Per Håkon Meland, Karin Bernsmed, Martin Gilje Jaatun, Astrid Undheim, Humberto Castejon


The uptake of Cloud computing is being hindered by the fact that not only are current Cloud SLAs written in natural language, but they also fail to cover security requirements. This paper considers a Cloud brokering model that helps negotiate and establish SLAs between customers and providers. This broker handles security requirements on two different levels: between the customer and the broker, where the requirements are stated in natural language, and between the broker and the different Cloud providers, where requirements are stated in deontic contract languages. We investigate the suitability of seven of those languages for expressing security requirements in SLAs and exemplify their use in the Cloud brokering model through a practical use case for a video streaming service.



Paper Citation

in Harvard Style

Meland P., Bernsmed K., Jaatun M., Undheim A. and Castejon H. (2012). EXPRESSING CLOUD SECURITY REQUIREMENTS IN DEONTIC CONTRACT LANGUAGES. In Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CloudSecGov, (CLOSER 2012) ISBN 978-989-8565-05-1, pages 638-646. DOI: 10.5220/0003977906380646
