Quantitative Assessment of Cloud Security Level Agreements - A Case Study

Jesus Luna Garcia, Hamza Ghani, Tsvetoslava Vateva, Neeraj Suri

2012

Abstract

The users of Cloud Service Providers (CSP) often motivate their choice of providers based on criteria such as the offered service level agreements (SLA) and costs, and also recently based on security aspects (i.e., due to regulatory compliance). Unfortunately, it is quite uncommon for a CSP to specify the security levels associated with their services, hence impeding users from making security relevant informed decisions. Consequently, while the many economic and technological advantages of Cloud computing are apparent, the migration of key sector applications has been limited, in part, due to the lack of security assurance on the CSP. In order to achieve this assurance and create trustworthy Cloud ecosystems, it is desirable to develop metrics and techniques to compare, aggregate, negotiate and predict the trade-offs (features, problems and the economics) of security. This paper contributes with a quantitative security assessment case study using the CSP information found on the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR). Our security assessment rests on the notion of Cloud Security Level Agreements — SecLA — and, a novel set of security metrics used to quantitatively compare SecLAs.

References

  1. Almorsy, M., et.al. (2011). Collaboration-Based Cloud Computing Security Management Framework. In Proc. of the IEEE International Conference on Cloud Computing, pages 364-371.
  2. Andrieux, K., et.al. Web Services Agreement Specification (WS-Agreement). Technical Report TRWSAgreement-2007, Open Grid Forum.
  3. Bernsmed, K., et.al. (2011). Security SLAs for Federated Cloud Services. In Proc. of the IEEE Sixth International Conference on Availability, Reliability and Security, pages 202-209.
  4. Boyle K., et.al. (2010). The CIS security metrics. Technical Report TR-28, Center for Internet Security.
  5. Casola V., et.al. (2005). A Reference Model for Security Level Evaluation: Policy and Fuzzy Techniques. Journal of Universal Computer Science, pages 150-174.
  6. Casola V., et.al. (2006). A SLA evaluation methodology in Service Oriented Architectures. In Quality of Protection, volume 23 of Springer Advances in Information Security, pages 119-130.
  7. Casola, V., et.al. (2007). Interoperable Grid PKIs Among Untrusted Domains: An Architectural Proposal. In Advances in Grid and Pervasive Computing, volume 4459 of Springer Lecture Notes in Computer Science, pages 39-51.
  8. Casola, V. et.al. (2007). Static evaluation of Certificate Policies for Grid PKIs interoperability. In Proc. of the IEEE Second International Conference on Availability, Reliability and Security, pages 391-399.
  9. Center for Internet Security (2009). User Guide for CISCAT. Online: http://benchmarks.cisecurity.org/enus/docs/user-guides/CIS-CAT-Users-Guide.pdf.
  10. Cloud Security Alliance (2011a). Security metrics workgroup. Online: http://www.cloudsecurityalliance.org/Research.html.
  11. Cloud Security Alliance (2011b). The Consensus Assessments Initiative Questionnaire. Online: https://cloudsecurityalliance.org/research/cai/.
  12. Cloud Security Alliance (2011c). The Security, Trust & Assurance Registry (STAR). Online: https://cloudsecurityalliance.org/star/.
  13. De Chaves, S. A., et.al. (2010). SLA perspective in security management for Cloud computing. In Proc. of the IEEE Sixth International Conference on Networking and Services, pages 212-217.
  14. Dekker, M. and Hogben, G. (2011). Survey and analysis of security parameters in cloud SLAs across the European public sector. Technical Report TR-2011-12-19, European Network and Information Security Agency.
  15. Feglar, T. (2004). ITIL based Service Level Management if SLAs cover Security. Journal on Systemics, Cybernetics and Informatic, pages 61-71.
  16. Frankova, G. and Yautsiukhin, A. (2007). Service and protection level agreements for business processes. In Proc. of the IEEE Second European Young Researchers Workshop on Service Oriented Computing, page 38.
  17. Ghani, H., et.al. (2010). Assessing the Security of Internet Connected Critical Infrastructures (The CoMiFin Project Approach). In Proc. of the Workshop on Security of the Internet of Things.
  18. Henning, R. (1999). Security service level agreements: quantifiable security for the enterprise? In Proc. of the ACM Workshop on New security paradigms, pages 54-60.
  19. Irvine, C. and Levin, T. (2001). Quality of security service. In Proc. of the ACM Workshop on New security paradigms, pages 91-99.
  20. Jansen, W. (2010). Directions in security metrics research. Technical Report TR-7564, National Institute for Standards and Technology.
  21. Krautsevich, L., et.al. (2011). A general method for assessment of security in complex services. In Towards a Service-Based Internet, volume 6994 of Springer Lecture Notes in Computer Science, pages 153-164.
  22. Ludwig, H., et.al. Web Service Level Agreement (WSLA) Language Specification. Technical Report TRWSLA-2003-01-28, IBM.
  23. Luna, J. et.al. (2008). Providing security to the Desktop Data Grid. In Proc. of the IEEE International Symposium on Parallel and Distributed Processing, pages 1-8.
  24. Luna, J., et.al. (2011). A Security Metrics Framework for the Cloud. In Proc. of the INSTICC Internation Conference on Security and Cryptography, pages 245- 250.
  25. Monahan, B. and Yearworth, M. (2008). Meaningful security SLAs. Technical Report TR-HPL-2005-218, HP Labs.
  26. Neto, A., et.al. (2011). To benchmark or not to benchmark security: That is the question. In Proc. of the IEEE Dependable Systems and Networks Workshops, pages 182-187.
  27. Samani, R., et.al. (2011). Common Assurance Maturity Model: Scoring Model. Online: http://commonassurance.com/.
  28. Trimintzios, P. (2011). Measurement Frameworks and Metrics for Resilient Networks and Services. Discussion Draft. European Network and Information Security Agency.
  29. Verendel, V. (2009). Quantified security is a weak hypothesis: a critical survey of results and assumptions. In Proc. of the ACM Workshop on new security paradigms, pages 37-50.
  30. Weisstein, W. (2011a). Frobenius Norm. Online: http://mathworld.wolfram.com/FrobeniusNorm.html.
  31. Weisstein, W. (2011b). L1-Norm. Online: http://mathworld.wolfram.com/L1-Norm.html.
Download


Paper Citation


in Harvard Style

Luna Garcia J., Ghani H., Vateva T. and Suri N. (2012). Quantitative Assessment of Cloud Security Level Agreements - A Case Study . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012) ISBN 978-989-8565-24-2, pages 64-73. DOI: 10.5220/0004019900640073


in Bibtex Style

@conference{secrypt12,
author={Jesus Luna Garcia and Hamza Ghani and Tsvetoslava Vateva and Neeraj Suri},
title={Quantitative Assessment of Cloud Security Level Agreements - A Case Study},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)},
year={2012},
pages={64-73},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004019900640073},
isbn={978-989-8565-24-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)
TI - Quantitative Assessment of Cloud Security Level Agreements - A Case Study
SN - 978-989-8565-24-2
AU - Luna Garcia J.
AU - Ghani H.
AU - Vateva T.
AU - Suri N.
PY - 2012
SP - 64
EP - 73
DO - 10.5220/0004019900640073