Transcript of NIST Cloud Computing Forum and Workshop VIII: Leveraging the potential of Cloud security SLAs (Dr. Jesus Luna Garcia, Cloud Security Alliance (Europe))

Page 1:

NIST Cloud Computing Forum and Workshop VIII

Leveraging the potential of Cloud security SLAs

Dr. Jesus Luna Garcia

Cloud Security Alliance (Europe)

Page 2:

NIST Cloud Computing Forum and Workshop VIII, July 2015

Agenda

• Cloud Security SLAs (secSLAs)
• Good-enough security through secSLAs
• SecSLA automation
• Summary

Page 3:

How do you choose a Cloud Service Provider (CSP)?

• Performance
• Price
• Reputation

What about security (and privacy)?

Service-related:

Page 4:

Cloud Service Level Agreements

• A cloud SLA is a documented agreement between the cloud service provider (CSP) and cloud service customer that identifies services and associated quality levels (i.e., cloud service level objectives or SLOs).

• Security specification in cloud SLAs (secSLAs) aims to provide useful/measurable (security) information to Customers.

• Despite their advocated advantages, most cloud SLAs/secSLAs are offered on a “take it or leave it” basis.

• How can Cloud customers benefit from Cloud secSLAs?

Page 5:

Good-enough Cloud security through secSLAs

“[…] everything should be made as secure as necessary, but not securer.” (Sandhu, 2003)

• Realizing adequate levels of IT security is typically related to risk management activities.

• Preliminary research based on Cloud-Adapted Risk Management Framework (CRMF, draft NIST SP 800-173).

Page 6:

Cloud secSLA process (figure):

1 – Impact analysis
2 – Elicit security requirements
3 – Select Cloud architecture
4 – Assess available CSPs
5 – Select CSP and negotiate secSLA
6 – Monitor CSP and own controls

Figure annotations: Baseline & tailored SLOs; CSP-specific and own SLOs; SecSLA agreed; Cloud secSLA.

Page 7:

Risk Assessment

Step 1 – Impact analysis.

Step 2 – Risk assessment.

Page 8:

Risk Treatment

Step 3 – Select the Cloud architecture.

Step 4 – Assess CSP options. Negotiate additional security controls with the CSP. Identify the security controls under the consumer’s responsibility.

Page 9:

Risk Control

Step 5 – Select the CSP. Draft an SLA.

Step 6 – Monitor the CSP (secSLA) and the customer-side controls.

Page 10:

Interested on this topic?

“Leveraging the Potential of Cloud Security Service Level Agreements through Standards”

Jesus Luna, Neeraj Suri, Michaela Iorga, Anil Karmel

IEEE Cloud Computing, 2015

Page 11:

Automating good-enough Cloud secSLAs (putting all the secSLA pieces together)

Page 12:

European Project SPECS

CeRICT, Italy (coordinator)

TUD, Germany

IeAT, Romania

CSA, United Kingdom

XLAB, Slovenia

EISI, Ireland

FP7-ICT-10-610795

Project Start: 1/11/2013
Project Type: STREP
Duration: 30 Months

Page 13:

SPECS SecaaS based on secSLAs

Provisions security services to Customers

Manages the secSLA life cycle (negotiation, monitoring and enforcement)

Ongoing integration into products like EMC’s ViPR.

Page 14:

Leveraging and contributing to standards

Page 15:

Machine-readable (XML) secSLA specification
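The six-step process on pages 6 to 9 and the machine-readable secSLA of this slide can be exercised end to end with the Python script below. It is an illustration added to this transcript, not code from the SPECS project or the CSA. The XML layout, the metric identifiers, the SLO levels and the monitoring sample are all constructed for the example; the real SPECS and ISO/IEC 19086 formats differ. The script parses a customer's tailored SLOs and two CSP offers, classifies each requirement as met, a gap or missing (step 4, where the customer decides what to negotiate or to cover with its own controls), shortlists the providers that meet everything outright, and then checks a set of measurements against the agreed secSLA (step 6), reporting SLOs that no measurement covers as well as outright violations.

```python
"""Constructed example: a toy machine-readable secSLA and the two checks a
customer runs on it, assessing CSP offers against tailored SLOs and
monitoring measurements against the agreed secSLA.  The XML layout and
metric names are hypothetical, not the SPECS or ISO/IEC 19086 schema."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Constructed documents (hypothetical metric ids and levels).
CUSTOMER_REQUIREMENTS = """<secSLA party="customer">
  <slo id="crypto.tls_min_version" op="ge" value="1.2"/>
  <slo id="incident.notification_hours" op="le" value="48"/>
  <slo id="backup.frequency_hours" op="le" value="24"/>
  <slo id="auth.mfa_for_admins" op="eq" value="true"/>
</secSLA>"""
CSP_A_SECSLA = """<secSLA provider="csp-a">
  <slo id="crypto.tls_min_version" op="ge" value="1.2"/>
  <slo id="incident.notification_hours" op="le" value="24"/>
  <slo id="backup.frequency_hours" op="le" value="24"/>
  <slo id="auth.mfa_for_admins" op="eq" value="true"/>
</secSLA>"""
CSP_B_SECSLA = """<secSLA provider="csp-b">
  <slo id="crypto.tls_min_version" op="ge" value="1.0"/>
  <slo id="incident.notification_hours" op="le" value="72"/>
  <slo id="backup.frequency_hours" op="le" value="24"/>
</secSLA>"""
# Constructed monitoring sample for csp-a; nothing measures the MFA SLO.
MEASUREMENTS_CSP_A = {
    "crypto.tls_min_version": "1.3",
    "incident.notification_hours": 30,
    "backup.frequency_hours": 24,
}


def _typed(raw):
    """Numbers compare numerically, everything else as a lower-cased string."""
    if isinstance(raw, bool):
        return str(raw).lower()
    try:
        return float(raw)
    except (TypeError, ValueError):
        return str(raw).strip().lower()


@dataclass(frozen=True)
class SLO:
    metric: str  # metric identifier
    op: str      # "ge", "le" or "eq": how a measured value must relate to value
    value: str   # committed (CSP) or required (customer) level, as written

    def holds_for(self, measured) -> bool:
        want, got = _typed(self.value), _typed(measured)
        if type(want) is not type(got):  # e.g. text where a number is expected
            return False
        if self.op == "ge":
            return got >= want
        if self.op == "le":
            return got <= want
        if self.op == "eq":
            return got == want
        raise ValueError(f"unknown operator {self.op!r} for {self.metric}")


def parse_secsla(xml_text: str) -> Dict[str, SLO]:
    """Read <slo id= op= value=/> entries; two commitments for one metric
    would make the agreement ambiguous, so duplicates are rejected."""
    slos: Dict[str, SLO] = {}
    for el in ET.fromstring(xml_text).findall("slo"):
        slo = SLO(el.get("id"), el.get("op"), el.get("value"))
        if slo.metric in slos:
            raise ValueError(f"duplicate SLO for {slo.metric}")
        slos[slo.metric] = slo
    return slos


def assess_offer(requirements: Dict[str, SLO], offer: Dict[str, SLO]) -> Dict[str, str]:
    """Step 4: each required SLO is 'met' by the offer, a 'gap' (offered level
    too weak, or stated with another operator) or 'missing' (to negotiate,
    or to cover with an own control)."""
    result = {}
    for metric, req in requirements.items():
        offered = offer.get(metric)
        if offered is None:
            result[metric] = "missing"
        elif offered.op == req.op and req.holds_for(offered.value):
            result[metric] = "met"
        else:
            result[metric] = "gap"
    return result


def shortlist(requirements: Dict[str, SLO], offers: Dict[str, Dict[str, SLO]]) -> List[str]:
    """CSPs whose offer meets every required SLO without negotiation."""
    return [name for name, offer in offers.items()
            if all(v == "met" for v in assess_offer(requirements, offer).values())]


def monitor(agreed: Dict[str, SLO], measurements: Dict[str, object]) -> List[str]:
    """Step 6: check measurements against the agreed secSLA.  An SLO that no
    measurement covers is reported as well, because it cannot be enforced."""
    findings = []
    for metric, slo in agreed.items():
        if metric not in measurements:
            findings.append(f"unmeasured: {metric}")
        elif not slo.holds_for(measurements[metric]):
            findings.append(f"violated: {metric} measured {measurements[metric]}, "
                            f"agreed {slo.op} {slo.value}")
    return findings


if __name__ == "__main__":
    reqs = parse_secsla(CUSTOMER_REQUIREMENTS)
    offers = {"csp-a": parse_secsla(CSP_A_SECSLA), "csp-b": parse_secsla(CSP_B_SECSLA)}
    for name, offer in offers.items():
        print(name, assess_offer(reqs, offer))
    print("shortlist:", shortlist(reqs, offers))
    print("monitoring csp-a:", monitor(offers["csp-a"], MEASUREMENTS_CSP_A))
```

Two design points carry over to real secSLAs. An offer is compared with the requirement's own operator, so a provider that restates a metric in a different form is flagged as a gap for a human to read rather than silently accepted; and the monitor treats an SLO with no measurement as a finding, since a commitment nobody measures is the part of the "take it or leave it" SLA the customer cannot hold the CSP to.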

Page 16:

It’s showtime!

SPECS Demo

Page 17:

Summary: Are we there yet?

• Standards (vocabularies, metrics, …) and best practices (making Cloud SLAs usable for SMEs).
• ISO/IEC 19086 Parts 1-4
• Cloud secSLAs in supply chains/multi-cloud systems.
• Certifications or SLAs or both?

Page 18:

Questions?

• Give us your opinion about secSLAs: https://www.surveymonkey.com/r/SPECS_SLA
• Help us secure Cloud computing:
  – http://www.cloudsecurityalliance.org
  – [email protected]
  – SPECS: http://www.specs-project.eu/


Page 20:

(Some) Cloud barriers

• The lack of transparency of some CSPs or brokers
• Lack of clarity in contracts
• Cloud security not easy to understand for SMEs