D2.1.1: Report on requirements for Cloud SLA negotiation – Initial

Despite the appealed advantages and user-friendliness offered by the cloud nowadays, it is true that the typical cloud customer is not a security expert (in particular small and medium enterprises -SMEs-), nevertheless will have some context-specific security requirements to fulfill. For such (prospective) customers, matching their security requirements with the security being offered by available Cloud Service Providers (CSP) is a task that is still manual, expensive and unrealistic to accomplish in many cases. This problem worsens if we take into account the ever increasing number of CSPs available in the cloud ecosystem. Despite the assumption that a given CSP “seems” secure, is it actually providing “good enough security” for my organization’s requirements? How to compare different CSPs with regards to security? How can SMEs add realistic levels of automation to the process of negotiating security requirements with their customers?
Taking into account these concerns, the SPECS project proposes the development of a process (and associated techniques) to semi-automatically negotiate customer security requirements versus the cloud SLA (Service Level Agreements) offered by the CSP. This Deliverable D2.1.1 provides an initial version of the technical and non-technical requirements associated with the proposed SPECS negotiation process. In particular, this deliverable analyses the cloud (security) SLA landscape from the research, industrial and standardization perspectives to guarantee a holistic requirements elicitation. These requirements (including a list of prospective cloud security Service Level Objectives –SLO-), will be further analyzed and managed by the design and implementation activities in WP2 (Tasks 2.2 and 2.3 respectively).
The next iteration of this deliverable (D2.1.2) will include a requirements analysis based on a set of case studies (including the notion of re-negotiation), a detailed discussion on the machine-readable specification language for SLA, and a detailed description of the security SLOs to negotiate (e.g., proposing a conceptual model, and associated low-level metrics).