ABSTRACT
While the many economic and technological advantages of Cloud computing are apparent, the migration of key-sector applications onto it has been limited, in part, by the lack of security assurance on the Cloud Service Provider (CSP). However, the recent efforts to specify security statements in Service Level Agreements, also known as "Security Level Agreements" or SecLAs, are a positive development. While a consistent notion of Cloud SecLAs is still developing, some major CSPs are already creating and storing their advocated SecLAs in publicly available repositories, e.g., the Cloud Security Alliance's "Security, Trust & Assurance Registry" (CSA STAR). While several academic and industrial efforts are developing methods to build and specify Cloud SecLAs, very few works deal with techniques to reason quantitatively about SecLAs in order to provide security assurance. This paper proposes a method to benchmark, both quantitatively and qualitatively, the Cloud SecLAs of one or more CSPs with respect to a user-defined requirement, itself expressed in the form of a SecLA. The contributed security benchmark methodology rests on the notion of Quantitative Policy Trees (QPT), a data structure that we propose to represent and systematically reason about SecLAs. In this paper we perform the initial validation of the contributed methodology with respect to another state-of-the-art proposal, which in turn was empirically validated using the SecLAs stored in the CSA STAR repository. Finally, our research also contributes QUANTS-as-a-Service (QUANTSaaS), a system that implements the proposed Cloud SecLA benchmark methodology.