Building a compliance vocabulary to embed security controls in cloud SLAs

Matthew L. Hale, Rose Gamble

Research output: Chapter in Book/Report/Conference proceedingConference contribution

8 Scopus citations

Abstract

Mission critical information systems must be certified against a set of security controls to mitigate potential security incidents. Cloud service providers must in turn employ adequate security measures that conform to security controls expected by the organizational information systems they host. Since service implementation details are abstracted away by the cloud, organizations can only rely on service level agreements (SLAs) to assess the compliance of cloud security properties and processes. Various representation schema allow SLAs to embed service security terms, but are disconnected from documents regulating security controls. This paper demonstrates an extensible solution for building a compliance vocabulary that associates SLA terms with security controls. The terms allow services to express which security controls they comply with and enable at-a-glance comparison of security service offerings so organizations can distinguish among cloud service providers that best comply with security expectations. To exemplify the approach, we build a sample vocabulary of terms based on audit security controls from a standard set of governing documents and apply them to an SLA for an example cloud storage service. We assess the compatibility with existing SLAs and calculate the computational overhead associated with the use of our approach in service matchmaking.

Original languageEnglish (US)
Title of host publicationProceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013
Pages118-125
Number of pages8
DOIs
StatePublished - 2013
Event2013 IEEE 9th World Congress on Services, SERVICES 2013 - Santa Clara, CA, United States
Duration: Jun 27 2013Jul 2 2013

Publication series

NameProceedings - 2013 IEEE 9th World Congress on Services, SERVICES 2013

Conference

Conference2013 IEEE 9th World Congress on Services, SERVICES 2013
CountryUnited States
CitySanta Clara, CA
Period6/27/137/2/13

Keywords

  • certification
  • cloud
  • compliance
  • security
  • service level agreement
  • web services
  • xml

ASJC Scopus subject areas

  • Electrical and Electronic Engineering

Fingerprint Dive into the research topics of 'Building a compliance vocabulary to embed security controls in cloud SLAs'. Together they form a unique fingerprint.

Cite this