Abstract

Information systems are often exposed to various types of threats, which can cause different types of damage and lead to significant financial losses. Security issues can range from small losses to the destruction of an entire information system. The effects of threats vary considerably: some affect the confidentiality or integrity of data, while others affect the availability of a system. Organizations still struggle to understand what the threats to their information assets are and how to counter them. Security can be considered one of the key requirements for consolidating cloud computing as a robust and reliable solution. Organizations that seek to embrace the cloud as a solution should be aware that this technology inherits all the security vulnerabilities of traditional solutions. These are combined with the complexity and heterogeneity of configurations related to the architecture, privacy and compliance of cloud computing. Uniform management practices should be applied across providers in relation to the security control policies agreed with their clients, as defined by the Security Service Level Agreement (Sec-SLA). For this reason, we present a standardization of responsibilities, taking into account the security perimeter of the cloud, and the main mitigation and resolution measures for the types of attacks enumerated by a vulnerability base, to be included in Sec-SLAs. This enables us to measure and classify the provider's reliability regarding the services offered. Thus, the cloud is expected to improve its control and security and achieve an efficient response to incidents.
We propose a calculation model to determine the reliability of a provider based on the solution and mitigation measures for security incidents offered in its service catalog, and we develop an abstract method to support consumers in defining the weights to be attributed to architecture, privacy and compliance in the calculation of trust. The vulnerabilities found, together with the impacts and mitigation measures in the Architecture, Privacy and Compliance subcategories of the suggested providers and the weights given by the consumers, allowed us to validate the abstract model of the proposed confidence calculation. This allows us to classify providers according to the confidence they present to the consumer in the context of the security vulnerabilities and policies adopted.
