Managing the Lifecycle of Security SLA Requirements in Cloud Computing

  • Marco Antonio Torrez Rojas
  • Fernando Frota Redígolo
  • Nelson Mimura Gonzalez
  • Fernando Vilgino Sbampato
  • Tereza Cristina Melo de Brito Carvalho
  • Kazi Walli Ullah
  • Mats Näslund
  • Abu Shohel Ahmed
Conference paper
Part of the Studies in Computational Intelligence book series (SCI, volume 718)

Abstract

One of the major barriers to full adoption of cloud computing is security. Because the cloud computing paradigm implies shared management responsibility between provider and consumer, security requirements must be addressed within the Service Level Agreements (SLAs) established between cloud providers and consumers, together with the tools and mechanisms needed to fulfil and verify those requirements. This work proposes a framework that orchestrates, in an automated manner, the management of cloud services and of the security mechanisms required by the security requirements defined in an SLA, throughout the lifecycle of both the services and the SLA. In addition, the integration of the framework with a cloud computing solution is presented, in order to demonstrate and validate the framework's support across the SLA lifecycle phases.

Keywords

Service Provider; Cloud Computing; Cloud Service; Security Requirement; Security Issue

Notes

Acknowledgements

This work was supported by the Innovation Center, Ericsson Telecomunicações S.A., Brazil.


Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Marco Antonio Torrez Rojas (1)
  • Fernando Frota Redígolo (1)
  • Nelson Mimura Gonzalez (1)
  • Fernando Vilgino Sbampato (1)
  • Tereza Cristina Melo de Brito Carvalho (1)
  • Kazi Walli Ullah (2)
  • Mats Näslund (3)
  • Abu Shohel Ahmed (2)
  1. Escola Politécnica, University of São Paulo, São Paulo, Brazil
  2. Ericsson Research, Jorvas, Finland
  3. Ericsson Research, Stockholm, Sweden
