Combining Learning and Model-Based Reasoning to Reduce Uncertainties in Cloud Security and Compliance Auditing

Security and compliance auditing is expensive, time-consuming, and error-prone for cloud service providers operating in multiple domains. Existing approaches predominantly use formal logic and domain-specific languages to facilitate collection and validation of evidence needed for compliance certification. Such approaches do not sufficiently account for the uncertainties and challenges caused by human involvement, which are a major contributor to inefficiencies and mistakes in the audit process. We propose that hybrid approaches, in which formal, model-based approaches are combined with machine learning techniques to reason about evidence and historical audit data, are necessary to address such uncertainties. Such approaches can help both auditors and service providers better deal with uncertainties, and reduce costs, errors, and the manual effort required to identify evidence needed for compliance certification. We present a taxonomic framework for understanding the causes of and potential solutions to uncertainty in the audit process. We identify areas within evidence collection and validation in which machine learning can augment model-based techniques to reduce uncertainties. We provide some examples of hybrid approaches that we are exploring and discuss the need for more work in this area.