TY - GEN
T1 - SecAgreement
T2 - 2012 IEEE 8th World Congress on Services, SERVICES 2012
AU - Hale, Matthew L.
AU - Gamble, Rose
PY - 2012
Y1 - 2012
N2 - By choosing to use cloud services, organizations seek to reduce costs and maximize efficiency. For mission critical systems that must satisfy security constraints, this push to the cloud introduces risks associated with cloud service providers not implementing organizationally selected security controls or policies. As internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings. Current SLAs focus on quality of service metrics and lack the semantics needed to express security constraints that could be used to measure risk. We create a framework, called SecAgreement (SecAg), that extends the current SLA negotiation standard, WS-Agreement, to allow security metrics to be expressed on service description terms and service level objectives. The framework enables cloud service providers to include security in their SLA offerings, increasing the likelihood that their services will be used. We define and exemplify a cloud service matchmaking algorithm to assess and rank SecAg enhanced WS-Agreements by their risk, allowing organizations to quantify risk, identify any policy compliance gaps that might exist, and as a result select the cloud services that best meet their security needs.
AB - By choosing to use cloud services, organizations seek to reduce costs and maximize efficiency. For mission critical systems that must satisfy security constraints, this push to the cloud introduces risks associated with cloud service providers not implementing organizationally selected security controls or policies. As internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings. Current SLAs focus on quality of service metrics and lack the semantics needed to express security constraints that could be used to measure risk. We create a framework, called SecAgreement (SecAg), that extends the current SLA negotiation standard, WS-Agreement, to allow security metrics to be expressed on service description terms and service level objectives. The framework enables cloud service providers to include security in their SLA offerings, increasing the likelihood that their services will be used. We define and exemplify a cloud service matchmaking algorithm to assess and rank SecAg enhanced WS-Agreements by their risk, allowing organizations to quantify risk, identify any policy compliance gaps that might exist, and as a result select the cloud services that best meet their security needs.
KW - audit
KW - cloud
KW - quality of security service
KW - risk
KW - security
KW - service level agreement
KW - web services
KW - xml
UR - http://www.scopus.com/inward/record.url?scp=84867244563&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84867244563&partnerID=8YFLogxK
U2 - 10.1109/SERVICES.2012.31
DO - 10.1109/SERVICES.2012.31
M3 - Conference contribution
AN - SCOPUS:84867244563
SN - 9780769547565
T3 - Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012
SP - 133
EP - 140
BT - Proceedings - 2012 IEEE 8th World Congress on Services, SERVICES 2012
Y2 - 24 June 2012 through 29 June 2012
ER -