SecAgreement: Advancing Security Risk Calculations in Cloud Services

Hale, Matthew; Gamble, Rose F.

doi:10.1109/services.2012.31

Cited by 28 publications

(31 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…which vocabulary terms) are being offered by the CSP. Our approach is demonstrably compatible with existing SLA frameworks including WS-Agreement [9,14,19] and WSLA [13,14,20,21].…”

Section: Introductionmentioning

confidence: 76%

“…Cloud service compliance research has focused on SLAs [9,14,15,22] and service matchmaking [9,14], security requirement assessment of CSPs [15], and the automation and validation of service configurations [22]. These approaches underscore the importance of service compliance with sets of security requirements, which may be expressed as security controls or formal statements.…”

Section: A Compliance and Certificationmentioning

confidence: 99%

“…In our previous work [9,10], we advance SLA research by developing a schema, based on WS-Agreement [19], that is capable of expressing security requirements in a standard way across service providers. We define an associated matchmaking algorithm that compares security requirements to identify the security offerings best suited to a particular organization.…”

Section: Xml Schema and Ontologies For Slasmentioning

confidence: 99%

“…Although various approaches have improved the ability of SLAs to expose and advertise their security services [9][10][11][12][13], selecting the provider that is most compatible with organizationally selected security controls is still ad-hoc [14]. The main problem is that security controls lack representation in cloud services [14,15], making it difficult to connect organizational certification efforts to the services and security features being used by the cloud.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Building a Compliance Vocabulary to Embed Security Controls in Cloud SLAs

Hale

Gamble

2013

2013 IEEE Ninth World Congress on Services

Self Cite

View full text Add to dashboard Cite

Abstract-Mission critical information systems must be certified against a set of security controls to mitigate potential security incidents. Cloud service providers must in turn employ adequate security measures that conform to security controls expected by the organizational information systems they host. Since service implementation details are abstracted away by the cloud, organizations can only rely on service level agreements (SLAs) to assess the compliance of cloud security properties and processes. Various representation schema allow SLAs to embed service security terms, but are disconnected from documents regulating security controls. This paper demonstrates an extensible solution for building a compliance vocabulary that associates SLA terms with security controls. The terms allow services to express which security controls they comply with and enable at-a-glance comparison of security service offerings so organizations can distinguish among cloud service providers that best comply with security expectations. To exemplify the approach, we build a sample vocabulary of terms based on audit security controls from a standard set of governing documents and apply them to an SLA for an example cloud storage service. We assess the compatibility with existing SLAs and calculate the computational overhead associated with the use of our approach in service matchmaking.

show abstract

“…which vocabulary terms) are being offered by the CSP. Our approach is demonstrably compatible with existing SLA frameworks including WS-Agreement [9,14,19] and WSLA [13,14,20,21].…”

Section: Introductionmentioning

confidence: 76%

Section: A Compliance and Certificationmentioning

confidence: 99%

Section: Xml Schema and Ontologies For Slasmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Building a Compliance Vocabulary to Embed Security Controls in Cloud SLAs

Hale

Gamble

2013

2013 IEEE Ninth World Congress on Services

Self Cite

View full text Add to dashboard Cite

show abstract

“…However risk quantification is not semantically netted in ws-agreement. SecAgreement [46] articulates the security parameters and services to be provided in the SLAs. The SecAgreement extends the template of the ws-agreement to include security constraints and metrics into the SLAs.…”

Section: Discussion:-mentioning

confidence: 99%

An Analysis of Cloud Computing Information Security Challenges.

Hosni¹

2017

IJAR

View full text Add to dashboard Cite

A non‐repudiable negotiation protocol for security service level agreements

Kannisto

Takahashi

Harju

et al. 2014

Int J Communication

View full text Add to dashboard Cite

Summary Security service level agreements (SSLAs) provide a systematic way for end users at home or in the office to guarantee sufficient security level when doing business or exchanging sensitive personal or organizational data with an online service. In this paper, we propose an SSLA negotiation protocol that implements non‐repudiation with cryptographic identities and digital signatures and includes features that make it resistant to denial of service attacks. The basic version of the protocol does not rely on the use of a trusted third party, and it can be used for all kinds of simple negotiations. For the negotiation about SSLAs, the protocol provides an option to use an external knowledge base that may help the user in the selection of suitable security measures. We have implemented a prototype of the system, which uses JSON Web Signature for the message exchange and made some performance tests with it. The results show that the computational effort required by the cryptographic operations of the negotiation protocol remains at a reasonable level. Copyright © 2014 John Wiley & Sons, Ltd.

show abstract

SecAgreement: Advancing Security Risk Calculations in Cloud Services

Cited by 28 publications

References 10 publications

Building a Compliance Vocabulary to Embed Security Controls in Cloud SLAs

Building a Compliance Vocabulary to Embed Security Controls in Cloud SLAs

An Analysis of Cloud Computing Information Security Challenges.

A non‐repudiable negotiation protocol for security service level agreements

Contact Info

Product

Resources

About