A Security SLA-driven Methodology to Set-Up Security Capabilities on Top of Cloud Services

The extensive use of cloud services by both individual users and organizations induces several security risks. The risk perception is higher when Cloud Service Providers (CSPs) do not clearly state their security policies and/or when such policies do not directly match user-defined requirements. Security-oriented Service Level Agreements (Security SLAs) represent a fundamental means to encourage the adoption of cloud services in contexts where security is mandatory. Nevertheless, despite the number of existing initiatives aimed at formalizing Security SLAs and at representing security guarantees by taking into account both customers' and providers' perspectives, they are far from being commonly adopted in practice by CSPs, due to the difficulty in automatically enforcing and monitoring the security capabilities agreed with customers. In this paper we illustrate, through a case study, a methodology to set-up a catalogue of security capabilities that can be offered as-a-service, on top of which specific guarantees can be specified through a Security SLA. Such a methodology, which explicitly takes into account the constraints behind the definition of formal guarantees related to security, is meant to serve as a guideline for providers willing to offer for their services specific security features that can be monitored and assessed by customers during operation.