Security Assurance of (Multi-)Cloud Application with Security SLA Composition

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10232)


Despite the diffusion of the cloud computing paradigm, cloud security is still considered one of the main inhibitors for the adoption of cloud-based solutions. Security Service Level Agreements (Security SLAs), i.e. agreements among providers and customers that state the level of security granted on the services delivered, are adopted to enable a Cloud Service Provider (CSP) to declare its security policy and to offer a way to measure it from the cloud service customer (CSC) point of view. Security SLAs, however, do not completely solve the security issue in the cloud when we have complex supply chains. This paper proposes a technique to automatically generate Security SLAs, relying on CSP declarations and on the services composing the application. Security SLAs and cloud applications are modeled, enabling automatic reasoning over the security offerings and the evaluation of the security policy over an orchestration of cloud services.


Keywords: Cloud security; Service Level Agreement; SecSLA; Security SLA; Security policy; Policy composition



This research is partially supported by the grant H2020-ICT-07-2014-644429 (MUSA). The author would like to thank Marco Toscano, whose work during the master's degree thesis was partially reused in this paper.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Department of Industrial and Information Engineering, Università della Campania Luigi Vanvitelli, Aversa, Italy
