Cloud security frameworks and measures for SLA (Service Level Agreement)

Sammanfattning: Small companies and organizations have expressed doubts about using cloud services due to unclear Service Level Agreement (SLA) contracts. These contracts are usually based on security frameworks and measures adapted for data security in general, but not for complex cloud data specifically. The purpose of this study was therefore to compare end users’ opinions of the security measures and security frameworks that were being used for their SLA contracts for cloud services. The study was carried out through semi-structured interviews, thematization, and comparison with earlier research on SLA and cloud security. The result showed that security frameworks on which SLA contracts were based were being used in a too general way by cloud service providers. This made the contracts unclear and not entirely relevant to their own operations. Therefore, the users wanted implementations of security measures that were easier to interpret, well-established and recognized, and relevant to their own operations. The users wanted the security measures to be more detailed by having the cloud service providers divide them into more categories relevant to their particular activities. The users also wanted SLA contracts adapted to their individual needs for cloud security specifically. One conclusion was that frameworks such as ISO, NIST, and COBIT were being used in a too general way for generating cloud service SLAs. Another conclusion was that cloud service security measures should be more specific to users’ own operations and easier to interpret in relation to established frameworks. Cloud service providers could use NIST, ISO, and COBIT to generate more specific measures. One solution would be to automatically generate more specific SLA contracts by auto-selecting established frameworks and well-defined security measures.