A novel approach to manage cloud security SLA incidents

Future Generation Computer Systems

Volumn 72, Issue , 2017, Pages 193-205

  Trapero, Ruben ^a   Modic, Jolanda ^b   Stopar, Miha ^b   Taha, Ahmed ^a   Suri, Neeraj ^a  

^a DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

^b XLAB Doo   (Slovenia)

Author keywords

Cloud computing; Cloud security; Security SLAs; SLA monitoring; SLA remediation

Indexed keywords

CLOUD COMPUTING; PUBLIC ADMINISTRATION; QUALITY OF SERVICE; WEB SERVICES;

CLOUD SECURITIES; CLOUD SERVICE PROVIDERS; CRITICAL SERVICE; SECURITY ASSURANCE; SECURITY BREACHES; SECURITY SERVICES; SECURITY SLAS; SERVICE PROVISIONING;

AIR TRAFFIC CONTROL;

EID: 85006372420     PISSN: 0167739X     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.future.2016.06.004     Document Type: Article

References (51)

1. [1] Coles, C., Yeoh, J., Cloud adoption practices & priorities Survey Report., 2015, CSA Available online https://downloads.cloudsecurityalliance.org/initiatives/surveys/capp/Cloud_Adoption_Practices_Priorities_Survey_Final.pdf (last accessed in October 2015).
2. [2] KPMG, Cloud Survey Report: Elevating Business in the Cloud, 2014. Available online https://www.kpmg.com/PL/pl/IssuesAndInsights/ArticlesPublications/Documents/2015/2014-KPMG-Cloud-Survey-Report-online-secured.pdf (last accessed in October 2015).
3. [3] Skyway Magazine by Eurocontrol, Why Eurocontrol built a cloud, 2013. Available online http://www.eurocontrol.int/sites/default/files/content/documents/official-documents/skyway/articles/2013-spring-skyway-focus-why-ecl-built-a-cloud.pdf (last accessed in October 2015).
4. [4] SESAR project. http://ec.europa.eu/transport/modes/air/sesar/index_en.htm (last accessed in October 2015).
5. [5] M. Dekker, Security Framework for Governmental Clouds—ENISA, 2015. Available online https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/governmental-cloud-security/security-framework-for-govenmental-clouds (last accessed in October 2015).
6. [6] International Organization for Standardization, Guidelines on information security controls for the use of cloud computing services based on ISOIEC 27002, 2014.
7. [7] Cloud Security Alliance, Cloud Controls Matrix v3.0.1. Available online https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ (last accessed in October 2015).
8. [8] National Institute of Standards and Technology, Security and privacy controls for federal information systems and organizations, NIST 800-53v4, 2014.
9. [9] Luna, J., Suri, N., Iorga, M., Karmel, A., Leveraging the potential of cloud security service-level agreements through standards. IEEE Cloud Comput. Mag. 2:3 (2015), 32–40.
10. [10] European Network and Information Security Agency, Survey and analysis of security parameters in Cloud SLAs across the European public sector, 2011. Available online https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/survey-and-analysis-of-security-parameters-in-cloud-slas-across-the-european-public-sector (last accessed in October 2015).
11. [11] International Organization for Standardization, Information Technology–cloud computing–Service level agreement (SLA) framework and terminology (Draft), ISO/IEC 19086, 2014.
12. [12] European Commission, Cloud service level agreement standardization guidelines, C-SIG SLA 2014, 2014. Available online http://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines (last accessed in October 2015).
13. [13] Rak, M., Suri, N., Luna, J., Petcu, D., Casola, V., Villano, U., Security as a service using an SLA-based approach via SPECS. Proceedings of IEEE 5th International Conference on Cloud Computing Technology and Science, CloudComp, 2013, IEEE, 1–6.
14. [14] SPECS project (ICT-610795; Secure Provisioning of Cloud Services based on SLA Management). http://www.specs-project.eu/ (last accessed in October 2015).
15. [15] SPECS, SPECS Team Bitbucket Account, 2015. Available online https://bitbucket.org/specs-team/ (last accessed in April 2016).
16. [16] Diver, S., Information Security Policy—A Development Guide for Large and Small Companies. 2007, SANS Institute Available online https://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331 (last accessed in October 2015).
17. [17] Monahan, B., Yearwort, M., Meaningful security SLAs, Technical Report., 2008, HP Laboratories Available online http://www.hpl.hp.com/techreports/2005/HPL-2005-218R1.pdf (last accessed in October 2015).
18. [18] A. Undheim, K. Bernsmed, M.G. Jaatun, Security in service level agreements for cloud computing, in: Proceedings of the 1st International Conference on Cloud Computing and Services Science, CLOSER 2011, 2011, pp. 636–642.
19. [19] Cloud Security Alliance, Security, Trust & Assurance Registry (STAR). Available online https://cloudsecurityalliance.org/star/ (last accessed in October 2015).
20. [20] V. Casola, A. Mazzeo, N. Mazzocca, M. Rak, A SLA evaluation methodology in service oriented architectures, in: Proceedings of the 2nd ACM Workshop on Quality of Protection, QOP 2006, 2006, pp. 119–130.
21. [21] J. Luna, H. Ghani, D. Germanus, N. Suri, A security metrics framework for the cloud, in: Proceedings of the 6th International Conference on Security and Cryptography, SECRYPT 2011, 2011, pp. 245–250.
22. [22] A. Taha, R. Trapero, J. Luna, N. Suri, AHP-based quantitative approach for assessing and comparing cloud security, in: Proceedings of Trust, Security and Privacy in Computing and Communications, 2014, pp. 284–291.
23. [23] Savola, R.M., On the feasibility of utilizing security metrics in software-intensive systems. Int. J. Comput. Sci. Network Secur. (IJCSNS) 10:1 (2010), 230–239.
24. [24] J. Luna, R. Langenberg, N. Suri, Benchmarking cloud security level agreements using quantitative policy trees, in: ACM Workshop on Cloud computing security, 2012, pp. 103–112.
25. [25] Casola, V., Preziosi, R., Rak, M., Troiano, L., A reference model for security level evaluation: Policy and fuzzy techniques. J. UCS, 2005, 150–174.
26. [26] E. Novikoff, The role of remote monitoring in Cloud Computing, 2014. Available online http://enki.co/blog/the-role-of-remote-monitoring-in-cloud-computing.html (last accessed in October 2015).
27. [27] A. Grabner, Proof of Concept: dynaTrace provides Cloud Service Monitoring and Root Cause Analysis for GigaSpaces, 2009. Available online http://apmblog.dynatrace.com/2009/05/07/proof-of-concept-dynatrace-provides-cloud-service-monitoring-and-root-cause-analysis-for-gigaspaces/ (last accessed in October 2015).
28. [28] Nagios. http://www.nagios.org/ (last accessed in October 2015).
29. [29] Amazon CloudWatch. http://aws.amazon.com/cloudwatch/ (last accessed in October 2015).
30. [30] V.C. Emeakaroha, R.N. Calheiros, M.A.S. Netto, I. Brandic, C.A.F. De Rose, DeSVi: An architecture for detecting sla violations in cloud computing infrastructures, in: Proceedings of the 2nd International ICST Conference on Cloud Computing, CloudComp 2010, 2010.
31. [31] Brower, J., The security Onion Cloud Client—Network Security Monitoring for the Cloud. 2013, SANS Institute Available online https://www.sans.org/reading-room/whitepapers/cloud/security-onion-cloud-client-network-security-monitoring-cloud-34335 (last accessed in October 2015).
32. [32] N. Kroes, Cyber Security—A shared responsibility, 2012. Available online http://europa.eu/rapid/press-release_SPEECH-12-774_en.htm (last accessed in October 2015).
33. [33] CSA, Cloud Trust Protocol. Available online https://cloudsecurityalliance.org/research/ctp/ (last ccessed in October 2015).
34. [34] I. Brandic, V.C. Emeakaroha, M. Maurer, S. Dustdar, S. Acs, A. Kertesz, G. Kecskemeti, Laysi: A layered approach for sla-violation propagation in self-manageable cloud infrastructures, in: Proceedings of the 2010 IEEE 34th Annual IEEE Computer Software and Applications Conference Workshops, COMPSACW, 2010, pp. 365–370.
35. [35] Rana, O.F., Warnier, M., Quillinan, T.B., Brazier, F., Cojocarasu, D., Managing violations in service level agreements. Grid Middleware and Services, 2008, Springer, US, 349–358.
36. [36] Zhang, Z., Liao, L., Liu, H., Li, G., Policy-based adaptive service level agreement management for cloud services. Proceedings of the 2014 5th IEEE International Conference on Software Engineering and Service Science, ICSESS, 2014, IEEE, 496–499.
37. [37] SLA@SOI project (IST-216556; Empowering the Service Economy with SLA-aware Infra-structures). http://www.sla-at-soi.org (last accessed in October 2015).
38. [38] National Institute of Standards and Technology, Cloud Computing: Cloud Service Metrics Description, NIST Public RATAX EG draft document, 2014. Available online http://www.nist.gov/itl/cloud/upload/RATAX-CloudServiceMetricsDescription-DRAFT-20141111.pdf (last accessed in October 2015).
39. [39] Luna, J., Taha, A., Trapero, R., Suri, N., Quantitative reasoning about cloud security using service level agreements. IEEE Trans. Cloud Comput., 99, 2015 Available online http://www1.deeds.informatik.tu-darmstadt.de/External/PublicationData/0/TCC_secSLA_2014.pdf (last accessed in April 2016).
40. [40] Cloud Security Alliance, The Consensus Assessments Initiative Questionnaire, 2011. Available online https://cloudsecurityalliance.org/group/consensus-assessments/ (last accessed in October 2015).
41. [41] Amazon Web Services (AWS). https://aws.amazon.com/ (last accessed in April 2016).
42. [42] Microsoft Azure. https://azure.microsoft.com/en-us/ (last accessed in April 2016).
43. [43] P. Mell, K. Scarfone, S. Romanosky, A complete guide to the Common Vulnerability Scoring System Version 2.0, 2007. Available online https://www.first.org/cvss/cvss-v2-guide.pdf (last accessed in October 2015).
44. [44] M. Stopar, J. Modic, D. Petcu, M. Rak, Towards a proof-based SLA management framework—the SPECS approach, in: Proceedings of the 2016 6th International Conference on Cloud Computing and Services Science, CLOSER, January 2016. http://dx.doi.org/10.5220/0005771302400248.
45. [45] Micro Focus, OVAL Information, 2015. Available online https://support.novell.com/security/oval/ (last accessed in October 2015).
46. [46] The Open Vulnerability and Assessment Language (OVAL) repository. Available online https://oval.cisecurity.org/repository (last accessed in October 2015).
47. [47] Chef, An Overview of Chef, 2009. Available online. https://docs.chef.io/chef_overview.html (last accessed in October 2015).
48. [48] Puppet Labs, Puppet Enterprise Overview, 2005. Available online http://docs.puppetlabs.com/pe/latest/overview_about_pe.html (last accessed in October 2015).
49. [49] SaltStack, SaltStack Walkthrough, 2011. Available online https://docs.saltstack.com/en/latest/topics/tutorials/walkthrough.html (last accessed in October 2015).
50. [50] Ansible, Ansible documentation, 2015. Available online http://docs.ansible.com/ansible/index.html (last accessed in October 2015).
51. [51] G. Davis, The Heartbleed Vulnerability: What It Is and How It Affects You, 2014. Available online https://blogs.mcafee.com/consumer/what-is-heartbleed/ (last accessed in October 2015).