
2017 | OriginalPaper | Chapter

Investigating Security Capabilities in Service Level Agreements as Trust-Enhancing Instruments

Authors: Yudhistira Nugraha, Andrew Martin

Published in: Trust Management XI

Publisher: Springer International Publishing


Abstract

Many government agencies (GAs) increasingly rely on external computing, communications and storage services supplied by service providers (SPs) to process, store or transmit sensitive data, in order to increase scalability and decrease the cost of maintaining services. The relationships with external SPs are usually established through service level agreements (SLAs), which act as trust-enhancing instruments. However, there is a concern that existing SLAs focus mainly on system availability and performance and overlook security. In this paper, we investigated ‘real world’ SLAs in terms of the security guarantees they give between GAs and external SPs, using Indonesia as a case study. The paper develops a grounded adaptive Delphi method to clarify the current and potential attributes of security-related SLAs that are common among external service offerings. To this end, we conducted a longitudinal study of the Indonesian government auctions of 59 e-procurement services from 2010–2016 to identify the ‘auction winners’. We then invited five selected major SPs (n = 15 participants) to take part in a three-round Delphi study. Using a grounded theory analysis, we examined the Delphi study data to categorise and generalise the extracted statements in the process of developing propositions. We observed that most of the GAs placed significant importance on service availability, but the security capabilities of the SPs were not explicitly expressed in SLAs. Additionally, the GAs often use the service availability provisions as a lever to demand additional security capabilities from the SPs. We also observed that most of the SPs had difficulty addressing data confidentiality and integrity in SLAs. Overall, our findings call for a proposition-driven analysis of the Delphi study data to establish the foundation for incorporating security capabilities into security-related SLAs.


Metadata

Title: Investigating Security Capabilities in Service Level Agreements as Trust-Enhancing Instruments
Authors: Yudhistira Nugraha, Andrew Martin
Copyright Year: 2017
DOI: https://doi.org/10.1007/978-3-319-59171-1_6