Methodology to Obtain the Security Controls in Multi-cloud Applications

Samuel Olaiya Afolaranmi, Luis E. Gonzalez Moctezuma, Massimiliano Rak, Valentina Casola, Erkuden Rios, Jose L. Martinez Lastra

Abstract

Deciding which controls should be used to ensure an adequate security level during operation is a non-trivial problem in complex software systems and applications. The problem becomes even more challenging when the application uses multiple cloud services whose security measures are beyond the control of the application provider. In this paper, a methodology is presented that enables the identification of the best security controls for multi-cloud applications whose components are deployed in heterogeneous clouds. The methodology is based on application decomposition and modelling of threats over the components, followed by the analysis of the risks together with the capture of cloud business and security requirements. The methodology has been applied in the MUSA EU H2020 project use cases as the first step for building up the multi-cloud applications' security-aware Service Level Agreements (SLAs). The identified security controls will be included in the applications' SLAs for their monitoring and fulfilment assurance at operation.
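The pipeline the abstract describes (decompose the application into components, attach threats to each component, rank them by risk, fold in business and security requirements, and emit the set of controls that belongs in the SLA) can be sketched as a small program. The following is an added illustration, not code from the paper or the MUSA project: the component names, threats, likelihood/impact scores, control identifiers (`CTRL-*`) and the `operated_by` field are constructed placeholders, and the risk metric (likelihood times impact against a fixed threshold) is one common choice, not the paper's scoring method. The point it adds is the distinction the abstract draws between controls the application provider runs itself and controls a cloud provider runs, which can only be assured by monitoring them through the SLA.

```python
"""Risk-driven selection of security controls for a multi-cloud application.

Added illustrative example. All component names, threats, scores and control
identifiers below are constructed placeholders, not the paper's data and not
identifiers from any control catalogue.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Threat:
    component: str      # application component the threat applies to
    name: str
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)

    @property
    def risk(self) -> int:
        # Simple likelihood x impact score (assumed metric, not the paper's)
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    control_id: str
    mitigates: FrozenSet[str]   # threat names this control addresses
    operated_by: str            # "app" = application provider, "csp" = cloud provider


def significant_threats(threats: List[Threat], threshold: int) -> List[Threat]:
    """Threats whose risk score reaches the threshold, highest risk first."""
    return sorted((t for t in threats if t.risk >= threshold),
                  key=lambda t: (-t.risk, t.component, t.name))


def select_controls(threats: List[Threat], controls: List[Control], threshold: int,
                    requirements: Dict[str, FrozenSet[str]]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Map each component to the controls it needs.

    A control is selected when it mitigates a significant threat on that
    component. Controls demanded by captured business/security requirements are
    added regardless of risk score. Threats that no available control addresses
    are reported as unmitigated so they can be escalated rather than lost.
    """
    selection: Dict[str, set] = {}
    unmitigated: List[str] = []
    for threat in significant_threats(threats, threshold):
        candidates = [c for c in controls if threat.name in c.mitigates]
        if not candidates:
            unmitigated.append(f"{threat.component}:{threat.name}")
            continue
        selection.setdefault(threat.component, set()).update(c.control_id for c in candidates)
    for component, ids in requirements.items():
        selection.setdefault(component, set()).update(ids)
    return {k: sorted(v) for k, v in sorted(selection.items())}, unmitigated


def sla_entries(selection: Dict[str, List[str]], controls: List[Control]) -> List[dict]:
    """Turn the selection into SLA rows; CSP-operated controls must be monitored."""
    by_id = {c.control_id: c for c in controls}
    entries = []
    for component, ids in selection.items():
        for cid in ids:
            ctrl = by_id[cid]
            entries.append({"component": component, "control": cid,
                            "operated_by": ctrl.operated_by,
                            # Beyond the app provider's control: assurance only via SLA monitoring
                            "monitor": ctrl.operated_by == "csp"})
    return entries


# Constructed sample application: a front end on one cloud, a database on another.
THREATS = [
    Threat("web-frontend", "credential-theft", 4, 4),       # risk 16
    Threat("web-frontend", "dos", 3, 2),                    # risk 6, below threshold
    Threat("database", "data-at-rest-exposure", 2, 5),      # risk 10
    Threat("database", "insider-admin-access", 3, 4),       # risk 12, no control available
    Threat("database", "backup-loss", 1, 3),                # risk 3, below threshold
]
CONTROLS = [
    Control("CTRL-MFA", frozenset({"credential-theft"}), "app"),
    Control("CTRL-STORAGE-ENC", frozenset({"data-at-rest-exposure"}), "csp"),
    Control("CTRL-DDOS-SHIELD", frozenset({"dos"}), "csp"),
    Control("CTRL-GEOLOC", frozenset(), "csp"),  # required by a (constructed) data-location rule
]
REQUIREMENTS = {"database": frozenset({"CTRL-GEOLOC"})}
RISK_THRESHOLD = 8


if __name__ == "__main__":
    chosen, gaps = select_controls(THREATS, CONTROLS, RISK_THRESHOLD, REQUIREMENTS)
    for row in sla_entries(chosen, CONTROLS):
        print(row)
    print("unmitigated:", gaps)
```

Running it lists one application-operated control (`CTRL-MFA`) and two cloud-provider-operated controls on the database that the SLA must monitor, and flags `database:insider-admin-access` as a significant threat with no matching control, which is the case where the methodology would send the team back to the requirements or the provider selection rather than silently accepting the risk.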



Paper Citation


in Harvard Style

Afolaranmi S., Moctezuma L., Rak M., Casola V., Rios E. and Lastra J. (2016). Methodology to Obtain the Security Controls in Multi-cloud Applications. In Proceedings of the 6th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-758-182-3, pages 327-332. DOI: 10.5220/0005912603270332


in Bibtex Style

@conference{closer16,
author={Samuel Olaiya Afolaranmi and Luis E. Gonzalez Moctezuma and Massimiliano Rak and Valentina Casola and Erkuden Rios and Jose L. Martinez Lastra},
title={Methodology to Obtain the Security Controls in Multi-cloud Applications},
booktitle={Proceedings of the 6th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER},
year={2016},
pages={327-332},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005912603270332},
isbn={978-989-758-182-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 6th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER
TI - Methodology to Obtain the Security Controls in Multi-cloud Applications
SN - 978-989-758-182-3
AU - Afolaranmi S.
AU - Moctezuma L.
AU - Rak M.
AU - Casola V.
AU - Rios E.
AU - Lastra J.
PY - 2016
SP - 327
EP - 332
DO - 10.5220/0005912603270332