Leveraging the potential of Cloud security SLAs

Leveraging the potential of Cloud security SLAs. Dr. Jesus Luna Garcia, Cloud Security Alliance (Europe).

Agenda: Cloud Security SLAs (secSLAs); Good-enough security through secSLAs; SecSLA automation; Summary.

How do you choose a Cloud Service Provider (CSP)? Service-related criteria: performance, price, reputation. What about security (and privacy)?

Cloud Service Level Agreements. A cloud SLA is a documented agreement between the cloud service provider (CSP) and the cloud service customer that identifies services and their associated quality levels (i.e., cloud service level objectives, or SLOs). Security specification in cloud SLAs (secSLAs) aims to provide useful and measurable security information to customers. Despite their advocated advantages, most cloud SLAs/secSLAs are offered on a "take it or leave it" basis. How can Cloud customers benefit from Cloud secSLAs?

Good-enough Cloud security through secSLAs. "[…] everything should be made as secure as necessary, but not securer." (Sandhu, 2003). Realizing adequate levels of IT security is typically tied to risk management activities. Preliminary research is based on the Cloud-Adapted Risk Management Framework (CRMF, draft NIST SP 800-173).

Cloud secSLA. Steps: 1-Impact analysis; 2-Elicit security requirements; 3-Select Cloud arch.; 4-Assess available CSPs; 5-Select CSP and negotiate secSLA; 6-Monitor CSP and own controls. (Diagram labels: Cloud secSLA, baseline & tailored SLOs; SecSLA agreed, CSP-specific and own SLOs.)

Risk Assessment. Step 1 – Impact analysis. Step 2 – Risk assessment.

Risk Treatment. Step 3 – Select the Cloud architecture. Step 4 – Assess CSP options. Negotiate additional security controls with the CSP. Identify security controls under the consumer's responsibility.

Risk Control. Step 5 – Select CSP. Draft an SLA. Step 6 – Monitor the CSP (secSLA) and customer-side controls.

Interested in this topic? "Leveraging the Potential of Cloud Security Service Level Agreements through Standards", Jesus Luna, Neeraj Suri, Michaela Iorga, Anil Karmel, IEEE Cloud Computing, 2015.

Automating good-enough Cloud secSLAs (putting all the secSLA pieces together)

European Project SPECS. Partners: CeRICT, Italy (coordinator); TUD, Germany; IeAT, Romania; CSA, United Kingdom; XLAB, Slovenia; EISI, Ireland. FP7-ICT-10-610795. Project start: 1/11/2013. Project type: STREP. Duration: 30 months.

SPECS: SecaaS based on secSLAs. Provisions security services to customers. Manages the secSLA life cycle (negotiation, monitoring and enforcement). Ongoing integration into products like EMC's ViPR.

Leveraging and contributing to standards

Machine-readable (XML) secSLA specification
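The CRMF steps on the earlier slides (assess available CSPs, negotiate additional controls or identify the customer's own, then monitor the CSP against the agreed secSLA) become mechanical once the secSLA is machine-readable. The following is an added example, not code or a schema from the SPECS project or from ISO/IEC 19086: it parses a small constructed XML secSLA, checks the CSP's offered SLOs against a constructed customer baseline to list the gaps that would go to negotiation or to customer-side controls (step 4/5), and checks monitored measurements against the agreed SLOs to flag violations (step 6). All element names, metric names and values are assumptions made for illustration.

```python
# Added example (not the SPECS project's own code or schema): a toy
# machine-readable secSLA in XML, a customer baseline of required SLOs,
# a gap assessment of the CSP offer against that baseline (step 4 / 5),
# and a check of monitored measurements against the agreed SLOs (step 6).
# All element names, metric names and values below are constructed for
# illustration; they are not from ISO/IEC 19086 or the SPECS schema.
import xml.etree.ElementTree as ET

# Constructed sample: what a CSP publishes. Each SLO names a metric, its
# committed value, and (for numeric metrics) the direction that is "better".
CSP_SECSLA_XML = """<secSLA provider="ExampleCSP">
  <slo metric="encryption_at_rest" type="bool">true</slo>
  <slo metric="log_retention_days" type="int" better="higher">90</slo>
  <slo metric="incident_notification_hours" type="int" better="lower">72</slo>
  <slo metric="mfa_for_admin_console" type="bool">false</slo>
  <slo metric="backup_frequency_hours" type="int" better="lower">24</slo>
</secSLA>"""

# Constructed customer baseline from the impact analysis: the minimum the
# customer requires, keyed by the same metric names. A metric the CSP does
# not offer at all is also a gap.
CUSTOMER_BASELINE = {
    "encryption_at_rest": ("bool", None, True),
    "log_retention_days": ("int", "higher", 180),
    "incident_notification_hours": ("int", "lower", 24),
    "mfa_for_admin_console": ("bool", None, True),
    "vulnerability_scan_interval_days": ("int", "lower", 7),
}


def parse_secsla(xml_text):
    """Return {metric: (type, better, value)} from a secSLA XML document."""
    root = ET.fromstring(xml_text)
    slos = {}
    for slo in root.findall("slo"):
        kind = slo.get("type")
        raw = (slo.text or "").strip()
        value = raw.lower() == "true" if kind == "bool" else int(raw)
        slos[slo.get("metric")] = (kind, slo.get("better"), value)
    return slos


def satisfies(kind, better, offered, required):
    """True if an offered (or observed) SLO value meets the required one."""
    if kind == "bool":
        return offered is True or required is False
    return offered >= required if better == "higher" else offered <= required


def assess_offer(offered_slos, baseline):
    """Step 4: list baseline SLOs the CSP offer does not meet or omits.
    Each gap is a candidate either for negotiation with the CSP or for a
    control the customer must operate itself."""
    gaps = []
    for metric, (kind, better, required) in baseline.items():
        if metric not in offered_slos:
            gaps.append((metric, "not offered", required))
            continue
        _, _, offered = offered_slos[metric]
        if not satisfies(kind, better, offered, required):
            gaps.append((metric, offered, required))
    return gaps


def check_measurements(agreed_slos, measurements):
    """Step 6: compare monitored values with the agreed SLOs and return
    the metrics currently in violation as (metric, observed, committed)."""
    violations = []
    for metric, observed in measurements.items():
        if metric not in agreed_slos:
            continue  # no commitment for this metric, nothing to enforce
        kind, better, committed = agreed_slos[metric]
        if not satisfies(kind, better, observed, committed):
            violations.append((metric, observed, committed))
    return violations


if __name__ == "__main__":
    offer = parse_secsla(CSP_SECSLA_XML)
    for gap in assess_offer(offer, CUSTOMER_BASELINE):
        print("gap:", gap)
    # Constructed monitoring sample: a 100 h notification breaches the 72 h SLO.
    observed = {"incident_notification_hours": 100, "log_retention_days": 95}
    for violation in check_measurements(offer, observed):
        print("violation:", violation)
```

With the constructed data the assessment reports four gaps (log retention, incident notification time, admin-console MFA, and an unoffered vulnerability-scan metric), and the monitoring check reports one violation (the 100 h notification against the committed 72 h). The direction attribute matters: a naive numeric comparison would treat a longer notification time as "more", so each numeric SLO must carry whether higher or lower is better.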

It’s showtime! SPECS Demo

Summary: Are we there yet? Standards (vocabularies, metrics, …) and best practices (making Cloud SLAs usable for SMEs). ISO/IEC 19086 Parts 1-4. Cloud secSLAs in supply chains/multi-cloud systems. Certifications or SLAs, or both?

Questions? Give us your opinion about secSLAs: https://www.surveymonkey.com/r/SPECS_SLA. Help us secure Cloud computing: http://www.cloudsecurityalliance.org, jluna@cloudsecurityalliance.org. SPECS: http://www.specs-project.eu/

(Some) Cloud barriers: the lack of transparency of some CSPs or brokers; lack of clarity in contracts; Cloud security not easy to understand for SMEs.