Authors:
Jesus Luna Garcia
;
Hamza Ghani
;
Tsvetoslava Vateva
and
Neeraj Suri
Affiliation:
Technische Universität Darmstadt, Germany
Keyword(s):
Cloud security, security assessment, security benchmarks, Security Level Agreements, security metrics
Related
Ontology
Subjects/Areas/Topics:
Data and Application Security and Privacy
;
Formal Methods for Security
;
Information and Systems Security
;
Information Assurance
;
Information Systems Auditing
;
Management of Computing Security
;
Risk Assessment
;
Secure Cloud Computing
;
Security in Distributed Systems
;
Security in Information Systems
;
Security Metrics and Measurement
Abstract:
The users of Cloud Service Providers (CSP) often motivate their choice of providers based on criteria such as the offered service level agreements (SLA) and costs, and also recently based on security aspects (i.e., due to regulatory compliance). Unfortunately, it is quite uncommon for a CSP to specify the security levels associated with their services, hence impeding users from making security relevant informed decisions. Consequently, while the many economic and technological advantages of Cloud computing are apparent, the migration of key sector applications has been limited, in part, due to the lack of security assurance on the CSP. In order to achieve this assurance and create trustworthy Cloud ecosystems, it is desirable to develop metrics and techniques to compare, aggregate, negotiate and predict the trade-offs (features, problems and the economics) of security. This paper contributes with a quantitative security assessment case study using the CSP information found on the Clo
ud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR). Our security assessment
rests on the notion of Cloud Security Level Agreements — SecLA — and, a novel set of security metrics used to quantitatively compare SecLAs.
(More)