Secure Provisioning of cloud Services based on SLA management

Valentina Casola, Massimiliano Rak, CeRICT
Focus Area: 

The goal of this position paper is to present the general objectives and current results of the SPECS project. SPECS addresses the problem of defining and managing Security Service Level Agreements (SLAs) for Cloud services. This is challenging from many points of view: providing security as a service, covered by an SLA, implies quantifying and measuring security, enforcing it automatically, monitoring it continuously and, possibly, reacting proactively when a violation is occurring.

Who benefits and how: 

The SPECS framework can be used by Cloud Service Providers to integrate their service offerings with Security SLA features and/or by developers in order to offer a Third Party solution that enhances the security of public Cloud Service Providers. In particular, the SPECS framework has been designed to empower Small and Medium-sized Enterprises with techniques and tools to improve their control and assurance over the security aspects of their Cloud services.
As a positive side effect, SPECS facilitates transparency between Cloud Service Providers (CSPs) and End-users to allow for a better assessment of the provided/requested security levels through SLAs.

The SPECS project aims to develop and implement an open source framework to offer Security-as-a-Service, relying on the notion of security parameters specified in Service Level Agreements (SLAs) and providing the techniques to systematically manage their life-cycle. Providing such a comprehensible and enforceable security assurance by Cloud Service Providers (CSPs) is a critical factor in deploying trustworthy Cloud ecosystems.

The SPECS framework provides techniques and tools for:

  • Enabling a user-centric negotiation of security parameters in Cloud SLAs, along with a trade-off evaluation process between users and CSPs, in order to provide Cloud services fulfilling service level objectives expressed through measurable security metrics over security capabilities. The result of the negotiation is the mutual agreement on a signed security SLA, formatted according to the most recent standards.
  • Monitoring in real-time the fulfilment of SLAs agreed with a CSP. SPECS’ monitoring services also enable notifying both users and CSPs when an SLA is not being fulfilled (e.g., due to a cyber-attack).
  • Enforcing agreed Cloud SLAs in order to keep a sustained security level that enables the implementation of the requested security capabilities, identified by the user and configured according to available security control frameworks (e.g. NIST security control framework, CSA Cloud Control Matrix). Furthermore, SPECS’ enforcement framework will also “react and adapt” in real-time to fluctuations in the security level by advising/applying the correct countermeasures (e.g., triggering a two-factor authentication mechanism).
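The three bullets above describe one life-cycle: service level objectives over measurable security metrics are negotiated into an SLA, measurements are monitored against it, and violations trigger notification and countermeasures. The following is an added example written for this page, not code from the SPECS framework; the metric names (tls_min_version, mfa_enforced, patch_age_days), thresholds, party names and countermeasures are constructed for illustration, and the negotiation rule (agree only when the provider's declared capability meets every requested objective) is a simplification of the trade-off evaluation the text refers to.

```python
# Added example (not SPECS project code): a minimal model of the security-SLA
# life-cycle: negotiate measurable objectives, monitor measurements, react.
# All metric names, thresholds and countermeasures are constructed samples.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SLO:
    """Service level objective: a bound on one measurable security metric."""
    metric: str
    operator: str      # one of ">=", "<=", "=="
    threshold: float

    def satisfied_by(self, value: float) -> bool:
        if self.operator == ">=":
            return value >= self.threshold
        if self.operator == "<=":
            return value <= self.threshold
        if self.operator == "==":
            return value == self.threshold
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass(frozen=True)
class SecuritySLA:
    """The agreed (signed) set of objectives between a provider and a customer."""
    provider: str
    customer: str
    slos: List[SLO]


@dataclass(frozen=True)
class Violation:
    metric: str
    observed: Optional[float]   # None when the metric was not measured at all
    slo: SLO


def negotiate(provider: str, customer: str, requests: List[SLO],
              capabilities: Dict[str, float]) -> Tuple[Optional[SecuritySLA], List[str]]:
    """Simplified negotiation: the customer's requested objectives are accepted only
    if the provider's declared capability for every metric already satisfies them.
    Returns (sla, []) on agreement or (None, unmet_metric_names) otherwise."""
    unmet = [r.metric for r in requests
             if r.metric not in capabilities or not r.satisfied_by(capabilities[r.metric])]
    if unmet:
        return None, unmet
    return SecuritySLA(provider, customer, list(requests)), []


def monitor(sla: SecuritySLA, measurement: Dict[str, float]) -> List[Violation]:
    """One monitoring cycle over a measurement sample. A metric that is absent from
    the sample counts as a violation: there is no evidence the objective is met."""
    violations = []
    for slo in sla.slos:
        observed = measurement.get(slo.metric)
        if observed is None or not slo.satisfied_by(observed):
            violations.append(Violation(slo.metric, observed, slo))
    return violations


Countermeasure = Callable[[Violation], str]


def enforce(sla: SecuritySLA, measurement: Dict[str, float],
            countermeasures: Dict[str, Countermeasure]) -> List[str]:
    """Monitor, notify both parties of each violation, then apply the registered
    countermeasure for the violated metric (or escalate when none is registered)."""
    actions = []
    for v in monitor(sla, measurement):
        actions.append(f"notify {sla.customer} and {sla.provider}: {v.metric} "
                       f"observed={v.observed}, expected {v.slo.operator} {v.slo.threshold}")
        reaction = countermeasures.get(v.metric)
        actions.append(reaction(v) if reaction else f"no countermeasure for {v.metric}: escalate")
    return actions


# Constructed sample: what the customer asks for, what the provider declares.
REQUESTS = [SLO("tls_min_version", ">=", 1.2),
            SLO("mfa_enforced", "==", 1),
            SLO("patch_age_days", "<=", 30)]
CAPABILITIES = {"tls_min_version": 1.3, "mfa_enforced": 1, "patch_age_days": 14}
COUNTERMEASURES: Dict[str, Countermeasure] = {
    "mfa_enforced": lambda v: "re-enable two-factor authentication on the tenant",
    "patch_age_days": lambda v: "schedule an immediate patch run",
}


def demo() -> List[str]:
    """Negotiate, then run one monitoring/enforcement cycle on a constructed sample
    in which MFA has been switched off and patching has fallen behind."""
    sla, unmet = negotiate("ExampleCSP", "ExampleSME", REQUESTS, CAPABILITIES)
    if sla is None:
        return [f"negotiation failed, unmet: {unmet}"]
    sample = {"tls_min_version": 1.3, "mfa_enforced": 0, "patch_age_days": 45}
    return enforce(sla, sample, COUNTERMEASURES)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design point is that every objective is a bound on something measurable, so monitoring is a mechanical comparison and a missing measurement is treated as a failure rather than as silence; a real deployment would replace the constructed sample with readings from the provider's telemetry and the lambda countermeasures with calls into the enforcement components.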


The SPECS framework, i.e. the software collection produced by the project in open source, can be used by Cloud Service Providers to integrate their service offerings with Security SLA features and/or by developers in order to offer a Third Party solution that enhances the security of public Cloud Service Providers. In particular, the SPECS framework has been designed to empower Small and Medium-sized Enterprises with techniques and tools to improve their control and assurance over the security aspects of their Cloud services.

As a positive side effect, SPECS facilitates transparency between Cloud Service Providers (CSPs) and End-users to allow for a better assessment of the provided/requested security levels through SLAs. Indeed, SPECS is actively contributing to Cloud security SLA standardization initiatives.

The full SPECS framework is now available as a prototype and released as open source in the SPECS official repository https://bitbucket.org/specs-team/. In July 2015, as exploitation of available results, a SPECS’ Solution Portfolio was released; it currently comprises four solutions that are either integrated within commercial products (e.g., EMC’s ViPR Software-Defined Storage) or offered as stand-alone products (e.g., CSA’s STAR Watch, XLAB End-to-End encryption, and CERICT’s Secure Web Container).

The SPECS web site (www.specs-project.eu) has dedicated pages that describe the portfolio, together with links to the resources, repositories and tools needed to use the framework or to participate in the software development process.

 
