• DocumentCode
    3436247
  • Title

    Access Control and Security Properties Requirements Specification for Clouds' SecLAs

  • Author

    Guesmi, Aoues ; Clemente, P.

  • Author_Institution
    LIFO, Univ. Orleans, Orleans, France
  • Volume
    1
  • fYear
    2013
  • fDate
    2-5 Dec. 2013
  • Firstpage
    723
  • Lastpage
    729
  • Abstract
    Current Cloud Service Level Agreements (SLAs) do not cover security requirements. Some consortiums have proposed standards for the evaluation of security offered by the Cloud Providers (CP). Cloud Brokers (CB) can then generate Security Level Agreement (SecLA) contracts between customers and providers to fit users' requirements. However, the SecLAs do not provide enough details for complex customers' situations, such as sharing resources with other users/companies, or setting up specific Access Controls and Security Properties (ACSP). In this paper, we tackle this issue by introducing a general Requirement Specification Language (ACSP-RSL) to allow the customers to express their needs in terms of ACSP. The underlying formal model, on which RSL is based, is partially presented. The global SecLA definition and negotiation process is thus extended with our proposal. RSL indeed also allows expressing Security Requirements currently existing in SecLAs. The negotiation phase between CB and the CPs is discussed. We show how the RSL specifications expressed by the customer can be projected into a generic detection/protection policy expressed as an extension of RSL. A complete use-case for a healthcare system with multitenancy for users and services deployed is given. Its security requirements are analyzed, modeled, expressed and discussed.
  • Keywords
    Web services; authorisation; cloud computing; contracts; formal specification; specification languages; ACSP-RSL; Cloud SecLA; RSL specifications; access control and security property requirement specification; cloud brokers; cloud providers; cloud service level agreements; complex customer situations; formal model; generic detection-protection policy; global SecLA definition and negotiation process; healthcare system; requirement specification language; resource sharing; security level agreement contracts; user requirements; Access control; Cloud computing; Computational modeling; Context; Medical services; Standards; Access Control; Cloud Broker; Cloud Computing; Security Level Agreement; Security Properties; Security Requirements;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Cloud Computing Technology and Science (CloudCom), 2013 IEEE 5th International Conference on
  • Conference_Location
    Bristol
  • Type

    conf

  • DOI
    10.1109/CloudCom.2013.133
  • Filename
    6753867