Clouditor

Continuous Cloud Assurance

© Fraunhofer AISEC
The Clouditor makes tailored testing of services and applications possible.

Using the cloud saves users time and money. With modern cloud services, even complex applications can be set up easily and quickly, which is why many innovative businesses choose this path to remain competitive and successful.
However, the cloud also adds a layer of complexity: maintaining control over abstract, provider-managed resources is difficult. Small and medium-sized businesses in particular therefore rely on compliance tools to keep cloud-related risks in check.

Often, important questions like “Is my application protected against attacks in the cloud?” or “Does a service behave as promised in the SLA?” have no clear answers. This is where the Clouditor comes in: an assurance tool that automatically poses such questions to your products and applications and evaluates the results precisely. It runs automated tests against your cloud services, then stores and visualizes the results so that they can be processed further, for example as evidence in a certification audit.

What is the Clouditor?

The Clouditor is an assurance tool that checks whether cloud-based services and applications are securely configured. Customized checks run continuously, so statements about the required settings are both precise and current. Results are available as soon as a check has run, allowing a prompt reaction to any discrepancy detected.

The Clouditor currently supports numerous checks for Amazon Web Services (AWS) and Microsoft Azure. The checks are based on security best practices drawn from configuration catalogs and can be adapted to user-defined requirements.


What does the Clouditor do?

With the Clouditor, you can continuously check and verify that your cloud services fulfil the agreed security or compliance requirements. The requirements can be taken from the Cloud Controls Matrix (CCM) of the Cloud Security Alliance (CSA) or the Cloud Computing Compliance Controls Catalogue (C5) of the German Federal Office for Information Security (BSI). The information produced by the Clouditor can be fed into ISMS tools to provide application-specific security information.

This creates security, trust and transparency, improves client relations and reduces your business risk. It can also significantly reduce the cost of preparing audits, particularly for multi-cloud systems.

The Clouditor checks typical data security requirements, such as:

  • secure communication encryption using state-of-the-art TLS
  • encryption of sensitive data at rest in the cloud, e.g., in AWS S3 buckets and Azure storage accounts
  • encryption of data stored in databases, e.g., Azure SQL
  • access to sensitive data restricted to authorized identities
  • correctly implemented security guidelines in AWS S3 bucket policies
  • adherence to guaranteed data availability levels
  • deletion of personal data within a defined period, in conformance with the EU General Data Protection Regulation (GDPR)
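As an added illustration of what one such check looks like when turned into code, the following Go program evaluates a constructed S3 bucket configuration against three of the requirements above: default encryption at rest, TLS enforcement through a Deny on the aws:SecureTransport condition, and the absence of an unconditional Allow to Principal "*" in the bucket policy. It was written for this page and is not Clouditor's own code; the BucketConfig type, the check names and the two sample buckets are assumptions made for the example and do not reflect Clouditor's evidence model.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// BucketConfig is a constructed, simplified view of one S3 bucket as a check
// would see it after discovery; the field names are assumptions for this
// example, not Clouditor's evidence schema.
type BucketConfig struct {
	Name         string // bucket name
	SSEAlgorithm string // default encryption: "AES256", "aws:kms" or "" (off)
	PolicyJSON   string // attached bucket policy document, "" if none
}

// statement holds the parts of an IAM policy statement the checks inspect.
// Principal is polymorphic in IAM JSON, so it is kept raw for isWildcardPrincipal.
type statement struct {
	Effect    string                                `json:"Effect"`
	Principal json.RawMessage                       `json:"Principal"`
	Condition map[string]map[string]json.RawMessage `json:"Condition"`
}

// parseStatements accepts both "Statement": [...] and "Statement": {...}.
func parseStatements(policy string) ([]statement, error) {
	var doc struct{ Statement json.RawMessage }
	if err := json.Unmarshal([]byte(policy), &doc); err != nil {
		return nil, err
	}
	var list []statement
	if json.Unmarshal(doc.Statement, &list) == nil {
		return list, nil
	}
	var single statement
	if err := json.Unmarshal(doc.Statement, &single); err != nil {
		return nil, err
	}
	return []statement{single}, nil
}

// isWildcardPrincipal is true for "Principal": "*" and {"AWS": "*"}; a list of
// principals containing "*" is rare and deliberately left out of this example.
func isWildcardPrincipal(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "*"
	}
	var m struct{ AWS string }
	return json.Unmarshal(raw, &m) == nil && m.AWS == "*"
}

// EvaluateBucket returns one verdict per check, keyed by an assumed check name.
// A policy that cannot be parsed is reported as an error rather than passed.
func EvaluateBucket(b BucketConfig) (map[string]bool, error) {
	res := map[string]bool{
		"s3-default-encryption": b.SSEAlgorithm == "AES256" || b.SSEAlgorithm == "aws:kms",
		"s3-enforce-tls":        false, // only a Deny on aws:SecureTransport=false sets this
		"s3-no-public-access":   true,  // cleared by any unconditional Allow to everyone
	}
	if b.PolicyJSON == "" {
		return res, nil
	}
	stmts, err := parseStatements(b.PolicyJSON)
	if err != nil {
		return nil, fmt.Errorf("%s: unreadable bucket policy: %w", b.Name, err)
	}
	for _, st := range stmts {
		v := string(st.Condition["Bool"]["aws:SecureTransport"]) // raw JSON value
		if st.Effect == "Deny" && (v == "\"false\"" || v == "false") {
			res["s3-enforce-tls"] = true
		}
		// Allow + Principal * + no Condition is public access, whatever the Action.
		if st.Effect == "Allow" && isWildcardPrincipal(st.Principal) && len(st.Condition) == 0 {
			res["s3-no-public-access"] = false
		}
	}
	return res, nil
}

// AllPassed is true when every check in a result map passed.
func AllPassed(res map[string]bool) bool {
	for _, ok := range res {
		if !ok {
			return false
		}
	}
	return true
}

// Constructed sample: KMS-encrypted, TLS enforced, readable only by one role.
var goodBucket = BucketConfig{Name: "example-compliant-bucket", SSEAlgorithm: "aws:kms",
	PolicyJSON: `{"Version": "2012-10-17", "Statement": [
	  {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
	   "Resource": "arn:aws:s3:::example-compliant-bucket/*",
	   "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
	  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
	   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-compliant-bucket/*"}]}`}

// Constructed sample: no default encryption, world-readable, no TLS enforcement.
var badBucket = BucketConfig{Name: "example-public-bucket",
	PolicyJSON: `{"Version": "2012-10-17", "Statement":
	  {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
	   "Resource": "arn:aws:s3:::example-public-bucket/*"}}`}
```

The two design choices worth noting: a parse failure is surfaced as an error instead of a passing result, because an unreadable policy is exactly the case an auditor must see, and "public" is defined purely on Effect, Principal and the absence of a Condition, independent of the Action, so a world-readable listing is caught the same way as a world-writable object grant.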

The Clouditor also checks geographical location requirements, such as:

  • compliant placement of cloud resources in regions of AWS and Azure
  • compliant configuration of geo-replicas, e.g., Azure SQL
  • geolocation of a service, e.g., using GeoIP
  • detection of a change in geographical location using machine learning.

What’s more, the Clouditor can review identity and access management requirements:

  • correct implementation and configuration of single sign-on systems, e.g., based on OAuth 2.0 (with OpenID Connect as the identity layer on top of it)
  • secure life-cycle management of access authorizations, e.g., appropriate password rotation
  • correct configuration of access controls for network-based cloud resources, e.g., security groups, network ACLs and firewalls.
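As an added example of the last item, the following Go program checks a constructed set of security-group ingress rules for admin ports (SSH, RDP, MySQL, PostgreSQL) or all traffic exposed to the whole Internet. It was written for this page and is not Clouditor's own code; the IngressRule and SecurityGroup types, the list of admin ports and the two sample groups are assumptions for the example rather than provider SDK types or a requirement taken from CCM or C5. Two edge cases a practitioner would want handled are included: a wide port range that merely contains an admin port, and a malformed CIDR, which is reported rather than silently ignored.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IngressRule is a constructed, simplified form of one security-group ingress
// permission; the field names are assumptions for this example, not an SDK type.
type IngressRule struct {
	Protocol string // "tcp", "udp", "icmp" or "-1" for all traffic
	FromPort int    // port range, ignored when Protocol is "-1"
	ToPort   int
	CIDR     string // source range, IPv4 or IPv6
}

// SecurityGroup is the resource under test.
type SecurityGroup struct {
	ID    string
	Rules []IngressRule
}

// Violation records one rule that breaks the requirement and why.
type Violation struct {
	GroupID string
	Rule    IngressRule
	Reason  string
}

// adminPorts must never be reachable from the whole Internet under the
// (assumed) requirement this check enforces: SSH, RDP, MySQL, PostgreSQL.
var adminPorts = []int{22, 3389, 3306, 5432}

// coversPort is true when the rule admits traffic to the given TCP/UDP port.
func coversPort(r IngressRule, port int) bool {
	if r.Protocol == "-1" {
		return true
	}
	return (r.Protocol == "tcp" || r.Protocol == "udp") && r.FromPort <= port && port <= r.ToPort
}

// isWorldOpen is true for 0.0.0.0/0 and ::/0. A malformed CIDR is an error so
// that an unparsable rule cannot silently pass the check.
func isWorldOpen(cidr string) (bool, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return false, err
	}
	return p.Bits() == 0, nil
}

// CheckSecurityGroup returns every ingress rule that exposes an admin port (or
// all traffic) to the Internet, plus any rule whose source CIDR is unparsable.
func CheckSecurityGroup(sg SecurityGroup) []Violation {
	var out []Violation
	for _, r := range sg.Rules {
		open, err := isWorldOpen(r.CIDR)
		switch {
		case err != nil:
			out = append(out, Violation{sg.ID, r, "unparsable source CIDR: " + err.Error()})
		case !open:
			// A restricted source is acceptable regardless of port.
		case r.Protocol == "-1":
			out = append(out, Violation{sg.ID, r, "all traffic open to the Internet"})
		default:
			var exposed []int
			for _, p := range adminPorts {
				if coversPort(r, p) {
					exposed = append(exposed, p)
				}
			}
			if len(exposed) > 0 {
				out = append(out, Violation{sg.ID, r, fmt.Sprintf("admin ports %v open to the Internet", exposed)})
			}
		}
	}
	return out
}

// Constructed samples: a web tier that is fine, and a group with three problems.
var webGroup = SecurityGroup{ID: "sg-web", Rules: []IngressRule{
	{"tcp", 443, 443, "0.0.0.0/0"}, // HTTPS from anywhere is intended
	{"tcp", 22, 22, "10.0.0.0/8"},  // SSH only from the private network
}}

var badGroup = SecurityGroup{ID: "sg-bad", Rules: []IngressRule{
	{"tcp", 22, 22, "0.0.0.0/0"},     // SSH from the whole IPv4 Internet
	{"tcp", 0, 65535, "::/0"},        // every TCP port from the whole IPv6 Internet
	{"tcp", 443, 443, "10.0.0.0/33"}, // impossible prefix length
}}

func main() {
	for _, sg := range []SecurityGroup{webGroup, badGroup} {
		for _, v := range CheckSecurityGroup(sg) {
			fmt.Printf("%s: %+v: %s\n", v.GroupID, v.Rule, v.Reason)
		}
	}
}
```

Using net/netip rather than string comparison is what makes the IPv6 case work: "::/0" and "0.0.0.0/0" both parse to a prefix of length zero, so a rule that is open to the whole IPv6 Internet is not missed by a check written with only IPv4 in mind.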

What does our service include?

We offer interested companies several ways to work with us:

  • joint planning of the use of the Clouditor in the company
  • consultation during the security analysis of the cloud service
  • joint development of a comprehensive security concept and consultation during the further development of existing concepts.

Unlike vendor-specific compliance services, the Clouditor is neutral and transparent. It has an open-source design and is also available as a community edition: https://github.com/clouditor


Interested? Please contact us!


How the Clouditor works


Clouditor info flyer

Blog post on automated cloud security certification

Other Clouditor projects

NGCert - Next Generation Certification


www.ngcert.eu

Publications

  • C. Banse, I. Kunz, N. Haas, and A. Schneider. “A Semantic Evidence-based Approach to Continuous Cloud Service Certification.” In: Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing (SAC). March 2023.
  • P. Stephanow, M. Moein and C. Banse. “Continuous Location Validation of Cloud Service Components.” In: Proceedings of the 9th IEEE International Conference on Cloud Computing Technology and Science (CloudCom), 2017 (presentation slides).
  • I. Kunz and P. Stephanow. “A process model to support continuous certification of cloud services.” In: 31st International Conference on Advanced Information Networking and Applications (AINA). IEEE, 2017.
  • P. Stephanow and C. Banse. “Evaluating the performance of continuous test-based cloud service certification.” In: 17th International Symposium on Cluster, Cloud and Grid Computing (CCGrid). IEEE, 2017.
  • P. Stephanow and K. Khajehmoogahi. “Towards continuous security certification of Software-as-a-Service applications using web application testing.” In: 31st International Conference on Advanced Information Networking and Applications (AINA). IEEE, 2017.
  • P. Stephanow, G. Srivastava and J. Schütte. “Test-based cloud service certification of opportunistic providers.” In: 8th IEEE International Conference on Cloud Computing (CLOUD), June 2016.
  • P. Stephanow, C. Banse and J. Schütte. “Generating Threat Profiles for Cloud Service Certification Systems.” In: 17th IEEE High Assurance Systems Engineering Symposium (HASE), January 2016.