Security Service Level Agreements in the Cloud: The SPECS Framework
Prof. Massimiliano Rak - CeRICTSPECS Project
Secure Provisioning of Cloud Services based on SLA Management
Outline
• Introduction
  • Project
  • Challenges
  • Security SLAs
  • Mission
• SPECS
  • Models
  • Process
  • Framework
• Results
  • Security SLA
  • Security Metric Catalogue
  • Framework
  • Solution Portfolio
• Demo
FP7-ICT-10-610795
Project Start: 1/11/2013
Project Type: STREP
Duration: 30M
Total Funding: 3.5 M
EU Contribution: 2.4 M
SPECS Project
CeRICT, Italy (coordinator)
TUD, Germany
IeAT, Romania
CSA, United Kingdom
XLAB, Slovenia
EISI, Ireland
Cloud Security Challenges
• CSP Security Assessment: I made a risk assessment; does my CSP offer all the controls I need to meet my security requirements?
• Comparison of security offered by CSPs: many CSPs offer the same functionalities at different costs; how does the security change from one to another?
• Monitoring CSP Security: my CSP assured me it is applying a lot of security controls; how can I verify that this is true? If a security breach happens, how can I be aware of it?
• Data Protection: do I respect all data protection regulations? Is my privacy respected?
Security Service Level Agreements
Security SLAs are contracts between a CSP and its CSCs regulating the security level guaranteed over the provisioned services.
• Open Challenges:
  • identification and representation of security attributes
  • quantification of the security level
  • continuous monitoring of the fulfillment of the SLAs
  • automated enforcement
SPECS Mission
SPECS aims at using Security SLAs to:
• negotiate Security between CSCs and CSPs, enabling Customers to compare CSPs and CSPs to offer security addressing customer-specific needs;
• automatically enforce Security on services delivered to CSCs according to their requirements;
• enable both CSCs and CSPs to monitor security levels and react when security is violated.
SLA-based Cloud Services
• Negotiate: agree on Security Controls and Metrics
• Implement: activate Security Mechanisms
• Monitor: collect Security Metric measurements
• Remediate: identify Violations and apply remedies
• Renegotiate: change SLA terms
SPECS Model
[Diagram, labels only: actors Customer, SPECS Owner, Developer, CSP; relations Develop, Use, Manage, Broker & Configure; Cloud Service]
Results: Security SLA Model
• A Security SLA model and its machine-readable format, defined according to state-of-the-art standards (ISO 19086, WS-Agreement, …)
• Security SLAs usable within standard risk modeling processes
• Security SLAs containing standard, measurable security metrics used to express guarantees (easy for Providers to offer and verifiable by Customers)
Security SLA Model
[Diagram: the Security SLA Model has a Declarative part and a Measurable part]
SPECS Framework
[Diagram, labels only: SLA Platform (Negotiation, Monitoring, Enforcement); SPECS Application; Enabling Platform; actors Customer, Developer, SPECS Owner]
Results: SPECS Framework
SPECS SLA Management Process
[Diagram, labels only]
• Phases: Negotiation, Planning, Implementation, Monitoring, Remediation (Diagnosis, Remediation Planning, Remediation Implementation)
• Artefacts: SLA Template, SLA Offer, Plan, Implemented Plan, Mechanisms, Current Events, Historical Events, Remediation Plan
• Components: Service Manager, SLO Manager, Monitoring Systems, Event Archiver, Monipoli Notifications
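As an added illustration of the Negotiate / Monitor / Remediate loop of the SLA lifecycle slide and of the management process above (example code written for this page, not SPECS code), the following models a customer Security SLA as a set of measurable SLOs, selects the CSP offers that satisfy it, diagnoses violations from monitoring events, and derives a remediation plan. Metric names, thresholds, offers, events and remedies are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SLO:
    """One Service Level Objective: a measurable metric, an operator and a threshold."""
    metric: str
    op: str            # "ge": value must be >= threshold; "le": value must be <= threshold
    threshold: float
    remedy: str        # remediation action to plan when the SLO is violated

    def holds(self, value):
        return value >= self.threshold if self.op == "ge" else value <= self.threshold


# Constructed customer Security SLA (controls, metrics and thresholds are assumptions).
CUSTOMER_SLA = {
    "tls": SLO("tls_min_version", "ge", 1.2, "reconfigure web server for TLS >= 1.2"),
    "dos": SLO("blocked_flood_ratio", "ge", 0.95, "tighten rate limiting"),
    "vuln": SLO("hours_since_last_scan", "le", 24, "run vulnerability scan"),
}


def negotiate(sla, offers):
    """Negotiation: CSPs whose offered metric values satisfy every customer SLO."""
    return [csp for csp, offered in offers.items()
            if all(s.metric in offered and s.holds(offered[s.metric]) for s in sla.values())]


def diagnose(sla, measurements):
    """Monitoring/diagnosis: map each violated control to its measured value.
    A metric that was never measured counts as a violation: the guarantee is unverifiable."""
    return {c: measurements.get(s.metric) for c, s in sla.items()
            if s.metric not in measurements or not s.holds(measurements[s.metric])}


def remediation_plan(sla, violations):
    """Remediation planning: one remedy per violated control."""
    return [sla[c].remedy for c in violations]


if __name__ == "__main__":
    # Constructed CSP offers (what each provider is willing to guarantee).
    offers = {"csp_a": {"tls_min_version": 1.3, "blocked_flood_ratio": 0.99, "hours_since_last_scan": 12},
              "csp_b": {"tls_min_version": 1.0, "blocked_flood_ratio": 0.99, "hours_since_last_scan": 12}}
    print(negotiate(CUSTOMER_SLA, offers))
    # Constructed monitoring events: the scan metric is missing, the DoS metric is below threshold.
    events = {"tls_min_version": 1.2, "blocked_flood_ratio": 0.80}
    v = diagnose(CUSTOMER_SLA, events)
    print(v, remediation_plan(CUSTOMER_SLA, v))
```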
Results: Security Metric Catalogue
• A Catalogue of security metrics represented according to the latest NIST/ISO standards
• More than 20 security metrics defined in SPECS
• More than 160 security metrics collected from other projects and standard bodies and represented according to the SPECS model
23/02/16 1st Workshop DPSP - Napoli 14
Results: SPECS Portfolio
• Secure Web Container: a PaaS offering Web servers preconfigured with TLS, protected against DoS and enriched with Software Vulnerability Assessment
• STAR Watch: evaluate and compare CSPs using the CSA STAR Repository
• E2EE: a Storage Service protected with End-to-End Encryption
• ViPR+SPECS: a CSP datacenter offering Security SLAs on top of the EMC ViPR solution
SPECS impact goals
• Support Private and Public Cloud Providers in enhancing the security of their services under a signed Security SLA
• Support small Private Cloud Providers (the majority in Europe) in offering more security that is negotiable with customers (more flexibility than big CSPs)
• Improve customers' trust in the Cloud
Questions?
References: SPECS: www.specs-project.eu
Security SLA in WS-Agreement
• What the SLA declares
• What the SLA measures
• What the SLA protects
• How declaration and measurement are associated