A Semantic Model for Audit of Cloud Engines based on ISO/IEC TR 3445:2022

Morteza Sargolzaei Javan

TL;DR

The paper addresses the lack of a unified framework for cloud architecture and compliance by proposing a semantic model for Cloud Engines that integrates ISO/IEC 22123 with ISO/IEC 27001 and TR 3445:2022. It presents an RDF/Turtle ontology that decomposes cloud systems into four interfaces—Control, Business, Audit, Data—and maps security mechanisms to regulatory controls, enabling automated SPARQL and SHACL-based validation. The authors validate the approach with OpenStack and AWS case studies, illustrating practical mappings and reproducible workflows. This work advances auditability and vendor-agnostic cloud design by bridging architectural and security standards in a machine-readable, extensible framework.

Abstract

Cloud computing has become the foundation of modern digital infrastructure, yet the absence of a unified architectural and compliance framework impedes interoperability, auditability, and robust security. This paper introduces a formal, machine-readable semantic model for Cloud Engines, integrating the architectural taxonomy of ISO/IEC 22123 (Cloud Reference Architecture) with the security and compliance controls of ISO/IEC 27001:2022 and ISO/IEC TR 3445:2022. The model decomposes cloud systems into four canonical interfaces (Control, Business, Audit, and Data) and extends them with a security ontology that maps mechanisms such as authentication, authorization, and encryption to specific compliance controls. Expressed in RDF/Turtle, the model enables semantic reasoning, automated compliance validation, and vendor-neutral architecture design. We demonstrate its practical utility through OpenStack and AWS case studies, and provide reproducible validation workflows using SPARQL and SHACL. This work advances the state of cloud security modeling by bridging architectural and compliance standards in a unified framework, with a particular emphasis on auditability.
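To make the abstract's design concrete, the following RDF/Turtle fragment is an added illustration, not the paper's own ontology: it sketches a Cloud Engine with the four canonical interfaces, a small security ontology that maps mechanisms to ISO/IEC 27001:2022 Annex A controls, a constructed (hypothetical) engine instance, and SHACL shapes that encode the compliance checks. The `ce:` namespace, every class, property and instance name, and the choice of which Annex A control each mechanism satisfies are assumptions made here; the paper's actual IRIs and control mappings are not reproduced on this page.

```turtle
@prefix rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix owl:  <http://www.w3.org/2002/07/owl#> .
@prefix sh:   <http://www.w3.org/ns/shacl#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
# Placeholder namespace (assumption): the paper's own IRIs are not given on this page.
@prefix ce:   <http://example.org/cloudengine#> .

### Architectural layer: a Cloud Engine exposes four canonical interfaces
ce:CloudEngine        a owl:Class .
ce:Interface          a owl:Class .
ce:ControlInterface   a owl:Class ; rdfs:subClassOf ce:Interface .
ce:BusinessInterface  a owl:Class ; rdfs:subClassOf ce:Interface .
ce:AuditInterface     a owl:Class ; rdfs:subClassOf ce:Interface .
ce:DataInterface      a owl:Class ; rdfs:subClassOf ce:Interface .

### Security layer: mechanisms and the compliance controls they satisfy
ce:SecurityMechanism  a owl:Class .
ce:Authentication     a owl:Class ; rdfs:subClassOf ce:SecurityMechanism .
ce:Authorization      a owl:Class ; rdfs:subClassOf ce:SecurityMechanism .
ce:Encryption         a owl:Class ; rdfs:subClassOf ce:SecurityMechanism .
ce:ComplianceControl  a owl:Class .

ce:hasInterface a owl:ObjectProperty ;   rdfs:domain ce:CloudEngine ;       rdfs:range ce:Interface .
ce:protectedBy  a owl:ObjectProperty ;   rdfs:domain ce:Interface ;         rdfs:range ce:SecurityMechanism .
ce:satisfies    a owl:ObjectProperty ;   rdfs:domain ce:SecurityMechanism ; rdfs:range ce:ComplianceControl .
ce:controlId    a owl:DatatypeProperty ; rdfs:domain ce:ComplianceControl ; rdfs:range xsd:string .
ce:source       a owl:DatatypeProperty ; rdfs:domain ce:ComplianceControl ; rdfs:range xsd:string .

### Compliance controls (ISO/IEC 27001:2022 Annex A identifiers; mapping choice is an assumption)
ce:ctrl-auth   a ce:ComplianceControl ; ce:controlId "A.8.5"  ; ce:source "ISO/IEC 27001:2022" .  # secure authentication
ce:ctrl-access a ce:ComplianceControl ; ce:controlId "A.5.15" ; ce:source "ISO/IEC 27001:2022" .  # access control
ce:ctrl-crypto a ce:ComplianceControl ; ce:controlId "A.8.24" ; ce:source "ISO/IEC 27001:2022" .  # use of cryptography

### Constructed instance data: a hypothetical engine, not a real deployment
ce:demo-engine a ce:CloudEngine ;
    ce:hasInterface ce:demo-control, ce:demo-business, ce:demo-audit, ce:demo-data .
ce:demo-control  a ce:ControlInterface ;  ce:protectedBy ce:admin-mfa .
ce:demo-business a ce:BusinessInterface ; ce:protectedBy ce:tenant-rbac .
ce:demo-audit    a ce:AuditInterface .    # deliberately left without a mechanism: the shapes below flag it
ce:demo-data     a ce:DataInterface ;     ce:protectedBy ce:tls-in-transit .

ce:admin-mfa      a ce:Authentication ; ce:satisfies ce:ctrl-auth .
ce:tenant-rbac    a ce:Authorization ;  ce:satisfies ce:ctrl-access .
ce:tls-in-transit a ce:Encryption ;     ce:satisfies ce:ctrl-crypto .

### SHACL shapes: the machine-checkable audit rules
# Every interface (including instances of the four subclasses, via rdfs:subClassOf in this graph)
# must be protected by at least one security mechanism.
ce:InterfaceShape a sh:NodeShape ;
    sh:targetClass ce:Interface ;
    sh:property [
        sh:path ce:protectedBy ;
        sh:minCount 1 ;
        sh:class ce:SecurityMechanism ;
        sh:message "Interface has no security mechanism attached." ;
    ] .

# Every mechanism must trace to a compliance control, otherwise it is unauditable.
ce:MechanismShape a sh:NodeShape ;
    sh:targetClass ce:SecurityMechanism ;
    sh:property [
        sh:path ce:satisfies ;
        sh:minCount 1 ;
        sh:class ce:ComplianceControl ;
        sh:message "Security mechanism is not mapped to any compliance control." ;
    ] .

# Data interfaces specifically need an Encryption mechanism, not just any mechanism.
ce:DataEncryptionShape a sh:NodeShape ;
    sh:targetClass ce:DataInterface ;
    sh:property [
        sh:path ce:protectedBy ;
        sh:qualifiedValueShape [ sh:class ce:Encryption ] ;
        sh:qualifiedMinCount 1 ;
        sh:message "Data interface must be protected by an Encryption mechanism." ;
    ] .
```

Because the schema, instance data and shapes live in one graph, the file can be validated against itself with any SHACL Core validator (for example pySHACL, `pyshacl -s model.ttl model.ttl`); the expected result is a single violation from `ce:InterfaceShape` on `ce:demo-audit`, which is exactly the kind of finding an auditor wants surfaced before a review rather than during one. The same gap can be found with SPARQL, e.g. `SELECT ?iface WHERE { ?iface a/rdfs:subClassOf* ce:Interface . FILTER NOT EXISTS { ?iface ce:protectedBy ?m } }`, and a vendor-specific model (OpenStack, AWS) would differ only in the instance section, leaving the shapes untouched.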

Paper Structure

This paper contains 22 sections, 1 figure.

Figures (1)

  • Figure 1: High-level Ontology Graph for CloudEngine