A broker-based cooperative security-SLA evaluation methodology for personal cloud computing


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks (2014)
Published online in Wiley Online Library (wileyonlinelibrary.com)

RESEARCH ARTICLE

A broker-based cooperative security-SLA evaluation methodology for personal cloud computing

Sang-Ho Na and Eui-Nam Huh*
Kyung Hee University, Seoul, Korea

ABSTRACT

An underlying cloud computing feature, outsourcing of resources, makes the service-level agreement (SLA) a critical factor for quality of service (QoS), and many researchers have addressed the question of how an SLA can be evaluated. Lately, security SLAs have also received much attention as a way to guarantee security from a user perspective and to provide optimal and efficient security service in the security paradigm shift brought about by cloud computing, such as security as a service. The quantitative measurement of security metrics is a considerably difficult problem and might be considered one of the multi-dimensional aspects of security threats. To address these issues, we provide a novel cooperative security-SLA evaluation model for the personal cloud service environment, including a multi-dimensional approach to analyze security threats depending on service type as well as a cooperative model to reach a general consensus of priorities, that is, indicators depending on service type and security metrics based on cloud brokers. Copyright 2014 John Wiley & Sons, Ltd.

KEYWORDS

security SLA; SLA evaluation; personal cloud service; cooperative model

*Correspondence: Eui-Nam Huh, Kyung Hee University, Seoul, Korea. johnhuh@khu.ac.kr

1. INTRODUCTION

Explosive growth in information systems is shifting to the cloud computing paradigm, and cloud computing has five typical features: multi-tenancy, scalability, elasticity, pay as you go, and self-provisioning of resources. These attributes allow customers to manage their computing capability as needed.
In the 1980s, personal computers (PCs) were hooked up [1] to a set of devices in order to input and output information, while after the paradigm shift, personal devices, that is, mobile devices, are hooked up [1] via a personal cloud that is registered with and has permission to use a network, for example, the Internet. Cloud services delivered over the Internet, such as Web-based applications, meet users' 4S needs: storing and synchronizing personal data, and sharing and streaming stored personal data via a personal cloud. The personal cloud, or the Personal Cloud, is a hybrid cloud in which the public cloud and private cloud are combined in a user-centric cloud computing model to facilitate access to personal data and manage personal data. The personal cloud is categorized according to service types: online storage, online desktop, and Web-based application. For the outsourcing of virtual resources, the guarantee of availability and the capability of resources become a more important consideration, and accordingly, the components of service-level agreement (SLA) have become critical factors. An SLA is a contract negotiated between a service provider and a user that establishes service levels, which are enforced by penalties and compensation if the conditions are violated by the cloud service provider [2]. In cloud computing environments, the pay-as-you-go model has been adopted because the outsourcing of resources requires reasonable SLAs regarding availability, security, and so forth. In particular, cloud-based access to data and services brings with it some threats regarding privacy and data security. Therefore, it requires more attention to the SLA components of security (denoted as a security SLA). However, quantitative SLA analysis is difficult because security threats vary and include many different, multi-dimensional aspects.
In order to evaluate security SLAs, technical approaches and administrative procedures of cloud service providers make it harder to define, analyze, and evaluate SLAs for security services. Furthermore, the requirement for accurate measurement of security has a trade-off with quality of service (QoS) components in terms of the performance. Moreover, security needs differ slightly depending on the service type. For example, data encryption services for Web applications require more access controls than those for storage services.

Therefore, in addition to the security threats, the security control for each service type is an important aspect of security SLAs. The Cloud Security Alliance (CSA) has published documents regarding the top threats and security guidance in cloud computing [3]. Among the various articles, The Notorious Nine, the latest article issued in Feb 2013, provides a ranking of the top threats, along with implications and suggested security controls based on a survey of industry experts. This threat ranking deserves consideration as it suggests the relative priorities of threats. Quantitative approaches for the evaluation of security SLAs are necessary for the provision of secure cloud services. This paper, therefore, suggests a novel quantitative model that cloud brokers can use to evaluate security SLAs on personal cloud services. This study includes a security-SLA evaluation model based on a multi-dimensional approach to analyze security threats as follows: (1) a cooperative security-SLA evaluation model to reach general consensus on security SLA in a broker-based personal cloud computing environment; (2) evaluation of the relative weight of security controls based on the personal cloud service type; (3) reflection of users' requirements in accordance with network environments to evaluate security SLA. The remainder of this paper is organized as follows. In Section 2, we discuss related work. In Section 3, we propose a cooperative security-SLA evaluation model for broker-based personal cloud service environments with the aforementioned features, employing the network model in the analytic network process (ANP) [4]. In Section 4, we verify our concept gradationally and sum up our contribution. Finally, we conclude the paper including our plans for future work in Section

RELATED WORKS

Wu et al.
have reviewed recent research regarding SLAs and have identified sensitive issues such as the different SLA parameters of users and service providers and the difficulty in quantifying these parameters [5]. Owing to continued service suspensions in cloud computing environments, Hossain and Huh [6] provided convincing answers to the refund model in regard to SLA violation. Nowadays, security aspects are emerging as issues for SLAs in cloud computing. Security SLAs for cloud computing have been given considerable attention in recent years, particularly regarding how to reach a unified agreement between users and providers [7-10]. The studies in [9,10] illuminated the question of how cloud providers could address the user's security needs, such as integrity and confidentiality, from the SLA perspective and provided a detailed outline of security controls. Cloud security SLAs are negotiated between the user and cloud providers [10]. An important part of this view is in regard to the current emergence of cloud collaboration services to the worldwide market [11,12]. Most research has introduced security SLAs and provided security parameters but has rarely focused on how to measure these security aspects. As mentioned earlier, the parameters of SLAs, especially those of the security aspects, are very difficult to estimate and calculate. To negotiate a specific security SLA, the foremost consideration is how to establish contractible security parameters and an evaluation methodology for each security parameter. The CSA has published articles regarding top threats and security guidance in cloud computing [3]. Among the various articles, The Notorious Nine provides a top threats ranking, implications, and security controls based on a survey of industry experts. This paper showed that security threats and parameters can be quantified, suggesting which threats are most influential and thus should take priority in security efforts.
However, this ranking only considered the implications of specific security breaches and did not consider the correlations between threats. To satisfy users' security-specific SLAs, the security aspects should be addressed from the users' point of view. Tian et al. [13] suggested a novel threat evaluation model using the analytic hierarchy process (AHP) to attempt to address privacy and potential threats in radio frequency identification, employing the AHP model to analyze user preference regarding threats.

3. COOPERATIVE SECURITY-SLA EVALUATION MODEL

3.1. Overview of security SLA

To achieve security SLAs for users, security metrics and goals agreed between the parties that provide the cloud service are needed. As mentioned in related works, however, many researchers and security-related institutes provide security metrics and results in somewhat differing forms. Therefore, the security metrics of services might be defined and dealt with in a transparent manner by the involved stakeholders. The service providers could then compete based on a consensus of security metrics, and a user could be assured of a trustworthy evaluation result of the security SLA. For reaching a consensus of security metrics, we provide a broker-based cooperative security-SLA evaluation model, such as the Delphi technique, in the next section (Figure 1). The security SLA differs from risk assessment. While risk assessment is an evaluation from the system of the service provider, the security SLA is an approach from the view of a user regarding security threats. As we know, security threats such as common vulnerabilities and exposures (CVE) have targets, for example, network, system, and data, to exploit for malicious purposes. In this sense, we might consider the defense-in-depth model for information security, that is, network-host-application-data, to evaluate security threats including a user environment such as the network layer and service-specific characteristics such as

host-application layer. It means that a measure of the degree of security threats is different according to the service types and the network environment a user accesses services from. For example, a public wireless network and a private enterprise network, or a Web-based application delivered over an HTTPS session and a virtual desktop infrastructure (VDI) service delivered by a secure container, have different threats, respectively. This idea is examined in Section 3.3, and we will see how this subject matter is being unveiled in Section

Figure 1. Security SLA evaluation and negotiation model.

A cloud broker-based cooperative security-SLA evaluation model

The cloud broker, as shown in Figure 2, is an entity of a cloud partner, which includes cloud brokers, auditors, and a cloud service developer; cloud brokers [13,14] can be people or organizations. A broker provides suitable cloud services to cloud customers to evaluate and select cloud service providers for user purposes, which are categorized as VDI service (denoted as a webtop), online storage, and Web-based application (denoted as a webapp) in personal cloud services [15]. Based on the earlier cloud broker definition, in the next paragraphs, we will describe cloud brokers' specific roles for security SLAs in order to offer suitable personal cloud services. In our proposal, a cooperative security-SLA evaluation model offers appropriate personal cloud services based on cooperative evaluation results. This model provides a formalized expression of security controls, which is defined by a cloud broker with general consensus among cloud providers and cloud brokers. Above all, the formalized expression of security control can be easily understood by cloud customers; in particular, standardized templates are needed to prevent potential confusion. Many researchers have pointed out the confusion caused by the different definitions of security control metrics.
A standardized contract template should therefore be prepared under the auspices of a cloud broker or another appropriate institution. Workflows 1-9 in Figure 1 show how cloud brokers and cloud service providers can reach a general consensus on security-SLA evaluation. For the formalized expression of security control (step 4 in Figure 1), cloud service providers initially assess security control based on the definition of security-SLA metrics provided by cloud brokers.

Figure 2. Broker-based personal cloud service.

As we mentioned in Section 1, security vulnerabilities and user

requirements are slightly different for each type of personal cloud service. When cloud service providers consider assessing the security aspects of their service, they place a great deal of weight upon the different security controls based on their service purpose, performance, and other aspects. This will be reflected when establishing the priorities of the security controls process (step 5 in Figure 1). Before describing how the priority values of the security controls are established, we will briefly examine the security threats and corresponding security controls and provide a security threats analysis of personal cloud service types in the next section.

Security threats and metrics for security SLA

Security threats and vulnerabilities in cloud computing are studied by many researchers and institutes. We considered the nine most notorious threats [3]: data breach, data loss, account hijacking, insecure APIs, denial of service, malicious insider, abuse of cloud services, insufficient due diligence, and shared technology issue. Among the nine threats, we selected five security concerns from the user's point of view. These are as follows: data breaches (DB), data loss (DL), account hijacking (AH), insecure APIs (API), and malicious insiders (MI). We then attempted to match these to the corresponding security controls [10,16], which have outlined a framework for security mechanisms in SLAs for cloud services.

Table I. Security threats and controls.
Columns: Security controls, DB, DL, AH, API, MI
S: Data isolation; Data encryption; Data location; Data integrity; Data backup
P: Application isolation; Virtual firewalls; Application integrity
N: Network encryption; Traffic isolation; Integrity protection
AC: Identity management; Access management; Key management
AU: Logging; Auditing; Certification; Customer privacy
Table I categorizes the five threats into the corresponding security controls: secure resource pooling (storage, processing, and networking), access control (AC), and audit, verification, and compliance (AU). When we consider threat evaluation, a multi-dimensional approach model is needed. This means that we might consider not only the technical factors based on service-specific threats but also unpredictable threats such as the network environment and malicious insiders. To analyze security threats based on the technology dependence and uncertainty of threats in the cloud, we employed a 2 × 2 thinking matrix (Figure 3 [17]), which is used to facilitate better thinking and decisions. Figure 3 is based upon two considerations with the aforementioned five threats. The AH, although mostly predictable and a technical issue in a managed network such as a private network in the cloud, has high uncertainty of threats in an untrusted network (UN) like a public wireless network. This makes explicit that evaluation of security threats based on service-specific characteristics, that is, the technical factor, is the starting point, and evaluation of unpredictable security threats, for example, network environments, is the end for security SLA. In this sense, we have assumed that the personal cloud infrastructure consists of a relatively trustworthy internal network and an untrusted external network (i.e., the Internet), as shown in Figure 4. Security threats are different depending on the network environment, as we noted in Figure 4 (e.g., malicious insiders do not have to be considered in the Internet environment). This means that the priorities or weight values of corresponding security controls might be applied respectively. Furthermore, as we mentioned, depending on the personal cloud service type, there are different preferences among the user requirements.
In the case of webtop, a user may want a strict authentication process with certification and a VPN solution above everything else; usually, we do not expect data encryption using the desktop. An online storage user, on the other hand, might look for secure data backup, integrity, and encryption.

Figure thinking matrix of threats.

In summary, security threats are closely related with QoS of services, and we might consider the security threats to assess security SLAs based on underlying service type

and property. With these considerations in mind, let us now describe a security-SLA evaluation model that takes a multi-dimensional approach.

Figure 4. Cloud infrastructure.

Security-SLA evaluation model

Researchers, for the most part, have tended to center around providing security-SLA definitions, needs, security metrics, and negotiation processes. As previous researchers have noted, the main issues are (i) the confusion caused by different security metrics or parameters between service providers and customers; (ii) how the security metric is measured; and (iii) the difficulty in monitoring security metrics. To address the confusion about security metrics or parameters, we have proposed a cooperative security-SLA process based on a broker in Section. Here, we aim to provide a security-SLA evaluation methodology with simulation, including self-assessment of service providers and security requirements of users, reflected in security-SLA evaluation in view of a multi-dimensional approach for recommending suitable services to users based on evaluation results.

Previous works and our purpose.

We have previously outlined a simple security-SLA evaluation model [17,18] that employs an AHP, which is a mathematics-based and psychology-based decision-making technique described by Saaty in 1970s [19]; we pointed out the correlation between threats and established weight values (priorities) of each threat to quantify the threats for SLA evaluation. Our previous works attempted to measure threats and security metrics. In this study, we extend the scope of our previous study, focusing on multi-dimensional threat evaluation approaches that consider the personal cloud service types and network environment. We employed AHP with the outer dependence method and the ANP [4]: AHP with the outer dependence method extended to the network model ANP model for security SLA.
We provide a series ANP model for security SLA as in Figure 5. The series ANP model consists of goal, scenario, criteria, and alternative. The meaning of each layer of the ANP model in Figure 5 is given as follows:

Goal: Security-SLA evaluation is a scenario-based reachable objective.
Scenario: The service usage scenario has influence on security controls (Criteria): network environments and service types. In each scenario on network environment, for example, UN and trusted network (TN), the priorities are determined by pair-comparison matrices on criteria, that is, security controls.
Criteria: Corresponding security controls, S, P, N, AC, and AU as described in Section 3.3, with security threats, is a standard to assess the alternative, that is, service providers. We describe the aforementioned definition and relationship to assess personal cloud services from the security perspective shown in Figure 9.
Alternative: Consisting of service providers, which are webtop, online storage, and webapp.

The notations of components in each layer are given as follows:

$N = \{N_x \mid x = 1, \ldots, o\}$: A set of $o$ network environments, where $o = 2$: UN, TN.
$ST = \{ST_y \mid y = 1, \ldots, p\}$: A set of $p$ service types, where $p = 3$: webapp, online storage, and webtop.
$W_{ST,N} = \{W_{SC} \mid SC = 1, \ldots, m\}$: A set of $m$ weights on security controls of service type (ST) and network environments (N).
$SC = \{SC_i \mid i = 1, \ldots, m\}$: A set of $m$ security controls (criteria).
$CS = \{CS_j \mid j = 1, \ldots, n\}$: A set of $n$ services to compare.

Figure 6 describes the hierarchical model for the network model earlier. The weight on service type is missed, and the weight value on service types in the preparation phase has been determined (refer to Section 4), affecting the result of pair comparison in accordance with network environment. The details are shown in the scenario phase of Section 4. The final result provides a basis for a recommendation to users by a cloud broker.

Figure 5. Network model for security SLA.
Figure 6. ANP hierarchy model.

The important concept of this model is that there are different priorities (weight) based on the services and network environments. For example, the webtop service for enterprise puts a higher priority (weight value) on access control in UN than in TN. Because webtop service uses some container solution such as VDI to deliver the content securely, when it comes to service, the online storage service needs more secure storage control than the webapp from a user perspective.

4. SECURITY-SLA EVALUATION

In this section, we will see how we could evaluate security SLA according to our model. To reach the goal, service recommendation for a user purpose, defining security metrics and weights on security controls is needed, as described in Section 3.2. We here use Table I shown in Section 3.3 for the security metrics. The weight value on security controls is then affected by service type, based on our assumption.

Weight evaluation using pair comparison

To evaluate each component in Figures 5 and 6 shown in Section 3.4.2, we use a pair-comparison matrix between elements of each component in view of the object that is affected by the component, as given in the example in Figure 7; elements of SC component (Criteria) are n = 3, and the pair comparison is enumerated for

the scenario explained in Section. θ in Figure 6 is one of Saaty's discrete nine-value scales [19], which are from 1 (equal importance) to 9 (extreme importance), and 2, 4, 6, and 8 are intermediate values. Let the preceding pair-comparison matrix be $A = (a_{ij})$, the resulting matrix of the pair comparison on elements $a_i$, $a_j$. Those matrices have the following characteristics:

$$a_{ii} = 1, \qquad a_{ji} = 1/a_{ij}$$

$$A\omega = \lambda\omega$$

where $\lambda$ is eigenvalue of the matrix $A$ and $\omega$ is dominant eigenvector. The eigenvector is a priority in Figure 6, and the consistency index (CI) value can be acquired by the following equation:

$$CI = (\lambda - n)/(n - 1)$$

where n = (number of target elements). The CI should be lower than 0.1. If that is the case, the result of pair comparison is reliable. Let the initial vector be $u(0)$ to calculate $\lambda$ and $\omega$.

$$u(0) = (1/n, 1/n, \ldots, 1/n)$$

$$v(k) = A\,u(k-1), \qquad k = 1, 2, \ldots, n$$

$$v(k) = (v_1(k), v_2(k), \ldots, v_n(k))$$

$$u(k) = v(k)/t(k)$$

Against a sufficiently large value of $k$, $v(k)$ and $u(k)$ converged to determined values, that is, $\lambda_{max}$ and $\omega$ of $A$, respectively. $\omega$ is the weight value of the pair-comparison result, and each $\omega$, a result of each component evaluation, is assigned a value in super matrix to calculate security SLA as described subsequently.

Figure 7. Pair-comparison matrix.

4.2. Security-SLA evaluation using super matrix

To attain the goal of hierarchical model in Figure 6 shown in Section 3.4.2, we use the following super matrix to calculate security SLA.

where $I$ is the unit matrix. $W_A$ are the provided priorities of the alternative services on the security controls by service provider with self-assessment, and $W_C W_A$ means a network environment considering priorities of alternatives (services) of users. $W_S W_C W_A$ is the final evaluation result that means security SLA. Let $W$ be

$$W = (W_{ij})$$

Then, $W$ has the following characteristics:

$$W_{ij} = W_i/W_j, \qquad W_{jk} = W_j/W_k, \qquad W_{ij} W_{jk} = W_i/W_k$$

$$\lim_{n \to \infty} W^n = W^*$$

Therefore, we can express $W^*$ on our hierarchy model as follows:

The final result, $W_S W_C W_A$ of $W^*$, means which service providers are better for users from the security perspective. Each value in $W$ is calculated using pair comparison by stage, as follows.

Preparation phase: establishing weight values on service types ($W_{ST}$: indicator)

Each cloud service, that is, webapp, online storage, and webtop, has different server configurations, service deliveries, and user purposes. Regarding those service-specific features, measuring security threats and corresponding security controls are different. Each service provider, therefore, does a pair comparison on security controls in view of their service. Each matrix in Figure 8(a-c) is a comparison result of security control (criteria) on personal cloud service types. This comparison is based on the outer dependence model, in which the alternatives depend on certain criteria, and each priority of the alternatives can be a dominant eigenvector for relative assessment of the alternative. The weight values are useful to discriminate the relative importance of security controls according to the service type.

$W_{WT}$ = {0.058 S, P, N, AC, AU}
$W_{OS}$ = {0.442 S, P, N, AC, AU}
$W_{WA}$ = {0.174 S, P, N, AC, AU}

where WT is webtop, OS is online storage, and WA is webapp. The results of the preceding three pair-comparison matrices are derived from Figure 8. These results, in Figure 9, indicate that the priorities of security control, that is, the security metrics for security SLAs, should take into account the feature and purpose of the service type, and that the relative importance of each security metric cannot be applied to services uniformly.
Each resulting set of priorities for service providers of the same service type is stored in the database (shown in Figure 1), and the geometric average of the priorities can then be used as an indicator (as shown in Figure 10) of the group [19], which provide the same types of cloud services to determine the relative importance of each security metric depending on the service type.

Figure 8. Pair-comparison matrix for each type of service.

Let $W^i_S$ and $W^I_S$ be priorities (dominant eigenvectors) of service $i$ in a service group of the S type and an indicator in a service group of the S type, respectively.

$$W^I_S = \left( \sqrt[n]{W^1_{S,1} \cdot W^2_{S,1} \cdots W^n_{S,1}},\ \ldots,\ \sqrt[n]{W^1_{S,n} \cdot W^2_{S,n} \cdots W^n_{S,n}} \right)$$

where $n$ is the number of services. Figure 10 shows the priorities of a specific service group and the indicators of that service group. According to the comparison graph, we can choose the S3 to meet secure storage needs with average safety at the marketplace level.

Figure 9. Priority comparison between the service types.
Figure 10. Comparison with service indicator.

Scenario phase: criteria evaluation

The scenario, that is, UN and TN, could affect the weight value on security controls (criteria) from the perspective of a user. A user in a public wireless network faces more threats than a user in a private network. This hypothesis is perfectly obvious. To gain the effect of the scenario, we could execute pair comparison, such as in Figure 7, between security controls. If there is some template, such as in Figure 1, to gain user requirements on security controls, then we could do a pair comparison based on the requirements. This paper is concerned with the influence on the final result of security SLA. We provide two examples about online storage service, as follows:

$W_{OS,UN}$ = {0.081 S, 0.047 P, 0.413 N, 0.358 AC, AU}
$W_{OS,TN}$ = {0.258 S, P, N, AC, AU}

We might consider here $W_{ST}$ of the preparation phase. User's requirements, $W_{OS,UN}$ and $W_{OS,TN}$, according to the network environments are affected by the service-specific characteristic, which is $W_{ST}$. The final result is

$$W_C = \left( W_{OS,UN}\, W_{ST},\ W_{OS,TN}\, W_{ST} \right)$$

$W_{ST}$ is normalized as follows:

$$W_C = W_C / W_{SUM}$$

where $W_{SUM}$ is sum of elements in $W_C$.

$W_C$ =
(0.236 S, 0.072 P, 0.337 N, 0.309 AC, 0.046 AU)
(0.483 S, 0.312 P, 0.080 N, 0.095 AC, 0.030 AU)

Criteria phase: alternative evaluation

This phase is for evaluating the alternatives, that is, service providers, to determine which service provider supports better security on each security control. The security metrics and corresponding security controls are already defined using the Delphi technology as described in Figure 1. Thus, in this phase, we could do a pair comparison between service providers. These pair comparisons are carried out for each of the security controls, respectively.

Goal phase: security-SLA evaluation

The following example describes the ways in which services may be evaluated using the super matrix in Section 4.2. This super matrix consists of $W_C$ in the scenario phase and $W_A$ in the criteria phase, and $W_S$ is expressed as α and β of the super matrix $W$ as shown in Section 4.2. To reach the final goal through the preceding super matrix, we need to define the $W_S$ ahead very clearly. We suppose that the service S2 and service S3 are specialized on enterprise user and public user, respectively. Then we are going to figure out the impact of the network environments ($W_S$). We make up scenarios in three ways: a user accesses the services only in the TN, that is, $W_{N1}$; a user accesses the services only in the public network (UN), that is, $W_{N3}$; and both networks, that is, $W_{N2}$, are shown in (a)-(c), as follows.

$W_{N1}$ = (UN, TN) = (0, 1)
$W_{N2}$ = (UN, TN) = (0.5, 0.5)
$W_{N3}$ = (UN, TN) = (1, 0)

In other words, $W_{N1}$ indicates the enterprise solution not considering public network out of private network, while $W_{N3}$ indicates the common solution for a public user. The enterprise solution often is being offered through a managed and controlled private network; sometimes, a user accesses the service in a public network environment such as bring your own device (BYOD) in case of $W_{N2}$, for example. Figure 11 describes the results of the aforementioned three cases, respectively, which fully correspond to our view. The enterprise solution S2 meeting the user requirement, $W_{OS,TN} W_{ST}$ = (0.483 S, P, N, AC, AU), could be recommended by the cloud broker in case of TN, while the public solution S3 is suited for the UN. Figure 12 describes that the security-SLA evaluation results are influenced by which security controls place a great deal of weight on the services, even within the same network environment.

Figure 11. Evaluation results on services.

Simulation of security-SLA negotiation

We have addressed the question of which aspects are considered for security SLA and how the aspects are reflected in security SLA employing the ANP model. We here provide some simulations of security-SLA negotiation steps 6 to 9 as shown in Figure 1. Thus, we present how the cloud broker can recommend the service best suited to a user's requirements. At first, the user can input his or her requirements to the template made by the cloud broker. The template should be made with a user-friendly expression. The user requirements could be determined by a pair-comparison matrix on a UN and a TN, which are used in a scenario phase.
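The arithmetic of Sections 4.1 and 4.2 (pair comparison with the power method and CI check, the geometric-average indicator, the scenario-phase normalization, and the goal-phase product $W_S W_C W_A$) can be followed end to end in the added Python example below, which is not code from the paper. The function names, the two pair-comparison matrices, and the provider priorities `W_A_CONSTRUCTED` are assumptions made for illustration, and $t(k)$ is taken to be the sum of the components of $v(k)$; only the two $W_C$ rows are the paper's values.

```python
import math

def priority_vector(A, iterations=100):
    """Power method of Section 4.1: u(0) = (1/n, ..., 1/n), v(k) = A u(k-1),
    u(k) = v(k)/t(k). Assumption: t(k) is the sum of the components of v(k),
    so t(k) tends to lambda_max and u(k) to the priority vector omega."""
    n = len(A)
    u = [1.0 / n] * n
    t = float(n)
    for _ in range(iterations):
        v = [sum(A[i][j] * u[j] for j in range(n)) for i in range(n)]
        t = sum(v)
        u = [x / t for x in v]
    return u, t

def consistency_index(lambda_max, n):
    """CI = (lambda_max - n) / (n - 1); the paper accepts CI < 0.1."""
    return (lambda_max - n) / (n - 1)

def evaluate_comparison(A, threshold=0.1):
    """Check a_ii = 1 and a_ji = 1/a_ij, then return (omega, CI, reliable)."""
    n = len(A)
    for i in range(n):
        for j in range(n):
            if A[i][j] <= 0 or abs(A[i][j] * A[j][i] - 1.0) > 1e-9:
                raise ValueError(f"a[{j}][{i}] must equal 1/a[{i}][{j}]")
    omega, lam = priority_vector(A)
    ci = consistency_index(lam, n)
    return omega, ci, ci < threshold

def group_indicator(priorities):
    """Indicator of a service group: component-wise geometric average of the
    priority vectors submitted by the n providers of one service type."""
    n = len(priorities)
    return [math.prod(col) ** (1.0 / n) for col in zip(*priorities)]

def scenario_weights(user_requirement, service_type_weights):
    """Scenario phase: element-wise product of the user's requirement and the
    service-type weights W_ST, divided by W_SUM."""
    raw = [u * s for u, s in zip(user_requirement, service_type_weights)]
    total = sum(raw)
    return [x / total for x in raw]

def sla_scores(w_s, w_c, w_a):
    """Goal phase W_S W_C W_A. w_s: weight per network scenario (UN, TN);
    w_c: one row of control weights per scenario; w_a: one row per control
    holding each provider's priority. Returns one score per provider."""
    controls = range(len(w_a))
    mixed = [sum(w_s[x] * w_c[x][i] for x in range(len(w_s))) for i in controls]
    return [sum(mixed[i] * w_a[i][j] for i in controls)
            for j in range(len(w_a[0]))]

# Constructed judgements on Saaty's 1-9 scale for three criteria.
SAATY_EXAMPLE = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]
# Constructed circular judgements (A > B > C > A): reciprocal but inconsistent.
CIRCULAR = [[1, 9, 1 / 9], [1 / 9, 1, 9], [9, 1 / 9, 1]]

# W_C rows as printed in the scenario phase (order S, P, N, AC, AU).
W_C_PAGE = [
    [0.236, 0.072, 0.337, 0.309, 0.046],  # UN
    [0.483, 0.312, 0.080, 0.095, 0.030],  # TN
]
# Constructed self-assessment priorities, columns (S2, S3); not from the paper.
W_A_CONSTRUCTED = [
    [0.7, 0.3],  # S  storage
    [0.6, 0.4],  # P  processing
    [0.3, 0.7],  # N  networking
    [0.2, 0.8],  # AC access control
    [0.5, 0.5],  # AU audit, verification, compliance
]

if __name__ == "__main__":
    omega, ci, ok = evaluate_comparison(SAATY_EXAMPLE)
    print("weights", [round(w, 3) for w in omega], "CI", round(ci, 4), ok)
    print("circular CI", round(evaluate_comparison(CIRCULAR)[1], 3))
    for name, w_s in (("N1", (0, 1)), ("N2", (0.5, 0.5)), ("N3", (1, 0))):
        s2, s3 = sla_scores(w_s, W_C_PAGE, W_A_CONSTRUCTED)
        print(name, "S2", round(s2, 4), "S3", round(s3, 4))
```

With these constructed provider priorities the ranking flips between the TN-only and UN-only scenarios, which is the effect the goal phase describes; a comparison matrix with circular judgements is rejected by the CI threshold before it can influence any weight.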

Figure 12. Evaluation results on network environments.

The needs of users about a security service vary depending on the user purpose and environment. Enterprise users (U1), for example, in corporate networks, are less sensitive to UNs compared with public users (U2). These two users' requirements of webapp, calculated using pair comparison by two types of users, are shown in Table II. We suppose that the service type is a webapp; thus, the user wants more secure access control with encryption on uploaded information. Both the network environments and security threats might involve uncertainty. We consider security-SLA evaluation results depending on the users' requirements as expressed by network in Table II. Figures 13 and 14 describe the security-SLA results, derived by the goal phase in Section 4.2, among the following webapp service providers: S1, S2, and S3 (Tables III and IV). The cloud broker is able to recommend service S2 to the user1, as S2 has higher evaluation results in the TN environment. The service S2, moreover, is also good at BYOD configuration, that is, $W_N$ = (UN, TN) = (0.5, 0.5).

Table II. Users' requirements. Columns: User, Network, S, P, N, AC, AU. Rows: Enterprise user (U1), UN and TN; Public user (U2), UN and TN.
Figure 13. Evaluation results of user1 (U1).

For

12 A cooperative security-sla evaluation methodology S.-H. Na and E.-N. Huh Figure 14. Evaluation results of user2 (U2). user2, however, the graph describes a definite result: service S3. The cloud broker could recommend service based Table III. Security-SLA evaluation of user1 (U1). UN TN S1 S2 S3 First priority S S S S S S S S S2 Table IV. Security-SLA evaluation of user2 (U2). UN TN S1 S2 S3 First priority S S S S S S S S S S S S S S S S S S3 on the priorities of the services to the user with indicator of those service groups, as shown in Figure Motivation and contributions of this study We discuss about security-sla evaluation in which aspects might be considered and how we can provide a quantitative evaluation. The security could begin as technologies and be completed by human. There is a saying that Themoresecure you make something, the less secure it becomes. So, the answer lies in usability. To obtain usability in security, we focus on the paradigm shift, that is, security as a service. Security as a service Current security is in the field of technology, that is why a user cannot access and understand the security. To solve this problem, we fix our sight upon the security SLA for transparent security as shown in Figure 15. The beginning of security SLA is achieving consensus on security service including security metrics and corresponding security controls. Thus, (i) we propose cooperative security-sla evaluation model using the Delphi technology in Section 3. The security SLA could accomplish the security reflecting users requirements efficiently by an objective evaluation of the cloud broker. Efficient security as a service Chen et al.[20] have convincingly expounded ondemand security architecture in cloud computing that differentiated security architecture according to servicespecific characteristics that could prevent an unnecessary drain on IT resources by protecting cloud computing services at just the right level. 
In this sense, the security SLA could provide security service at just the right level, that is, efficient security, with agreements, and clarify where the responsibility lies regarding security incidents. (ii) We try to give convincing answers to the considerations for determining the right level through the influence of service type on the security SLA and verify our assumption by a mathematical model employing ANP. Moreover, (iii) we consider user requirements, expressed as network environments in this study, for security-SLA evaluation, because different network environments have different threats. However, the practical method to reflect users' requirements and present a quantitative evaluation is reserved for future work.

Figure 15. Security service for usability.

5. CONCLUSION

Great attention has been given to the question of how to measure a security SLA and how services could be recommended to users based on security SLAs. Even though many researchers have provided definitions and evaluation models or processes for security SLAs, in fact, quantitative methodologies for evaluation are rarely studied, and their difficulty is often noted. In addition, there are few approaches to addressing the confusion caused by the different criteria (i.e., security metrics or parameters) for security SLAs. In this sense, security-SLA evaluation might consider multi-dimensional approaches such as service types, network environments, and quantitative measurements. In this paper, we proposed a novel cooperative security-SLA evaluation methodology to solve the aforementioned problems by achieving security as a service with a security SLA for transparent security. However, a decision methodology for the elements of a pair-comparison matrix based on an objective analysis has not been described, and this deserves considerable attention in future work.

ACKNOWLEDGEMENTS

This research was supported by the MSIP (Ministry of Science, ICT & Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2014-H ) supervised by the NIPA (National IT Industry Promotion Agency).

REFERENCES

1. Personal Cloud. [Accessed on March 2014].
2. Sahai A, Graupner S, Machiraju V, Moorsel A. Specifying and Monitoring Guarantees in Commercial Grids through SLA. In Proceeding(s) of IEEE/ACM International Symposium Cluster Computing and the Grid 2003;
3. The Cloud Security Alliance. org/ [Accessed on February 2013].
4. Saaty TL. Decision Making with Dependence and Feedback: The Analytic Network Process. RWS Publications: Pittsburgh, 2001;
5. Wu C, Zhu Y, Pan S. The SLA evaluation model for cloud computing. In Proceeding(s) of the International Conference on Computer, Networks and Communication Engineering 2013;
6. Hossain AA, Huh E-N. Refundable service through cloud brokerage. Proceeding of IEEE Cloud 2013: doi: /cloud
7. Ryan MD. Cloud computing security: the scientific challenge, and a survey of solutions. Journal of Systems and Software 2013; 86(9): doi: /j. jss
8. Zissis D, Lekkas D. Addressing cloud computing security issues. Future Generation Computer Systems 2012; 28(3): doi: /j. future
9. Rong C, Nguyen ST, Jaatun MG. Beyond lightning: a survey on security challenges in cloud computing. Computers & Electrical Engineering 2013; 39(1): doi: /j.compeleceng
10. Bernsmed K, Jaatun MG, Meland PH, Undheim A. Security SLAs for federated cloud services. In Proceeding(s) of the Availability, Reliability and Security (ARES) 2011;
11. Collaboration Services: Deployment Options for The Enterprise. Forrester Research: 2012;
12. Tian Y, Song B, Huh E-N. A novel threat evaluation method for privacy-aware system in RFID. International Journal of Ad Hoc and Ubiquitous Computing 2011; 8(4):
13. Hassan M, Song B, Huh E-N. A market-oriented dynamic collaborative cloud services platform. Annals of Telecommunications 2010; 65(11-12):
14. ISO/IEC CD Information technology Distributed application platforms and services (DAPS) Cloud Computing Reference Architecture,
15. Na S-H, Park J-Y, Huh E-N. Personal cloud computing security framework. Services Computing Conference (APSCC), IEEE Asia-Pacific 2010;
16. Bernsmed K, Jaatun MG, Undheim A. Security in service level agreements for cloud computing. In Proceedings of the 1st International Conference on Cloud Computing and Services Science,
17. Na S-H, Kim K-H, Huh E-N. A methodology for evaluating cloud computing security service-level agreements 2013; 5(13):
18. Na S-H, Kim K-H, Huh E-N. Threats evaluation for SLAs in cloud computing, The 3rd International Conference on Convergence Technology 2013;
19. Saaty TL. How to make a decision: the analytic hierarchy process. European Journal of Operational 1990; 48:
20. Chen J, Wang Y, Wang X. On-demand security architecture for cloud computing. Computer 2012; 45(7): doi: /mc


More information

Cloud deployment model and cost analysis in Multicloud

Cloud deployment model and cost analysis in Multicloud IOSR Journal of Electronics and Communication Engineering (IOSR-JECE) ISSN: 2278-2834, ISBN: 2278-8735. Volume 4, Issue 3 (Nov-Dec. 2012), PP 25-31 Cloud deployment model and cost analysis in Multicloud

More information

Capturing the New Frontier:

Capturing the New Frontier: Capturing the New Frontier: How Software Security Unlocks the Power of Cloud Computing Executive Summary Cloud computing is garnering a vast share of IT interest. Its promise of revolutionary cost savings

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Security and Cloud Computing

Security and Cloud Computing Martin Borrett, Lead Security Architect, Europe, IBM 9 th December 2010 Outline Brief Introduction to Cloud Computing Security: Grand Challenge for the Adoption of Cloud Computing IBM and Cloud Security

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

Cloud-Security: Show-Stopper or Enabling Technology?

Cloud-Security: Show-Stopper or Enabling Technology? Cloud-Security: Show-Stopper or Enabling Technology? Fraunhofer Institute for Secure Information Technology (SIT) Technische Universität München Open Grid Forum, 16.3,. 2010, Munich Overview 1. Cloud Characteristics

More information

Ixonos Cloud Solutions - A Review

Ixonos Cloud Solutions - A Review Capacity Services Ixonos Plc 2015 TABLE OF CONTENTS TABLE OF CONTENTS... 2 1 Service description... 3 1.1 Environment... 3 1.2 Security services... 4 1.3 Data Center facilities... 5 2 Service levels...

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Resource Allocation Avoiding SLA Violations in Cloud Framework for SaaS

Resource Allocation Avoiding SLA Violations in Cloud Framework for SaaS Resource Allocation Avoiding SLA Violations in Cloud Framework for SaaS Shantanu Sasane Abhilash Bari Kaustubh Memane Aniket Pathak Prof. A. A.Deshmukh University of Pune University of Pune University

More information

Assessing Risks in the Cloud

Assessing Risks in the Cloud Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research

More information

How To Protect Your Cloud Computing Resources From Attack

How To Protect Your Cloud Computing Resources From Attack Security Considerations for Cloud Computing Steve Ouzman Security Engineer AGENDA Introduction Brief Cloud Overview Security Considerations ServiceNow Security Overview Summary Cloud Computing Overview

More information

Cloud Computing Thunder and Lightning on Your Horizon?

Cloud Computing Thunder and Lightning on Your Horizon? Cloud Computing Thunder and Lightning on Your Horizon? Overview As organizations automate more and more of their manual processes, the Internet is increasingly becoming an important tool in the delivery

More information

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA

More information

Logical Data Models for Cloud Computing Architectures

Logical Data Models for Cloud Computing Architectures Logical Data Models for Cloud Computing Architectures Augustine (Gus) Samba, Kent State University Describing generic logical data models for two existing cloud computing architectures, the author helps

More information

An ITIL Perspective for Storage Resource Management

An ITIL Perspective for Storage Resource Management An ITIL Perspective for Storage Resource Management BJ Klingenberg, IBM Greg Van Hise, IBM Abstract Providing an ITIL perspective to storage resource management supports the consistent integration of storage

More information

Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services

Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services organization providing innovative management and technology-based

More information

Cloud Security Framework (CSF): Gap Analysis & Roadmap

Cloud Security Framework (CSF): Gap Analysis & Roadmap Cloud Security Framework (CSF): Gap Analysis & Roadmap Contributors: Suren Karavettil, Bhumip Khasnabish Ning So, Gene Golovinsky, Meng Yu & Wei Yinxing Please send comments & suggestions to Suren Karavettil

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

Chapter 6: Fundamental Cloud Security

Chapter 6: Fundamental Cloud Security Chapter 6: Fundamental Cloud Security Nora Almezeini MIS Department, CBA, KSU From Cloud Computing by Thomas Erl, Zaigham Mahmood, and Ricardo Puttini(ISBN: 0133387526) Copyright 2013 Arcitura Education,

More information

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide

More information

AEIJST - June 2015 - Vol 3 - Issue 6 ISSN - 2348-6732. Cloud Broker. * Prasanna Kumar ** Shalini N M *** Sowmya R **** V Ashalatha

AEIJST - June 2015 - Vol 3 - Issue 6 ISSN - 2348-6732. Cloud Broker. * Prasanna Kumar ** Shalini N M *** Sowmya R **** V Ashalatha Abstract Cloud Broker * Prasanna Kumar ** Shalini N M *** Sowmya R **** V Ashalatha Dept of ISE, The National Institute of Engineering, Mysore, India Cloud computing is kinetically evolving areas which

More information