towardsa fullyprovisioningof security‐as‐a‐ servicesecurity service level agreement towardsa...
TRANSCRIPT
![Page 1: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/1.jpg)
Security Service Level Agreement
Towards a fully provisioning of Security‐as‐a‐Service
Trust in the Digital World, 15‐16 June 2016
Prof. Valentina CasolaUniversità di Napoli Federico II
Italy
![Page 2: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/2.jpg)
Outline
• Cloud Security Services Challenges:• Provide Security‐as‐a‐Service • Security Service Level Agreements• Security SLA for an agile development
• Scientific Projects:– SPECS– MUSA
TDW, 15 June 2016 2
![Page 3: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/3.jpg)
Key challenges• Security-as-a-Service
– Dynamicaly add/provide security capabilities even when services are offered by external CSP
• Security Services and SLAs– Security services delivered under the control of SLAs
• Negotiating Security SLAs in Cloud?– Enable users to negotiate per-user and per-service
security SLAs in the Cloud– Enable providers to measure and guarantee SLOs
• Monitoring Security SLAs in Cloud?– Monitoring SLAs even when associated to services offered
by external CSPs
TDW, 15 June 2016 3
![Page 4: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/4.jpg)
Service Level Agreement (SLA)
• “Contract” which describes the Service, the associated quality levels and specifies the responsibilities (typically ‘soft’ formal obligations!) of both the Provider and the Customer.
TDW, 15 June 2016 4
SLA’s?
Security? From SLA to Security SLA?
![Page 5: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/5.jpg)
The SPECS Security SLA model
TDW, 15 June 2016 5
Negotiation is based on a Security SLA Template declaring all available • Resources, providers• Security capabilities
(and related security controls)
• Security metrics
Requested guarantees are specified in form of (measurable) SLOs
![Page 6: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/6.jpg)
Security SLA life cycle
Negotiate• Agree on Security Controls and Metrics
Implement• Activate Security Mechanism
Monitor• Collect Security Metrics measurement
Remediate• Identify Violations and apply remedies
Renegotiate• Change SLA terms
TDW, 15 June 2016 6
![Page 7: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/7.jpg)
Main concepts behind SLA negotiation
• Security SLA are modelled to cope with the semantic gap between not-expert customers and the needed standard technical controls that must be implemented to offer specific security capabilities
• The SLA model is compliant with available and on-going standards
Research challenges:• The negotiation process must identify feasible offers to the customer• The feasibility is evaluated according to security and CSP
constraints • The offers are evaluated according to the security level they provide
TDW, 15 June 2016 7
![Page 8: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/8.jpg)
Main concepts behind SLA enforcement/remediation
• Dynamically add security to services even when servicesare provided by external CSP
– Acquire and configure resources: SLA-based acquisition of resources and enforcement of security mechanisms
• Research challenges:– A quantitative approach to modular security to
improve security of services/resources offered by External CSPs
– Resource provision in a multi-cloud environment– Transparent adaptation of security services
TDW, 15 June 2016 8
![Page 9: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/9.jpg)
Main concepts behind SLAmonitoring
• Monitoring SLAs of services offered by external CSPs– Drive monitoring using SLAs– Notify possible SLA violations– Avoid violations with proactive reactions
• Research challenges:– Adapt monitoring to SLAs– Continuously monitor security of services offered by
external CSPs– Measure the security (relationship with security SLO
metrics) and incident management
TDW, 15 June 2016 9
![Page 10: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/10.jpg)
SPECS: Secure provisioning of SLA-basedsecure services (FP7, 2014-2016)
TDW, 15 June 2016 10
SPECS framework www.specs-project.eu
- SPECS framework provides APIs and tools to developSPECS Application to let a target service be covereda SLA
- SPECS Applications available: CSP comparison, Secure WebPool, E2E encryption, ….https://bitbucket.org/specs‐team/
![Page 11: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/11.jpg)
MUSA: multi‐cloud security applications (H2020, 2015‐2017)
www.musa-project.eu
A security framework thatincludes: • a) security-by-design
mechanisms to allowapplication self-protection at runtime,
• b) methods and toolsfor the integratedsecurity assurance in both the engineeringand operation of multi-cloud applications
TDW, 15 June 2016 11
![Page 12: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/12.jpg)
ConclusionsSecurity SLA for an agile development?
• With Security SLA, we can effectively offersecurity as a service
• Available security services, accessible and measurable, enable the development of new secureapplications with a more agile approach
• Standardization activities: ISO/IEC 19086 (part 2 and part 4) on Cloud SLA metrics and Cloud SLA security and privacy
TDW, 15 June 2016 12
![Page 13: Towardsa fullyprovisioningof Security‐as‐a‐ ServiceSecurity Service Level Agreement Towardsa fullyprovisioningof Security‐as‐a‐ Service Trust in the Digital World, 15‐16](https://reader035.vdocuments.us/reader035/viewer/2022070900/5f35acee66b31e1b843db2dd/html5/thumbnails/13.jpg)
References and Contacts
TDW, 15 June 2016 13
www.specs-project.euhttps://bitbucket.org/specs‐team/
NATRES and DPSP EU project clusters:https://eucloudclusters.wordpress.com/
www.musa-project.eu