Building a compliance vocabulary to embed security controls in cloud SLAs

Matthew L. Hale, Rose Gamble

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

8 Citations (Scopus)

Abstract

Mission critical information systems must be certified against a set of security controls to mitigate potential security incidents. Cloud service providers must in turn employ adequate security measures that conform to security controls expected by the organizational information systems they host. Since service implementation details are abstracted away by the cloud, organizations can only rely on service level agreements (SLAs) to assess the compliance of cloud security properties and processes. Various representation schema allow SLAs to embed service security terms, but are disconnected from documents regulating security controls. This paper demonstrates an extensible solution for building a compliance vocabulary that associates SLA terms with security controls. The terms allow services to express which security controls they comply with and enable at-a-glance comparison of security service offerings so organizations can distinguish among cloud service providers that best comply with security expectations. To exemplify the approach, we build a sample vocabulary of terms based on audit security controls from a standard set of governing documents and apply them to an SLA for an example cloud storage service. We assess the compatibility with existing SLAs and calculate the computational overhead associated with the use of our approach in service matchmaking.

Original language: English (US)
Title of host publication: Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013
Pages: 118-125
Number of pages: 8
DOIs: 10.1109/SERVICES.2013.27
State: Published - Nov 26 2013
Event: 2013 IEEE 9th World Congress on Services, SERVICES 2013 - Santa Clara, CA, United States
Duration: Jun 27 2013 to Jul 2 2013

Publication series

Name: Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013

Conference

Conference: 2013 IEEE 9th World Congress on Services, SERVICES 2013
Country: United States
City: Santa Clara, CA
Period: 6/27/13 to 7/2/13

Keywords

  • certification
  • cloud
  • compliance
  • security
  • service level agreement
  • web services
  • xml

ASJC Scopus subject areas

  • Electrical and Electronic Engineering

Cite this

Hale, M. L., & Gamble, R. (2013). Building a compliance vocabulary to embed security controls in cloud SLAs. In Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013 (pp. 118-125). [6655684] (Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013). https://doi.org/10.1109/SERVICES.2013.27

Building a compliance vocabulary to embed security controls in cloud SLAs. / Hale, Matthew L.; Gamble, Rose.

Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013. 2013. p. 118-125 6655684 (Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013).

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Hale, ML & Gamble, R 2013, Building a compliance vocabulary to embed security controls in cloud SLAs. in Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013., 6655684, Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013, pp. 118-125, 2013 IEEE 9th World Congress on Services, SERVICES 2013, Santa Clara, CA, United States, 6/27/13. https://doi.org/10.1109/SERVICES.2013.27
Hale ML, Gamble R. Building a compliance vocabulary to embed security controls in cloud SLAs. In Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013. 2013. p. 118-125. 6655684. (Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013). https://doi.org/10.1109/SERVICES.2013.27
Hale, Matthew L. ; Gamble, Rose. / Building a compliance vocabulary to embed security controls in cloud SLAs. Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013. 2013. pp. 118-125 (Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013).
@inproceedings{ec529d1090c141a5972da24164430c5c,
title = "Building a compliance vocabulary to embed security controls in cloud SLAs",
abstract = "Mission critical information systems must be certified against a set of security controls to mitigate potential security incidents. Cloud service providers must in turn employ adequate security measures that conform to security controls expected by the organizational information systems they host. Since service implementation details are abstracted away by the cloud, organizations can only rely on service level agreements (SLAs) to assess the compliance of cloud security properties and processes. Various representation schema allow SLAs to embed service security terms, but are disconnected from documents regulating security controls. This paper demonstrates an extensible solution for building a compliance vocabulary that associates SLA terms with security controls. The terms allow services to express which security controls they comply with and enable at-a-glance comparison of security service offerings so organizations can distinguish among cloud service providers that best comply with security expectations. To exemplify the approach, we build a sample vocabulary of terms based on audit security controls from a standard set of governing documents and apply them to an SLA for an example cloud storage service. We assess the compatibility with existing SLAs and calculate the computational overhead associated with the use of our approach in service matchmaking.",
keywords = "certification, cloud, compliance, security, service level agreement, web services, xml",
author = "Hale, {Matthew L.} and Rose Gamble",
year = "2013",
month = "11",
day = "26",
doi = "10.1109/SERVICES.2013.27",
language = "English (US)",
isbn = "9780768550244",
series = "Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013",
pages = "118--125",
booktitle = "Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013",
}

TY  - GEN
T1  - Building a compliance vocabulary to embed security controls in cloud SLAs
AU  - Hale, Matthew L.
AU  - Gamble, Rose
PY  - 2013/11/26
Y1  - 2013/11/26
N2  - Mission critical information systems must be certified against a set of security controls to mitigate potential security incidents. Cloud service providers must in turn employ adequate security measures that conform to security controls expected by the organizational information systems they host. Since service implementation details are abstracted away by the cloud, organizations can only rely on service level agreements (SLAs) to assess the compliance of cloud security properties and processes. Various representation schema allow SLAs to embed service security terms, but are disconnected from documents regulating security controls. This paper demonstrates an extensible solution for building a compliance vocabulary that associates SLA terms with security controls. The terms allow services to express which security controls they comply with and enable at-a-glance comparison of security service offerings so organizations can distinguish among cloud service providers that best comply with security expectations. To exemplify the approach, we build a sample vocabulary of terms based on audit security controls from a standard set of governing documents and apply them to an SLA for an example cloud storage service. We assess the compatibility with existing SLAs and calculate the computational overhead associated with the use of our approach in service matchmaking.
AB  - Mission critical information systems must be certified against a set of security controls to mitigate potential security incidents. Cloud service providers must in turn employ adequate security measures that conform to security controls expected by the organizational information systems they host. Since service implementation details are abstracted away by the cloud, organizations can only rely on service level agreements (SLAs) to assess the compliance of cloud security properties and processes. Various representation schema allow SLAs to embed service security terms, but are disconnected from documents regulating security controls. This paper demonstrates an extensible solution for building a compliance vocabulary that associates SLA terms with security controls. The terms allow services to express which security controls they comply with and enable at-a-glance comparison of security service offerings so organizations can distinguish among cloud service providers that best comply with security expectations. To exemplify the approach, we build a sample vocabulary of terms based on audit security controls from a standard set of governing documents and apply them to an SLA for an example cloud storage service. We assess the compatibility with existing SLAs and calculate the computational overhead associated with the use of our approach in service matchmaking.
KW  - certification
KW  - cloud
KW  - compliance
KW  - security
KW  - service level agreement
KW  - web services
KW  - xml
UR  - http://www.scopus.com/inward/record.url?scp=84888049317&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=84888049317&partnerID=8YFLogxK
U2  - 10.1109/SERVICES.2013.27
DO  - 10.1109/SERVICES.2013.27
M3  - Conference contribution
AN  - SCOPUS:84888049317
SN  - 9780768550244
T3  - Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013
SP  - 118
EP  - 125
BT  - Proceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013
ER  -