Security SLAs for cloud services: Hadoop case study

Cloud paradigm is currently one of the most remunerative segments of Information Technology. It has gained the interest of a very large number of corporates and organizations. However, despite the promising features, security is the major concern for businesses that want to shift their services to the cloud. On the other hand, business critical systems must be certified against a set of security controls to be compliant to security standards, as well as to mitigate potential security incidents. Therefore, cloud service providers must employ adequate security measures that conform to security controls expected by the information systems they host; moreover, they should be able to grant the correct application of such controls to their customers. Security service level agreements (SLAs) are a way to face such issues, through the definition of contracts among cloud service providers and customers that clearly state the security grants applied to the offered cloud services. This chapter illustrates a case study that describes how it is possible to implement such security SLAs on a concrete cloud service, which offers Apache Hadoop services over public cloud providers. The chapter outlines how to write and assess security SLAs on such services.