SecAgreement: Advancing security risk calculations in cloud services

Matthew L. Hale, Rose Gamble

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

24 Citations (Scopus)

Abstract

By choosing to use cloud services, organizations seek to reduce costs and maximize efficiency. For mission critical systems that must satisfy security constraints, this push to the cloud introduces risks associated with cloud service providers not implementing organizationally selected security controls or policies. As internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings. Current SLAs focus on quality of service metrics and lack the semantics needed to express security constraints that could be used to measure risk. We create a framework, called SecAgreement (SecAg), that extends the current SLA negotiation standard, WS-Agreement, to allow security metrics to be expressed on service description terms and service level objectives. The framework enables cloud service providers to include security in their SLA offerings, increasing the likelihood that their services will be used. We define and exemplify a cloud service matchmaking algorithm to assess and rank SecAg enhanced WS-Agreements by their risk, allowing organizations to quantify risk, identify any policy compliance gaps that might exist, and as a result select the cloud services that best meet their security needs.

Original language: English (US)
Title of host publication: Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012
Pages: 133-140
Number of pages: 8
DOI: https://doi.org/10.1109/SERVICES.2012.31
State: Published - Oct 15 2012
Event: 2012 IEEE 8th World Congress on Services, SERVICES 2012 - Honolulu, HI, United States
Duration: Jun 24 2012 to Jun 29 2012

Publication series

Name: Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012

Conference

Conference: 2012 IEEE 8th World Congress on Services, SERVICES 2012
Country: United States
City: Honolulu, HI
Period: 6/24/12 to 6/29/12

Fingerprint

Quality of service
Semantics
Costs
Compliance

Keywords

  • audit
  • cloud
  • quality of security service
  • risk
  • security
  • service level agreement
  • web services
  • xml

ASJC Scopus subject areas

  • Electrical and Electronic Engineering

Cite this

Hale, M. L., & Gamble, R. (2012). SecAgreement: Advancing security risk calculations in cloud services. In Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012 (pp. 133-140). [6274042] (Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012). https://doi.org/10.1109/SERVICES.2012.31

@inproceedings{c6bb06a071154935b8899007eea41a53,
title = "SecAgreement: Advancing security risk calculations in cloud services",
abstract = "By choosing to use cloud services, organizations seek to reduce costs and maximize efficiency. For mission critical systems that must satisfy security constraints, this push to the cloud introduces risks associated with cloud service providers not implementing organizationally selected security controls or policies. As internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings. Current SLAs focus on quality of service metrics and lack the semantics needed to express security constraints that could be used to measure risk. We create a framework, called SecAgreement (SecAg), that extends the current SLA negotiation standard, WS-Agreement, to allow security metrics to be expressed on service description terms and service level objectives. The framework enables cloud service providers to include security in their SLA offerings, increasing the likelihood that their services will be used. We define and exemplify a cloud service matchmaking algorithm to assess and rank SecAg enhanced WS-Agreements by their risk, allowing organizations to quantify risk, identify any policy compliance gaps that might exist, and as a result select the cloud services that best meet their security needs.",
keywords = "audit, cloud, quality of security service, risk, security, service level agreement, web services, xml",
author = "Hale, {Matthew L.} and Rose Gamble",
year = "2012",
month = "10",
day = "15",
doi = "10.1109/SERVICES.2012.31",
language = "English (US)",
isbn = "9780769547565",
series = "Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012",
pages = "133--140",
booktitle = "Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012",

}

TY - GEN

T1 - SecAgreement

T2 - Advancing security risk calculations in cloud services

AU - Hale, Matthew L.

AU - Gamble, Rose

PY - 2012/10/15

Y1 - 2012/10/15

N2 - By choosing to use cloud services, organizations seek to reduce costs and maximize efficiency. For mission critical systems that must satisfy security constraints, this push to the cloud introduces risks associated with cloud service providers not implementing organizationally selected security controls or policies. As internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings. Current SLAs focus on quality of service metrics and lack the semantics needed to express security constraints that could be used to measure risk. We create a framework, called SecAgreement (SecAg), that extends the current SLA negotiation standard, WS-Agreement, to allow security metrics to be expressed on service description terms and service level objectives. The framework enables cloud service providers to include security in their SLA offerings, increasing the likelihood that their services will be used. We define and exemplify a cloud service matchmaking algorithm to assess and rank SecAg enhanced WS-Agreements by their risk, allowing organizations to quantify risk, identify any policy compliance gaps that might exist, and as a result select the cloud services that best meet their security needs.

KW - audit

KW - cloud

KW - quality of security service

KW - risk

KW - security

KW - service level agreement

KW - web services

KW - xml

UR - http://www.scopus.com/inward/record.url?scp=84867244563&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84867244563&partnerID=8YFLogxK

U2 - 10.1109/SERVICES.2012.31

DO - 10.1109/SERVICES.2012.31

M3 - Conference contribution

AN - SCOPUS:84867244563

SN - 9780769547565

T3 - Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012

SP - 133

EP - 140

BT - Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012

ER -