Idea: Optimising Multi-Cloud Deployments with Security Controls as Constraints

  • Philippe Massonet
  • Jesus Luna
  • Alain Pannetrat
  • Ruben Trapero
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8978)


The increasing number of cloud service providers (CSP) is creating opportunities for multi-cloud deployments, where components are deployed across different CSP, instead of within a single CSP. Selecting the right set of CSP for a deployment then becomes a key step in the deployment process. This paper argues that deployment should take security into account when selecting CSP. This paper makes two contributions in this direction. First the paper describes how industrial standard security control frameworks may be integrated into the deployment process to select CSP that provide sufficient levels of security. It also argues that ability to monitor CSP security should also be considered. The paper then describes how security requirements may be modelled as constraints on deployment objectives to find optimal deployment plans. The importance of using cloud security standards as a basis for reasoning on required and provided security features is discussed.


Cloud Security Deployment Optimization Security controls Security service level agreements Monitoring 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Cloud Control Matrix (2011),
  2. 2.
    Cloud Security Alliance. The Security, Trust & Assurance Registry (STAR), (last access: 2014)
  3. 3.
    Dekker, M., Hogben, G.: Survey and analysis of security parameters in cloud SLAs across the European public sector (2011),
  4. 4.
    NIST, Cloud Computing: Cloud Service Metrics Description (RATAX) (2014)Google Scholar
  5. 5.
    SPECS home page, (last access: 2014)
  6. 6.
    CUMULUS project home page, (last access: 2014)
  7. 7.
    PASSAGE project home page, (last access: 2014)
  8. 8.
  9. 9.
  10. 10.
    Brenner, J.: ISO 27001: Risk management and compliance. Risk Management 54(1), 24 (2007)Google Scholar
  11. 11.
    Industry, Payment Card. Data security standard. Requirements and Security Assessment Procedures, Version 3 (2013)Google Scholar
  12. 12.
  13. 13.
    NIST, Cloud Computing: Cloud Service Metrics Description (RATAX). Working document (2014)Google Scholar
  14. 14.
    Garcia, J.L., Vateva-Gurova, T., Suri, N., Rak, M., Liccardo, L.: Negotiating and Brokering Cloud Resources based on Security Level Agreements. In: CLOSER, pp. 533–541. SciTePress (2013)Google Scholar
  15. 15.
    Pannetrat, A., Hogben, G., et al.: D2.1 Security-aware SLA specification language and Cloud security dependency model., CUMULUS project deliverable (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Philippe Massonet
    • 2
  • Jesus Luna
    • 1
  • Alain Pannetrat
    • 1
  • Ruben Trapero
    • 3
  1. 1.Cloud Security Alliance (Europe)United Kingdom
  2. 2.Centre d’Excellence en Technologies de l’Information et de la CommunicationBelgium
  3. 3.Department of Computer ScienceTechnische Universitat DarmstadtGermany

Personalised recommendations