Analyzing and Improving Customer-Side Cloud Security Certifiability

Cloud services have become popular as an effective form to outsource computational resources. While providing cost efficiency on the one side, this outsourcing also causes a certain loss of control over the computational resources, which makes security risks difficult to predict and manage. To address such concerns, security service level agreements (secSLAs) have been proposed as contracts between Cloud service providers (CSPs) and Cloud service customers (CSCs) that cover security properties of Cloud services. SecSLAs cover a variety of different security properties, ranging from the availability of encrypted communication channels for accessing Cloud resources to the timely detection and removal of vulnerabilities in the CSP's infrastructure. As previous work [1] has shown, and as is evident for the example of timely vulnerability removal, not all of these security properties can be assessed by the CSC, which limits their utility as a contract basis. In this paper we propose a new monitoring framework for Cloud services to support the monitoring and validation of security properties on the customer side that require infrastructure-internal knowledge. To obtain the security properties to be monitored by our framework, we have manually investigated 97 different quantifiable properties in 5 standards from both industry and academia. We identified only 21 measurable properties from those standards, out of which we implement measurements for 13 representative ones and evaluated our measurements on the OPENSTACK platform.