State of the art and challenges of security SLA for cloud computing

https://doi.org/10.1016/j.compeleceng.2016.12.030

Highlights

  • A classification of security SLA solutions is presented.

  • The security issues for SLA management in the cloud computing environment are discussed.

  • The research opportunities for developing an SLA for cloud security are enumerated.

Abstract

There are users and organizations that resist adopting cloud computing solutions due to concerns about the security and privacy of their data. A Service Level Agreement (SLA) can be used to address these concerns, increasing trust in the purchased services through a clear description of the guarantees offered by the provider to its subscribers. For this purpose, the authors performed a systematic mapping of the literature to enumerate existing solutions and open issues in security SLAs for cloud computing. This review is presented in this paper together with an analysis of the state of the art. The paper also presents a classification of the selected papers and a discussion of the management of security SLAs in clouds.

Introduction

Cloud computing is a paradigm that allows companies and organizations to focus their efforts on their core business or activity by outsourcing their Information Technology (IT) resources. Cloud computing makes it possible to reduce infrastructure cost by contracting a public cloud provider and paying only for the consumed resources. Elasticity is one of its main features, as it allows more or fewer resources to be used in accordance with demand. Cloud computing is a reality, with high investments from big companies such as Amazon, Microsoft, and Google. However, this technology comes with a major drawback: the loss of control over the cloud infrastructure. Consequently, individuals, companies, and organizations resist adopting public clouds due to concerns about security and privacy [1], [2].

Rong et al. [3] highlight security challenges related to, for example, data leakage, data sharing, resource location, availability and multi-tenancy issues. Providers deal with these security concerns by implementing controls based on standards and frameworks such as ISO/IEC 27017, the Cloud Security Alliance’s Cloud Control Matrix (CSA CCM) and the US National Institute of Standards and Technology (NIST) Special Publication 800-53 [2]. These frameworks can be used to assess providers, increasing trust in their services. However, customers have only a limited view of the cloud's security and require mechanisms that supply security assurances and greater transparency over the provided services [2].

In this context, Service Level Agreements (SLAs) can be used to provide the desired transparency and guarantees. An SLA is a formal document in which a cloud provider specifies its level of QoS assurance through the parameters of the non-functional requirements (e.g., availability, performance and security) [4]. For example, it is possible to define that a service will be available 99.9% of the time and that its response time will be at most 3.5 s. However, security terms are not covered in the SLAs of public cloud providers [3]. For example, the Amazon EC2 SLA only specifies service availability, without any other QoS assurance. Likewise, Microsoft and Google provide only availability assurances.

A security SLA solution for clouds must include tools to manage the SLA, allowing negotiation of the SLA terms in accordance with the customer’s needs, as well as assessment and measurement of security in the cloud environment. Audit mechanisms are important to prevent tampered information from being reported. When a violation of an SLA term is detected, procedures can be performed to restore the SLA.

Faniyi and Bahsoon performed a systematic review of SLA management in the cloud environment [5]. Their focus is the analysis of the resource allocation techniques that can be used to maintain the SLA; however, they do not address security aspects in their analysis. Luna et al. [2] discuss the standardization of security SLAs, and Casola et al. [1] analyze research initiatives and open issues, considering mainly their own previous contributions. Moreover, review papers on cloud security do not properly address SLA management [3].

In this context, we performed a systematic mapping of the literature to search for security SLA solutions for clouds and for the challenges that remain. The main contribution of this paper is an analysis of the state of the art in security SLA management for clouds. The aims of this review are to: i) identify and classify the contributions of security SLAs for clouds; and ii) discover limitations of existing solutions and research opportunities. The results of our review are presented here together with a discussion of security SLA management and open issues.

The remainder of this paper is organized as follows. In Section 2, we present the components and the life cycle of an SLA, focusing on the cloud security context. The systematic mapping is presented in Section 3. We summarize the open challenges in Section 4 and give the conclusions at the end of the paper.

Security SLA for cloud computing

An SLA is a legal contract that defines the QoS offered by a provider as part of its agreement with the contracting customer [5]. The main components of an SLA contract are the Service Level Objectives (SLOs), which are inherent to the aspects covered by the SLA. Each SLO contains a set of Service Level Indicators (SLIs), which should be measured to determine the QoS level [6]. Other elements should be described to indicate the limitations of the provided services, eliminating unrealistic
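As an added illustration of the SLO/SLI structure described above and of the management tasks named in the introduction (measurement, violation detection and tamper-resistant auditing), the following Python example is not from the paper or from any of the surveyed works. The SLA terms, the measured values and the HMAC key are constructed placeholders, and the HMAC-chained audit log is one simple way to make measurement records tamper-evident; it is an assumption of this example, not a mechanism the paper prescribes.

```python
"""Minimal security-SLA monitor: SLOs made of SLIs, threshold checks, and a
tamper-evident audit log. Added example; all values are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SLI:
    """A measurable indicator plus the threshold the provider commits to."""
    name: str
    unit: str
    comparator: str      # "ge": measured value must be >= threshold; "le": <= threshold
    threshold: float

    def satisfied(self, value: float) -> bool:
        if self.comparator == "ge":
            return value >= self.threshold
        if self.comparator == "le":
            return value <= self.threshold
        raise ValueError(f"unknown comparator {self.comparator!r}")


@dataclass(frozen=True)
class SLO:
    """An objective (e.g. availability) expressed through one or more SLIs."""
    name: str
    indicators: tuple


# Constructed sample SLA; thresholds are illustrative, not taken from the paper.
SAMPLE_SLA = (
    SLO("availability", (SLI("uptime_pct", "%", "ge", 99.9),)),
    SLO("performance", (SLI("response_time_s", "s", "le", 3.5),)),
    SLO("security", (
        SLI("critical_patch_latency_days", "days", "le", 7),
        SLI("mfa_enabled_admin_pct", "%", "ge", 100),
    )),
)

# Constructed measurements, as an SLI collector might report them for one period.
SAMPLE_MEASUREMENTS = {
    "uptime_pct": 99.95,
    "response_time_s": 4.2,
    "critical_patch_latency_days": 3,
    "mfa_enabled_admin_pct": 97,
}


def evaluate(sla, measurements):
    """Return (slo_name, sli_name, measured_value) for every SLI that fails."""
    violations = []
    for slo in sla:
        for sli in slo.indicators:
            if sli.name not in measurements:
                # An indicator that was never reported cannot be shown to be met.
                violations.append((slo.name, sli.name, None))
                continue
            value = measurements[sli.name]
            if not sli.satisfied(value):
                violations.append((slo.name, sli.name, value))
    return violations


class AuditLog:
    """Append-only log whose entries are chained with an HMAC, so that a modified,
    reordered or deleted record is detectable by anyone holding the key."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []          # list of (record_dict, tag_hex)

    def _tag(self, prev_tag: str, record: dict) -> str:
        payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1][1] if self.entries else ""
        tag = self._tag(prev, record)
        self.entries.append((record, tag))
        return tag

    def verify(self) -> bool:
        """Recompute the chain; False as soon as any entry no longer matches."""
        prev = ""
        for record, tag in self.entries:
            if not hmac.compare_digest(tag, self._tag(prev, record)):
                return False
            prev = tag
        return True


def monitoring_cycle(sla, measurements, key: bytes):
    """One measurement period: log the readings, evaluate, log each violation."""
    log = AuditLog(key)
    log.append({"event": "measurement", "values": measurements})
    violations = evaluate(sla, measurements)
    for slo, sli, value in violations:
        log.append({"event": "violation", "slo": slo, "sli": sli, "measured": value})
    return violations, log


if __name__ == "__main__":
    viols, log = monitoring_cycle(SAMPLE_SLA, SAMPLE_MEASUREMENTS, b"constructed-demo-key")
    for v in viols:
        print("violation:", v)
    print("log intact:", log.verify())
    log.entries[0][0]["values"]["response_time_s"] = 3.0   # simulate a tampered record
    print("log intact after tampering:", log.verify())
```

The comparator-per-SLI design lets availability-style ("at least") and latency-style ("at most") indicators live in one SLA, and an unreported indicator is treated as a violation rather than silently passing. The chained HMAC only proves integrity to a party holding the key; for a third-party audit the key would have to be held or escrowed by the auditor, which is exactly the trust question the surveyed works on auditing address.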

Systematic mapping

We used the systematic mapping method to perform the literature review. It is a form of bibliographic review that produces an overview of a research topic. In this type of review, it is possible to classify the selected studies and to identify evidence for future work. The review is conducted according to a protocol that can be replicated and updated.

We executed the systematic mapping in accordance with a process detailed in Fig. 1. This process contains three steps: Planning,

Open challenges

The systematic mapping described in the previous section highlights some initiatives inherent to the use of security SLAs for cloud computing and exposes the relevance of this topic. The selected papers do not treat all parts of the life cycle in SLA management and focus mainly on negotiation or operationalization aspects. Few works address both phases, and the relationship between these aspects is not always suitable, as in the approach proposed by Rak et al. [29]. In

Conclusions and future work

Security is one of users’ main concerns when using cloud computing services. This paper described a systematic mapping of the literature on research that uses SLAs to mitigate this concern. Firstly, an overview of the existing works was presented, with a classification of the selected studies. This mapping revealed that the generic studies do not demonstrate the viability of their solutions, and that the concrete solutions focus on a specific security aspect and on a single phase of the SLA

Acknowledgment

This work is partially supported by the STIC-AmSud project SLA4Cloud. Carlos André Batista de Carvalho was also supported by CAPES/FAPEPI Doctoral Scholarship, and Rossana Maria de Castro Andrade has a researcher scholarship (DT Level 2), sponsored by CNPq (Brazil).

Carlos André Batista de Carvalho is Professor at the Computer Science Department of Federal University of Piauí. He is currently Ph.D. candidate at the Federal University of Ceará. He has B.Sc. in Computer Science from the Federal University of Piauí and M.Sc. in Systems and Computer from the Military Institute of Engineering.

References (30)

  • C. Rong et al., Beyond lightning: a survey on security challenges in cloud computing, Comput Electr Eng (2013)
  • V. Casola et al., On the adoption of security SLAs in the cloud, Accountability and security in the cloud (2015)
  • J. Luna et al., Leveraging the potential of cloud security service-level agreements through standards, IEEE Cloud Comput Mag (2015)
  • S. Bose et al., SLA management in cloud computing: a service provider’s perspective, Cloud computing: principles and paradigms (2011)
  • F. Faniyi et al., A systematic review of service level management in the cloud, ACM Comput Surv (2015)
  • K. Bernsmed et al., Security SLAs for federated cloud services, Proceedings of the 6th international conference on availability, reliability and security, ARES’11 (2011)
  • K.-W. Park et al., Themis: a mutually verifiable billing system for the cloud computing environment, IEEE Trans Serv Comput (2013)
  • S.A. de Chaves et al., SLA perspective in security management for cloud computing, Proceedings of the 6th international conference on networking and services, ICNS’10 (2010)
  • A. Albeshri et al., GeoProof: proofs of geographic location for cloud computing environment, Proceedings of the 32nd IEEE international conference on distributed computing systems workshops, ICDCSW’12 (2012)
  • A. Guesmi et al., Access control and security properties requirements specification for clouds’ SecLAs, Proceedings of the 2013 IEEE 5th international conference on cloud computing technology and science, CloudCom’13 (2013)
  • P.H. Meland et al., Expressing cloud security requirements for SLAs in deontic contract languages for cloud brokers, Int J Cloud Comput (2014)
  • Top Threats Working Group, The notorious nine: cloud computing top threats in 2013, Tech. Rep. (2013)
  • M. Vanitha et al., Secured data destruction in cloud based multi-tenant database architecture, International conference on computer communication and informatics (2014)
  • P. Manuel, A trust model of cloud computing based on quality of service, Ann Oper Res (2013)
  • M. Hussain et al., Effective third party auditing in cloud computing, Proceedings of the 2014 IEEE 28th international conference on advanced information networking and applications workshops, WAINA’14 (2014)

Rossana Maria de Castro Andrade is the founder of the Group of Computer Networks, Software Engineering, and Systems of the Federal University of Ceará. She has a Ph.D. from the University of Ottawa, an M.Sc. from the Federal University of Paraíba, and a B.Sc. from the State University of Ceará. She has experience in research, development, and innovation in the areas of Computer Science and Telecommunications.

Miguel Franklin de Castro has a B.Sc. and an M.Sc. in Computer Science from the Federal University of Ceará and a Ph.D. in Computer Science from the Télécom SudParis Institute. He was a postdoctoral researcher on the IST European Project. He is Associate Professor in the Computer Science Department of the Federal University of Ceará, working in research and education at the B.Sc., M.Sc. and Ph.D. levels.

Emanuel Ferreira Coutinho is professor at the Virtual University Institute (UFC-VIRTUAL), Federal University of Ceará (UFC), Fortaleza, Brazil. He obtained his Ph.D. degree in Computer Science from the Federal University of Ceará (2014), working with Cloud Computing, defining metrics and methodologies for performance analysis of elasticity. His research interests are Cloud Computing, Performance Analysis, Information Systems and Software Engineering.

Nazim Agoulmine is a full professor at the University of Evry Val d’Essonne (2000). He received his M.Sc. (88) and Ph.D. (92) degrees in computer science from the University of Paris XI. His research interests are cloud computing, future Internet, resource management and their applications. He is the author and co-author of 100+ papers and five scientific books.

Reviews processed and recommended for publication to the Editor-in-Chief by Area Editor Dr. G. Martinez.