SecAgreement: Advancing security risk calculations in cloud services

Matthew L. Hale, Rose Gamble

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

24 Scopus citations

Abstract

By choosing to use cloud services, organizations seek to reduce costs and maximize efficiency. For mission-critical systems that must satisfy security constraints, this push to the cloud introduces risks associated with cloud service providers not implementing organizationally selected security controls or policies. As internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings. Current SLAs focus on quality of service metrics and lack the semantics needed to express security constraints that could be used to measure risk. We create a framework, called SecAgreement (SecAg), that extends the current SLA negotiation standard, WS-Agreement, to allow security metrics to be expressed on service description terms and service level objectives. The framework enables cloud service providers to include security in their SLA offerings, increasing the likelihood that their services will be used. We define and exemplify a cloud service matchmaking algorithm to assess and rank SecAg-enhanced WS-Agreements by their risk, allowing organizations to quantify risk, identify any policy compliance gaps that might exist, and as a result select the cloud services that best meet their security needs.

Original language: English (US)
Title of host publication: Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012
Pages: 133-140
Number of pages: 8
DOI: https://doi.org/10.1109/SERVICES.2012.31
Publication status: Published - Oct 15 2012
Event: 2012 IEEE 8th World Congress on Services, SERVICES 2012 - Honolulu, HI, United States
Duration: Jun 24 2012 to Jun 29 2012

Publication series

Name: Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012

Conference

Conference: 2012 IEEE 8th World Congress on Services, SERVICES 2012
Country: United States
City: Honolulu, HI
Period: 6/24/12 to 6/29/12

Keywords

  • audit
  • cloud
  • quality of security service
  • risk
  • security
  • service level agreement
  • web services
  • xml

ASJC Scopus subject areas

  • Electrical and Electronic Engineering

Cite this

Hale, M. L., & Gamble, R. (2012). SecAgreement: Advancing security risk calculations in cloud services. In Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012 (pp. 133-140). [6274042] (Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012). https://doi.org/10.1109/SERVICES.2012.31