
Page 1

Security Service Level Agreements in the Cloud: The SPECS Framework

Prof. Massimiliano Rak - CeRICT
SPECS Project: Secure Provisioning of Cloud Services based on SLA Management

Page 2

Outline

• Introduction
    • Project
    • Challenges
    • Security SLAs
    • Mission
• SPECS
    • Models
    • Process
    • Framework
• Results
    • Security SLA
    • Security Metric Catalogue
    • Framework
    • Solution Portfolio
• Demo

Page 3

SPECS Project

FP7-ICT-10-610795
Project Start: 1/11/2013
Project Type: STREP
Duration: 30M
Total Funding: 3.5 M
EU Contribution: 2.4 M

Partners:
• CeRICT, Italy (coordinator)
• TUD, Germany
• IeAT, Romania
• CSA, United Kingdom
• XLAB, Slovenia
• EISI, Ireland

Page 4

Cloud Security Challenges

• CSP Security Assessment: I made a risk assessment; does my CSP offer all the controls I need to meet my security requirements?
• Comparison of security offered by CSPs: many CSPs offer the same functionalities at different costs; how does the security change from one to another?
• Monitoring CSP Security: my CSP guarantees that it is applying a lot of security controls; how can I verify that this is true? If a security breach happens, how can I become aware of it?
• Data Protection: do I respect all data protection regulations? Is my privacy respected?

Page 5

Security Service Level Agreements

Security SLAs are contracts between a CSP and its CSCs regulating the security level guaranteed over the provisioned services.

• Open challenges:
    • identification and representation of security attributes
    • quantification of the security level
    • continuous monitoring of the fulfillment of the SLAs
    • automated enforcement

Page 6

SPECS Mission

SPECS aims at using Security SLAs to:
• negotiate security between CSCs and CSPs, enabling customers to compare CSPs and CSPs to offer security that addresses customer-specific needs;
• automatically enforce security on services delivered to CSCs according to their requirements;
• enable both CSCs and CSPs to monitor security levels and react when security is violated.

Page 7

SLA-based Cloud Services

• Negotiate: agree on security controls and metrics
• Implement: activate security mechanisms
• Monitor: collect security metric measurements
• Remediate: identify violations and apply remedies
• Renegotiate: change SLA terms

Page 8

SPECS Model

[Figure: SPECS model. Actors: Customer, SPECS Owner, Developer, CSP. Relationships shown: Develop, Use, Manage, Broker & Configure, around the Cloud Service.]

Page 9

Results: Security SLA Model

• A Security SLA model and its machine-readable format, defined according to state-of-the-art standards (ISO 19086, WS-Agreement, …)
• Security SLAs usable within standard risk modeling processes
• Security SLAs containing standard and measurable security metrics to offer guarantees (easy for providers to give and verifiable by customers)

Page 10

Security SLA Model

[Figure: Security SLA model, with a Declarative part and a Measurable part.]

Page 11

SPECS Framework

[Figure: SPECS Framework. Components: SLA Platform; Negotiation, Monitoring and Enforcement modules; SPECS Application; Enabling Platform. Actors: Customer, Developer, SPECS Owner.]

Page 12

Results: SPECS Framework

Page 13

SPECS SLA Management Process

[Figure: SPECS SLA management process. Phases: Negotiation, Planning, Implementation, Monitoring, Remediation Diagnosis, Remediation Planning, Remediation Implementation. Artifacts: SLA Template, SLA Offer, Mechanisms, Plan, Implemented Plan, Current Events, Monipoli Notifications, Historical Events, Remediation Plan. Components: Service Manager, Monitoring Systems, Event Archiver, SLO Manager.]

Page 14

Results: Security Metric Catalogue

• A catalogue of security metrics represented according to the latest NIST/ISO standards
• More than 20 security metrics defined in SPECS
• More than 160 security metrics collected from other projects and standard bodies and represented according to the SPECS model

23/02/16 1st Workshop DPSP - Napoli

Page 15

Results: SPECS Portfolio

• Secure Web Container: a PaaS offering web servers preconfigured with TLS, protected against DoS and enriched with software vulnerability assessment
• STAR Watch: evaluate and compare CSPs using the CSA STAR Repository
• E2EE: a storage service protected with E2E encryption
• ViPR+SPECS: a CSP datacenter offering Security SLAs on top of the EMC ViPR solution

Page 16

SPECS Impact Goals

• Support private and public cloud providers to enhance the security of their services under a signed Security SLA
• Support small private cloud providers (the majority in Europe) to offer more security, negotiable with customers (more flexibility than big CSPs)
• Improve customers' trust in the Cloud

Page 17

Questions?

References: SPECS: www.specs-project.eu

Page 18

Security SLA in WS-Agreement

• What the SLA declares
• What the SLA measures
• What the SLA protects
• How declaration and measurement are associated
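The lifecycle of the earlier slides (negotiate, implement, monitor, remediate) and the declare/measure/protect/associate structure of this slide, as a small Python model added here; it is not SPECS project code, and the metric names, thresholds, remediation catalogue and measurements are constructed for the example.

```python
"""Toy model of a Security SLA lifecycle: negotiate, monitor, remediate (added example, not SPECS code)."""
from collections import namedtuple

# SLO: what the SLA measures (metric, op, threshold) bound to what it declares and protects (control).
SLO = namedtuple("SLO", "metric op threshold control")
# SecuritySLA: a provider's offer, i.e. the set of (declaration, measurement) associations.
SecuritySLA = namedtuple("SecuritySLA", "provider slos")

def holds(slo, value):
    """True when an observed value satisfies the objective."""
    return value >= slo.threshold if slo.op == ">=" else value <= slo.threshold

def negotiate(requirements, offers):
    """Negotiation: providers whose offer meets every customer requirement. A requirement is itself
    an SLO; an offer meets it when it declares the same metric with a threshold at least as strict."""
    matched = []
    for sla in offers:
        declared = {s.metric: s for s in sla.slos}
        if all(r.metric in declared and holds(r, declared[r.metric].threshold)
               for r in requirements):
            matched.append(sla.provider)
    return matched

def monitor(sla, measurements):
    """Monitoring: SLOs violated by the collected measurements. A metric with no
    measurement counts as violated: a guarantee that cannot be verified is not met."""
    return [s for s in sla.slos
            if s.metric not in measurements or not holds(s, measurements[s.metric])]

REMEDIATIONS = {  # constructed catalogue: declared control -> remediation action
    "TLS": "reconfigure web server with the agreed TLS policy",
    "DoS protection": "re-enable rate limiting on the front end",
    "Vulnerability assessment": "rerun the scanner and apply pending patches",
}

def plan_remediation(violations):
    """Remediation planning: one action per violated SLO, else renegotiate the term."""
    return [(v.metric, REMEDIATIONS.get(v.control, "renegotiate SLA term"))
            for v in violations]

# Constructed sample: two SLA offers and one round of monitoring measurements.
OFFER_A = SecuritySLA("provider-A", (
    SLO("tls_min_version", ">=", 1.2, "TLS"),
    SLO("dos_mitigation_uptime_pct", ">=", 99.0, "DoS protection"),
    SLO("vuln_scan_max_age_days", "<=", 7, "Vulnerability assessment")))
OFFER_B = SecuritySLA("provider-B", (SLO("tls_min_version", ">=", 1.0, "TLS"),))
SAMPLE_MEASUREMENTS = {"tls_min_version": 1.2, "dos_mitigation_uptime_pct": 98.5}

if __name__ == "__main__":
    print(plan_remediation(monitor(OFFER_A, SAMPLE_MEASUREMENTS)))
```

With the sample measurements the DoS objective is missed and the vulnerability-scan metric is never reported, so both come back as violations with a remediation each.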