI, Policy Module, Data Leakage Prevention, Intrusion Detection, User Security Monitor and Security Level.]

The following example explains the different levels of assurance. Suppose a security manager, Bob, wants to use cloud computing to outsource his company’s services. After performing a risk analysis on the services, the following levels of assurance are identified:

• Basic level for the development of the company’s website. No sensitive data are stored on the development web server. If the system gets compromised, it will only have some minor consequences.

• Advanced level for hosting the company’s website. There are no restrictions on co-located VMs hosted on the same physical VM host, but only domain-specific VMs should be allowed. This is because the risk analysis showed that the availability of the company’s website has a direct impact on generating its revenue. In the event of a security incident, the compromised VM is moved into a quarantine environment, and a clean web server image gets deployed to provide high availability. Bob gets informed about the security incident and can access the compromised VM stored in the quarantine environment by ssh.

• Premium level for hosting an online store that contains customer data. The online shop backend contains sensitive user data. The risk analysis showed that in the event of data leakage, the company’s reputation would be damaged. Permanent monitoring and domain-specific communication profiles detect a possible security incident. To prevent data leakage, the system is moved to a quarantine environment. Since it is likely that the problem leading to the security incident exists on the “clean” backup image as well, no backup VM is started, to prevent a replay of the attack. The integrity of the service has a higher priority than its availability.

An implementation of the described scenarios involves the development of several modules. One core element is the Security Management and Monitoring as a Service (SMaaS) module, which is presented in detail next.



IV. Security Management and Monitoring as a Service (SMaaS)

Figure 2 presents the SMaaS architecture in a simplified cloud environment of one user domain. SMaaS consists of the following modules:

• Crypto Module. If it is switched on, the stored data are encrypted.

• Customer Public Key Infrastructure (PKI) for users’ authentication and data segmentation.

• SLA Monitoring for guaranteeing QoS attributes.

• Policy Module for monitoring configuration, data access and system state (e.g. patch level). Moreover, it generates audit reports about the status of the user’s

• Data Leakage Prevention (DLP) Module for monitoring data flows.

• Logging for providing seamless logging of events and data access. It includes a time stamp service to provide tamper-proof and legally compliant logging entries.

• Intrusion Detection System (IDS) for monitoring unauthorized access. It works closely together with the DLP module.

Figure 3. SMaaS modules in correlation to the security and privacy layers.

Figure 3 shows how the SMaaS modules correlate to the six layers of security and privacy. As SMaaS is still under development, only the Crypto and Customer Public Key Infrastructure modules are presented in more detail.
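The Logging module above promises tamper-proof entries backed by a time stamp service, but the paper does not specify a record format. The following Go program is an added illustration, not code from the CloudDataSec project: it chains each audit entry to its predecessor with an HMAC-SHA256 tag under a key assumed to be held by the logging/time stamp service rather than on the storage administrators can write to, so an entry rewritten after the fact (here a constructed record of an administrator reading customer data) is detected on verification. The field names, sample entries, timestamps and key are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// Entry is one audit-log record. Tag is an HMAC over the record's content,
// its timestamp and the previous record's Tag, so that editing or reordering
// a stored entry breaks the chain from that point on.
type Entry struct {
	Seq       int
	Timestamp time.Time // assumed to be supplied by the trusted time stamp service
	Actor     string    // who acted, e.g. a provider administrator account
	Action    string    // what was done, e.g. which customer data was read
	PrevTag   string    // Tag of the preceding entry ("" for the first one)
	Tag       string
}

// Log is an append-only chain of entries under one HMAC key. The key is
// assumed to live with the logging/time stamp service, not on the storage
// that administrators can write to.
type Log struct {
	key     []byte
	Entries []Entry
}

// tag computes HMAC-SHA256 over the entry fields and the previous tag.
// Fields are NUL-separated so their boundaries cannot be shifted.
func (l *Log) tag(e Entry) string {
	mac := hmac.New(sha256.New, l.key)
	for _, field := range []string{strconv.Itoa(e.Seq), e.Timestamp.UTC().Format(time.RFC3339Nano), e.Actor, e.Action, e.PrevTag} {
		mac.Write([]byte(field))
		mac.Write([]byte{0})
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// Append records an event and links it to the previous entry.
func (l *Log) Append(at time.Time, actor, action string) Entry {
	e := Entry{Seq: len(l.Entries), Timestamp: at, Actor: actor, Action: action}
	if n := len(l.Entries); n > 0 {
		e.PrevTag = l.Entries[n-1].Tag
	}
	e.Tag = l.tag(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose
// sequence number, link or tag is inconsistent, or -1 if the log is intact.
func (l *Log) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevTag != prev || !hmac.Equal([]byte(e.Tag), []byte(l.tag(e))) {
			return i
		}
		prev = e.Tag
	}
	return -1
}

// DemoLog fills a constructed log, then rewrites an earlier entry the way an
// administrator hiding a data access might, and returns the Verify results
// before and after the change (-1 means intact).
func DemoLog() (before, after int) {
	l := &Log{key: []byte("constructed-demo-key-do-not-reuse")}
	t0 := time.Date(2010, 5, 3, 9, 0, 0, 0, time.UTC) // constructed timestamps
	l.Append(t0, "admin@provider", "vm-17 started for customer-a")
	l.Append(t0.Add(2*time.Minute), "admin@provider", "read /data/customer-a/orders.db")
	l.Append(t0.Add(5*time.Minute), "customer-a", "ssh login to quarantine vm-17")
	before = l.Verify()
	l.Entries[1].Action = "read /var/log/syslog" // the stored tag no longer matches
	after = l.Verify()
	return before, after
}

func main() {
	before, after := DemoLog()
	fmt.Printf("intact log: %d, after tampering: first bad entry %d\n", before, after)
}
```

The chain only proves integrity relative to its head: whoever can recompute tags with the key can rewrite history, which is why the key must stay with the time stamp service and the latest Tag should be anchored outside the store (e.g. handed to the customer with each audit report), so that truncating the log is detectable as well.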

Crypto Module

Storing encrypted data in an untrusted storage medium, e.g. a database that is not administered by the data owner, is possible using well-established techniques, such as encfs, LUKS and dm-crypt. Public, well-established cryptographic standards, such as AES and Blowfish, are used. This would be sufficient for a plain storage cloud. However, as soon as the data need to be processed, they need to be decrypted and copied into the system’s main memory. Therefore, a full system encryption is needed.

Due to its early research status, a fully homomorphic encryption system, e.g. as discussed in [11], is not yet considered as a possibility. Hence, a trusted hardware solution, such as the Trusted Platform Module (TPM), is a possible alternative. The TPM is a computer chip that securely stores artifacts, such as certificates and encryption keys, to authenticate a platform or computing device [12]. Thus, the TPM provides better protection from software attacks.

Customer Public Key Infrastructure

A Public Key Infrastructure (PKI) [13] is a system or an infrastructure that is responsible for issuing, distributing and verifying certificates based on asymmetric cryptography. The certificates are used to identify and to protect users and systems. A PKI system can also be utilized to distribute symmetric keys (known as hybrid encryption), which are used for the encryption of communication and data. Various PKI sub-components and their relation to cloud computing are explained next.

Certificates: Certificates are used for user and machine identification, and for encryption of data and communications in the cloud. The structure of certificates is defined in the ITU standard X.509v3 [14]. A certificate contains, among other things, the period during which it is valid (from when until when), information on the subject and the issuer of the certificate, and the signature of the certificate issuer.

Certificate Callbacks: The revocation or blocking of certificates is an important task. This is necessary if the private key has been compromised, if the certificates are no longer needed, or if it turns out that the identity verification was not correct [15].

Today there are many extensions to the ITU standard. The most important ones are the extensions of the IETF Public Key Infrastructure X.509 (PKIX) Working Group [16], such as Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP). Revoked certificates are published in the CRL. Thus, these two extensions address the handling of certificate callbacks and enable a browser to automatically check whether the certificates used are still valid and have not been revoked.

In a cloud infrastructure, the best way to check certificate revocation is OCSP [17]. With OCSP, an OCSP responder must know the most recent CRL, since a client queries the status of a certificate each time it is needed. The response to the client states whether the certificate has been revoked or is still valid. The URL of the relevant OCSP responder can also be stored in a certificate extension. Since only one OCSP server needs to be updated, the revocation of a certificate is spread easily. Therefore, using OCSP in a cloud computing environment is advantageous.

Certificate Authority: The Certification Authority (CA) generates and signs certificates. It is also responsible for generating a CRL. A CA can have several intermediate CAs or sub-CAs, as shown in Figure 4. An intermediate CA can be useful if it is exclusively in charge of an organization. This is easy to arrange, because the organization appears as one entry of the X.500 certificate subject.

Most CAs support exclusively the hierarchical trust model. One reason is the specification of the hierarchical model in the use of X.500, and of X.500 to X.509. This trust model assumes that all participants trust the root certificate. Hence, all certificates generated and verified by the root CA can be trusted. In general, there are two types of CAs:

• Online CA: can be reached via a network and is able to sign new certificates immediately.

• Offline CA: cannot be reached online. Thus, new certificates are issued only by an administrator who has authorized access to a server hosting this CA. As a result, this CA is very well protected against external influences and physical access. This CA is the most common type for the certificates of large vendors.

Figure 4. Provider CA with sub-CAs.

For the CloudDataSec project, we propose to mix online and offline CAs, where the offline CAs are operated by a cloud provider. These offline CAs are used only to create certificates for the cloud provider and intermediate CAs for their customers. The customers’ intermediate CAs are then operated as online CAs, with a limitation on the name space of the customer. Therefore, the customer’s intermediate CA can only create certificates for the customer’s own instances and users, as shown in Figure 4. A disadvantage of this approach is that new customers can use intermediate CAs only after a comprehensive check of their identity. This would slow down the adoption of cloud computing: the customer of a cloud provider may lose plenty of time waiting before a service can be used. If the cloud provider requires an extended identity check, such as for Extended Validation (EV) certificates, it may take much longer than the standard check. This is because an extended identity check should be performed in all cases where legal certainty is addressed.
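To make the proposed hierarchy concrete, here is an added Go example (not code from the CloudDataSec project) using only the standard library: an offline provider root signs a per-customer intermediate CA whose critical nameConstraints extension permits only the customer-a.example name space; a relying party then accepts a leaf inside that space and refuses one outside it; finally the customer CA issues a CRL (the PKIX revocation mechanism discussed above) and the revoked serial is looked up in it. The customer names, serial numbers, key type and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity pairs a certificate with the private key that signs for it.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// check aborts the demo on infrastructure errors (key generation, signing).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a minimal X.509v3 certificate for it, signed
// by parent (nil parent: self-signed root). dnsNames are the SAN entries that
// name constraints are checked against; permitted (CAs only) becomes a critical
// nameConstraints extension limiting which names the CA may sign for.
func issue(serial int64, cn string, isCA bool, dnsNames, permitted []string, parent *entity) *entity {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &entity{cert: cert, key: key}
}

// verifyChain validates leaf -> intermediate -> root; the intermediate's name
// constraints are enforced here by the relying party, not at signing time.
func verifyChain(leaf, inter, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// isRevoked trusts the CRL only if its issuing CA signed it, then looks the
// leaf's serial number up in the revoked entries.
func isRevoked(crlDER []byte, issuer, leaf *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// DemoPKI builds the proposed hierarchy (offline provider root that signs only
// intermediate CAs; online customer CA confined to the customer's name space),
// then revokes one leaf via a CRL. outsideReason is "" if the verifier wrongly
// accepted the out-of-scope leaf.
func DemoPKI() (insideOK bool, outsideReason string, revokedFound bool) {
	root := issue(1, "Cloud Provider Root CA (offline)", true, nil, nil, nil)
	inter := issue(2, "Customer A Intermediate CA (online)", true, nil, []string{"customer-a.example"}, root)
	inside := issue(100, "shop.customer-a.example", false, []string{"shop.customer-a.example"}, nil, inter)
	// The customer CA can technically sign a name outside its space; verifiers must reject it.
	outside := issue(101, "shop.customer-b.example", false, []string{"shop.customer-b.example"}, nil, inter)
	insideOK = verifyChain(inside.cert, inter.cert, root.cert) == nil
	if err := verifyChain(outside.cert, inter.cert, root.cert); err != nil {
		outsideReason = err.Error()
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: inside.cert.SerialNumber, RevocationTime: time.Now()}},
	}, inter.cert, inter.key)
	check(err)
	revokedFound, err = isRevoked(crlDER, inter.cert, inside.cert)
	check(err)
	return insideOK, outsideReason, revokedFound
}

func main() { fmt.Println(DemoPKI()) }
```

Two points the run makes visible: the intermediate happily signs shop.customer-b.example, so the name-space limitation only holds because every relying party honours the (critical) name constraints extension; and a CRL is only evidence of revocation after its signature has been checked against the issuing CA, which is the same trust step an OCSP responder performs on the client's behalf.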


V. Related Work

Research on data privacy for cloud computing is still in its early stages. Other works mainly describe the need for security and privacy, and their efforts in defining guidelines [1] [18]. The Cloud Security Alliance (CSA) develops a security guidance that identifies several key security domains or topics, such as compliance and audit, incident report and encryption [1]. In addition, the CSA describes several recommendations for each domain. Pearson [18], on the other hand, proposes several design guidelines for delivering cloud services, such as using a privacy impact assessment, allowing user choice and providing feedback. The recommendations provided by the CSA are similar to the aims of the CloudDataSec project. Moreover, the three levels of security assurance for cloud services offered by the CloudDataSec project address these design guidelines.

Existing SaaS offerings mostly deliver traditional security applications as an Internet-based service. Vendors such as McAfee offer cloud virus scanning or email spam filtering [19]. Although McAfee’s service is certified against the Payment Card Industry Data Security Standard, compliance with the EU and German data protection laws is necessary for customers. The CloudDataSec project was started with adherence to EU and German data protection laws in mind.

An approach which follows the idea of the CloudDataSec project is presented in [20], where the authors propose the use of cryptographic co-processors to achieve tamper-proof storage and processing of data stored in a cloud environment. The prototype confirms the use of a TPM to achieve full system encryption. They also agree that it is compulsory to provide customers with privacy feedback about all operations applied to their data in order to relieve security and privacy concerns.

The adoption of the TPM is widespread, as it is used for different purposes. Berger et al. [21] virtualize the TPM for all VMs running on a platform. Similarly, Terra [22], a flexible architecture for trusted computing, integrates the TPM with the virtual machine monitor (VMM) into a trusted VMM (TVMM). In contrast, Pearson et al. [23] leverage the TPM on a client machine to provide encryption services and to verify the integrity of a privacy manager.

Sadeghi et al. [24] introduce the European Multilateral Secure Computing Base (EMSCB), which combines unmodified existing operating systems (OS) with the PERSEUS [25] software and TPM hardware to provide a trusted computing base. An important role in establishing trust in SMaaS is that customers get information about the security status of their (rented) systems. However, the presented PERSEUS software does not provide any monitoring capabilities.

Hu and Klein state in [26] that the security and privacy issues of traditional web applications are also valid for cloud environments. Furthermore, they agree that encryption is a feasible solution to the problems mentioned in Section II. Assuming databases are used to store data in the cloud, they showed that encryption causes a performance overhead that depends on the transaction type. While read, update and delete statements on encrypted data do not affect performance significantly, create statements result in a four-fold increase in write time compared to their unencrypted equivalent.


VI. Conclusion and Future Work

The applicability of existing security and privacy policies to cloud computing environments needs to be validated. Therefore, the CloudDataSec project presents a six-layer architecture addressing the most important privacy concerns. Moreover, the CloudDataSec project gives users more control over deploying their cloud services according to three levels of security assurance. Finally, Security Management as a Service (SMaaS) modules, as proposed in this paper, enable users to apply the necessary security and privacy operations based on the sensitivity of their data. For example, a Crypto module enables data encryption at the file and database level, whereas a Customer Public Key Infrastructure module automates the generation of the certificates needed for new customers.

The CloudDataSec project is in its early stages. A formal validation of the proposed six-layer security model and an analysis of its applicability to major cloud computing risks will be considered. Implementation and evaluation of the presented SMaaS modules are work in progress. Finally, a security catalog comparing existing German security and privacy laws, and their possible conversion and implementation by the SMaaS modules, will be created.


References

[1] Cloud Security Alliance, “Security Guidance for Critical Areas of Focus in Cloud Computing v2.1,” December 2009.

[2] Gartner, “Assessing the Security Risks of Cloud Computing,” June 2008.

[3] L. J. Sotto, B. C. Treacy, and M. L. McLellan, “Privacy and Data Security Risks in Cloud Computing,” in Electronic Commerce & Law Report, Feb. 2010.

[4] Council Directive 2002/58/EC, “On the protection of individuals with regard to the processing of personal data and on the free movement of such data,” Official Journal L 281, pp. 31–50, October 24, 1995.

[5] IT Infrastructure Library, February 2010.

[6] International Organization for Standardization, “ISO 27001:2005,” February 2010.

[7] German Parliament, German Data Protection Act. Deutscher Taschenbuch Verlag, ISBN 3406561632, February 2010.

[8] A. Sulistio, C. Reich, and F. Dölitzscher, “Cloud Infrastructure & Applications - CloudIA,” in Proceedings of the 1st International Conference on Cloud Computing (CloudCom’09), Beijing, China, Dec. 1–4 2009.

[9] F. Doelitzscher, A. Sulistio, C. Reich, H. Kuijs, and D. Wolf, “Private Cloud for Collaboration and e-Learning Services: from IaaS to SaaS,” Hochschule Furtwangen University, Tech. Rep. CRL-2010-01, Feb. 2010.

[10] H. F. Tipton and M. Krause, Eds., Information Security Management Handbook, 6th ed., vol. 2. Auerbach Publications, 2008.

[11] C. Gentry, “A Fully Homomorphic Encryption Scheme,” Ph.D. dissertation, Stanford University, September 2009.

[12] Trusted Computing Group, “Trusted Platform Module (TPM) Summary,” Whitepaper, April 2008.

[13] K. Schmeh, Kryptografie: Verfahren, Protokolle, Infrastrukturen. dpunkt-Verlag, Heidelberg, 2007.

[14] D. Cooper et al., “X.509 PKI Certificate and Certificate Revocation List (CRL) Profile,” RFC 5280, May 2008.

[15] German National Research and Education Network, “Zertifizierungsrichtlinie der DFN-PKI v2.2,” CP v22.pdf, February 2010.

[16] Internet Engineering Task Force, “Public-Key Infrastructure,” September 2009.

[17] M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams, “X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP,” RFC 2560 (Proposed Standard), Internet Engineering Task Force.

[18] S. Pearson, “Taking Account of Privacy when Designing Cloud Computing Services,” in Proceedings of the ICSE Workshop on Software Engineering Challenges of Cloud Computing, Vancouver, Canada, May 23 2009.

[19] McAfee, “Effective Management of Anti-Virus and Security Solutions for Smaller Businesses,” Whitepaper, 2004.

[20] W. Itani, A. Kayssi, and A. Chehab, “Privacy as a Service: Privacy-Aware Data Storage and Processing in Cloud Computing Architectures,” in Proceedings of the International Workshop on Security in Cloud Computing (SCC’09), Chengdu, China, Dec. 12–14 2009.

[21] S. Berger, R. Cáceres, K. A. Goldman, R. Perez, R. Sailer, and L. van Doorn, “vTPM: Virtualizing the Trusted Platform Module,” in Proceedings of the 15th USENIX Security Symposium, July 31 – August 04 2006.

[22] T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh, “Terra: A Virtual Machine-Based Platform for Trusted Computing,” ACM SIGOPS Operating Systems Review, vol. 37, no. 5, pp. 193–206, 2003.

[23] S. Pearson, Y. Shen, and M. Mowbray, “A Privacy Manager for Cloud Computing,” in Proceedings of the 1st International Conference on Cloud Computing (CloudCom’09), Beijing, China, Dec. 1–4 2009.

[24] A.-R. Sadeghi, C. Stüble, and N. Pohlmann, “European Multilateral Secure Computing Base - Open Trusted Computing for You and Me,” Datenschutz und Datensicherheit, vol. 09, pp. 548–554, 2004.

[25] B. Pfitzmann, J. Riordan, C. Stübe, and M. Waidner, “The PERSEUS System Architecture,” IBM Research Division, Tech. Rep., 2001.

[26] J. Hu and A. Klein, “A Benchmark of Transparent Data Encryption for Migration of Web Applications in the Cloud,” in Proceedings of the International Workshop on Security in Cloud Computing (SCC’09), Chengdu, China, Dec. 12–14
