Cloud security: From per-provider to per-service security SLAs
Rak, Massimiliano;
2016
Abstract
Cloud Security is still considered one of the main factors inhibiting the diffusion of the Cloud Computing paradigm. Potential Cloud Service Customers (CSCs) do not trust delegating every kind of resource and data to external Cloud Service Providers (CSPs). The problem grows in complexity due to the increasing adoption of complex supply chains: CSPs that offer Software-as-a-Service (SaaS) cloud services often do not have their own data centers, but just acquire resources and services from other CSPs. This makes it hard, if not impossible, to ascribe the responsibility for a security incident. A possible solution is the adoption of Security Service Level Agreements (SLAs): CSPs should deliver services with an SLA that details each guarantee offered in terms of security, and CSCs should be able to compare offerings from different CSPs and verify that SLAs are respected during the service lifecycle. This paper shows how it is possible to build up a per-service Security SLA in a chain of cloud services, proposing a solution based on a security evaluation technique to compare different cloud service supply chains based on their Security SLAs.