The cloud is both a risk and an opportunity depending on the service. Despite the opportunities, security is a top concern for a growing number of cloud service customers, and rightfully so. A key challenge is representing security and measuring it in a service level agreement? How can a cloud service provider grant the security level? And how can a cloud service customer automatically enforce it? Prof. Massimiliano Raks, University of Naples, talks us through Security Service Level Agreement (SecureSLAs), looking at Security SLA Negotiation, Security SLA (Automatic) Enforcement and Security SLA Continuous Monitoring with the SPECS platform for SecSLAs.

1. SPECS Project
Secure Provisioning of Cloud Services based on SLA
Management
Berlin, Germany
16th September 2015

2. Agenda
 SPECS Introduction
 Security Service Level Agreement
 SPECS Demo
 SPECS Framework

3. CeRICT, Italy (coordinator)
TUD, Germany
IeAT, Romania
CSA, United Kingdom
XLAB, Slovenia
EISI, Ireland
FP7-ICT-10-610795
Project Start: 1/11/2013
Project Type: STREP
Duration: 30M
Total Funding: 3.5 M
EU Contribution: 2.4 M
SPECS Project

4. SPECS: Addressed Objective
 Problem Statement:
 End-User Cloud Security: How to compare Cloud Service Providers (CSPs)?,
What they grant? How to improve their security features if they do not grant
enough? …
 Challenges:
 Security Service Level Agreement (SLA): Adoption of Security SLA to states the
security grants between CSPs and Cloud Service Customers (CSCs)
 Security SLA Negotiation: Security SLA are evaluated to help CSC in selecting
the servicesand customized according to Customers requirements
 Security SLA (Automatic) Enforcement: Services are customized and enriched
with ad-hoc security mechanisms to grant the requested security SLAs
 Security SLA Continuous Monitoring: CSC conitnuously monitors the services to
be assured on the respect of agreed Secrutity SLAs

5. SPECS: A Platform for security SLAs
Negotiate Security SLAs,
Use cloud services,
Broker cloud services
Enforce additional security controls
Monitor security

6. SECURITY SERVICE LEVEL
AGREEMENT
Security Service Level Agreement in Practice:
How to represent security, How to measure it, How to grant the security level and a
concrete example of SPECS automatic enforcement of Security SLAs

7. Security Service Level Agreement
What (Security) SLAs should be
 CSP delivers services with an
SLA that details each grant
offered
 CSC compares offerings from
different CSPs
 CSC are able to verify the
respect of SLA and request
penalties when unrespected
What (Security) SLAs are today
 CSP offers a natural language
description of what it is able to
grant
 Few services are able to compare
concretely security offered by CSPs
 CSC have no concrete tools to
monitor an SLA

8. How to Obtain Concrete SLAs
 Issue 1: SLA Life cycle to automate their management
 Definition of the Process of SLA Management, taking into
account both CSP and CSC
 Issue 2: Security SLA Model to represent the grants
 What is the content of a SLAs? How to offer security grants?
 Gap among Customers (focused on risks) and Providers
(focused on security mechanisms offered)
 Issue 3: Automatic Enforcement/Monitoring of SLA
 Is a Security SLA (automatically) implementable?

9. SLA Life Cycle
Negotiation Phase: Establishing the agreement
Implementation Phase: CSP takes all the
actions needed to grant SLA over target services
Monitoring Phase: Both CSP and CSC monitor
services, to verify that SLA are respected
Remediation Phase: CSP performs action
in order to remdiate to an SLA violation
Renegotiation Phase: one of the party aims
at changing the terms of the agreement

10. A Security SLA Model
 Define Security terms according to standards and known best
practices, understandable by both CSC and CSP
 Security terms must be measurable and verifiable for both
CSC and CSP
 Implementable in cloud (self-service, on-demand cloud
characteristics)
 Automate negotiation of the agreement terms
 Automate implementation of SLA
 Automate monitoring of SLA

11. Security Model: Core Idea
 Best Practice:
 Risk Assessment helps in
identification of threats and
security requirements
 Selection of standard security
controls (a safeguard or
countermeasure prescribed to
protect confidentiality, integrity,
and availability)
 Certification verifies the
respect of security controls
 Security SLA made of
 Declarative Part:
Declaration of Security
Controls applied to the service
delivered.
 Measurable Part:
Declaration of the Security
Metrics that can be used by
CSC to verify the security Level
 Mapping:
Relates Controls and Metrics
11/19/2015 WP or Event Reference 11

12. Security SLA Model
12
Declarative
Measurable

13. Security SLA: Standard Format
 In order to enable the (automated) SLA processing Security
SLA must be represented in a machine readable format
 SPECS relies on WS-Agreement (OGF GFD-192) and offers a
set of extension to:
 Represent security controls (NIST 800-53rev4, CCM v3.0)
 Represent Standard Security Metrics (NIST RATAX)
 SPECS Map Security Metrics against security controls
11/19/2015 WP or Event Reference 13

14. Security SLA
14
What SLA
declare
What SLA measure
What the SLA protect
How declaration and
measurement are
associated

15. Implementable Security SLAs
 Are the Security SLA implementable? Is the Security SLA Model
Concrete?
 Additional Concepts:
 Security SLA Template: According to WS-Agreement approach
Security SLA are negotiated through templates that summarizes the
terms that can be negotiated
 Security Mechanisms: To grant security controls we introduce the
concept of security mechanism: a software, offered –as-a-service
that enrich the provided services with the safeguards and
countermeasures requested
11/19/2015 WP or Event Reference 15

16. Implementable Security SLA
11/19/2015 WP or Event Reference 16
Templates
to negotiate
with
customers
Security Mechanisms
IMPLEMENT
& DECLARE
security controls
& security metrics

17. Security SLA Model: how to use
Cloud Service Provider
 Security Controls enforced
through dedicated security
mechanisms
 Security Metrics can be
monitored through dedicated
tools
 SLA helps to verify correctness of
configuration and automates
service protection
Cloud Service Customer
 Security Controls grants the respect
of security requirements
 Customers are able to select and
compare providers
 SLA can be verified using Security
Metrics, whose definition is
standard
11/19/2015 WP or Event Reference 17

18. SECURITY SLA IN PRACTICE
A Demonstration of an application able to automate SLA Management
11/19/2015 WP or Event Reference 18
Demonstration Video

19. SPECS ARCHITECTURE
11/19/2015 WP or Event Reference 19

20. SPECS: What Offers
11/19/2015 WP or Event Reference 20
SPECS Platform
 A Platfrom that offers SPECS Core Services
(Negotiation, Monitoring, Enforcement)
 A Platform able to execute and manage SPECS Applications
SPECS Applications
 Application that offers cloud services protected by Security SLA
SPECS Open Source Framework
 Core Components to automate the SLA Life Cycle
 Security Mechanisms (and their metadata) to protect default services
 Tools to setup a SPECS Platform

21. WHO Uses SPECS
11/19/2015 WP or Event Reference 21
Cloud Service
Providers
 Use the SPECS PaaS
 Offer SPECS Applications
 Enrich their offerings with Security SLA
 Can customize their offerings according to specific security requirements (PA
example)
They are the SPECS Owners
Developers
 Use the SPECS Framework
 Know the security requirements of their customers
 Develop SPECS Applications
They are the SPECS Application Developers
Customers
 Negotiate Security SLAs
 Use the services offered by SPECS Applications
They are the End Users

22. SPECS Usage
SPECS as Third Party
 SPECS runs independently of a
single CSP, brokering resources
SPECS in a CSP
 SPECS runs INSIDE a CSP, using
the local resources and granting
SLAs
11/19/2015 Presentation template 22
Cloud Service Provider (CSP)

23. SPECS Framework
11/19/2015 Presentation template
23
SLA Platform
NegotiationMonitoring Enforcement
SPECS Application
Enabling Platform
Vertical
Layer

24. SPECS Framework in detail
11/19/2015 Presentation template 24

25. SPECS Behaviour
11/19/2015 WP or Event Reference 34

26. SPECS FRAMEWORK
SPECS Framework – The Open Source Solution
11/19/2015 WP or Event Reference 36
https://bitbucket.org/specs-team/
https://bamboo.services.ieat.ro/
http://mvn.services.ieat.ro/
Enabling Platform Demonstration Video

27. QUESTIONS?
16 November 2015 Berlin Workshop on Governance-Accountability-Compliance in the Cloud
CSA EMEA Congress
37