Abstract
As the popularity of Cloud computing has grown in recent years, the choice of Cloud Service Provider (CSP) has become an important issue from the user's perspective. Although Cloud users are increasingly concerned about their security in the Cloud and may have specific security requirements, this choice is currently based on requirements related to the offered Service Level Agreements (SLAs) and costs. Most CSPs do not provide user-understandable information regarding the security levels associated with their services, and in this way prevent users from negotiating their security requirements. In other words, users lack the technical means, in terms of tools and semantics, to choose the CSP that best suits their security demands. Industrial efforts on the specification of Cloud security parameters in SLAs, also known as "Security Level Agreements" or SecLAs, represent the initial steps towards solving this problem. The aim of this paper is to propose a practical approach that enables user-centric negotiation and brokering of Cloud resources. The proposed methodology relies both on the notion of SecLAs for establishing a common semantics between CSPs and users, and on a quantitative approach to evaluate the security levels associated with specific SecLAs.
This work is the result of the joint effort on the security metrology-related techniques being developed by the EU FP7 projects ABC4Trust/SPECS and the framework for SLA-based negotiation and Cloud resource brokering proposed by the EU FP7 mOSAIC project. The feasibility of the proposed negotiation approach and its applicability to Cloud Federations is demonstrated in the paper with a real-world case study considering a scenario presented in the FP7 project SPECS. The presented scenario shows the negotiation of a user's security requirements with respect to a set of CSPs' SecLAs, using both the information available in the Cloud Security Alliance's "Security, Trust & Assurance Registry" (CSA STAR) and the WS-Agreement standard.
Notes
1. Due to STAR's usage restrictions, it is not possible to disclose the real identity of the CSPs under evaluation.
Acknowledgements
Research supported in part by the Deutsche Forschungsgemeinschaft (German Research Foundation) Graduiertenkolleg 1362 (DFG GRK 1362), the EC FP7 project SPECS (Grant Agreement no. 610795), the FP7-ICT-2009-5-256910 (mOSAIC) project and TU Darmstadt's project LOEWE-CASED.
© 2014 Springer International Publishing Switzerland
Luna, J., Vateva-Gurova, T., Suri, N., Rak, M., De Benedictis, A. (2014). SecLA-Based Negotiation and Brokering of Cloud Resources. In: Helfert, M., Desprez, F., Ferguson, D., Leymann, F. (eds) Cloud Computing and Services Science. CLOSER 2013. Communications in Computer and Information Science, vol 453. Springer, Cham. https://doi.org/10.1007/978-3-319-11561-0_1
DOI: https://doi.org/10.1007/978-3-319-11561-0_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11560-3
Online ISBN: 978-3-319-11561-0