{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T04:01:34Z","timestamp":1760241694525,"version":"build-2065373602"},"reference-count":54,"publisher":"MDPI AG","issue":"8","license":[{"start":{"date-parts":[[2018,7,31]],"date-time":"2018-07-31T00:00:00Z","timestamp":1532995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Cloud computing services bring new capabilities for hosting and offering complex collaborative business operations. However, these advances might bring undesirable side-effects, e.g., introducing new vulnerabilities and threats caused by collaboration and data exchange over the Internet. Hence, users have become more concerned about security and privacy aspects. For secure provisioning of a cloud computing service, security and privacy issues must be addressed by using a risk assessment method. To perform a risk assessment, it is necessary to obtain all relevant information about the context of the considered cloud computing service. The context analysis of a cloud computing service and its underlying system is a difficult task because of the variety of different types of information that have to be considered. This context information includes (i) legal, regulatory and\/or contractual requirements that are relevant for a cloud computing service (indirect stakeholders); (ii) relations to other involved cloud computing services; (iii) high-level cloud system components that support the involved cloud computing services; (iv) data that is processed by the cloud computing services; and (v) stakeholders that interact directly with the cloud computing services and\/or the underlying cloud system components. We present a pattern for the contextual analysis of cloud computing services and demonstrate the instantiation of our proposed pattern with real-life application examples. Our pattern contains elements that represent the above-mentioned types of contextual information. The elements of our pattern conform to the General Data Protection Regulation. Besides the context analysis, our pattern supports the identification of high-level assets. Additionally, our proposed pattern supports the documentation of the scope and boundaries of a cloud computing service conforming to the requirements of the ISO 27005 standard (information security risk management). The results of our context analysis contribute to the transparency of the achieved security and privacy level of a cloud computing service. This transparency can increase the trust of users in a cloud computing service. We present results of the RestAssured project related to the context analysis regarding cloud computing services and their underlying cloud computing systems. The context analysis is the prerequisite to threat and control identification that are performed later in the risk management process. The focus of this paper is the use of a pattern at the time of design systematic context analysis and scope definition for risk management methods.<\/jats:p>","DOI":"10.3390\/fi10080072","type":"journal-article","created":{"date-parts":[[2018,8,1]],"date-time":"2018-08-01T03:10:01Z","timestamp":1533093001000},"page":"72","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Context Analysis of Cloud Computing Systems Using a Pattern-Based Approach"],"prefix":"10.3390","volume":"10","author":[{"given":"Ludger","family":"Goeke","sequence":"first","affiliation":[{"name":"paluno \u2013 The Ruhr Institute for Software Technology, University of Duisburg-Essen, 47157 Duisburg, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9033-1476","authenticated-orcid":false,"given":"Nazila Gol","family":"Mohammadi","sequence":"additional","affiliation":[{"name":"paluno \u2013 The Ruhr Institute for Software Technology, University of Duisburg-Essen, 47157 Duisburg, Germany"}]},{"given":"Maritta","family":"Heisel","sequence":"additional","affiliation":[{"name":"paluno \u2013 The Ruhr Institute for Software Technology, University of Duisburg-Essen, 47157 Duisburg, Germany"}]}],"member":"1968","published-online":{"date-parts":[[2018,7,31]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Mell, P., and Grance, T. (2011). The NIST Definition of Cloud Computing, National Institute of Standards and Technology (NIST). Special Publication 800-145.","DOI":"10.6028\/NIST.SP.800-145"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1016\/j.jss.2015.02.002","article-title":"A survey study on major technical barriers affecting the decision to adopt cloud services","volume":"103","author":"Phaphoom","year":"2015","journal-title":"J. Syst. Softw."},{"key":"ref_3","unstructured":"Computer Security Institute (2011). Computer Crime and Security Survey, Computer Security Institute. Technical Report."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"371","DOI":"10.1016\/j.ins.2013.04.028","article-title":"Security and privacy for storage and computation in cloud computing","volume":"258","author":"Wei","year":"2014","journal-title":"Inf. Sci."},{"key":"ref_5","unstructured":"European Union (2016). Regulation 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation). Off. J. Eur. Union, L119, 1\u201388."},{"key":"ref_6","unstructured":"Federal Office for Information Security (2011). Security Recommendations for Cloud Computing Providers."},{"key":"ref_7","unstructured":"International Organization for Standardization (ISO), and International Electrotechnical Commission (IEC) (2011). Information Technology\u2014Security Techniques\u2014Information Security Risk Management (ISO\/IEC 27005:2011), IEC & ISO."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Beckers, K., C\u00f4t\u00e9, I., Goeke, L., G\u00fcler, S., and Heisel, M. (2014). A Structured Method for Security Requirements Elicitation Concerning the Cloud Computing Domain, IGI Global.","DOI":"10.4018\/978-1-4666-8111-8.ch041"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Zwingelberg, H., and Hansen, M. (2011). Privacy Protection Goals and Their Implications for eID Systems. IFIP PrimeLife International Summer School on Privacy and Identity Management for Life, Springer.","DOI":"10.1007\/978-3-642-31668-5_19"},{"key":"ref_10","unstructured":"(2018, June 14). International Organization for Standardization (ISO); International Electrotechnical Commission (IEC). Available online: https:\/\/www.iso.org\/standard\/54534.html."},{"key":"ref_11","unstructured":"International Organization for Standardization (ISO), and International Electrotechnical Commission (IEC) (2013). Information Technology\u2014Security Techniques\u2014Information Security Management Systems\u2014Requirements (ISO\/IEC 27001:2013), IEC & ISO."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Pohl, K. (2010). Requirements Engineering: Fundamentals, Principles, and Techniques, Springer.","DOI":"10.1007\/978-3-642-12578-2_20"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Fernandez, E.B., Yoshioka, N., Washizaki, H., and Syed, M.H. (2016). Modeling and Security in Cloud Ecosystems. Future Internet, 8.","DOI":"10.3390\/fi8020013"},{"key":"ref_14","unstructured":"Withall, S. (2007). Software Requirement Patterns, Microsoft."},{"key":"ref_15","unstructured":"Gamma, E., Helm, R., Johnson, R., and Vlissides, J. (1994). Design Patterns: Elements of Reusable Object-Oriented Software, Addison-Wesley."},{"key":"ref_16","unstructured":"Fowler, M. (2002). Patterns of Enterprise Application Architecture, Addison-Wesley."},{"key":"ref_17","unstructured":"Schumacher, M. (2003). Security Engineering with Patterns: Origins, Theoretical Models, and New Applications, Springer-Verlag, Inc."},{"key":"ref_18","unstructured":"Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., and Sommerlad, P. (2006). Patterns of Enterprise Application Architecture, Wiley."},{"key":"ref_19","unstructured":"Jackson, M. (2001). Problem Frames: Analyzing and Structuring Software Development Problems, Addison-Wesley Longman Publishing Co., Inc."},{"key":"ref_20","unstructured":"Tsumaki, T. (December, January 30). Requirements Engineering Pattern Structure. Proceedings of the 11th Asia-Pacific Software Engineering Conference, Busan, Korea."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Issa, A., and Al-Ali, A. (2010, January 7\u201310). Use Case Patterns Driven Requirements Engineering. Proceedings of the 2010 Second International Conference on Computer Research and Development, Kuala Lumpur, Malaysia.","DOI":"10.1109\/ICCRD.2010.16"},{"key":"ref_22","unstructured":"Binder, R. (1999). Testing Object-Oriented Systems: Models, Patterns, and Tools, Addison-Wesley."},{"key":"ref_23","unstructured":"(2018, July 20). Context-Patterns, Overview. Available online: http:\/\/context-patterns.info\/index.html."},{"key":"ref_24","unstructured":"(2018, July 20). Context-Patterns, Definition. Available online: http:\/\/context-patterns.info\/definitions.html."},{"key":"ref_25","unstructured":"Buschmann, F., Henney, K., and Schmidt, D. (2007). Pattern-Oriented Software Architecture\u2014Volume 5: On Patterns and Pattern Languages, Wiley Publishing."},{"key":"ref_26","unstructured":"(2018, July 13). Intel. Available online: https:\/\/software.intel.com\/en-us\/sgx\/details."},{"key":"ref_27","unstructured":"Anati, I., Gueron, S., Johnson, S.P., and Scarlata, V.R. (2013, January 23\u201324). Innovative Technology for CPU Based Attestation and Sealing. Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, Tel-Aviv, Israel."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1016\/j.ins.2016.04.015","article-title":"Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing","volume":"379","author":"Zhang","year":"2017","journal-title":"Inf. Sci."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Kogos, K.G., Filippova, K.S., and Epishkina, A.V. (2017, January 1\u20133). Fully homomorphic encryption schemes: The state of the art. Proceedings of the IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus), St. Petersburg, Russia.","DOI":"10.1109\/EIConRus.2017.7910591"},{"key":"ref_30","unstructured":"Chung, L. (1993, January 8\u201311). Dealing with Security Requirements During the Development of Information Systems. Proceedings of the Advanced Information Systems Engineering, CAiSE\u201993, Paris, France."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1049\/cce:20030108","article-title":"Misuse cases help to elicit non-functional requirements","volume":"14","author":"Alexander","year":"2003","journal-title":"Comput. Control Eng."},{"key":"ref_32","unstructured":"McDermott, J., and Fox, C. (1999, January 6\u201310). Using Abuse Case Models for Security Requirements Analysis. Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC\u201999), Phoenix, AZ, USA."},{"key":"ref_33","unstructured":"Lin, L., Nuseibeh, B., Ince, D.C., Jackson, M., and Moffett, J.D. (2003). Analysing Security Threats and Vulnerabilities Using Abuse Frames, The Open University."},{"key":"ref_34","unstructured":"Lin, L., Nuseibeh, B., Ince, D., and Jackson, M. (2004, January 10). Using abuse frames to bound the scope of security problems. Proceedings of the 12th IEEE International Requirements Engineering Conference (RE), Kyoto, Japan."},{"key":"ref_35","unstructured":"Anderson, S., Felici, M., and Bologna, S. (2002). The CORAS Framework for a Model-Based Risk Management Process. Computer Safety, Reliability and Security, Springer."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Naudet, Y., Mayer, N., and Feltus, C. (September, January 31). Towards a Systemic Approach for Information Security Risk Management. Proceedings of the 11th International Conference on Availability, Reliability and Security, ARES 2016, Salzburg, Austria.","DOI":"10.1109\/ARES.2016.76"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"133","DOI":"10.1109\/TSE.2007.70754","article-title":"Security Requirements Engineering: A Framework for Representation and Analysis","volume":"34","author":"Haley","year":"2008","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Fenz, S., Goluch, G., Ekelhart, A., Riedl, B., and Weippl, E. (2007, January 17\u201319). Information Security Fortification by Ontological Mapping of the ISO\/IEC 27001 Standard. Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing (PRDC), Melbourne, Australia.","DOI":"10.1109\/PRDC.2007.29"},{"key":"ref_39","unstructured":"Kis, M. (2002, January 8\u201312). Information Security Antipatterns in Software Requirements Engineering. Proceedings of the 9th Conference on Pattern Language of Programs, Monticello, IL, USA."},{"key":"ref_40","unstructured":"Sindre, G., Firesmith, D.G., and Opdahl, A.L. (2003, January 16\u201317). A Reuse-Based Approach to Determining Security Requirements. Proceedings of the 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ\u201903), Klagenfurt, Austria."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"61","DOI":"10.5381\/jot.2004.3.1.c6","article-title":"Specifying Reusable Security Requirements","volume":"3","author":"Firesmith","year":"2004","journal-title":"J. Object Technol."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"225","DOI":"10.1007\/s00766-014-0218-7","article-title":"Building a security reference architecture for cloud systems","volume":"21","author":"Fernandez","year":"2016","journal-title":"Requir. Eng."},{"key":"ref_43","unstructured":"Konrad, S., Cheng, B.H., Campbell, L.A., and Wassermann, R. (2003, January 3\u201310). Using Security Patterns to Model and Analyze Security Requirements. Proceedings of the RE\u201903 International Workshop on Requirements for High Assurance Systems, Portland, OR, USA."},{"key":"ref_44","unstructured":"Frank, U., Loucopoulos, P., Pastor, \u00d3., and Petrounias, I. (2014). Integrating Security Patterns with Security Requirements Analysis Using Contextual Goal Models. The Practice of Enterprise Modeling, Springer."},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Beckers, K., Schmidt, H., K\u00fcster, J., and Fa\u00dfbender, S. (2011, January 22\u201326). Pattern-Based Support for Context Establishment and Asset Identification of the ISO 27000 in the Field of Cloud Computing. Proceedings of the Sixth International Conference on Availability, Reliability and Security, ARES 2011, Vienna, Austria.","DOI":"10.1109\/ARES.2011.55"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Beckers, K., C\u00f4t\u00e9, I., and Goeke, L. (2014, January 24\u201328). A catalog of security requirements patterns for the domain of cloud computing systems. Proceedings of the Symposium on Applied Computing, SAC, Gyeongju, Korea.","DOI":"10.1145\/2554850.2554921"},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"Lyubimov, A.V., Cheremushkin, D.V., Andreeva, N., and Shustikov, S. (2011, January 22\u201326). Information Security Integral Engineering Technique and its Application in ISMS Design. Proceedings of the Sixth International Conference on Availability, Reliability and Security, ARES 2011, Vienna, Austria.","DOI":"10.1109\/ARES.2011.121"},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Montesino, R., and Fenz, S. (2011, January 22\u201326). Information Security Automation: How Far Can We Go?. Proceedings of the Sixth International Conference on Availability, Reliability and Security, ARES, Vienna, Austria.","DOI":"10.1109\/ARES.2011.48"},{"key":"ref_49","unstructured":"National Institute of Standards and Technology(NIST) (2013). Security and Privacy Controls for Federal Information Systems and Organizations, NIST."},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"Schmidt, H. (2010, January 15\u201318). Threat- and Risk-Analysis During Early Security Requirements Engineering. Proceedings of the Fifth International Conference on Availability, Reliability and Security, Krakow, Poland.","DOI":"10.1109\/ARES.2010.14"},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Ismail, U., Islam, S., Ouedraogo, M., and Weippl, E. (2016). A Framework for Security Transparency in Cloud Computing. Future Internet, 8.","DOI":"10.3390\/fi8010005"},{"key":"ref_52","doi-asserted-by":"crossref","unstructured":"Surridge, M., Nasser, B.I., Chen, X., Chakravarthy, A., and Melas, P. (2013, January 2\u20136). Run-Time Risk Management in Adaptive ICT Systems. Proceedings of the 2013 International Conference on Availability, Reliability and Security, Regensburg, Germany.","DOI":"10.1109\/ARES.2013.20"},{"key":"ref_53","unstructured":"Surridge, M., Wilkinson, T., Stefanieand Goeke, L.W., and Gol Mohammadi, N. (2018, July 24). Deliverable D7.1\u2014RestAssured Security and Privacy Engineering Methodology. Available online: https:\/\/restassuredh2020.eu\/wp-content\/uploads\/2018\/07\/D7.1.pdf."},{"key":"ref_54","unstructured":"Shojafar, M., Cordeschi, N., and Baccarelli, E. (2016). Energy-efficient Adaptive Resource Management for Real-time Vehicular Cloud Services. IEEE Trans. Cloud Comput."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/10\/8\/72\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T15:15:31Z","timestamp":1760195731000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/10\/8\/72"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,7,31]]},"references-count":54,"journal-issue":{"issue":"8","published-online":{"date-parts":[[2018,8]]}},"alternative-id":["fi10080072"],"URL":"https:\/\/doi.org\/10.3390\/fi10080072","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2018,7,31]]}}}