Title :
SecAgreement: Advancing Security Risk Calculations in Cloud Services
Author :
Hale, Matthew L. ; Gamble, Rose
Author_Institution :
Tandy Sch. of Comput. Sci., Univ. of Tulsa, Tulsa, OK, USA
Abstract :
By choosing to use cloud services, organizations seek to reduce costs and maximize efficiency. For mission critical systems that must satisfy security constraints, this push to the cloud introduces risks associated with cloud service providers not implementing organizationally selected security controls or policies. As internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings. Current SLAs focus on quality of service metrics and lack the semantics needed to express security constraints that could be used to measure risk. We create a framework, called SecAgreement (SecAg), that extends the current SLA negotiation standard, WS-Agreement, to allow security metrics to be expressed on service description terms and service level objectives. The framework enables cloud service providers to include security in their SLA offerings, increasing the likelihood that their services will be used. We define and exemplify a cloud service matchmaking algorithm to assess and rank SecAg enhanced WS-Agreements by their risk, allowing organizations to quantify risk, identify any policy compliance gaps that might exist, and as a result select the cloud services that best meet their security needs.
Keywords :
Web services; cloud computing; contracts; cost reduction; quality of service; risk analysis; security of data; software architecture; SLA negotiation standard; SecAg enhanced WS-Agreements; SecAgreement; cloud architecture; cloud service matchmaking algorithm; cloud service providers; contractual obligations; cost reduction; efficiency maximization; internal system details; mission critical systems; policy compliance gap identification; quality of service metrics; security constraint satisfaction; security metrics; security risk calculations; service description; service level agreements; Cloud computing; Organizations; Quality of service; Security; Standards organizations; XML; audit; cloud; quality of security service; risk; security; service level agreement; web services; xml;
Conference_Title :
Services (SERVICES), 2012 IEEE Eighth World Congress on
Conference_Location :
Honolulu, HI
Print_ISBN :
978-1-4673-3053-4
DOI :
10.1109/SERVICES.2012.31