Risk propagation of security SLAs in the cloud

For organizations with mission-critical systems, moving data or functionality to the cloud introduces a risk of additional exposed vulnerabilities associated with cloud service providers not implementing organizationally selected security controls. When internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings for security risk. Whenever an SLA is formed, the level of risk incurred is based on how well the offered service terms meet the organizational security demands. In the cloud, additional SLAs between third-party cloud service providers are formed to federate cloud resources, effectively distributing organizational risk among the various providers involved in the negotiated federations or service compositions. At runtime, whenever a cloud or service violates its SLA with respect to security controls or cancels any security offerings, the risk of noncompliance with organizational security policies increases. This paper provides a process to adapt to the propagated changes of service provider security risks within a service composition or federation due to SLA violations. The process is based on a distributed risk-aware renegotiation algorithm that replaces services if they violate SLAs.
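The abstract describes risk as a function of how well an SLA's offered security terms cover the organization's demanded controls, risk propagating across a composition of providers, and a renegotiation step that swaps out a service once it violates its SLA. The following Python model is an added illustration of that idea and is not the paper's algorithm: the control names, weights, service names, the independence assumption behind the composition formula, and the "lowest-risk acceptable candidate" replacement rule are all constructed here for the example.

```python
"""Toy model of security-SLA risk propagation across a service composition.

Hypothetical illustration, not the paper's algorithm.  Assumptions made here:
  * each provider's SLA commits to a set of named security controls;
  * the organization demands a weighted set of controls;
  * a service's risk is the share of demanded weight its SLA leaves unmet;
  * composition risk treats each service's shortfall as independent;
  * renegotiation replaces the violating service with the lowest-risk
    candidate whose risk is within the organization's tolerance.
"""
from dataclasses import dataclass
from math import prod

# Constructed organizational security demands: control name -> weight.
DEMANDS = {"mfa": 3, "tls_in_transit": 3, "audit_logging": 2, "incident_response": 1}


@dataclass(frozen=True)
class Service:
    name: str
    controls: frozenset  # controls the provider's SLA commits to


def service_risk(svc: Service, demands=DEMANDS) -> float:
    """Share of demanded control weight the SLA leaves uncovered (0.0 = fully compliant)."""
    total = sum(demands.values())
    unmet = sum(w for c, w in demands.items() if c not in svc.controls)
    return unmet / total


def composition_risk(services, demands=DEMANDS) -> float:
    """Risk of the whole composition: probability that at least one member falls short,
    under the (constructed) assumption that members' shortfalls are independent."""
    return 1.0 - prod(1.0 - service_risk(s, demands) for s in services)


def apply_violation(svc: Service, dropped) -> Service:
    """Runtime SLA violation: the provider stops honouring some of its committed controls."""
    return Service(svc.name, svc.controls - frozenset(dropped))


def renegotiate(services, violated: str, candidates, max_risk, demands=DEMANDS):
    """Replace the violating service with the lowest-risk candidate that is acceptable.

    Returns (new_services, replacement_name).  If no candidate is within max_risk the
    composition is returned unchanged and replacement_name is None, so the caller can
    escalate instead of silently accepting the degraded provider."""
    acceptable = [c for c in candidates if service_risk(c, demands) <= max_risk]
    if not acceptable:
        return list(services), None
    best = min(acceptable, key=lambda c: service_risk(c, demands))
    return [best if s.name == violated else s for s in services], best.name


# Constructed composition of three providers and two replacement candidates.
COMPOSITION = [
    Service("storage-A", frozenset(DEMANDS)),                                   # risk 0
    Service("compute-B", frozenset({"mfa", "tls_in_transit", "audit_logging"})),  # risk 1/9
    Service("queue-C", frozenset({"mfa", "tls_in_transit"})),                     # risk 3/9
]
CANDIDATES = [
    Service("compute-D", frozenset(DEMANDS)),                      # risk 0
    Service("compute-E", frozenset({"mfa", "audit_logging"})),     # risk 3/9
]


def run_scenario(max_risk=0.25):
    """Risk before a violation, after compute-B drops TLS, and after renegotiation."""
    before = composition_risk(COMPOSITION)
    degraded = [apply_violation(s, {"tls_in_transit"}) if s.name == "compute-B" else s
                for s in COMPOSITION]
    during = composition_risk(degraded)
    repaired, replacement = renegotiate(degraded, "compute-B", CANDIDATES, max_risk)
    return {
        "before": before,                       # 11/27
        "after_violation": during,              # 17/27
        "after_renegotiation": composition_risk(repaired),  # 1/3
        "replacement": replacement,             # "compute-D"
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes is the propagation step: one provider dropping a single control raises the risk of the whole composition (from 11/27 to 17/27 here), and the composition only returns to an acceptable level once that provider is renegotiated away. A real deployment would take the demanded controls and their weights from the organization's own policy, and would treat a `None` replacement as an alert rather than a quiet no-op.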
