An analysis of the alignment of the contracts for Cloud Computing with the norms and recommendations

16ª Conferência da Associação Portuguesa de Sistemas de Informação (CAPSI’2016) 22 a 24 de Setembro de 2016, Porto, Portugal

ISSN 2183-489X

DOI http://dx.doi.org/10.18803/capsi.v16.16-24

16

An analysis of the alignment of the contracts for Cloud Computing with the

norms and recommendations

Teófilo Branco Junior, University of Minho, Portugal, teofilotb@hotmail.com

Abstract

This study evaluated whether the content of the contracts for the provision of IT services platforms in Computer Cloud (PaaS) of some suppliers is adequate to ensure the good practices of an offer and use these services by vendors and clients. To can be auditable, the services agreements must comply with the recommendations and standards of the regulatory bodies and these must clearly be being in their contracts. Through a literature review, this study analyzed the established standards and recommendations under consideration by groups of normative research of the cloud environment. After, we conducted a study about the contractual clauses for the provision of IT services platforms in Cloud for some well-known suppliers that divulge their contracts on the web. A comparison between the recommendations and the terms of these contracts demonstrates there is still a lot to improve this relationship to provide compliance to safety auditability between both parties.

Keywords: Cloud Computing, Information Security, Platform as a Service (PaaS), auditability, Service Level Agreements (SLA).

1. I

The contracting of services under the modality Cloud Computing (CC) is a tendency of growing in the

market and has been several discussions about the security and auditability about this in recent times (Zhu,

Hu, Ahn, & Yau, 2012).

Several IT companies promise advantages in a use of these services such as decrease customer costs in

exchange for more advanced and specialized technologies. This proposal can be attractive and advantageous

for both parties, because the customers in delegating the IT infrastructure maintenance tasks to highly skilled

companies, can focusing their efforts on their end activity. Therefore, the suppliers can provide better

services for their clients increase your receipts and consolidating their business Cloud Computing (Chen,

Paxson, & Katz, 2010a).

However, several issues related to security and quality of service provision has raised discussions in

academia and reflections in the business community about the risks involved in adopting this model of

service at this time. One concern in this regard relates to the establishment of a formal trust relationship

between contractors and providers of this service by establishing Service Level Agreements (SLA) and the

feasibility of audits to verify the delivery of these services. To make viable this idea is must create ways of

verifying these clauses so that contractors and entrepreneurs can control and monitoring their contracts (M.

Kanchana, Sk. Nazar Hussain, Kumar, & Praveen, 2013).

16ª Conferência da Associação Portuguesa de Sistemas de Informação (CAPSI’2016) 17

This article makes an analysis of the cloud provider contracts applied in this moment and checks if they are

aligned with the regulators entities norms and safety recommendations in their clauses.

2. T

The research was conducted to know the rules and recommendations published by institutions involved in

regulating the CC area. The study included the following topics: Standards and recommendations for CC;

and relevant metrics and measures related to the CC.

The following entities that publish and conduct study groups in CC were considered. We selected the entities

by criteria of a significant number of publications and relevance regarding the technical norms:

 NIST National Institute of Standards and Technology;

 EU - European Commission and ENISA - European Network and Information Security Agency;

 ISO - International Organization for Standardization;

 IEEE - Institute of Electrical and Electronics Engineers;

 ETSI - European Telecommunications Standards Security;

 CSMIC - Cloud Services Measurement Initiative Consortium;

 DMTF - Distributed Management Taskforce;

 OMG - Object Manage Group CSCC - Cloud Standards Customer Council;

 CSA - Cloud Security Alliance;

 ISACA - Information Systems and Control Association Inc;

 HISPI - Holistic Information Security Practitioner Institute;

 SANS Institute.

In another hand, four companies that published their contracts on the Internet were selected. These

companies were chosen from the publication of NetworkWorld magazine (“Networkworld,” n.d.) listed the

ten most PaaS providers highlighted in its release on June 4, 2014:

 Amazon;

 Windows Azure;

 IBM;

16ª Conferência da Associação Portuguesa de Sistemas de Informação (CAPSI’2016) 18

Amazon RDS SLA – Database (AWS - Amazon Web Services, 2013a); Amazon EC2 SLA – Elastic (AWS -

Amazon Web Services, 2013c); Amazon S3 SLA – Storage (AWS - Amazon Web Services, 2013b);

Amazon Cloud Watch (AWS - Amazon Web Services, 2010)

 Services Level Agreements (W. Azure, 2015);

 IBM Cloud Services Agreement - Bluemix IBM (IBM, 2014);

 Google Compute Engine Service Level Agreement SLA (Cloud, 2014).

3. T

C

C

Cloud Computing (CC) are deposits of virtualized IT resources readily usable and accessible, in which the

vendor warranties of use and quality of use of these services and the user is tariffed only for what you use.

The service provider supplies the customer's computing resources disengaging it from the purchase and

maintenance of IT infrastructure (Mell & Grance, 2011).

CC is a service model where the premise is providing all kinds of processing information systems and

technological applications, through the provision of infrastructure and data storage over the internet, based

mainly on the user's consumption needs (Buyya, Broberg, & Goscinski, 2011).

A service-level agreement (Service Level Agreement - SLA) is a contract between a supplier of IT services

and a customer specifying in general and often contain measurable terms of what services the client will pay.

Service levels are set at the beginning of any hiring ratio of IT services and are used to measure and monitor

the performance of a vendor supplier (Armbrust, Fox, Griffith, & Joseph, 2009).

The services can be categorized in three layers of computing resources: Infrastructure as a Service (IaaS),

Platform as a Service (PaaS) and Software as service (SaaS) (Armbrust et al., 2009). Figure 1 illustrates such

layers.

Figure 1- Layers in Cloud Computing

The analysis of this paper considers the availability of resources PaaS layer. This choice is because this layer

is the intermediate and the most appropriate for organizations that have their software and applications.

16ª Conferência da Associação Portuguesa de Sistemas de Informação (CAPSI’2016) 19

4. T

Currently, several agencies are working to develop specific safety standards for cloud computing, taking

these surveys for a large number of areas including auditing, applications, encryption, governance, network

security, risk management, storage and virtualization. Through literature review, we identified some entities

that develop relevant studies on the establishment of standards, procedures and recommendations through

their research work groups in CC. Table 1 presents a summary of approaches to each organ.

ENTITY REFERENCE PUBLICATIONS

NIST National Institute of Standards and Technology

NIST SP 800-53r4 (National Institute of Standards and Technology, 2013b); NIST SP 800-144 (Jansen & Grance, 2011); NIST 500-292 – Architecture (Liu et al., 2011); NIST 500-299 SP- Architecture (National Institute of Standards and Technology, 2013a); NIST 500-307 – Metrics (National Institute of Standards and Technology, 2015).

EU - European Commission and ENISA - European Network and Information Security Agency

Trusted Cloud Europe (European Commission, 2014b); A guide to monitoring of Security SLA (Giles Hogben, 2012); Incident reporting for cloud computing (Dekker, Liveri, & Lakka, 2013); Benefits, risks, and recommendations for information security (Catteddu & Hogben, 2009); Cloud Security Guide to SMEs (Dimitra, 2015); CSIG Cloud Service Level Agreement Standardisation Guidelines (European Commission, 2014a).

ISO - International Organization for Standardization (JTC 1/SC38 - ISO/IEC JTC 1/SC 38)

Catalogue Under development since 2014-09-22

ISO/IEC 17788:2014 Information Technology - Cloud Computing - Overview and vocabulary; ISO/IEC 17789:2014 Information Technology - Cloud Computing - Reference Architecture; ISO/IEC 17826:2012

Information Technology - Cloud Data Management Interface (CDMI); ISO/IEC AWI 19941 Information Technology - Cloud Computing - Interoperability and Portability; ISO/IEC AWI 19944 Information Technology - Cloud Computing - Data and their Flow across Devices and Cloud Services; ISO/IEC NP 19086-1 Part 1: Overview and concepts; ISO/IEC NP 19086-2 Part 2: Metrics; ISO/IEC NP 19086-3 Requirements IEEE - Institute of Electrical and

Electronics Engineers Standard P2301 Working Group; Standard P2302 Inter Cloud. ETSI - European

Telecommunications Standards Security

Cloud Standards Coordination (ETSI, 2013) CSMIC - Cloud Services

Measurement Initiative Consortium

CSMIC framework 2.1 Overview (CSMIC, 2014) DMTF - Distributed

Management Taskforce

Base Metrics Profile DSP1053 - 2011.07.31 (Benke et al., 2012); Cloud Audit Data Federation DSP 2038 (Management Task Force, 2015) OMG - Object Manage Group

CSCC - Cloud Standards Customer Council

Practical Guide to Cloud SLA V 1.0 (Meegan, Singh, Woodwar, Venticinque, & Rak, 2012)

CSA - Cloud Security Alliance (Guidance V.4: In development)

CSA releases the Cloud Trust Protocol data model and API (CSA Cloud Security Alliance, 2015); CSA Guidance V.3.0 (CSA Cloud Security Alliance, 2011); Cloud Control Matrix v3.01

ISACA - Information Systems

and Control Association Inc. Controls and Assurance in Cloud COBIT-5 (ISACA, 2014) HISPI - Holistic Information

Security Practitioner Institute CAAP Validate Score

SANS Institute Security SLA for Cloud (Hoehl & Pelaez, n.d.) Table 1 - Norms and references for entities that study the CC

16ª Conferência da Associação Portuguesa de Sistemas de Informação (CAPSI’2016) 20

On The CC environment, one of the challenges is to develop mutual auditing templates for agreements

management (SLAs), so that may be established a trust between the partners, thus consolidating the use of

this environment through a formal relationship, involving relevant legal responsibilities (Chen, Paxson, &

Katz, 2010b)

After analyzing the entities that conduct studies within the framework of rules and procedures in CC, there is

a series of standards and recommendations proposed to become the safest CC environment and proposes to

serve to support service contracts through clauses SLA.

Notes a greater standardization between entities regarding metrics and principles adopted for the SLA

agreements. Some bodies develop joint studies to establish standards and regulations for the CC

environment.

In general, the recommendations are based on processes considered "best practices" adopted in traditional IT

environment and SI being adapted the specifics of the CC environment.

The analysis of these norms and recommendations demonstrates the follows areas of interest: Technical

security mechanisms, safety guidelines recommendations, establish specific metrics for measuring

performances of safety and compliance.

5. T

P

S

The supply contracts by the selected companies (Amazon, Azure, IBM and Google) were listed the main

clauses and metrics involved in SLA agreements by a corporation, as shown in Table 2.

ENTITY REFERENCE PUBLICATIONS CLAUSES APPROACHED IN SLAS CONTRACTS

AWS - Amazon Web Service

Amazon RDS SLA – Database (AWS - Amazon Web Services, 2013a); Amazon EC2 SLA – Elastic (AWS - Amazon Web Services, 2013c); Amazon S3 SLA – Storage (AWS - Amazon Web Services, 2013b); Amazon Cloud Watch (AWS - Amazon Web Services, 2010)

Specification in uses cases and compensation in case of not available services; Access error rate; possible uptime in the month.

Windows

Azure Services Level Agreements (W. Azure, 2015)

Billing about deployment sites, using the Visual Studio online, manages traffic on the network, storage with geographic redundancy, use access to SQL database, site recovery service, Event Hubs services, Notification Hubs, Service Bus, Transaction research, Task Scheduler, using RemoteApp service, Multifactor Authentication Service, Activity mobile services, Protection to content, Media Services, HD Insight, Using Express route service, Performance measurement, Cache utilization, Using BizTalk, Backup service, Automation, API Management

IBM Smart Cloud

IBM Cloud Services Agreement - Bluemix IBM (IBM, 2014)

Best Practices to developed SLAs in Cloud (Myerson, 2013)

Forms of consulting contracts and helpdesk uses; specification about charging services; data security modes involving isolation, users identify; disposed of possible logs available.

16ª Conferência da Associação Portuguesa de Sistemas de Informação (CAPSI’2016) 21 Google App

Engine

Google Compute Engine Service Level Agreement SLA (Cloud, 2014).

Google Cloud Platform Terms (Google Cloud Platform, 2015)

Only clauses about uses and compensations in case of services unavailable.

Table 2 - Cloud Suppliers, references publications and principals’ clauses in SLAs contracts

Most of the provisions services (SLAs) are related to loading conditions and service availability. In most

contracts, to deal with the availability services are referenced through metrics that represent the performance

and availability of each of the services listed in a period of 30 days. Each service has its calculation formula.

The focus of the major terms in the SLA contracts of suppliers refer to commercial clauses of use like prices

for the services. Some of these clauses establishing rates and payment punishment in defaults rate cases.

The other content of the terms refers to the availability services. All the providers, in their contracts, offer

pledge a compensation for unavailability of any service through a corresponding time credit in minutes to

deduce from the next bill.

Another fact verified refers to the lack of a standardization of common nomenclatures by contractual

arrangements between companies and for the metrics used in contracts by the providers themselves. In this

way, each supplier has its proprietary metrics.

Regarding the possibility of monitoring or audit, service providers Microsoft Azure (M. Azure, 2015) and

IBM (IBM, 2014) allow the customer chooses to hire a third party to perform the control. However,

Microsoft's Azure contract (M. Azure, 2015) limits the scope of restricting the number of these companies

through a list of accredited companies that the customer can hire. The others companies do not allow

auditing or external monitoring by limiting the use of a monitoring tool of its property, for which the

customer even paid for their use.

The SLAs provided by suppliers only dealing with legal terms involving financial issues such as payments,

deadlines and responsibilities for such by the contracting client.

6. T

Regarding the possibility of monitoring or audit, service providers Microsoft Azure (M. Azure, 2015) and

IBM (IBM, 2014) allow the customer chooses to hire a third party to perform the control. However,

Microsoft's Azure contract (M. Azure, 2015) limits the scope of restricting the number of these companies

through a list of accredited companies that the customer can hire. The others companies do not allow

auditing or external monitoring by limiting the use of a monitoring tool of its property, for which the

customer even paid for their use. Table 3 shows the explicit permissions of the Sla`s PaaS suppliers related in

Section 5 to verify the compliance with the regulatory standards listed in Section 4.

16ª Conferência da Associação Portuguesa de Sistemas de Informação (CAPSI’2016) 22 SLA`S SUPPLIER PROPRIETARY AUDIT / MONITORING THIRD PART

MONITORING THIRD PART AUDIT ASSUMPTION RISKS

AWS - Amazon Yes Not permit Not permit No

Windows Azure No With restrictions With restrictions No

IBM Smart Cloud No Permit Permit No

Google App Engine Yes Not permit Not permit No

Table 3 - Comparison with SLA`s Supplier

7. C

This study allowed us to examine the compliance of provider CC contracts from the perspective of what is

required to ensure an auditability environment and how it can guarantee by contractual clauses (SLAs).

From regulators entities, note that the primary concern is the safety of the CC environment and the users’

operations involved in the cloud. In this sense, the providers of IT services in cloud publish some guides, but

their observance does not is mentioned in contracts clauses.

Regarding regulatory bodies, it is clear that these are developing in-depth studies, but many of them are not

consolidated yet. Many of the proposed standards are still in development or under review.

On the other hand, from the perspective of CC providers, the primary focus is the commercial, as shown by

the clauses dealing with billing services and regarding the issue of availability of the environment. On the

latter, some compensation given to the client for a possible unavailability of the environment is through

discounts on future rates over the coming months.

For aspects of confidentiality and integrity, some vendors omit or do not address explicitly and transparent

forms of verification and the implications that providers are subject. Another fact that stands out is how to

monitor services, often through use of metrics and measurement tools imposed by CC own service providers.

The omission in some security requirements in SLA agreements proposed by providers leads to the

conclusion that is not possible to offer guarantees about the safety and the quality of services explicitly in the

contracts.

There is still a need for many studies and work to develop for improving relationships between the suppliers

and customers in this scope, clearly defining the issues surrounding security and normative uses in the

business relationship through in the formal contracts to allow audits.

8. A

Our thanks to ALGORITMI CENTER - The research unit of the School of Engineering - University of

Minho - Portugal to support this publication. This work has been supported by FCT - Fundação para a

Ciência e Tecnologia within the Project Scope UID/CEC/00319/2013.

16ª Conferência da Associação Portuguesa de Sistemas de Informação (CAPSI’2016) 23

9. R

Armbrust, M., Fox, A., Griffith, R., & Joseph, A. (2009). Above the clouds: A Berkeley view of cloud computing.

University of California, Berkeley, Tech. Rep. UCB, 07–013. Retrieved from http://scholar.google.com/scholar?q=intitle:Above+the+clouds:+A+Berkeley+view+of+cloud+computing#0 AWS - Amazon Web Services. (2010). Amazon CloudWatch Developer Guide API Version 2010-08-01 Amazon

CloudWatch : Developer Guide.

AWS - Amazon Web Services. (2013a). Acordo de Nível de Serviço Amazon RDS. Retrieved from https://aws.amazon.com/pt/rds/sla/

AWS - Amazon Web Services. (2013b). Contrato de Nível de Serviço do Amazon S3. Retrieved from https://aws.amazon.com/pt/s3/sla/

AWS - Amazon Web Services. (2013c). Contrato de Nível de Serviços da Amazon EC2. Retrieved from https://aws.amazon.com/pt/ec2/sla/

Azure, M. (2015). Contrato de Nível de Serviço do Microsoft Azure. Retrieved from http://azure.microsoft.com/en-us/support/legal/sla/

Azure, W. (2015). Service Level Agreements. Retrieved from https://azure.microsoft.com/en-us/support/legal/sla/ Benke, O., Johanssen, M., Maier, A., Merkin, A., Papanyan, K., Schopmeyer, K., & Shah, N. (2012). Base Metrics

Profile V2, 1–91. Retrieved from

http://www.dmtf.org/sites/default/files/standards/documents/DSP1053_1.1.0a.pdf

Buyya, R., Broberg, J., & Goscinski, A. (2011). Cloud Computing: Principles and Paradigms. Cloud Computing:

Principles and Paradigms. John Wiley and Sons. Retrieved from http://books.google.pt/books?id=S1NvRRd77rQC&lpg=PT18&ots=HSi9o6Zo0g&dq=Cloud Computing: Principles and Paradigms&lr&hl=pt-BR&pg=PT23#v=onepage&q=Cloud Computing: Principles and Paradigms&f=false

Catteddu, D., & Hogben, G. (2009). Benefits, risks, and recommendations for information security. Computing, 72(1), 2009–2013. http://doi.org/10.1007/978-3-642-16120-9_9

Chen, Y., Paxson, V., & Katz, R. (2010a). What’s new about cloud computing security. of California, Berkeley Report

No. UCB/. California. Retrieved from

http://www.utdallas.edu/~muratk/courses/cloud13s_files/what-is-new-in-cloud-security.pdf

Chen, Y., Paxson, V., & Katz, R. (2010b). What’s new about cloud computing security. … of California, Berkeley

Report No. UCB/ …. Retrieved from

http://www.utdallas.edu/~muratk/courses/cloud13s_files/what-is-new-in-cloud-security.pdf

Cloud, G. (2014). Google Compute Engine Service Level Agreement ( SLA ). Retrieved from https://cloud.google.com/compute/sla

CSA Cloud Security Alliance. (2011). Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. Cloud

Security Alliance, 3, 155. http://doi.org/10.1016/S1353-4858(99)90042-9

CSA Cloud Security Alliance. (2015). CTP Data Model and API, rev. 2.13, (October). Retrieved from https://downloads.cloudsecurityalliance.org/assets/research/cloudtrust-protocol/CTP-Data-Model-And-API.pdf CSMIC. (2014). Service Measurement Index Introducing the Service Measurement Index ( SMI ), (July), 1–8.

Retrieved from http://csmic.org/downloads/SMI_Overview_TwoPointOne.pdf

Dekker, M., Liveri, D., & Lakka, M. (2013). Cloud Security Incident Reporting - Framework for reporting about

major cloud security incidents. European Union Agency for Network and Information Security.

http://doi.org/10.2788/14231

Dimitra, L. (ENISA). (2015). Cloud Security Guide for SMEs. (E. U. A. for N. and I. S. (ENISA), Ed.). http://doi.org/10.2824/508412

ETSI. (2013). Cloud Standards Coordination Final Report. European Telecommunications Standards Institute (ETSI)

for the European Commission, (November), 59.

European Commission. (2014a). Cloud Service Level Agreement Standardisation Guidelines, 1–41. European Commission. (2014b). Establishing a Trusted Cloud Europe. http://doi.org/doi:10.2759/44445

Giles Hogben, M. D. (2012). A guide to monitoring of security service levels in cloud contracts. ENISA Europe. Retrieved from http://www.enisa.europa.eu/media/press-releases/procure-secure-enisa2019s-new-guide-for-monitoring-cloud-computing-contracts

Google Cloud Plataform. (2015). Google Cloud Platform Terms of Service. Retrieved from https://cloud.google.com/terms/

Hoehl, M., & Pelaez, M. H. S. (n.d.). Proposal for standard Cloud Computing Security SLAs - Key Metrics for Safeguarding Confidential Data in the Cloud.

IBM. (2014). IBM Cloud Services Agreement IBM Cloud Service Description : IBM Bluemix. Retrieved from http://www-03.ibm.com/software/sla/sladb.nsf/pdf/6605-01/$file/i126-6605-01_06-2014_en_US.pdf

ISACA. (2014). Controls and Assurance in the Cloud : Using COBIT-5. Retrieved from www.isaca.org/controls-and-assurance-in-the-cloud

16ª Conferência da Associação Portuguesa de Sistemas de Informação (CAPSI’2016) 24 November 27, 2015, from http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494

Liu, F., Tong, J., Mao, J., Bohn, R., Messina, J., Badger, L., & Leaf, D. (2011). NIST Cloud Computing Reference Architecture. Retrieved November 27, 2015, from http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505 M. Kanchana, Sk. Nazar Hussain, Kumar, M. K., & Praveen, C. (2013). Preserving Audit of Secure Data Storage

Services in Cloud Computing. International Journal of Advanced Research in Computer Science, 4(5), 70–73. Retrieved from http://www.ijarcs.info/?wicket:interface=:3::::

Management Task Force, I. (DMTF). (2015). Cloud Audit Data Federation - OpenStack Profile, 1–60. Retrieved from https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf

Meegan, J., Singh, G., Woodwar, S., Venticinque, S., & Rak, M. (2012). Practical Guide to Cloud Service Level Agreements version 1.0. Cloud Standards Customer Council, 1–44. Retrieved from http://scholar.google.com/scholar?hl=en&btnG=Search&q=intitle:Practical+Guide+to+Cloud+Service+Level+Ag reements#0

Mell, P., & Grance, T. (2011). The NIST Definition of Cloud Computing Recommendations of the National Institute of

Standards and Technology. National Institute of Standards and Technology, Information Technology Laboratory

(Vol. 145). http://doi.org/10.1136/emj.2010.096966

Myerson, J. M. (2013). Best practices to develop SLAs for cloud computing Develop a standard way to create service level agreements that multiple partners can use, 1–9. Retrieved from http://www.ibm.com/developerworks/cloud/library/cl-slastandards/cl-slastandards-pdf.pdf

National Institute of Standards and Technology. (2013a). NIST Cloud Computing 6 Security Reference Architecture. Retrieved November 27, 2015, from http://bigdatawg.nist.gov/_uploadfiles/M0007_v1_3376532289.pdf

National Institute of Standards and Technology. (2013b). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved November 27, 2015, from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

National Institute of Standards and Technology. (2015). Cloud Computing Service Metrics Description. Retrieved November 27, 2015, from http://www.nist.gov/itl/cloud/upload/RATAX-CloudServiceMetricsDescription-DRAFT-20141111.pdf

Networkworld. (n.d.). Retrieved from http://www.networkworld.com/article/2288002/cloud-computing/10-most-powerful-paas-companies.html

Zhu, Y., Hu, H., Ahn, G.-J., & Yau, S. S. (2012). Efficient audit service outsourcing for data integrity in clouds.