SERVICE LEVEL AGREEMENTS AS A SERVICE - Towards Security Risks Aware SLA Management

Katerina Stamou, Jean-Henry Morin, Benjamin Gateau, Jocelyn Aubert

Abstract

Cloud computing has matured to become a valuable on-demand alternative to traditional ownership models for the provisioning of services, platforms and infrastructure. However, this raises many issues for Governance, Risk and Compliance (GRC), and in particular for Information Systems Security Risk Management (ISSRM). Considering that such issues receive little attention and are poorly understood, particularly by small and medium-sized enterprises (SMEs), and that cloud computing Service Level Agreements (SLAs) provide very limited support beyond basic Quality of Service (QoS) parameters, this paper argues that SLAs for cloud computing services should be more customer-oriented and aware of security and risk management. A design is proposed in which the SLA process, from context initialization through negotiation to agreement, is decoupled from the actual cloud service provisioning and is itself turned into a service: SLA as a Service (SLAaaS). This should provide customers with far more customized and fine-grained agreements than those currently offered.



Paper Citation


in Harvard Style

Stamou K., Morin J., Gateau B. and Aubert J. (2012). SERVICE LEVEL AGREEMENTS AS A SERVICE - Towards Security Risks Aware SLA Management. In Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CloudSecGov, (CLOSER 2012), ISBN 978-989-8565-05-1, pages 663-669. DOI: 10.5220/0003966006630669


in Bibtex Style

@conference{cloudsecgov12,
author={Katerina Stamou and Jean-Henry Morin and Benjamin Gateau and Jocelyn Aubert},
title={SERVICE LEVEL AGREEMENTS AS A SERVICE - Towards Security Risks Aware SLA Management},
booktitle={Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CloudSecGov, (CLOSER 2012)},
year={2012},
pages={663-669},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003966006630669},
isbn={978-989-8565-05-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CloudSecGov, (CLOSER 2012)
TI - SERVICE LEVEL AGREEMENTS AS A SERVICE - Towards Security Risks Aware SLA Management
SN - 978-989-8565-05-1
AU - Stamou K.
AU - Morin J.
AU - Gateau B.
AU - Aubert J.
PY - 2012
SP - 663
EP - 669
DO - 10.5220/0003966006630669