Computer Science ›› 2016, Vol. 43 ›› Issue (5): 100-107. doi: 10.11896/j.issn.1002-137X.2016.05.019

• Information Security •

Research of Cloud Provider Selection Method Based on SecLA

ZHU Hua-min, WU Li-fa and KANG Hong-kai

  1. College of Command Information Systems, PLA University of Science and Technology, Nanjing 210007
  • Online: 2018-12-01 Published: 2018-12-01
  • Supported by:
    This work was supported by the Natural Science Foundation of Jiangsu Province (BK20131069)

Abstract: As the range of cloud computing applications expands, users are increasingly concerned about the security of cloud services. Existing cloud provider selection methods focus on performance and cost and seldom address security, and there is no effective method for evaluating the security attributes of cloud services. To address this, the paper presents a method for the quantitative assessment and comparison of cloud security based on the security level agreement (SecLA). First, it builds a cloud provider security index system and a quantitative scoring model based on the Cloud Controls Matrix (CCM) and the accompanying Consensus Assessments Initiative Questionnaire (CAIQ), both published by the Cloud Security Alliance (CSA). Second, it designs a template framework for the cloud SecLA by extending WS-Agreement. Finally, it introduces two underprovisioning parameters to enhance the comparison method of alternatives advantage degree, realizing the quantitative comparison of SecLAs in the cloud computing environment. Experiments verify that the methods are feasible and effective. Compared with the reference evaluation method (REM) and the simple linear weighted method, the resulting ranking of cloud providers is more reasonable, and the underprovisioning parameters provide a good auxiliary effect for decision making.

Key words: Cloud computing, Cloud security assessment, Cloud security quantification, Security level agreement (SecLA), Cloud provider selection
