a broker-based cooperative security-sla evaluation ... · research article a broker-based...

SECURITY AND COMMUNICATION NETWORKSSecurity Comm. Networks (2014)

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1086

RESEARCH ARTICLE

A broker-based cooperative security-SLA evaluationmethodology for personal cloud computingSang-Ho Na and Eui-Nam Huh*

Kyung Hee University, Seoul, Korea

ABSTRACT

An underlying cloud computing feature, outsourcing of resources, makes the service-level agreement (SLA) a critical factorfor quality of service (QoS), and many researchers have addressed the question of how an SLA can be evaluated. Lately,security SLAs have also received much attention to guarantee security in a user perspective and provide optimal andefficient security service in the security paradigm shifting by cloud computing, such as security as a service. The quantitativemeasurement of security metrics is a considerably difficult problem and might be considered one of the multi-dimensionalaspects of security threats. To address these issues, we provide a novel cooperative security-SLA evaluation model for thepersonal cloud service environment including a multi-dimensional approach to analyze security threats depending on servicestype as well as a cooperative model to reach a general consensus of priorities, that is, indicators depending on services typeand security metrics based on cloud brokers. Copyright © 2014 John Wiley & Sons, Ltd.

KEYWORDS

security SLA; SLA evaluation; personal cloud service; cooperative model

*Correspondence

Eui-Nam Huh, Kyung Hee University, Seoul, Korea.E-mail: [email protected]

1. INTRODUCTION

Explosive growth in information systems is shifting to thecloud computing paradigm, and cloud computing has fivetypical features: multi-tenancy, scalability, elasticity, payas you go, and self-provisioning of resources. Theseattributes allow customers to manage their computingcapability as needed. In the 1980s, personal computers(PCs) were “hooked up” [1] to a set of devices in orderto input and output information, while after the paradigmshift, personal devices, that is, mobile devices, are “hookedup” [1] via a personal cloud that is registered with and haspermission to use a network, for example, the Internet.Cloud services delivered over the Internet, such as Web-based applications, meet users’ “4S” needs: storing andsynchronizing personal data, and sharing and streamingstored personal data via a personal cloud. The personalcloud, or the Personal Cloud, is a hybrid cloud in whichthe public cloud and private cloud are combined in auser-centric cloud computing model to facilitate access topersonal data and manage personal data. The personalcloud is categorized according to service types: onlinestorage, online desktop, and Web-based application.

For the outsourcing of virtual resources, the guaranteeof availability and the capability of resources become a

Copyright © 2014 John Wiley & Sons, Ltd.

more important consideration, and accordingly, the com-ponents of service-level agreement (SLA) have becomecritical factors. An SLA is a contract negotiated betweena service provider and a user that establishes service levels,which are enforced by penalties and compensation if theconditions are violated by the cloud service provider [2].In cloud computing environments, the pay-as-you-go modelhas been adopted because the outsourcing of resourcesrequires reasonable SLAs regarding availability, security,and so forth. In particular, cloud-based access to data andservices brings with it some threats regarding privacy anddata security. Therefore, it requires more attention to theSLA components of security (denoted as a security SLA).

However, quantitative SLA analysis is difficult becausesecurity threats vary and include many different, multi-dimensional aspects. In order to evaluate security SLAs,technical approaches and administrative procedures ofcloud service providers make it harder to define, analyze,and evaluate SLAs for security services.

Furthermore, the requirement for accurate measurementof security has a trade-off with quality of service (QoS)components in terms of the performance. Moreover, securityneeds differ slightly depending on the service type. Forexample, data encryption services for Web applicationsrequire more access controls than those for storage services.

A cooperative security-SLA evaluation methodology S.-H. Na and E.-N. Huh

Therefore, in addition to the security threats, the securitycontrol for each service type is an important aspect ofsecurity SLAs.

The Cloud Security Alliance (CSA) has publisheddocuments regarding the top threats and security guidancein cloud computing [3]. Among the various articles, “TheNotorious Nine”, the latest article issued in Feb 2013,provides a ranking of the top threats, along with implica-tions and suggested security controls based on a surveyof industry experts. This threat ranking deserves consider-ation as it suggests the relative priorities of threats.

Quantitative approaches for the evaluation of securitySLAs are necessary for the provision of secure cloud services.This paper, therefore, suggests a novel quantitative model thatcloud brokers can use to evaluate security SLAs on personalcloud services. This study includes security-SLA evaluationmodel based on a multi-dimensional approach to analyzesecurity threats as follows:

(1) a cooperative security-SLA evaluationmodel to reachgeneral consensus on security SLA in broker-basedpersonal cloud computing environment;

(2) evaluation of the relative weight of security controlsbased on the personal cloud service type;

(3) reflect users’ requirements in accordance withnetwork environments to evaluate security SLA.

The remainder of this paper is organized as follows. InSection 2, we discuss related work. In Section 3, wepropose a cooperative security-SLA evaluation model forbroker-based personal cloud service environments withthe aforementioned features employing network model inanalytic network process (ANP) [4]. In Section 4, weverify our concept gradationally and sum up our contribu-tion. Finally, we conclude the paper including our plans forfuture work in Section 5.

2. RELATED WORKS

Wu et al. have reviewed recent research regarding SLAsand have identified sensitive issues such as the differentSLA parameters of users and service providers and thedifficulty in quantifying these parameters [5]. Owing tocontinued service suspensions in cloud computing envi-ronments, Hossain and Huh [6] provided convincinganswers to the refund model in regard to SLA violation.

Nowadays, security aspects are emerging as issues forSLAs in cloud computing. Security SLAs for cloudcomputing have been given considerable attention inrecent years, particularly regarding how to reach a unifiedagreement between users and providers [7–10]. The studiesin [9,10] illuminated the question of how cloud providerscould address the user’s security needs, such as integrityand confidentiality, from the SLA perspective and pro-vided a detailed outline of security controls. Cloud securitySLAs are negotiated between the user and cloud providers[10]. An important part of this view is in regard to the

current emergence of cloud collaboration services to theworldwide market [11,12]. Most research has introducedsecurity SLAs and provided security parameters but hasrarely focused on how to measure these security aspects.As mentioned earlier, the parameters of SLAs, especiallythose of the security aspects, are very difficult to estimateand calculate.

To negotiate a specific security SLA, the foremostconsideration is how to establish contractible securityparameters and an evaluation methodology for each secu-rity parameter. The CSA has published articles regardingtop threats and security guidance in cloud computing [3].Among the various articles, “The Notorious Nine”provides a top threats ranking, implications, and securitycontrols based on a survey of industry experts. This papershowed that security threats and parameters can be quanti-fied, suggesting which threats are most influential and thusshould take priority in security efforts. However, this rank-ing only considered the implications of specific securitybreaches and did not consider the correlations betweenthreats. To satisfy users’ security-specific SLAs, the secu-rity aspects should be addressed from the users’ point ofview. Tian et al. [13] suggested a novel threat evaluationmodel using the analytic hierarchy process (AHP) toattempt to address privacy and potential threats in radiofrequency identification, employing the AHP model toanalyze user preference regarding threats.

3. COOPERATIVE SECURITY-SLAEVALUATION MODEL

3.1. Overview of security SLA

To achieve security SLAs for users, security metrics andgoal agreed between the parties that provide cloud serviceare needed. As mentioned in related works, however, manyresearcher and security-relative institute provide securitymetrics and results in a form somewhat differing. There-fore, we might define and deal with the security metricsof services in transparent manner by involved stakeholders.The service providers then could compete based on aconsensus of security metrics. A user could be ensured trust-worthy evaluation result of security SLA. For reaching aconsensus of security metrics, we provide a broker-basedcooperative security-SLA evalaution model such as theDelphi technique in the next section (Figure 1).

The security SLA is different with risk assessment.While the risk assessment is evaluation from system ofservice provider, security SLA is an approach in the viewof a user regarding security threats. As we know, securitythreats such as common vulnerabilities and exposures(CVE) have targets, for example, network, system, anddata, to exploit for malicious purpose. In this sense, wemight consider defense-in-depth model for informationsecurity, that is, network–host–application–data, to evaluatesecurity threats including a user environment such asnetwork layer and service-specific characteristic such as

Security Comm. Networks (2014) © 2014 John Wiley & Sons, Ltd.DOI: 10.1002/sec

Figure 1. Security SLA evaluation and negotiation model.

A cooperative security-SLA evaluation methodologyS.-H. Na and E.-N. Huh

host-application layer. It means that a measure of the degreeof security threats is different according to the service typesand network environment of a user to access services. Forexample, public wireless network and private network ofenterprise, or a Web-based application delivered httpssession and a virtual desktop infrastructure (VDI) servicedelivered by secure container, have different threats, re-spectively. This idea is examined in Section 3.3, and we willsee how this subject matter is being unveiled in Section 3.4.

3.2. A cloud broker-based cooperativesecurity-SLA evaluation model

The cloud broker, as shown in Figure 2, is an entity of a cloudpartner, which includes cloud brokers, auditors, and a cloudservice developer; cloud brokers [13,14] can be people ororganizations. A broker provides suitable cloud services tocloud customers to evaluate and select cloud service providersfor user purposes, which are categorized as VDI service(denoted as a webtop), online storage, andWeb-based applica-tion (denoted as a webApp) in personal cloud services [15].Based on the earlier cloud broker definition, in the next

Figure 2. Broker-based pe


paragraphs, we will describe cloud brokers’ specific roles forsecurity SLAs in order to offer suitable personal cloud services.

In our proposal, a cooperative security-SLA evaluationmodel offers appropriate personal cloud services based oncooperative evaluation results. This model provides a for-malized expression of security controls, which is definedby a cloud broker with general consensus among cloud pro-viders and cloud brokers. Above all, the formalized expres-sion of security control can be easily understood by cloudcustomers; in particular, standardized templates are neededto prevent potential confusion. Many researchers havepointed out the confusion caused by the different definitionsof security control metrics. A standardized contract templateshould therefore be prepared under the auspices of a cloudbroker or another appropriate institution.

Workflows 1–9 in Figure 1 show how cloud brokers andcloud service providers can reach a general consensus onsecurity-SLA evaluation. For the formalized expression ofsecurity control (step 4 in Figure 1), cloud service providersinitially assess security control based on the definition ofsecurity-SLAmetrics provided by cloud brokers. As we men-tioned in Section 1, security vulnerabilities and user

rsonal cloud service.


requirements are slightly different for each type of personalcloud service. When cloud service providers considerassessing the security aspects of their service, they place agreat deal of weight upon the different security controls basedon their service purpose, performance, and other aspects. Thiswill be reflected when establishing the priorities of the secu-rity controls process (step 5 in Figure 1). Before describinghow the priority values of the security controls areestablished, we will briefly examine the security threats andcorresponding security controls and provide a security threatsanalysis of personal cloud service types in next section.

3.3. Security threats and metrics forsecurity SLA

Security threats and vulnerabilities in cloud computing arestudied by many researchers and institutes. We consideredthe nine most notorious threats [3]: data breach, data loss,account hijacking, insecure APIs, denial of service,malicious insider, abuse of cloud services, insufficientdue diligence, and shared technology issue. Among thenine threats, we selected five security concerns from theuser’s point of view. These are as follows: data breaches

Table I. Security treats and controls.

Security controls DB DL AH API MI

S Data isolation ●Data encryption ●Data location ●Data integrity ●Data backup ●

P Application isolation ● ●Virtual firewalls ● ●Application integrity ● ●

N Network encryption ● ●Traffic isolation ● ●Integrity protection ● ●

AC Identity management ● ● ● ● ●Access management ● ● ● ● ●Key management ● ● ● ● ●

AU Logging ● ● ● ● ●Auditing ● ● ● ● ●Certification ● ●Customer privacy ●

Figure 3. 2×2 thinking

(DB), data loss (DL), account hijacking (AH), insecureAPIs (API), and malicious insiders (MI). We thenattempted to match these to the corresponding securitycontrols [10,16], which have outlined a framework forsecurity mechanisms in SLAs for cloud services. Table Icategorizes the five threats into the corresponding securitycontrols: secure resource pooling (storage, processing, andnetworking), access control (AC) audit, verification, andcompliance (AU). When we consider threat evaluation, amulti-dimensional approach model is needed. This meansthat we might consider not only the technical factors basedon service-specific threats but also unpredictable threatssuch as the network environment, malicious insider.

To analyze security threats based on the technologydependence and uncertainty of threats in cloud, we employeda 2× 2 thinking matrix (Figure 3 [17]), which is used tofacilitate better thinking and decisions. Figure 3 is basedupon two considerations with aforementioned five threats.The AH, although mostly predictable and a technical issuein managed network such as private network in cloud, ithas high uncertainty of threats in untrusted network (UN)like public wireless network. This makes explicit statementsabout evaluation of security threats based on service-specificcharacteristic, that is, technical factor, is staring point andevaluation of unpredictable security threats, for example,network environments, is end for security SLA.

In this sense, we have assumed that the personal cloudinfrastructure consists of a relatively trustworthy internal net-work and an untrusted external network (i.e., the Internet), asshown in Figure 4. Security threats are different dependingon the network environment, aswe noted in Figure 4 (e.g.,ma-licious insiders do not have to be considered in the Internet en-vironment). This means that the priorities or weight values ofcorresponding security controls might be applied respectively.

Furthermore, as we mentioned, depending on the per-sonal cloud service type, there are different preferencesamong the user requirements. In the case of webtop, a usermay want a strict authentication process with certificationand a VPN solution above everything else; usually, wedo not expect data encryption using the desktop. An onlinestorage user, on the other hand, might look for secure databackup, integrity, and encryption.

In summary, security threats are closely related withQoS of services, and we might consider the security threatsto assess security SLAs based on underlying service type

matrix of threats.


Figure 4. Cloud infrastructure.


and property. With these considerations in mind, let usnow describe a security-SLA evaluation model that takesa multi-dimensional approach.

3.4. Security-SLA evaluation model

Researchers, for the most part, have tended to centeraround providing security-SLA definitions, needs, securitymetrics, and negotiation processes. As previous researchershave noted, the main issues are (i) the confusion caused bydifferent security metrics or parameters between serviceproviders and customers; (ii) how the security metric ismeasured; and (iii) the difficulty in monitoring securitymetrics. To address the confusion about security metricsor parameters, we have proposed cooperative security-SLA process based on broker in Section 3.1.1. We, here,aim to provide security-SLA evaluation methodology withsimulation including self-assessment of service providersand security requirements of users reflected security-SLAevaluation in view of a multi-dimensional approach forrecommending suitable services to users based on evalua-tion results.

3.4.1. Previous works and our purpose.We have previously outlined a simple security-SLA

evaluation model [17,18] that employs an AHP, which isa mathematics-based and psychology-based decision-making technique described by Saaty in 1970s [19]; wepointed out the correlation between threats and establishedweight values (priorities) of each threat to quantify thethreats for SLA evaluation. Our previous works attemptedto measure threats and security metrics. In this study, weextend the scope of our previous study focusing onmulti-dimensional threat evaluation approaches that con-sider the personal cloud service types and network envi-ronment. We employed AHP with the outer dependencemethod and the ANP [4]: AHP with the outer dependencemethod extended to the network model.

3.4.2. ANP model for security SLA.We provide series ANP model for security SLA as in

Figure 5. The series ANP model consists of goal, scenario,


criteria, and alternative. The meaning of each layer regardingANP model in Figure 5 are given as follows:

• Goal: Security-SLA evaluation is a scenario-basedreachable objective.

• Scenario: Service usage scenario has influence on se-curity controls (Criteria): network environments andservice types. In each scenario on network environ-ment, for example, UN and trusted network (TN),the priorities are determined by pair-comparison ma-trices on criteria, that is, security controls.

• Criteria: Corresponding security controls, S, P, N,AC, and AU as described in Section 3.3, with securitythreats, is a standard to assess the alternative, that is,service providers. We describe the aforementioneddefinition and relationship to assess personal cloudservices from the security perspective shown inFigure 9.

• Alternative: Consisting of service providers, whichare webtop, online storage, and webApp.

The notations of components in each layer are given asfollows:

• N= {Nx|x= 1,…, o}: A set of o network environment;where o= 2, UN, TN.

• ST= {STy|y= 1,…, p}: A set of p service types, wherep= 3, webApp, online storage, and webtop.

• WST, N= {WSC|SC= 1,…,m}: A set of m weights onsecurity controls of service type (ST) and network en-vironments (N).

• SC = {SCi|i= 1,…,m}: A set of m security controls(criteria).

• CS = {CSj|j= 1,…, n}: A set of n services to compare.

Figure 6 describes hierarchical model for the networkmodel earlier. The weight on service type is missed, andweight value on service types in preparation phase has beendetermined (refer to Section 4), affecting the result of paircomparison in accordance with network environment. Thedetails are shown in the scenario phase of Section 4. The finalresult provides a basis for a recommendation to users by acloud broker.

Figure 6. ANP hierarchy model.

Figure 5. Network model for security SLA.


The important concept of this model is that there aredifferent priorities (weight) based on the services andnetwork environments. For example, the webtop servicefor enterprise puts a higher priority (weight value) onaccess control in UN than in TN. Because webtop serviceuses some of container solution such as VDI to deliverthe content securely, when it comes to service, the onlinestorage service needs more secure storage control thanthe webApp in a user perspective.

4. SECURITY-SLA EVALUATION

In this section, we will see how we could evaluate securitySLA according to our model. To reach a goal, service

recommendation for a user purpose, defining securitymetrics and weight on security controls, is needed asdescribed in Section 3.2. We here use Table I shown inSection 3.3 for the security metrics. Then weight valueon security controls is affected by service type based onour assumption.

4.1. Weight evaluation usingpair comparison

To evaluate each component in Figures 5 and 6 shownin Section 3.4.2, we use pair-comparison matrixbetween elements of each component in view of objectthat is affected by the component as given in the exam-ple in Figure 7; elements of SC component (Criteria)are n = 3, and the pair comparison is enumerated for



the scenario explained in Section 3.4.2. θ in Figure 6 isone of Saaty’s discrete nine-value scales [19], whichare from 1 (equal importance) to 9 (extreme importance),and 2, 4, 6, and 8 are intermediate values.

Let the preceding pair-comparison matrix be A= (aij),the resulting matrix of the pair comparison on elementsai, aj. Those matrices have the following characteristics:

aii ¼ 1; aji ¼ 1=aij

Aω ¼ λω

where λ is eigenvalue of the matrix A and ω is dominant ei-genvector. The eigenvector is a priority in Figure 6, and theconsistency index (CI) value can be acquired by the fol-lowing equation:

CI ¼ λ� nð Þ n� 1ð Þ

where n= (number of target elements).The CI should be lower than 0.1. If that is the case, the

result of pair comparison is reliable. Let the initial vectorbe u(0) to calculate λ and ω.

u 0ð Þ ¼ 1=n 1=n…1=nð Þv kð Þ ¼ Aku k � 1ð Þ; k ¼ 1; 2; …; n

v kð Þ ¼ v1 kð Þ; v2 kð Þ; … vn kð Þð Þu kð Þ ¼ v kð Þ=t kð Þ

Against a sufficiently large value of k, v(k) and u(k) con-verged to determined values, that is, λmax and ω of A, re-spectively. ω is the weight value of the pair-comparisonresult, and each ω, a result of each component evaluation,is assigned a value in super matrix to calculate securitySLA as described subsequently.

Figure 7. Pair-com


4.2. Security-SLA evaluation using supermatrix

To attain the goal of hierarchical model in Figure 6 shownin Section 3.4.2, we use the following super matrix tocalculate security SLA.

where I is the unit matrix.WA are the provided priorities of the alternative services

on the security controls by service provider with self-assessment, and WCWA means a network environmentconsidering priorities of alternatives (services) of users.WSWCWA is the final evaluation result that means securitySLA. Let W be

W ¼ Wij

� �

Then, W has the following characteristics:

Wij ¼ Wi=Wj; Wjk ¼ Wj=Wk

Wij�Wjk≈Wi=Wk

limn→∞

W� ¼ W∞

parison matrix.


Therefore, we can express W* on our hierarchy modelas follows:

The final result, WSWCWA of W*, means which serviceproviders are better for users from the security perspective.Each value in W are calculated using pair comparison bystage, as follows.

• Preparation phase: establishing weight values on ser-vice types (WST : indicator)

Each cloud service, that is, webApp, online storage, andwebtop, has different server configurations, service deliver-ies, and user purposes. Regarding those service-specific fea-tures, measuring security threats and corresponding securitycontrols are different. Each service provider, therefore, doesa pair comparison on security controls in view of their

Figure 8. Pair-comparison matr

service. Each matrix in Figure 8(a–c) is a comparison resultof security control (criteria) on personal cloud service types.

This comparison is based on the outer dependencemodel, in which the alternatives depend on certain criteria,and each priority of the alternatives can be a dominanteigenvector for relative assessment of the alternative. Theweight values are useful to discriminate the relative impor-tance of security controls according to the service type.

• WWT= {0.058S, 0.214P, 0.417N, 0.203AC, 0.108AU}• WOS= {0.442S, 0.234P, 0.124N, 0.133AC, 0.069AU}• WWA= {0.174S, 0.058P, 0.103N, 0.460AC, 0.206AU}

where WT is webtop, OS is online storage, and WA iswebApp.

The results of the preceding three pair-comparisonmatrices are derived from Figure 8. These results, inFigure 9, indicate that the priorities of security control, thatis, the security metrics for security SLAs, should beconsidered the feature and purpose of the service type;and the relative importance of each security metric cannotbe applied to services uniformly.

Each resulting set of priorities for service providers ofthe same service type is stored in the database (shown inFigure 1), and the geometric average of the priorities canthen be used as an indicator (as shown in Figure 10) ofthe group [19], which provide the same types of cloudservices to determine the relative importance of eachsecurity metric depending on the service type. Let Wi

S andWI

S be priorities (dominant eigenvectors) of service i in aservice group of the S type and an indicator in a servicegroup of the S type, respectively.

ix for each type of service.


Figure 9. Priority comparison between the service types.

Figure 10. Comparison with service indicator.


WIS ¼

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiW1

S; 1*W2S;1…Wn

S;1n

q…

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiW1

S;n*W2S;n…Wn

S;nn

qÞ

�

where n is the number of services.Figure 10 shows the priorities of specific service group

and indicators of that service group. According to the com-parison graph, we can choose the S3 to meet secure storageneeds with average safety at the marketplace level.

• “Scenario” phase: criteria evaluation

The scenario, that is, UN and TN could affectweight value on security controls (criteria) from theperspective of a user. A user in public wireless networkhas much threats than a user in private network. Thishypothesis is perfectly obvious. To gain effect ofscenario, we could execute pair comparison, such asin Figure 7, between security controls. If there is sometemplate, such as in Figure 1, to gain user requirementson security controls, then we could do a pair com-parison based on the requirements. This paper is


concerned with the influence on final result of securitySLA. We provide two examples about online storageservice, as follows:

• WOS, UN={0.081S, 0.047P, 0.413N, 0.358AC, 0.101AU}• WOS, TN= {0.258S, 0.315P, 0.153N, 0.171AC,0.103AU}

We might consider here WST of preparation phase.User’s requirements, WOS, UN and WOS, TN, according tothe network environments are affected by service-specificcharacteristic, which is WST. The final result is

WC ¼ WOS; UN�WST

WOS; TN�WST

� �

WST is normalized as follows:

W ’C ¼ WC=WSUM

where WSUM is sum of elements in WC.


W ′C ¼ 0:236S; 0:072P; 0:337N; 0:309AC; 0:046AU

0:483S; 0:312P; 0:080N; 0:095AC; 0:030AU

� �

• “Criteria” phase: alternative evaluation

This phase is for evaluation alternative, that is, serviceproviders, to determine which service provider supportsbetter security on each security controls. The securitymetrics and corresponding security controls alreadydefined using the Delphi technology as described inFigure 1. Thus, in this phase, we could do a pair comparisonbetween service providers. This pair comparisons carry outregarding all security controls, respectively.

• “Goal” phase: security-SLA evaluation

The following example describes the ways in whichservices may be evaluated using super matrix in Section 4.2.This super matrix consists of W ′

C in “scenario” phase andWA in “criteria” phase, and WS is expressed as α and β of thesuper matrixW as shown in Section 4.2.

To reach the final goal through preceding super matrix,we need to define theWS ahead very clearly.We suppose thatthe service S2 and service S3 are specialized on enterpriseuser and public user, respectively. Then we are going to fig-ure out the impact of the network environments (WS). Wemake up scenarios in three ways: a user accesses the servicesonly in the TN, that is,WN1; a user accesses the services only

Figure 11. Evaluation r

in the public network (UN), that is,WN3; and both networks,that is, WN2, are shown in (a)–(c), as follows.

• WN1 = (UN, TN) = (0, 1)• WN2= (UN, TN) = (0.5, 0.5)• WN3 = (UN, TN) = (1, 0)

In other words,WN1 indicates the enterprise solution notconsidering public network out of private network, whileWN3 indicates the common solution for a public user. Theenterprise solution often is being offered through managedand controlled private network; sometimes, a user accessesthe service in public network environment such as bringyour own device (BYOD) in case of WN2, for example.

Figure 11 describes the results of the aforementionedthree cases, respectively, which fully correspond to ourview. The enterprise solution S2 meeting the user require-ment, WOS, TN ×WST= (0.483S, 0.312P, 0.080N, 0.095AC,0.030AU), could be recommended by cloud broker in caseof TN. While the public solution S3 is suited for the UN.Figure 12 describes that the security-SLA evaluationresults are influenced by which security controls place agreat deal of weight on the services, even within in samenetwork environment.

4.3. Simulation of security-SLA negotiation

We have addressed the question of which aspects are con-sidered for security SLA and how the aspects are reflectedto in security SLA employing ANP model. We hereprovide some simulations of security-SLA negotiationsteps 6 to 9 as shown in Figure 1. Thus, we present howthe cloud broker can recommend the service best suitedto a user’s requirements.

At first, the user can input his or her requirements to thetemplate made by the cloud broker. The template should bemade with a user-friendly expression. The user require-ments could be determined by a pair-comparison matrixon a UN and a TN, which are used in a “scenario” phase.

esults on services.


Figure 12. Evaluation results on network environments.


The needs of users about a security service vary dependingon the user purpose and environment. Enterprise users(U1), for example, in corporate networks, are less sensitiveto UNs compared with public users (U2). These two users’requirements of webApp, calculated using pair comparisonby two types of users, are shown in Table II.

We suppose that the service type is a webApp; thus, theuser wants more secure access control with encryption onuploaded information. Both the network environmentsand security threats might involve uncertainty. We

Table II. Users’ r

User Network S

Enterprise user (U1) UN 0.058TN 0.442

Public user (U2) UN 0.175TN 0.211

Figure 13. Evaluation re


consider security-SLA evaluation results depending onthe users’ requirements as expressed by “network” in Ta-ble II. Figures 13 and 14 describe the security-SLA results,derived by the “goal” phase in Section 4.2, among thefollowing webApp service providers: S1, S2, and S3(Tables III and IV).

The cloud broker is able to recommend service S2 to theuser1, as S2 has higher evaluation results in the TN envi-ronment. The service S2, moreover, also good at BYODconfiguration, that is, WN= (UN, TN) = (0.5, 0.5). For

equirements.

P N AC AU

0.214 0.417 0.203 0.1080.234 0.124 0.131 0.0690.133 0.210 0.289 0.1930.210 0.165 0.235 0.179

sults of user1 (U1).

Figure 14. Evaluation results of user2 (U2).


user2, however, the graph describes a definite result: ser-vice S3. The cloud broker could recommend service based

Table III. Security-SLA evaluation of user1 (U1).

UN TN S1 S2 S3 First priority

0.1 0.9 0.320 0.308 0.372 S30.2 0.8 0.318 0.315 0.367 S30.3 0.7 0.308 0.302 0.362 S30.4 0.6 0.316 0.322 0.362 S30.5 0.5 0.312 0.337 0.352 S30.6 0.4 0.31 0.344 0.347 S30.7 0.3 0.308 0.351 0.341 S30.8 0.2 0.305 0.358 0.336 S20.9 0.1 0.303 0.366 0.331 S2

Table IV. Security-SLA evaluation of user2 (U2).

UN TN S1 S2 S3 First priority

0.1 0.9 0.320 0.308 0.372 S30.2 0.8 0.318 0.315 0.367 S30.3 0.7 0.308 0.302 0.362 S30.4 0.6 0.316 0.322 0.362 S30.5 0.5 0.312 0.337 0.352 S30.6 0.4 0.31 0.344 0.347 S30.7 0.3 0.308 0.351 0.341 S30.8 0.2 0.305 0.358 0.336 S20.9 0.1 0.303 0.366 0.331 S20.1 0.9 0.302 0.340 0.358 S30.2 0.8 0.302 0.341 0.358 S30.3 0.7 0.301 0.341 0.357 S30.4 0.6 0.301 0.342 0.357 S30.5 0.5 0.301 0.343 0.356 S30.6 0.4 0.301 0.343 0.356 S30.7 0.3 0.301 0.344 0.356 S30.8 0.2 0.3 0.345 0.355 S30.9 0.1 0.3 0.345 0.355 S3

on the priorities of the services to the user with indicator ofthose service groups, as shown in Figure 8.

4.4. Motivation and contributions of thisstudy

We discuss about security-SLA evaluation in which aspectsmight be considered and how we can provide a quantitativeevaluation. The security could begin as technologies and becompleted by human. There is a saying that “The more se-cure you make something, the less secure it becomes”. So,the answer lies in usability. To obtain usability in security,we focus on the paradigm shift, that is, security as a service.

• “Security” as a service

Current security is in the field of technology, that is why auser cannot access and understand the security. To solve thisproblem, we fix our sight upon the security SLA for transpar-ent security as shown in Figure 15. The beginning of securitySLA is achieving consensus on security service including se-curity metrics and corresponding security controls. Thus, (i)we propose cooperative security-SLA evaluation model usingthe Delphi technology in Section 3. The security SLA couldaccomplish the security reflecting users’ requirements effi-ciently by an objective evaluation of the cloud broker.

• Efficient security as a service

Chen et al.[20] have convincingly expounded on-demand security architecture in cloud computing that dif-ferentiated security architecture according to service-specific characteristics that could prevent an unnecessarydrain on IT resources by protecting cloud computing ser-vices at just the right level. In this sense, the securitySLA could provide security service at just the right level,efficient security, with agreements, and clarify where theresponsibility lies regarding security incidents. (ii) We tryto give convincing answers to the considerations fordetermination of “the right level” through the influence of


Figure 15. Security service for usability.


service type on security SLA and verify our assumption bymathematical model employing ANP.

Moreover, (iii) we consider user requirements,expressed as “network environments” in this study, forsecurity-SLA evaluation, because different network envi-ronments have different threats. However, the practicalmethod to reflect users’ requirements and present quantita-tive evaluation is reserved for future works.

5. CONCLUSION

Great attention has been given to the question of how tomeasure security SLA and how services could be recom-mended to users based on security SLAs. Even thoughmany researchers have provided definitions and evaluationmodels or processes for security SLAs, in fact, quantitativemethodologies for evaluation are rarely studied, and theirdifficulty is often noted. In addition, there are fewapproaches to addressing the confusion caused by the differ-ent criteria (i.e., security metrics or parameters) for securitySLAs. In this sense, security-SLA evaluation might considermulti-dimensional approaches such as service types, net-work environments, and quantitative measurements.

In this paper, we proposed a novel cooperative security-SLA evaluation methodology to solve the aforementionedproblems by achieving security as a service with securitySLA for transparent security. However, a decision methodol-ogy of the elements of a pair-comparison matrix based on anobjective analysis has not been described, and this deservesconsiderable attention in future work.

ACKNOWLEDGEMENTS

This research was supported by the MSIP (Ministry ofScience, ICT & Future Planning), Korea, under the ITRC(Information Technology Research Center) supportprogram (NIPA-2014-H0301-14-1020) supervised by theNIPA (National IT Industry Promotion Agency).


REFERENCES

1. Personal Cloud. http://personal-clouds.org [Accessedon March 2014].

2. Sahai A, Graupner S, Machiraju V, Moorsel A. Speci-fying and Monitoring Guarantees in Commercial Gridsthrough SLA. In proceeding(s) of IEEE/ACM Interna-tional Symposium Cluster Computing and the Grid2003; 292–300.

3. The Cloud Security Alliance. https://cloudsecurityalliance.org/ [Accessed on February 2013].

4. Saaty TL. Decision Making with Dependence andFeedback: The Analytic Network Process. RWS Publi-cations: Pittsburgh, 2001; 1–370.

5. Wu C, Zhu Y, Pan S. The SLA evaluation model forcloud computing. In Proceeding(s) of the InternationalConference on Computer, Networks and Communica-tion Engineering 2013; 331–334.

6. Hossain AA, Huh E-N. Refundable service throughcloud brokerage. Proceeding of IEEE Cloud2013:972–973. doi:10.1109/CLOUD.2013.115.

7. Ryan MD. Cloud computing security: the scientific chal-lenge, and a survey of solutions. Journal of Systems andSoftware 2013; 86(9):2263–2268. doi:10.1016/j.jss.2012.12.025.

8. Zissis D, Lekkas D. Addressing cloud computingsecurity issues. Future Generation ComputerSystems 2012; 28(3):583–592. doi:10.1016/j.future.2010.12.006.

9. Rong C, Nguyen ST, Jaatun MG. Beyond lightning: asurvey on security challenges in cloud computing.Computers & Electrical Engineering 2013; 39(1):47–54. doi:10.1016/j.compeleceng.2012.04.015.

10. Bernsmed K, Jaatun MG, Meland PH, Undheim A. Se-curity SLAs for federated cloud services. In Proceed-ing(s) of the Availability, Reliability and Security(ARES) 2011; 202–209.

https://cloudsecurityalliance.org/

https://cloudsecurityalliance.org/


11. Collaboration Services: Deployment Options for TheEnterprise. Forrester Research: 2012; 1–15.

12. Tian Y, Song B, Huh E-N. A novel threat evaluationmethod for privacy-aware system inRFID. InternationalJournal of Ad Hoc and Ubiquitous Computing 2011;8(4):230–240.

13. Hassan M, Song B, Huh E-N. A market-orienteddynamic collaborative cloud services platform. Annalsof Telecommunications 2010; 65(11-12):669–688.

14. ISO/IEC CD 17789. Information technology—Distrib-uted application platforms and services (DAPS)—CloudComputing—Reference Architecture, 2013.

15. Na S-H, Park J-Y, Huh E-N. Personal cloud computingsecurity framework. Services Computing Conference(APSCC), IEEE Asia-Pacific 2010; 671–675.

16. Bernsmed K, JaatunMG, Undheim A. Security in servicelevel agreements for cloud computing. In Proceedings ofthe 1st International Conference on Cloud Computingand Services Science, 2011.

17. Na S-H, Kim K-H, Huh E-N. A methodology for eval-uating cloud computing security service-level agree-ments 2013; 5(13):235–242.

18. Na S-H, Kim K-H, Huh E-N. Threats evaluation forSLAs in cloud computing, The 3rd International Confer-ence on Convergence Technology 2013; 1570–1571.

19. Saaty TL. How to make a decision: the analytic hierarchyprocess. European Journal of Operational 1990; 48:9–26.

20. Chen J, Wang Y, Wang X. On-demand security architec-ture for cloud computing. Computer 2012; 45(7):73–78.doi:10.1109/MC.2012.120.


a broker-based cooperative security-sla evaluation ... · research article a broker-based...

Documents