Presentation is loading. Please wait.

Presentation is loading. Please wait.

Leveraging the potential of Cloud security SLAs

Published bySheena Grant Modified over 9 years ago

Similar presentations

Presentation on theme: "Leveraging the potential of Cloud security SLAs"— Presentation transcript:

1 Leveraging the potential of Cloud security SLAs
Dr. Jesus Luna Garcia Cloud Security Alliance (Europe)

2 Agenda Cloud Security SLAs (secSLAs)
Good-enough security through secSLAs SecSLA automation Summary

3 How do you choose a Cloud Service Provider (CSP)?
Service-related: Performance Price Reputation What about security (and privacy)?

4 Cloud Service Level Agreements
A cloud SLA is a documented agreement between the cloud service provider (CSP) and cloud service customer that identifies services and associated quality levels (i.e., cloud service level objectives or SLOs). Security specification in cloud SLAs (secSLAs) aims to provide useful/measurable (security) information to Customers. Despite their advocated advantages, most cloud SLAs/secSLAs are offered on a “take it, or leave it” manner. How Cloud customers can benefit from Cloud secSLAs?

5 Good-enough Cloud security through secSLAs
“[…] everything should be made as secure as necessary, but not securer.” Sandhu, 2003 Realizing adequate levels of IT security is typically related to risk management activities. Preliminary research based on Cloud-Adapted Risk Management Framework (CRMF, draft NIST SP ).

6 Cloud secSLA 1-Impact analysis 2-Elicit security requirements
3-Select Cloud arch. 4-Assess available CSPs 5-Select CSP and negotiate secSLA 6-Monitor CSP and own controls Cloud secSLA Baseline & tailored SLOs SecSLA agreed CSP specific and own SLO’s

7 Risk Assessment Cloud secSLA 1-Impact analysis
Step 1 – Impact analysis. Step 2 – Risk assessment. 1-Impact analysis 2-Elicit security requirements 3-Select Cloud arch. 4-Assess available CSPs 5-Select CSP and negotiate secSLA 6-Monitor CSP and own controls Cloud secSLA Baseline & tailored SLOs SecSLA agreed CSP specific and own SLO’s

8 Cloud secSLA Risk Treatment 1-Impact analysis
2-Elicit security requirements 3-Select Cloud arch. 4-Assess available CSPs 5-Select CSP and negotiate secSLA 6-Monitor CSP and own controls Cloud secSLA Baseline & tailored SLOs SecSLA agreed Risk Treatment Step 3 – Select the Cloud architecture. Step 4 – Assess CSP options. Negotiate additional security controls with CSP. Identify security controls under the consumer’s responsibility. CSP specific and own SLO’s

9 Risk Control Cloud secSLA 1-Impact analysis
2-Elicit security requirements 3-Select Cloud arch. 4-Assess available CSPs 5-Select CSP and negotiate secSLA 6-Monitor CSP and own controls Risk Control Step 5 – Select CSP. Draft a SLA. Step 6 – Monitor the CSP (secSLA) and customer-side controls. Cloud secSLA Baseline & tailored SLOs SecSLA agreed CSP specific and own SLO’s

10 Interested on this topic?
“Leveraging the Potential of Cloud Security Service Level Agreements through Standards” Jesus Luna, Neeraj Suri, Michaela Iorga, Anil Karmel IEEE Cloud Computing, 2015

11 Automating good-enough Cloud secSLAs
(putting all the secSLA pieces together)

12 European Project SPECS
CeRICT, Italy (coordinator) TUD, Germany IeAT, Romania CSA, United Kingdom XLAB, Slovenia EISI, Ireland FP7-ICT Project Start: 1/11/2013 Project Type: STREP Duration: 30 Months

13 SPECS SecaaS based on secSLAs
Provisions security services to Customers Manages the secSLA life cycle (negotiation, monitoring and enforcement) Ongoing integration into products like EMC’s ViPR.

14 Leveraging and contributing to standards

15 Machine-readable (XML) secSLA specification

16 It’s showtime! SPECS Demo

17 Summary: Are we there yet?
Standards (vocabularies, metrics, …), and best practices (making Cloud SLAs usable for SMEs). ISO/IEC Parts 1-4 Cloud secSLAs in supply chains/multi-cloud systems. Certifications or SLA’s or both?

18 Questions? Give us your opinion about secSLAs:
Help us secure Cloud computing: SPECS:

19

20 (Some) Cloud barriers The lack of transparency of some CSPs or brokers
Lack of clarity in contracts Cloud security not easy to understand for SME’s

Download ppt "Leveraging the potential of Cloud security SLAs"

Similar presentations

Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.

Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.
STANDARDIZATION AND THE INTERNATIONAL TRANSFER OF SUSTAINABLE TECHNOLOGIES WORKSHOP Sustainability and Technical Barriers to Trade Environmental Standards.

STANDARDIZATION AND THE INTERNATIONAL TRANSFER OF SUSTAINABLE TECHNOLOGIES WORKSHOP Sustainability and Technical Barriers to Trade Environmental Standards.
Policy based Cloud Services on a VCL platform Karuna P Joshi, Yelena Yesha, Tim Finin, Anupam Joshi University of Maryland, Baltimore County.

Policy based Cloud Services on a VCL platform Karuna P Joshi, Yelena Yesha, Tim Finin, Anupam Joshi University of Maryland, Baltimore County.
Cloud Services Measurement, Audit – and Standards Martin Kuppinger Founder and Principal Analyst, KuppingerCole

Cloud Services Measurement, Audit – and Standards Martin Kuppinger Founder and Principal Analyst, KuppingerCole
Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.

Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
Www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance Cloud Controls Matrix Work Group Session Sean Cordero President of Cloudwatchmen,

Copyright © 2011 Cloud Security Alliance Cloud Controls Matrix Work Group Session Sean Cordero President of Cloudwatchmen,
Www.enisa.europa.eu ENISA – Cloud Computing Security Strategy Dr Steve Purser Head of Technical Department European Network and Information Security Agency.

ENISA – Cloud Computing Security Strategy Dr Steve Purser Head of Technical Department European Network and Information Security Agency.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
1 International Partner Program by EuroCloud Europe EuroCloud Star Audit Based on European Quality Values for a Worldwide Usage.

1 International Partner Program by EuroCloud Europe EuroCloud Star Audit Based on European Quality Values for a Worldwide Usage.
Output Break-out Session # 4 CLOUD SLA © ETSI 2012. All rights reserved CLOUD STANDARDS COORDINATION Cannes, 4-5 december 2012.

Output Break-out Session # 4 CLOUD SLA © ETSI All rights reserved CLOUD STANDARDS COORDINATION Cannes, 4-5 december 2012.
T-NOVA: Developing a platform for NFaaS T-NOVA Consortium Presenter: Kourtis Akis - NCSR Demokritos, Greece.

T-NOVA: Developing a platform for NFaaS T-NOVA Consortium Presenter: Kourtis Akis - NCSR Demokritos, Greece.
Www.cloudsecurityalliance.org Security and Privacy SLAs for Cloud services Dr. Jesus Luna, CSA Research Director EMEA Copyright © 2015 Cloud Security Alliance.

Security and Privacy SLAs for Cloud services Dr. Jesus Luna, CSA Research Director EMEA Copyright © 2015 Cloud Security Alliance.
SmartER Semantic Cloud Sevices Karuna P Joshi University of Maryland, Baltimore County Advisors: Dr. Tim Finin, Dr. Yelena Yesha.

SmartER Semantic Cloud Sevices Karuna P Joshi University of Maryland, Baltimore County Advisors: Dr. Tim Finin, Dr. Yelena Yesha.
SECURECLOUD2012 MAY-2012 1 QUantifiable End-to-end SecuriTy for Cloud Trustworthiness TU Darmstadt, Germany DEEDS Group Dr. Jesus Luna G.

SECURECLOUD2012 MAY QUantifiable End-to-end SecuriTy for Cloud Trustworthiness TU Darmstadt, Germany DEEDS Group Dr. Jesus Luna G.
Security Controls – What Works

Security Controls – What Works
1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev. 12-16-11)

1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev )
0 Software as a Service in Finance Date: 15 May 2007 Produced by: Chris Swan The materials may not be used or relied upon in any way.

0 Software as a Service in Finance Date: 15 May 2007 Produced by: Chris Swan The materials may not be used or relied upon in any way.
Annie W. Sokol, IT Specialist, NIST

Annie W. Sokol, IT Specialist, NIST
Vendor Management Frequent regulatory findings:

Vendor Management Frequent regulatory findings:

Similar presentations

Ads by Google