QRES: Quantitative Reasoning on Encrypted Security SLAs

TL;DR

QRES is a system that enables cloud providers to securely share detailed security SLA information in encrypted form, allowing customers to verify security guarantees without compromising confidentiality, using advanced cryptographic techniques.

Contribution

QRES introduces a novel privacy-preserving system for secure SLA disclosure and verification leveraging Secure Two Party Computation and Searchable Encryption.

Findings

System runs efficiently with multiple CSPs in real-world tests.

Formal security proof against strong adversarial models.

Applicable to standardized SLAs for practical deployment.

Abstract

While regulators advocate for higher cloud transparency, many Cloud Service Providers (CSPs) often do not provide detailed information regarding their security implementations in their Service Level Agreements (SLAs). In practice, CSPs are hesitant to release detailed information regarding their security posture for security and proprietary reasons. This lack of transparency hinders the adoption of cloud computing by enterprises and individuals. Unless CSPs share information regarding the technical details of their security proceedings and standards, customers cannot verify which cloud provider matched their needs in terms of security and privacy guarantees. To address this problem, we propose QRES, the first system that enables (a) CSPs to disclose detailed information about their offered security services in an encrypted form to ensure data confidentiality, and (b) customers to assess the CSPs' offered security services and find those satisfying their security requirements. Our system preserves each party's privacy by leveraging a novel evaluation method based on Secure Two Party Computation (2PC) and Searchable Encryption techniques. We implement QRES and highlight its usefulness by applying it to existing standardized SLAs. The real world tests illustrate that the system runs in acceptable time for practical application even when used with a multitude of CSPs. We formally prove the security requirements of the proposed system against a strong realistic adversarial model, using an automated cryptographic protocol verifier.