Cloud Security: from Per-Provider to Per-Service Security SLAs

Cloud Security is still considered one of the main factors inhibiting the diffusion of the Cloud Computing paradigm. Potential Cloud Service Customers (CSCs) do not trust delegating every kind of resources and data to external Cloud Service Providers (CSPs). The problem grows in complexity due to the increasing adoption of complex supply chains: CSPs that offer Sofware-as-a-Service (SaaS) cloud services often do not have their own data centers, but just acquire resources and services from other CSPs. This makes it hard, if not impossible, to ascribe the responsibility of a security incident. A possible solution is the adoption of Security Service Level Agreements (SLAs): CSPs should deliver services with an SLA that details each guarantee offered in terms of security, and CSCs should be able to compare offerings from different CSPs and verify that SLAs are respected during service life cycle. This paper shows how it is possible to build up a per-service Security SLA in a chain of cloud services, proposing a solution based on a security evaluation technique to compare different cloud service supply chains based on their Security SLAs.