Risk propagation of security SLAs in the cloud

For organizations with mission critical systems, moving data or functionality to the cloud introduces a risk of additional exposed vulnerabilities associated with cloud service providers not implementing organizationally selected security controls. When internal system details are abstracted away as part of the cloud architecture, the organization must rely on contractual obligations embedded in service level agreements (SLAs) to assess service offerings for security risk. Whenever an SLA is formed, the level of risk incurred is based on how well the offered service terms meet the organizational security demands. In the cloud, additional SLAs between third party cloud service providers are formed to federate cloud resources, effectively distributing organizational risk among the various providers involved in the negotiated federations or service compositions. At runtime, whenever a cloud or service violates its SLA with respect to security controls or cancels any security offerings, the risk of noncompliance with organizational security policies increases. This paper provides a process to adapt to the propagated changes of service provider security risks within a service composition or federation due to SLA violations. The process is based on a distributed risk-aware renegotiation algorithm that replaces services if they violate SLAs.