ARCHITECTURE FOR COMPLIANCE ANALYSIS

OF DISTRIBUTED SERVICE BASED SYSTEMS

Jonathan Sinclair, Benoit Hudzia, Maik Lindner

SAP Research, Belfast, Northern Ireland, U.K.

Alan Stewart, Terry Harmer

School of EEECS, Queen’s University Belfast, Belfast, Northern Ireland, U.K.

Keywords:

Compliance, Auditing, Enterprise cloud computing, Data protection.

Abstract:

Businesses today are required to comply with a litany of legislation, regulations and standards. However,

with an increasing utilisation of the internet for delivering products as services, challenges arise in assessing

and maintaining compliance. We propose to deﬁne an architecture that attempts to leverage the dynamism of

service-based infrastructures in order to process the real-time compliance state of a system.

1 INTRODUCTION

With the advancement of web-based infrastructures it

is perceived that computing resource will become the

5th utility after water, electricity, gas and telephony

(Baumann et al., 2010; Buyya et al., 2008). Busi-

ness economics is the main driver of this transfor-

mation which enables companies to radically trans-

form their business processes and operations. It al-

lows them to streamline the delivery and consump-

tion of their products and solutions over a network

infrastructure. This new business model and mech-

anisms for integrating services and IT resources in a

seamless and ubiquitous is known as Internet of Ser-

vices (IoS) (Heuser et al., 2008). IoS endeavours to

reduce TCO for customers by making complex soft-

ware a commodity (Janiesch et al., 2009). IoS pro-

vides a business model in which IT is evolving into a

service driven ecosystem with outsourced distributed

computing resources, such as cloud, providing an eco-

nomical way of acquiring hardware.

However, companies willing to leverage this new

business model have to abide by the current state of

legislation which hampers its adoption even though

cloud offers beneﬁts such as elasticity and rapid de-

ployment, improving companies’ efﬁciencies in times

of economic hardship. The risk and ﬁnancial penalty

associated with non-compliance is too great for busi-

nesses to ignore. The main source of these legal issues

is third-party trust, as companies are ultimately res-

ponsible for demonstrating data compliance.

This research contributes to reducing the legal-

technical issues that hinder adoption of cloud-based

environments for enterprises, by addressing the assur-

ance of legal risk by way of facilitating compliance

auditing. In this paper we propose an architecture for

enabling an automated semi real time monitoring, au-

dit and compliance service (MACS) for veriﬁcation

of services provided within cloud environment.

The MACS is provided with the speciﬁcation of

the compliance associated with the services and is ca-

pable of observing and logging the relevant service

generated events, in order to determine if the actions,

events are consistent within the domain of compliance

associated. MACS rely on a set of rules that provides

constructs to specify what rights, obligation and pro-

hibitions become active and inactive after the occur-

rence of events related to the service lifecycle. Our

solution is speciﬁcally targeted for audit and compli-

ance veriﬁcation of composite services within cloud

environments.

We will ﬁrst discuss in the subsequent section the

fundamentals of auditing and compliance. Then we

will describe a simple and composite service use case

and the difﬁculty associated them . In Section 4, we

will identify and generalize the challenges of auditing

the compliance of regulations for distributed service

based architectures. Finally, we outline the design for

an auditing service that leverages the capabilities of

such architecture.

286

Sinclair J., Hudzia B., Lindner M., Stewart A. and Harmer T..

ARCHITECTURE FOR COMPLIANCE ANALYSIS OF DISTRIBUTED SERVICE BASED SYSTEMS.

DOI: 10.5220/0003448702860292

In Proceedings of the 1st International Conference on Cloud Computing and Services Science (CLOSER-2011), pages 286-292

ISBN: 978-989-8425-52-2

 2011 SCITEPRESS (Science and Technology Publications, Lda.)

2 FUNDAMENTALS OF

AUDITING AND COMPLIANCE

In this section we will ﬁrst introduce the fundamental

of auditing then provide compliance background.

2.1 Background of Auditing

Auditing of information systems is the process of col-

lecting and evaluating evidence to determine whether

it safeguards assets, maintains its data integrity while

achieving organizational goals effectively and con-

sumes resources efﬁciently (Weber, 1998). Tradition-

ally auditing is a semi-manual operation where the

data is collected for a determined time period and

then analyzed according the legal / regulatory require-

ments in order to determine whether or not statutory

requirements have been met. This process is time-

consuming and error-prone, and for most companies,

compliance audits are carried out on static and rigid

services. However, as the IT service move to a more

dynamic and distributed environment the classic au-

diting process cannot be applied anymore.

2.2 Background of Compliance

Compliance is deﬁned as being in accordance with

relevant government or industrial legislation, regu-

lations, and standards. Companies breaching com-

pliance rules incur either or both legal and ﬁnancial

penalties. Due to this risk, compliance management

has become very important and technology is having

a ever increasing signiﬁcance and impact on virtually

every phase of the audit process (Flint, 2009; Jan-

vrin, 2007). As a result it becomes critical with the

increased reliance on cloud computing for organiza-

tions and consumers to be aware of their responsibil-

ity related to determining who is accessing data, what

actions are being performed and where data is stored

(Pearson, 2009; Moreau et al., 2008; Morrison et al.,

2000).

The complexity of such compliance requirements

is increased due to the platform and infrastructure de-

tails being abstracted making them invisible to the

service model (SaaS). As a result it becomes ex-

tremely difﬁcult to take full responsibility for who can

access data, who sees it and how it is stored, since the

premise of the cloud is that customers don’t necessar-

ily need to know or care where their data is (Wood,

2009). This paradigm being in contradiction with

compliance legislation such as the EU Directive (Par-

liament, 1995) which require companies to be aware

of the jurisdiction in which their data is processed. As

a result the necessity to provide third party complian-

ce veriﬁcation system emerges in order to remove the

burden and facilitate the adoption of a service con-

sumption model.

2.3 Related Work

Current approaches to auditing involve the aspect of

managing governance, risk and compliance (Silveira

et al., 2010; Cederquist et al., 2007). Typical auditing

methodologies require the most relevant data related

to an event. However this approach does not ensure

that the legislation/regulation has been upheld. In or-

der to be able to conduct an audit of system compli-

ance it is necessary to have a machine interpretable

formalisation of the legislation, previous research has

been done in this area (Baumann et al., 2010; Con-

rad et al., 2007). Typical auditing tools, however, rely

on the manual input of data. In contrast by apply-

ing software such as complex event processing (CEP),

events can be ﬁltered, transformed and aggregated to

provide new interpretations of data that were not pre-

viously possible (Etzion and Niblett, 2010). These

formalisations can be used in conjunction with Ser-

vice Level Agreements (SLA’s) to provide input for

the compliance auditing architecture (Brandic et al.,

2010; Skene, 2007).

3 CLOUD COMPLIANCE

CHALLENGES

As the customer base only consumes the ﬁnal prod-

uct over internet connection, the geographical local-

ity of services provided through cloud is relatively

limited. As a result, the cloud provider may choose

the geographic placement of data centres based on

various cost beneﬁts, including energy. However the

physical location of data being accessed, stored, pro-

cessed or transferred is of critical importance to the

applications of data protection legislation such as EU

Directive (Parliament, 1995). Hence, cross-country

legal aspects become common place and are a ma-

jor challenge for IoS. Data transfer related legislation

may or may not be enforced or reported depending on

the source or destination of the transfer (Jaeger et al.,

2009). Geographic locality challenges audit and com-

pliance in the following forms:

3.1 Cross-jurisdictional Services

Enforcement

Multi-national companies experience increasing dif-

ﬁculty simultaneously complying with a number of

ARCHITECTURE FOR COMPLIANCE ANALYSIS OF DISTRIBUTED SERVICE BASED SYSTEMS

287

conﬂicting data protection requirements at the same

time. Enforcing geographical deployment of a ser-

vice within a jurisdiction that meets all requirements

requires an efﬁcient compliance evaluation system for

the assessment of distributed services.

By example, a company may deploy a composite

CRM system. This system is split and the database

is stored separately to comply with ﬁnancial com-

pliance requirement for processing and storing data

on independent physical machines within the same

geographical region (Council, 2004; 107th United

States Congress, 2002; 106th United States Congress,

1999). However, the company is also required to

backup this data in a different geographic region

(Swanson et al., 2010). As a result, the company

needs to guarantee the physical distribution of its ser-

vice and associated backup.

3.2 Performance and Availability

Enforcement

Services may have to be deployed in data-centres of a

particular geographical region in order to satisfy legal

conditions. The resulting deployment might restrict

the performance / availability between the deployed

service and the user which can result in breach of de-

ﬁned SLAs.

3.3 Disaster Recovery/Backup

Implications

Legislation (Law, 2000) and regulatory requirements

for various industries (Swanson et al., 2010; on Bank-

ing Supervision, 2009) deﬁne that the data be suit-

ability backed up for disaster recovery purposes in a

different geographic region. On the other hand, other

legal conditions can restrict deployment to a solitary

geographic region, therefore a major conﬂiction is im-

posed, in which the consumer is required to take re-

medial action.

3.4 Data Accessibility Aspects

Data access is another point of contention with re-

spect to compliance. Who can access data? What

data can be accessed? How should data be accessed?

In IoS the aspect of service auditing must consider the

compliance requirements of all consumers in terms of

both company and systems multi-tenancy (Alliance,

2009; Mell and Grance, 2009; Sotto et al., 2010).

User Multi-tenancy. A company may accept to de-

ploy their system virtually co-located on the same

physical machine as other companies’ deployments

(Li et al., 2010). This may raise concern in the

context that data from both companies is stored on

the same physical device, regulations exist forbidding

such setup for critical customer or company data.

Service and Systems Multi-tenancy. To achieve

efﬁciency and cost-savings, a company can co-locate

several virtual systems on the same physical re-

source. However certain regulations such as the Pay-

ment Card Industry Data Security Standard (PCI-

DSS) (Council, 2004), speciﬁes under requirement 3

that cardholder data needs to be stored and processed

independently in different physical devices. There-

fore as deﬁned in the use case a composite on-demand

service would be best suited in fulﬁlling these require-

ments. However this scenario has many aspects of

compliance that require to be ensured. By example,

a cloud provider may migrate a virtual machine host-

ing a service to a physical server already hosting an-

other service that should not be co-located with one

another. As a result, such action undertaken without

the customer awareness will breach the compliance of

both services.

4 USE CASE - CUSTOMER

RELATIONSHIP

MANAGEMENT

In this section we highlight the compliance aspect a

business is required to make when deciding on the

deployment method of a service. There are 3 de-

ployment scenarios, on premise, on demand and hy-

brid. On top of the deployment model, a service can

be either a single atomic service or a composition of

smaller services exposed as a unique one. Table ??

shows the various compliance areas that need to be

considered for each variation of the use case we de-

scribe in the following paragraph.

We use a typical CRM application as a founda-

tional base for our scenario. We ﬁrst analyse the inter-

actions in order to determine their relevance for com-

pliance monitoring for the 3 following deployment

scenarios Figure 1:

1. The CRM and respective database is deployed on

premise. As a result, both the customer and em-

ployee interact directly with the system. All data

access, processing, storage and transfer are man-

aged within the system which makes any physical

access to the system a controlled variable by the

company.

CLOSER 2011 - International Conference on Cloud Computing and Services Science

288

2. For hybrid deployment, the CRM and database

are deployed independently, one on premise and

the other as a remote service. In this scenario not

only does the compliance data access, processing

and physical access have to be managed in two

distributed sites but also compliance of both data

transfer between sites and the geographical local-

ity of the remote service are important.

3. Finally with full on-demand procurement there

are two scenarios to consider, deployment of the

CRM and database as a singleton, or indepen-

dently. In both scenarios compliance of data ac-

cess, processing, storage and physical access are

required, but data transfer is only important in the

case of service composition.

Figure 1: Use Case Deployment.

Service composition is seen as a key beneﬁt for

IoS. By composing a selection of simple services to

create a more complex offering, companies can cre-

ate and offer specialized services dynamically, adding

new economic value (Blau et al., 2009). This ﬂexibil-

ity, however, creates new legal challenges for audit-

ing compliance, as this new service has to adhere to

a composition of compliance requirements. In certain

extreme cases, two compliance regulations can have

contradictory interpretations. Therefore at the service

composition design stage an agreement for the com-

pliance requirements of the new service has to be de-

rived in order to prevent conﬂict in the auditing pro-

cess. Moreover, composite services inherently reduce

the visibility within the internal operation of the com-

posite. As a result the audit process suffers from an

increased complexity due to the difﬁculty of tracing

and verifying the origin of the information. By exam-

ple, in the use case we presented: the CRM system

stores the personal data collected by the company. As

a result, the consumer may not be able to control who

can access this information.

5 COMPLIANCE AUDITING

ARCHITECTURE

Figure 2 represents the architecture of MACS. MACS

architecture is comprised of ﬁve distinct layers, each

managing a different aspect of the audit and compli-

ance engine:

Event Source. The data and logs returned from var-

ious logical, physical or virtual components in the

system. The source may be a sensor, application,

messaging framework, business process, data store,

client applications. Each source is authenticated and

uses secure means of communication. In the best

case scenario every source would be veriﬁed using a

system similar to trusted platform computing (TPC)

(Santos et al., 2009).

Event Transport. Typically an enterprise service

bus (ESB) (Schmidt et al., 2005) controls how data is

routed to the event processing engine, in a standard-

ized format. This allows the MACS system to have a

reliable and uniform delivery system that can be used

as an interface between the source and the MACS but

also for internal communication.

Event Processing Engine. This layer processes

events in three levels each with increasing process-

ing complexity but decreasing event throughput. Each

level is a ﬁlter and information enhancer for the next

one. By removing unwanted events, aggregating them

we increase the degree of information and lower the

amount of data to be processed.

• Anomalous Filtering. Removes data that is not

relevant to the compliance process. The opera-

tions at this level receive a high throughput of data

or event rate but are of low complexity and will be

typically executed by complex event processing

engine (Mulo et al., 2010; Rozsnyai et al., 2007).

• Temporal Filtering. Synchronizes time and event

type inconsistencies and correlates events, aggre-

gating data over a window of time. The operations

at this level receive medium throughput of data or

event rate but are of medium complexity.

• Compliance Filtering. Event streams are com-

pared and evaluated against business rules that

have been derived from the legalization for which

compliance is being assessed. The operations at

this level receive low throughput of data or event

rate but are of high complexity. This level will

be using rule based engine (Chesani et al., 2009)

as well as more complex solution as case based

ARCHITECTURE FOR COMPLIANCE ANALYSIS OF DISTRIBUTED SERVICE BASED SYSTEMS

289

Table 1.

Service Type On Premise Hybrid On Demand

Singleton Physical Access, Data Access

and Retention

N/A Geographic Locality, Physical

Access, Data Access and Re-

tention

Composite Physical Access, Data Access

and Retention

Geographic Locality (remote

service only), Physical Access,

Data Access, Data Transfer and

Retention

Geographic Locality ,Physical

Access, Data Access, Data

Transfer and Retention

Figure 2: Logical Architecture.

evaluation engine and semantics evaluation tools

- (Elgammal et al., 2010).

However as we increase the value of the informa-

tion as we move up the layer the amount of processing

increases as we decrease the throughput of informa-

tion to process. The advantage of this approach means

that we are able to efﬁciently handle the data storm

of events and logs pushed while intelligently ﬁltering

and cherry picking only the relevant information for

(semi) real time auditing and compliance checks.

Event Storage. MACS stores all event data in per-

sistent storage such as Hadoop and HBase (Zhang

et al., 2010) for storage, log analysis, and pattern dis-

covery/analysis. This enables us to process historic

queries and results from event correlation which en-

able us in future works to provide predictive analysis

for early warning of compliance deviation.

Event Management and Analysis. Queries can be

deﬁned by the user and can be compared in run-time

or on historic data. Note as mentioned in section 2.3.

We do not aim to automatically translate compliance

law and contract in rules but aim to leverage previous

work done in the ﬁeld in order to apply it to our sys-

tem. Monitoring features set by users enable them to

trigger alerts if compliance is not met. These alerts

can be sent by either SMS, email or mobile appli-

cation. Finally more traditional audit reports can be

produced as well as historic data or predictive trends.

The event source, processing and storage layers in

this architecture is implemented in a distributed ap-

proach, in order to tackle the challenges highlighted

in terms of geographic locality. By example, a por-

tion of the architecture can be deployed on premise in

order guarantee the conﬁdentiality of the data while

exposing only the necessary information to external

compliance engine.

5.1 Architecture Beneﬁts

The CEP-based architecture offers major advantages

compared with traditional monitoring techniques.

The event-driven approach provides ﬂexibility in it’s

loosely coupled design in which both the integration

of multiple event sources and the ﬁltering and stan-

dardisation of different event types can be easily ad-

dressed. Integration of event sources is also eased by

use of a common event transport (enterprise service

bus).

5.2 Architecture Challenges

The management of event publication, subscription

and ﬁltering may be difﬁcult. Identifying the rele-

vance of the data required and retrieving it, in order

to determine the outcome of legal requirements will

be key to the accuracy of processing business rules.

CLOSER 2011 - International Conference on Cloud Computing and Services Science

290

6 CONCLUSIONS

We have highlighted how businesses are under in-

creasing pressure to manage the litany of legislation

and regulation. Coupled with the adoption of web-

based infrastructures and composite services. We

propose an architecture that leverages the dynamism

of service-based infrastructures and enables real-time

compliance processing. The described architecture is

loosely based on an event-driven service-oriented ar-

chitecture (SOA). The loose coupling allows for easy

scalability and distribution of both event processing

and storage components whilst managing processing

complexity. This forms a foundation for further re-

search into a compliance-driven auditing architecture

for distributed systems.

REFERENCES

106th United States Congress (1999). Gramm-leach-bliley

act.

107th United States Congress (2002). Sarbanes-oxley act.

Securities and Exchange Commission.

Alliance, C. S. (2009). Security guidance for

critical areas of focus in cloud computing.

http://www.cloudsecurityalliance.org/csaguide.pdf.

Baumann, C., Peitz, P., Raabe, O., and Wacker, R. (2010).

Compliance for service based systems through for-

malization of law. In Filipe, J. and Cordeiro, J., ed-

itors, Proceedings of the 6th International Confer-

ence on Web Information Systems and Technology,

volume 2, pages 367–371, Valencia, Spain. INSTICC

Press.

Blau, B., Kramer, J., Conte, T., and Dinther, C. v. (2009).

Service value networks. In Proceedings of the 2009

IEEE Conference on Commerce and Enterprise Com-

puting, pages 194–201, Washington, DC, USA. IEEE

Computer Society.

Brandic, I., Dustdar, S., Anstett, T., Schumm, D., Ley-

mann, F., and Konrad, R. (2010). Compliant cloud

computing (c3): Architecture and language support

for user-driven compliance management in clouds.

Cloud Computing, IEEE International Conference on,

0:244–251.

Buyya, R., Yeo, C. S., and Venugopal, S. (2008). Market-

oriented cloud computing: Vision, hype, and reality

for delivering it services as computing utilities. In

HPCC ’08: Proceedings of the 2008 10th IEEE Inter-

national Conference on High Performance Computing

and Communications, pages 5–13, Washington, DC,

USA. IEEE Computer Society.

Cederquist, J., Corin, R., Dekker, M., Etalle, S., den Hartog,

J., and Lenzini, G. (2007). Audit-based compliance

control. International Journal of Information Secu-

rity, 6:133–151. 10.1007/s10207-007-0017-y.

Chesani, F., Mello, P., Montali, M., Riguzzi, F., Sebastia-

nis, M., and Storari, S. (2009). Checking compliance

of execution traces to business rules. In Aalst, W.,

Mylopoulos, J., Sadeh, N. M., Shaw, M. J., Szyperski,

C., Ardagna, D., Mecella, M., and Yang, J., editors,

Business Process Management Workshops, volume 17

of Lecture Notes in Business Information Processing,

pages 134–145. Springer Berlin Heidelberg.

Conrad, M., Funk, C., Raabe, O., and Waldhorst, O. (2007).

A lawful framework for distributed electronic mar-

kets. In Camarinha-Matos, L., Afsarmanesh, H., No-

vais, P., and Analide, C., editors, Establishing The

Foundation Of Collaborative Networks, IFIP Interna-

tional Federation for Information Processing, pages

233–240. Springer Boston.

Council, P. C. I. S. S. (2004). Payment card industry data

security standard.

Elgammal, A., Turetken, O., Heuvel, W. v. d., and Papa-

zoglou, M. (2010). On the formal speciﬁcation of

business contracts and regulatory compliance. Open

access publications from tilburg university, Tilburg

University.

Etzion, O. and Niblett, P. (2010). Event Processing in Ac-

tion. Manning Publications.

Flint, D. (2009). Law shaping technology: Technology

shaping the law. International Review of Law, Com-

puters & Technology, 23 , 1:5–11.

Heuser, L., Alsdorf, C., and Woods, D. (2008). Interna-

tional Research Forum 2007. Evolved Technologist

Press.

Jaeger, P., Lin, J., Grimes, J., and Simmons, S. (2009).

Where is the cloud? geography, economics, environ-

ment, and jurisdiction in cloud computing. First Mon-

day, 14:5.

Janiesch, C., Niemann, M., and Repp, N. (2009). Towards a

service governance framework for the internet of ser-

vices. In 17th European conference on information

systems (ECIS), pages 1 –13.

Janvrin, D. (2007). The impact of information technology

on the audit process: An assessment of the state of

the art and implications for the future. Managerial

Auditing Journal, 16:159–164.

Law, U. S. P. (2000). Health insurance portability and ac-

countability act.

Li, X.-Y., Shi, Y., Guo, Y., and Ma, W. (2010). Multi-

tenancy based access control in cloud. In Computa-

tional Intelligence and Software Engineering (CiSE),

2010 International Conference on, pages 1 –4.

Mell, P. and Grance, T. (2009). Effectively and securely us-

ing the cloud computing paradigm. National Institute

of Standards and Technology.

Moreau, L., Groth, P., Miles, S., Vazquez-Salceda, J., Ib-

botson, J., Jiang, S., Munroe, S., Rana, O., Schreiber,

A., Tan, V., and Varga, L. (2008). The provenance of

electronic data. Commun. ACM, 51, 4(4):52–58.

Morrison, R., Balasubramaniam, D., Greenwood, M.,

Kirby, G., Mayes, K., Munro, D., and Warboys, B.

ARCHITECTURE FOR COMPLIANCE ANALYSIS OF DISTRIBUTED SERVICE BASED SYSTEMS

291

(2000). An approach to compliance in software archi-

tectures. Computing and Control Engineering Jour-

nal, 4:195–200.

Mulo, E., Zdun, U., and Dustdar, S. (2010). Monitoring

web service event trails for business compliance.

on Banking Supervision, B. C. (2009). International Con-

vergence of Capital Measurement and Capital Stan-

dards. Bank for International Settlements Press &

Communications CH-4002 Basel, Switzerland.

Parliament, E. (1995). Directive 95/46/ec of the

european parliament and of the council. Of-

ﬁcial Journal of the European Communities.

http://ec.europa.eu/justice/policies/privacy/docs/95-

46-ce/dir1995-46 part1 en.pdf.

Pearson, S. (2009). Taking account of privacy when design-

ing cloud computing services. Software Engineering

Challenges of Cloud Computing, IEEE, 2009:44–52.

Rozsnyai, S., Vecera, R., Schiefer, J., and Schatten, A.

(2007). Event cloud - searching for correlated busi-

ness events. E-Commerce Technology, IEEE Interna-

tional Conference on, and Enterprise Computing, E-

Commerce, and E-Services, IEEE International Con-

ference on, 0:409–420.

Santos, N., Gummadi, K. P., and Rodrigues, R. (2009). To-

wards trusted cloud computing. In Proceedings of

the 2009 conference on Hot topics in cloud comput-

ing, HotCloud’09, pages 3–3, Berkeley, CA, USA.

USENIX Association.

Schmidt, M. T., Hutchison, B., Lambros, P., and Phippen,

R. (2005). The enterprise service bus: making service-

oriented architecture real. IBM Syst. J., 44(4):781–

797.

Silveira, P., Rodriguez, C., Casati, F., Daniel, F., D’Andrea,

V., Worledge, C., and Taheri, Z. (2010). On the de-

sign of compliance governance dashboards for effec-

tive compliance and audit management. In Dan, A.,

Gittler, F., and Toumani, F., editors, Service-Oriented

Computing. ICSOC/ServiceWave 2009 Workshops,

volume 6275 of Lecture Notes in Computer Science,

pages 208–217. Springer Berlin / Heidelberg.

Skene, J. (2007). Language support for service-level agree-

ments for application-service provision. PhD thesis,

Department of Computer Science, UCL.

Sotto, L., Treacy, B., and McLellan, M. (2010). Privacy

and data security risks in cloud. Computing Electronic

Commerce & Law Report, 15:186.

Swanson, M., Bowen, P., Wohl Phillips, A., and Gallup, D.,

D. L. (2010). Contingency planning guide for federal

information systems. NIST Special Publication 800-

34 Rev. 1.

Weber, R. (1998). Information Systems Control and Audit.

Pearson Education.

Wood, L. (2009). Cloud computing and compliance: Be

careful up there. Computerworld.

Zhang, C., De Sterck, H., Aboulnaga, A., Djambazian, H.,

and Sladek, R. (2010). Case study of scientiﬁc data

processing on a cloud using hadoop. In Mewhort,

D., Cann, N., Slater, G., and Naughton, T., editors,

High Performance Computing Systems and Applica-

tions, volume 5976 of Lecture Notes in Computer Sci-

ence, pages 400–415. Springer Berlin / Heidelberg.

CLOSER 2011 - International Conference on Cloud Computing and Services Science

292