INCORPORATING SECURITY IN SERVICE LEVEL AGREEMENTS
Asghar, Syed Usman (2020)
Avaa tiedosto
Åbo Akademi
2020
Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.
Julkaisun pysyvä osoite on
http://urn.fi/URN:NBN:fi-fe2020102888612
http://urn.fi/URN:NBN:fi-fe2020102888612
Tiivistelmä
Given that the information and the physical worlds are merging, threats to integrity,
confidentiality, and availability of information on cyber-physical systems, cloud computing,
and other information technology (IT) services create new challenges. The quantitative
estimation of security measurements is an extensively troublesome issue, and the dynamic
nature of security is a hindrance to the automation of risk assessment. Information technology
services are being used increasingly across organizational boundaries. These services are based
on particular infrastructures, i.e., servers, networking systems, and databases, as well as on
operating systems and application software. A Service Level Agreement (SLA) is a formal
binding agreement between a services provider and a customer of the service in the context of
a particular service provision. It represents the functional and non-functional features and
properties the customer anticipates from the service. An SLA also cites the disciplinary
measures and penalties that can be applied in the case of a violation.
Present-day SLAs encompass general Quality of Services (QoS) requirements such as
performance, availability, reliability, cost, and report handling. Currently, security
requirements are not enforced through SLAs since they are considered more difficult to
measure and quantify compared to other QoS requirements. The absence of affirmation and
clarity for security requirements in SLAs, with the current lack of procedures to evaluate
security, frequently results in customers not being able to evaluate a security level of services.
Recently, security metrics are being added as an SLA parameter, but still, multiple technical
and usability issues make its adaptation difficult.
An SLA can be expressed in specialized languages designed for facilitating SLA arrangement,
automating SLA negotiation, and adjusting services consequently_ as indicated by SLA terms.
The primary aim of the thesis is to devise a process that incorporates security metrics in an
SLA, assesses and monitors the SLA at run-time, and refines and updates the SLA in case of
violation. SLAC (Service-Level-Agreement for Clouds) is a language for SLAs, and this work
presents the extension of SLAC language syntax to address the security issues in the form of
security metrics. Moreover, two strategies for arguing over a security level of service are
presented. Finally, we argue over a security confidence level of service depending on the
quantification of the metrics to understand the violations during the service lifecycle.
confidentiality, and availability of information on cyber-physical systems, cloud computing,
and other information technology (IT) services create new challenges. The quantitative
estimation of security measurements is an extensively troublesome issue, and the dynamic
nature of security is a hindrance to the automation of risk assessment. Information technology
services are being used increasingly across organizational boundaries. These services are based
on particular infrastructures, i.e., servers, networking systems, and databases, as well as on
operating systems and application software. A Service Level Agreement (SLA) is a formal
binding agreement between a services provider and a customer of the service in the context of
a particular service provision. It represents the functional and non-functional features and
properties the customer anticipates from the service. An SLA also cites the disciplinary
measures and penalties that can be applied in the case of a violation.
Present-day SLAs encompass general Quality of Services (QoS) requirements such as
performance, availability, reliability, cost, and report handling. Currently, security
requirements are not enforced through SLAs since they are considered more difficult to
measure and quantify compared to other QoS requirements. The absence of affirmation and
clarity for security requirements in SLAs, with the current lack of procedures to evaluate
security, frequently results in customers not being able to evaluate a security level of services.
Recently, security metrics are being added as an SLA parameter, but still, multiple technical
and usability issues make its adaptation difficult.
An SLA can be expressed in specialized languages designed for facilitating SLA arrangement,
automating SLA negotiation, and adjusting services consequently_ as indicated by SLA terms.
The primary aim of the thesis is to devise a process that incorporates security metrics in an
SLA, assesses and monitors the SLA at run-time, and refines and updates the SLA in case of
violation. SLAC (Service-Level-Agreement for Clouds) is a language for SLAs, and this work
presents the extension of SLAC language syntax to address the security issues in the form of
security metrics. Moreover, two strategies for arguing over a security level of service are
presented. Finally, we argue over a security confidence level of service depending on the
quantification of the metrics to understand the violations during the service lifecycle.