SLAs and Risk management

CLOVIS objective is to improve GRC (Governance, Risk management and Compliance), SLA and exception management of cloud infrastructure services (also known as “Infrastructure-as-a-Service” (IaaS)) by defining a service-level framework that integrates ISSRM and SLA capabilities.


An emerging vision for the future of the Internet suggests the intensive use of the Internet of Services; where users (individuals or companies) no longer own their computing resources (e.g. servers) but use services on demand (Software as a Service, SaaS) without having to deal with their complexity.

This technological breakthrough raises serious issues regarding information security and data privacy. The distributed nature of the approach challenges many principles of IS (Information System) that need to be adapted, even re-thought. Moreover, many new threats are emerging, for example due to multi-tenancy (infrastructure and services). Due to the almost unlimited computation capacities of cloud computing platforms, any vulnerability may be the source of disastrous consequences.

In this context, IS Security Risk Management (ISSRM) is paramount because it helps to adopt relevant and cost-effective security measures. However, current ISSRM methods only provide a snapshot of the current situation of an IS. This snapshot generally needs to be updated occasionally (once or twice a year for example), but it does not need to be dynamic. In our context, the situation is different, with services that may be added, removed, or modified very often. The current ISSRM approaches are thus inadequate and need to be adapted and improved in order to enable efficient use in such versatile and dynamic environments as cloud computing systems.

Moreover, in terms of risk management in a service-oriented context, the risk treatments are often done through Service Level Agreements (SLA). SLA have become increasingly important, as they define the terms and conditions for the provisioning and delivery of services, including those related to security. Given the diversity of providers of on-demand services (infrastructure, platforms, and software as a service), SLA management will increasingly rely on digital approaches, thus enabling / requiring them to be taken into account in real time within ISSRM frameworks. To this end, the project will work on the study and integration of Exception Management in managed and persistent protection approaches used in enterprise DRM environments.

As a result, the paradigmatic evolution towards cloud and on-demand computing requires major re-thinking of information security. Traditional perimeter-based approaches are no longer valid in a highly versatile, nomadic, and service-based environment, which rather calls for studying novel approaches capable of integrating flexibility by design, that shall be integrated within broader ISSRM frameworks. The overall objective of this project is to improve GRC (Governance, Risk management and Compliance) as well as SLA and exception management in a cloud computing environment, by providing relevant and flexible models and tools. This will be achieved through the definition of a service-level framework integrating ISSRM and SLA capabilities. Tool support for implementing the models produced shall also be developed. The development of these results will be based on information gathering both on a theoretical example and on a specific case. Throughout the project, the results will be validated in a concrete case study in order to identify inconsistencies and opportunities for improvement at the earliest possible stages