CloudSecGov 2012 Abstracts


Full Papers
Paper Nr: 2
Title:

SLA NEGOTIATION AND BROKERING FOR SKY COMPUTING

Authors:

Alba Amato, Loredana Liccardo, Massimiliano Rak and Salvatore Venticinque

Abstract: Cloud computing represents an opportunity for IT users to reduce costs and increase efficiency by providing an alternative way of using IT services. Elastic provisioning plays an important role by giving the possibility to get the best resource configuration that satisfies the application requirements. Even if there are many Cloud Providers, with a rich and varied offer of technological solutions, above all at IAAS, there is neither support for SLA negotiation nor for SLA management yet. One of the most important issues in such a context is the lack of negotiation interfaces and mechanisms from current providers for dynamic provisioning, which instead only make available a configuration form to submit the request for a specific resource among the available ones. In the following we propose the design of a tool for SLA-based dynamic provisioning of Cloud Resources at IAAS, which offers the user negotiation and brokering facilities by integrating multiple models. We present a prototype implementation of our architecture using the mOSAIC framework.

Paper Nr: 5
Title:

ADDING CLOUD PERFORMANCE TO SERVICE LEVEL AGREEMENTS

Authors:

Lee Gillam, Bin Li and John O'Loughlin

Abstract: To some the next iteration of Grid and utility computing, Clouds offer capabilities for the high-availability of a wide range of systems. But it is argued that such systems will only attain acceptance by a larger audience of commercial end-users if binding Service Level Agreements (SLAs) are provided. In this paper, we discuss how to measure and use quality of service (QoS) information to be able to predict availability, quantify risk, and consider liability in case of failure. We explore a set of benchmarks that offer both an interesting characterisation of resource performance variability, and identify how such information might be used both directly by a user and indirectly via a Cloud Broker in the automatic construction of SLAs.

Paper Nr: 6
Title:

AUTOMATING COMPLIANCE FOR CLOUD COMPUTING SERVICES

Authors:

Nick Papanikolaou, Siani Pearson, Marco Casassa Mont and Ryan Ko

Abstract: We present an integrated approach for automating service providers’ compliance with data protection laws and regulations, business and technical requirements in cloud computing. The techniques we propose in particular include: natural-language analysis (of legislative and regulatory texts, and corporate security rulebooks) and extraction of enforceable rules, use of sticky policies, automated policy enforcement and active monitoring of data, particularly in cloud environments. We discuss ongoing work on developing a software tool for natural-language processing of cloud terms of service and other related policy texts. We also identify opportunities for future software development in the area of cloud computing compliance.

Paper Nr: 7
Title:

EXPRESSING CLOUD SECURITY REQUIREMENTS IN DEONTIC CONTRACT LANGUAGES

Authors:

Per Håkon Meland, Karin Bernsmed, Martin Gilje Jaatun, Astrid Undheim and Humberto Castejon

Abstract: The uptake of Cloud computing is being hindered by the fact that not only are current Cloud SLAs written in natural language, but they also fail to cover security requirements. This paper considers a Cloud brokering model that helps negotiate and establish SLAs between customers and providers. This broker handles security requirements on two different levels; between the customer and the broker, where the requirements are stated in natural language; and between the broker and the different Cloud providers, where requirements are stated in deontic contract languages. We investigate the suitability of seven of those languages for expressing security requirements in SLAs and exemplify their use in the Cloud brokering model through a practical use case for a video streaming service.

Paper Nr: 9
Title:

FROM CREATIVE COMMONS TO SMART NOTICES - Designing User Centric Consent Management Systems for the Cloud

Authors:

Siani Pearson and Prodromos Tsiavos

Abstract: As cloud computing is evolving towards an ecosystem of service provision, in order for end users and customers to retain choice and control, they need to be able to select services, specify their preferences and have these reflected within the contractual framework, ideally enforced via a combination of legal and technical means. This paper presents an approach that builds upon successful methods from initiatives such as Creative Commons in order to improve the process of providing consent for usage of a data subject’s personal data, and for achieving an appropriate balance between complexity and simplicity. This approach enhances the notices provided by service providers to advocate Smart Notices that provide a simple and transparent way of expressing the terms of service and the options available to the data subject before they share personal information with cloud service providers.

Short Papers
Paper Nr: 3
Title:

SERVICE LEVEL AGREEMENTS AS A SERVICE - Towards Security Risks Aware SLA Management

Authors:

Katerina Stamou, Jean-Henry Morin, Benjamin Gateau and Jocelyn Aubert

Abstract: Cloud computing has matured to become a valuable on-demand alternative to traditional ownership models for the provisioning of services, platforms and infrastructure. However, this raises many issues for Governance, Risk and Compliance (GRC) and in particular in terms of Information Systems Security Risk Management (ISSRM). Considering that such issues lack attention and knowledge, particularly for small and medium sized enterprises (SMEs), and that cloud computing Service Level Agreements (SLA) provide very limited support outside of basic Quality of Service (QoS) parameters, this paper argues that SLAs for cloud computing services should be more customer oriented and aware of security and risk management. A design is proposed where the SLA process, from context initialization to negotiation and agreement, is decoupled from the actual cloud service provisioning and itself turned into a Service: SLA as a Service (SLAaaS). This should provide customers with much more customized and fine-grained agreements compared with the ones currently offered.

Paper Nr: 8
Title:

SECURITY AND PRIVACY GOVERNANCE IN CLOUD COMPUTING VIA SLAs AND A POLICY ORCHESTRATION SERVICE

Authors:

Marco Casassa Mont, Kieran McCorry, Nick Papanikolaou and Siani Pearson

Abstract: We present in this paper the novel concept of a policy orchestration service, which is designed to facilitate security and privacy governance in the enterprise, particularly for the case where various services are provided to the enterprise through external suppliers in the cloud. The orchestration service mediates between the enterprise's internal decision support systems (which incorporate core security and privacy recommendations) and the cloud-based service providers, who are assumed to be bound by contractual service level agreements with the enterprise. The function of the orchestration service, which is intended to be accessed as a trusted service in the cloud, is to ensure that applicable security and privacy recommendations are actioned by service providers through adequate monitoring and enforcement mechanisms.

Paper Nr: 10
Title:

SECURING PROCESSES FOR OUTSOURCING INTO THE CLOUD

Authors:

Sven Wenzel, Christian Wessel, Thorsten Humberg and Jan Jürjens

Abstract: Cloud computing is yet one of the leading developments and depicts the biggest progress in web technologies. It offers a convenient way of using shared and easily accessible resources, in both a web-based and demand-oriented sense. However, cloud computing brings concept-based risks, e.g. the risk of private data becoming publicly available. Outsourcing of services into a cloud computing environment raises numerous compliance and security problems for the potential customer. Legal as well as business requirements have to be met after migration to a cloud environment. Compliance with laws, industry-specific regulations and other rules has to be kept. In this paper we present the research project SecureClouds and our ongoing research towards security and compliance analysis of processes which are to be outsourced into the cloud. We further show a first prototype of an analytic tool environment that allows us to examine whether outsourcing of a business process is possible while keeping all security and compliance requirements.