SecLA-Based Negotiation and Brokering of Cloud Resources

  • Jesus Luna
  • Tsvetoslava Vateva-Gurova
  • Neeraj Suri
  • Massimiliano Rak
  • Alessandra De Benedictis
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 453)


As the popularity of Cloud computing has grown in recent years, the choice of Cloud Service Provider (CSP) has become an important issue from the user’s perspective. Although Cloud users are increasingly concerned about their security in the Cloud and may have specific security requirements, this choice is currently based on requirements related to the offered Service Level Agreements (SLAs) and costs. Most CSPs do not provide user-understandable information regarding the security levels associated with their services, and thereby prevent users from negotiating their security requirements. In other words, users lack the technical means, in terms of tools and semantics, to choose the CSP that best suits their security demands. Industrial efforts on the specification of Cloud security parameters in SLAs, also known as “Security Level Agreements” or SecLAs, represent the initial steps towards solving this problem. The aim of this paper is to propose a practical approach that enables user-centric negotiation and brokering of Cloud resources. The proposed methodology relies both on the notion of SecLAs for establishing a common semantic between the CSPs and the users, and on a quantitative approach to evaluate the security levels associated with specific SecLAs.

This work is a result of the joint effort spent on the security metrology-related techniques being developed by the EU FP7 projects ABC4Trust/SPECS and the framework for SLA-based negotiation and Cloud resource brokering proposed by the EU FP7 mOSAIC project. The feasibility of the proposed negotiation approach and its applicability to Cloud Federations are demonstrated in the paper with a real-world case study based on a scenario presented in the FP7 project SPECS. The scenario shows the negotiation of a user’s security requirements with respect to a set of CSPs’ SecLAs, using both the information available in the Cloud Security Alliance’s “Security, Trust & Assurance Registry” (CSA STAR) and the WS-Agreement standard.


Keywords: Cloud security; Security level agreements; Security metrics; Security negotiation; Resource brokering



Research supported in part by the Deutsche Forschungsgemeinschaft (German Research Foundation) Graduiertenkolleg 1362 - DFG GRK 1362, the EC FP7 project SPECS (Grant Agreement no. 610795), the FP7-ICT-2009-5-256910 (mOSAIC) and TU Darmstadt’s project LOEWE-CASED.



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Jesus Luna (1)
  • Tsvetoslava Vateva-Gurova (2)
  • Neeraj Suri (2)
  • Massimiliano Rak (3)
  • Alessandra De Benedictis (4)

  1. Cloud Security Alliance, Scotland, UK
  2. Department of Computer Science, Technische Universität Darmstadt, Darmstadt, Germany
  3. Dipartimento di Ingegneria Dell’Informazione, Seconda Universita’ di Napoli, Caserta, Italy
  4. Department of Electrical Engineering and Information Technology, University of Naples Federico II, Napoli, Italy
