Taking value-networks to the cloud services: security services, semantics and service level agreements

  • Original Article
Information Systems and e-Business Management

Abstract

Cloud services have become an emerging solution for organizations striving to address today’s need for agility, but little research has addressed transitioning multiple, collaborating organizations to what can be referred to as a “value-network cloud.” We know that organizations adopting cloud services to execute business processes must concomitantly reconfigure their security solutions for their integrated intra- and inter-organizational collaborations. We address the question, “What is needed to make it possible for an entire value-network to take secure, collaborative business process executions to the cloud?” Future value-network cloud solutions will require completely new security approaches that will leverage contracted brokering solutions operating as part of the cloud solution. We view value-network cloud security service provisioning as a bundle decision characterized by a mix of communication patterns relevant to intra- and inter-enterprise collaboration. We propose a cloud service broker model—using semantics and SLA based middleware—to serve as a trusted interface between the enterprise, cloud service providers and other organizations collaborating in a value-network. The approach enables IT governance for value-network cloud services. The architectural requirements adapt design principles for infrastructure management tailored from approaches to how business cartels historically conducted secure business dealings.

References

  • Adams WJ, Yellen JL (1976) Commodity bundling and the burden of monopoly. Q J Econ 90:475–498

  • Akkermans H, Baida Z, Gordijn J, Pena N, Altuna A, Laresgoiti I (2004) Value webs: using ontologies to bundle real-world services. IEEE Intell Syst 19(4):57–66

  • Atluri V, Warner J (2005) Supporting conditional delegation in secure workflow management systems. Proceedings of the symposium on access control models and technologies (SACMAT’05), June, pp 49–58

  • Anderson J (1972) Computer security technology planning study. US air force electronic systems division tech. Report, (Oct), pp 73–151

  • Anderson R (2001) Why information security is hard—An economic perspective. Proceedings of 17th annual computer security applications conference (ACSAC), New Orleans, La. 10–14 Dec

  • AT&T (2004) Network security: managing the risk and opportunity. AT&T point of view, July 1–21

  • Audin G (2004) A roadmap to convergence. A supplement to business communications review—transforming telephony. Oct 9–12

  • Axelsson S (2000) The base-rate fallacy and the difficulty of intrusion detection. ACM Trans Inf Syst Secur 3(3):186–205

  • Babaie E, Hale K, Souza RD, Adachi Y, Ng F (2006) Forecast: IT services, worldwide, 2003–2010, Gartner Forecast, Gartner Group, Stamford, CT, Nov 30

  • Bakos Y, Brynjolfsson E (1999) Bundling information goods: pricing, profits, and efficiency. Manag Sci 45(12):1613–1630

  • Bardhan I, Demirkan H, Kannan PK, Kauffman RJ, Sougstad R (2010) An interdisciplinary perspective on IT services management and services science. J Manag Inf Syst 26(4):13–65

  • Basin D, Doser J, Zurich E (2006) Model driven security: from UML models to access control infrastructures. ACM Trans Softw Eng Methodol 15(1):39–91

  • Bell D (2005) Looking back at the Bell-La Padula model. Proceedings of 21st annual computer security applications conference, December

  • Bishop S, Walker M (1999) The economics of EC competition law. Sweet and Maxwell, London

  • Blakley B (2010) Federated identity. Gartner report, 9 Dec 2010 ID:G00206782

  • Bodin LD, Gordon LA, Loeb MP (2005) Evaluating information security investments using the analytic hierarchy process. Commun ACM 48(2):79–83

  • Boeing (2006) http://www.boeing.com/commercial/787family/dev_team.html

  • Borda A, Careless J, Dimitrova M, Fraser M, Frey J, Hubbard P, Goldstein S, Pung C, Shoebridge M, Wiseman N, Arenas A (2006) Report of working group on virtual research communities for the OST e-infrastructure steering group. VCR Final Report, March 31, 2006

  • Brown G, Carpenter R (2004) Successful application of SOA across the enterprise and beyond. Intel Technol J 8(4):344–359

  • Buzzard K (1999) Computer security—what should you spend your money on. Comput Secur 18(4):322–334

  • Carr NG (2003) IT doesn’t matter. Harvard Bus Rev 81(5):41–49

  • Cavusoglu H, Mishra B, Raghunathan S (2004) A model for evaluating IT security investments. Commun ACM 47:87–92

  • Cavusoglu H, Mishra B, Raghunathan S (2005) The value of intrusion detection systems in information technology security architecture. Inf Syst Res 16(1):28–46

  • Chapman DB, Zwicky ED (1995) Building internet firewalls. O’Reilly and Associates Inc, USA

  • Cheswick WR, Bellovin SM (1994) Firewalls and internet security: repelling the Wily Hacker, Addison-Wesley, Reading

  • Cohen E, Thomas RK, Winsborough W, Shands D (2002) Models for coalition-based access control (CBAC). Seventh ACM symposium on access control models and technologies (SACMAT 02), June, Monterey, California, USA

  • Computer World (2006) 2006 IT Agenda. Computer world special report “Forecast 200, Computer World Data Points, 2, Jan 2006

  • Cone E (2006) Flying in formation. Ziff Davis CIO Insight 65:35–42

  • Covington MJ, Long W, Srinivasan S, Dev SA, Ahamad M, Abowd GD (2001) Securing context-aware applications using environment roles. Proceedings of the sixth ACM symposium on Access control models and technologies, May, Chantilly, Virginia, USA, pp 10–20

  • CPDA (Collaborative Product Development Associates) (2004) Integrated process and technology framework. Collaborative Research Services

  • Currier G (2011) Emerging technology adoption trends. CIO Insight Research

  • Daniels TE, Spafford EH (1999) Identification of host audit data to detect attacks on low-level IP. J Comput Secur 7(1):3–35

  • D’aubeterre F, Singh R, Iyer L (2008) Secure activity resource coordination: empirical evidence of enhanced security awareness in designing secure business processes. Eur J Inf Syst 17(5):528–543

  • Davenport T (2005) The coming commoditization of processes. Harvard Bus Rev 101–108

  • Deltas G, Serfes K, Sicotte R (1999) American shipping cartels in the pre-world war I era. In: Clarke GC, Sundstrom WA (eds) Research in economic history. JAI Press, Stamford, Conn

  • Demirkan H, Kauffman RJ, Vayghan JA, Fill H-G, Karagiannis D, Maglio PP (2009) Service-oriented technology and management: perspectives on research and practice for the coming decade. Electron Commer Res Appl J 7(4):356–376

  • Demirkan H, Cheng HK, Bandyopadhyay S (2010) Coordination strategies in a SaaS supply chain. J Manag Inf Syst 26(4):121–146

  • Demirkan H, Harmon R, Goul M (2011) Service-oriented web application framework: utility-grade instrumentation of emergent web applications, the special issue of the IEEE IT professional on the future of web applications: strategies and design, pp 15–21, Sep/Oct

  • Denning D (1987) An intrusion-detection model. IEEE Trans Softw Eng 13(2):222–226

  • Denning D, Branstad D (1996) A taxonomy of key escrow encryption systems. Commun ACM 39(3):34–40

  • Dick AR (1996) When are cartels stable contracts? J Law Econ 39(1):241–283

  • Drecun V, Brown DH (2004) Closing the process/technology gap FERA. Collaborative Product Development Associates, LLC

  • Edwards PN, Jackson SJ, Bowker GC, Knobel CP (2007) Understanding infrastructure: dynamics, tensions, and design. Report of a NSF workshop on “History & theory of infrastructure: lessons for new scientific cyberinfrastructures”. Ann Arbor, Michigan

  • FERA-based SOA—Semantion Inc. http://www.ebxmlsoft.com/papers/fera-based-soa.html

  • Fernández-Medina E, Trujillo J, Piattini M (2007) Model-driven multidimensional modeling of secure data warehouses. Eur J Inf Syst 16(4):374–390

  • Frincke D (2000) Balancing cooperation and risk in intrusion detection. ACM Trans Inf Syst Secur 3(1):1–29

  • Georgiadis CK, Mavridis I, Pangalos G, Thomas R (2001) Flexible team-based access control using contexts. Proceedings of ACM symposium on access control model and technology, Chantilly, VA

  • Gordon L, Loeb M (2001) A framework for using information security as a response to competitor analysis systems. Commun ACM 44(9):70–75

  • Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans Inf Syst Secur 5(4):438–457

  • Gordon LA, Loeb M, Lucyshyn W (2003) Sharing information on computer systems security: an economic analysis. J Acc Public Policy 22(6):461–485

  • Graham G, Denning P (1972) Protection—principles and practice. Proceedings of the AFIPS spring joint computer conference, vol. 40, pp 417–429, Atlantic City, New Jersey

  • Gregor S (2006) The nature of theory in information systems. MIS Q 30(3):611–642

  • Gregor S, Jones D (2007) The anatomy of a design theory. J Assoc Inf Syst 8(5):312–335

  • Huang CD, Hu Q, Behara R (2005a) In search for optimal level of information security investment in risk-averse firms. Proceedings of the third annual security symposium, Tempe, Arizona, Sept 8–9

  • Huang CD, Hu Q, Behara R (2005b) Investment in information security by a risk-averse firm. Proceedings of the 2005 software conference, Las Vegas, Nevada, 10–11, Dec

  • Huang CD, Hu Q, Behara R (2006) Economics of information security investment. Proceedings of the fifth workshop on the economics of information security (WEIS 2006), Robinson College, University of Cambridge, England, 26–28, June

  • Hulsebosch RJ, Salden AH, Bargh MS, Ebben PWG, Reitsma J (2005) Context sensitive access control. Proceedings of the tenth ACM symposium on access control models and technologies, Stockholm, Sweden, 01–03, June

  • Jackson SJ, Edwards PN, Bowker GC, Knobel CP (2007) Understanding infrastructure: history, heuristics, and cyberinfrastructure policy. First Monday 12(6). http://www.crew.umich.edu/publications/tr_07_10.html

  • Jenks JW, Clark WE (1917) The trust problem. Doubleday. Page & Company, Garden City, New York

  • Kai (2009) Press release: IT security spending will increase to match rising cybercrime threat in 2009. The Roer.com Information Security Blog, 12 January. Available at http://www.roer.com/node/446. Last accessed on March 31, 2009

  • Kang MH, Park JS, Froscher JN (2001) Access control mechanisms for inter-organizational workflows. Proceedings of 6th ACM symposium on access control models and technologies, Chantilly, VA

  • Kavanagh KM, Pescatore J (2007) Magic quadrant for MSSPs, North America, 1H07. Gartner RAS core research note G00149649, 1 Aug

  • Larsen A (1999) Global security survey: virus attack. InformationWeek.Com, http://www.informationweek.com/743/security.htm

  • Loch KD, Carr HH, Warkentin ME (1992) Threats to information systems: today’s reality, yesterday’s understanding. MIS Q 17(2):173–186

  • Maedche A, Motik B, Silva N, Volz R (2002) MAFRA—A MApping FRamework for distributed ontologies. In: Proceedings of the 13th European conference on knowledge engineering and knowledge management EKAW-2002, Madrid, Spain

  • Mana A, Montenegro JA, Rudolph C, Vivas JL (2003) A business process-driven approach to security engineering. Proceedings of the 14th international workshop on database and expert system applications (DEXA’03)

  • Markus ML, Majchrzak A, Gasser L (2002) A design theory for systems that support emergent knowledge processes. MIS Q 26(3):179–212

  • Matutes C, Regibeau P (1992) Compatibility and bundling of complementary goods in a duopoly. J Ind Econ 40(1):37–54

  • McKnight DH, Choudhury V, Kacmar C (2002) Developing and validating trust measures for e-Commerce: an integrative typology. Inf Syst Res 13(3):334–359

  • Mell P, Grance T (2011) The NIST definition of cloud, recommendations of the national institute of standards and technology. Available at http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

  • Miller HG, Levine HD, Bates SN (2005) Welcome to convergence: surviving the next platform change. IEEE IT Professional 7(3):18–25

  • Monteiro E (2006) Future research issues and agendas. Information infrastructures and architectures: international research workshop by National e-Science Centre, Edinburgh, 27 Sept

  • Newhouse S, Schopf J, Richards A, Atkinson M (2007) Study of priorities for e-Infrastructure for e-Research. UK e-Science Core Programme Report, 7 Feb

  • OASIS (2006a) A reference model for service oriented architecture. OASIS SOA reference model technical committee

  • OASIS (2006b) Electronic business service oriented architecture. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ebsoa

  • Osborn S, Sandhu R, Munawer Q (2000) Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans Inf Syst Secur 3(2):85–106

  • Park I, Lee J, Raghav Rao H, Upadhyaya SJ (2006) Guest editorial part 2: emerging issues for secure knowledge management—results of a delphi study. IEEE Trans Syst Man Cybern Part A: Syst Humans 36(3):421–428

  • Peffers K, Tuunanen T, Rothenberger MA, Chatterjee S (2007) A design science research methodology for information systems research. J Manag Inf Syst 24(3):45–77

  • Peppard J (2003) Managing IT as a portfolio of services. Eur Manag J 21(4):467–483

  • Peyravian M, Roginsky A, Zunic N (1999) Hash-based encryption. Comput Secur 18(4):345–350

  • Phifer L (2006) Managed security services, 2006 MSSP survey, part 4: managed virtual private networks. ISP Planet, 21 Dec

  • Pike Research (2011) Cloud computing. http://www.pikeresearch.com/research/cloud-computing-energy-efficiency

  • Preziosi D (2006) Secure collaboration: working together, without worry. CMP integrated marketing solutions, 23 Oct

  • Romano L, Kenworthy T (1997) Oklahoma city prosecutor depicts a ‘twisted’ mcveigh. Washington Post 117(21). http://tech.mit.edu/V117/N21/mcveigh.21w.html

  • Sandhu RS, Coyne EJ, Feinstein HL, Youman CE (1996) Role-based access control models. IEEE Comput 29(2):38–47

  • Sandhu RS, Bhamidipati V, Munawer Q (1999) The ARBAC97 model for role-based administration of roles. ACM Trans Inf Syst Secur 1(2):105–135

  • Siddiqi J, Akhgar B, Naderi M, Orth W, Meyer N, Tuisku M, Pipan G, Gallego ML, Garcia JA, Cecchi M, Colin J (2006) Secure ICT services for mobile and wireless communications: a federated global identity management framework. Proceedings of the third international conference on information technology: New Generations (ITNG’06)

  • Simmons G (1994) Cryptanalysis and protocol failures. Commun ACM 37(11):56–64

  • Singh A, Liu L (2003) TrustMe: anonymous management of trust relationships in decentralized P2P systems. Proceedings of third international conference on peer-to-peer computing, 2003. (P2P 2003) vol. 3, pp 142–149, 1 Sept

  • Smith HA, McKeen JD (2006) IT In 2010: the next frontier. MIS Q Executive 5(3):125–136

  • Sohlenkamp M, Chwelos G (1994) Integrating communication, cooperation, and awareness: the diva virtual office environment. Proceedings of ACM conference on computer supported cooperative work, Chapel Hill, NC, pp 31–343

  • Soper D, Demirkan H, Goul M (2007) A proactive interorganizational knowledge-sharing security model with breach propagation detection and dynamic policy revision. Special Issue Secur Knowl Manag Inf Syst Frontiers 9(5):469–479

  • Sorathia V, Laliwala Z, Chaudhary S (2005) Towards agricultural marketing reforms: web services orchestration approach. Proceedings of 2005 IEEE international conference on services computing (SCC’05), vol. 1, pp 260–270

  • Stigler GJ (1964) A theory of oligopoly. J Polit Econ 72(1):44–61

  • Straub DW (1990) Effective IS security: an empirical study. Inf Syst Res 1(3):255–276

  • Straub DW, Welke RJ (1998) Coping with systems risk: security planning models for management decision making. MIS Q 23(4):441–469

  • Stremersch S, Tellis GJ (2002) Strategic bundling of products and prices: a new synthesis for marketing. J Market 66:55–72

  • Sure Y, Erdmann M, Angele J, Staab S, Studer R, Wenke D (2002) Ontoedit: collaborative ontology development for the semantic web. In: Proceedings of the 1st international semantic web conference (ISWC2002), 9–12th, June, 2002, Sardinia, Italia, LNCS 2342, pp 221–235. Springer

  • Talley T (2006) Experts fear Oklahoma City bombing lessons forgotten. The San Diego Union Tribune, 17 April

  • Thomas RK (1997) Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments. Proceedings of the second ACM workshop on role-based access control, Fairfax, Virginia, 13–19 Nov

  • Thomas RK, Sandhu R (1994) Conceptual foundations for a model-based authorizations. In: Proceedings of 7th IEEE computer security foundations workshop. Franconia, NH, pp 66–79

  • Thomas RK, Sandhu R (1997) Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management. In: Proceedings of the IFIP WG 11.3 workshop on database security, pp 166–181, Lake Tahoe, California, August

  • Tolone W, Ahn G-J, Pai T, Hong SP (2005) Access control in collaborative systems. ACM Comput Surv 37(1):29–41

  • TrustCom (2005) D22 technology roadmap. http://www.eu trustcom.com/DownDocumentation.php?tipo=docu&id=246—TrustCom—http://www.eu-trustcom.com/

  • Ulicki M (2003) Security blanket for the HIPAA Era: outsourcing security services. BioMetriTech featured article by Norlight telecommunications, 17 Sept. http://www.tmcnet.com/biomag/features/norlight.htm

  • VCG (2005) The value chain operations reference (VCOR) model, Value Chain Group, Inc., Wexford, PA

  • VCOR—MODEL—http://www.value-chain.org/index.asp

  • Vigna G, Kemmerer RA (1999) NetSTAT: a network-based intrusion detection system. J Comput Secur 7(1):37–71

  • Wang W (1999) Team-and-role-based organizational context and access control for cooperative hypermedia environments. Proceedings of the 10th ACM conference on hypertext and hypermedia (Hypertext’99). ACM, New York, pp 37–46

  • Wang H, Osborn SL (2006) Delegation in the role graph model. Proceedings of SACMAT’06, pp 91–100

  • Wiseman S (1986) A secure capability computer system. Proceedings of the IEEE Symposium on security and privacy, Los Alamitos, CA, pp 86–94

  • Yadav MS, Monroe KB (1993) How buyers perceive savings in a bundle price: an examination of a bundle’s transaction value. J Market Res 30(3):350–358

Author information

Corresponding author

Correspondence to Haluk Demirkan.

Appendix

See Table 7.

Table 7 Managed security service providers: adapted from ISP Planet 2006 and 2009 MSSP surveys—Phifer (2006); and Gartner Magic Quadrant for MSSPs 2007—Kavanagh and Pescatore (2007)

About this article

Cite this article

Demirkan, H., Goul, M. Taking value-networks to the cloud services: security services, semantics and service level agreements. Inf Syst E-Bus Manage 11, 51–91 (2013). https://doi.org/10.1007/s10257-011-0186-0

  • DOI: https://doi.org/10.1007/s10257-011-0186-0
