
Analysing Security in Service Level Agreement (SLA)

ABSTRACT   Context: This project puts to test the following hypothesis, “Web Services are widely deployed and play an important role in today’s Internet paradigm”. The role of web services is currently a broad aspect in research, academia and e-commerce. This is for example, numerous services such as, email, storage and cloud

Security Issues in Peer-to-peer Networking

ACKNOWLEDGEMENTS:

My interest in the field of networking drove me to take computer networking as my course in M.Sc. There are many different types of networks; of them, the more popularised and upcoming trend of networks is peer-to-peer networks. This report of my final dissertation for the partial fulfilment of my M.Sc. in computer networking would not have been possible without the support of my supervisor, Mr. Harry Benetatos. He helped me a lot by guiding me and pinpointing the key mistakes which I made during my research. My course leader Mr. Nicholas Ioannides also helped me a lot to complete this dissertation. His advice and suggestions gave me a lot of encouragement and support, which made me do this research and finish it in time. I am very thankful to my university, LONDON METROPOLITAN UNIVERSITY, which provided me free access to the IEEE library, which helped me to find the key papers which are very useful for my research. I also thank my parents for their support given to me in all walks of my life.

DEDICATION:

I dedicate this report to my parents and my well-wisher Sakshi for their constant support and encouragement throughout my education and life.

CHAPTER 1

PROJECT INTRODUCTION

1.1 INTRODUCTION TO THE PROJECT:

This dissertation is about the security issues in peer-to-peer networks. There are many security issues in peer-to-peer networks; I have chosen to do research on worm intrusions. In this document I describe how a worm propagates in the network from one peer to another, how the worm can be detected, and how the detected worm can be countered to save the network from getting infected.

1.2 AIM:

Security issue in Peer-to-peer networks:

Securing the peer-to-peer network from worms.

1.3 OBJECTIVES:

Ø To understand how the peers communicate with each other in a peer-to-peer network

Ø To analyse the propagation of worms in the network

Ø To detect the worms near the nodes of the network

Ø To defend the network against the worms

1.4 RESEARCH QUESTION:

This document briefly discusses how worms propagate in the network and how they can be detected and countered in order to save the peer-to-peer network.

1.5 APPROACH:

My approach for this dissertation is as follows:

Ø Understanding peer-to-peer networks

Ø Defining the problem

Ø Data collection and analysis

Ø Study and understanding the existing solutions for the problem

Ø Comparing different solutions

Ø Conclusion

1.6 METHODOLOGY:

This section of my document lists the important steps to be followed in order to achieve the stated objectives. It also helps to schedule how to develop and complete the different parts of the dissertation.

In this dissertation I will first study and understand peer-to-peer networks and how the peers in the network communicate and share information with the remaining peers. Then I will research how the worm propagates in the network, how the worm can be detected and how the detected worm can be countered to restore the network. In pictorial form, the different stages of my dissertation are:

Literature review:

Study and understand the peer-to-peer networks

Identifying the problem:

Securing the nodes of the peer-to-peer networks from the worms

Solution to the problem:

Understanding how the worm propagates from one node to another in the network.
Detecting the worm in the network.
Attacking the detected worm and saving the network
Comparing the results
Conclusion

1.7 PREVIEW ABOUT THE COMING CHAPTERS IN THE REPORT:

The rest of the report is organised as follows. Chapter 2 contains a brief discussion of peer-to-peer networks, the different types of peer-to-peer networks, and their advantages and disadvantages. There is also some information about worms, their nature and the different types of worms. Chapter 3 discusses the methods given by different people to detect the worm in the network by matching the characteristic string of the worm. Chapter 4 gives a solution for this issue: a mathematical method of detecting the worm in the network and defending against it. Chapter 5 consists of a critical appraisal and suggestions for further work. Finally, I conclude in chapter 6.

CHAPTER 2

OVERVIEW OF THE GENERIC AREA AND IDENTIFICATION OF PROBLEM:

2.1 NETWORK:

A network is a group of electronic devices which are connected to each other in order to communicate with each other. The devices can be computers, laptops, printers etc. Networks can be wired or wireless. Wired networks are networks in which the devices are connected with the help of wires; wireless networks are networks in which the devices are connected without wires. There are many different types of networks, and peer-to-peer is one of the important and special types of networks.

2.2 PEER-TO-PEER NETWORKS:

Peer-to-peer networks emerged in 1990 because of the development of peer-to-peer file sharing like Napster [1]. Peer-to-peer networks, abbreviated as p2p networks, are networks in which all the nodes or peers act as servers as well as clients on demand. This is unlike the typical client-server model, in which the clients request services and the server supplies the resources; in a peer-to-peer network every node requests services like a client and every node supplies resources like a server on demand. A peer-to-peer network doesn’t need any centralized server coordination. A peer-to-peer network is scalable: the addition of new nodes to the network or the removal of existing nodes doesn’t affect the network, so nodes can be added or removed dynamically. All the nodes connected in a peer-to-peer network run the same network protocol and software. Resources available on one node in the network are available to the remaining nodes, which can access this information easily. Peer-to-peer networks provide robustness and scalability. All wired and wireless networks can be configured as peer-to-peer networks; home networks and small enterprise networks are preferably configured as peer-to-peer networks. Most networks are not pure peer-to-peer networks because they use some network interface devices. In the beginning, the information was stored at all the nodes by making a copy of it, but this increases the flow of traffic in the network. Now, a centralised system is maintained by the network and requests are directed to the nodes which contain the relevant information. This saves time and traffic flow in the network.

2.3 WIRELESS NETWORKS:

Devices connected to each other without any wires can also be configured as peer-to-peer networks. In the case of a small number of devices it is preferable to configure the network as a wireless peer-to-peer network because it will be easy to share the data in both directions. It is even cheaper to connect the networks in wireless peer-to-peer because we do not need to spend on wires.

Peer-to-peer networks are divided into three types. They are:

  1. Instant messaging networks
  2. Collaborative networks
  3. Affinity community networks[2]

Instant messaging networks:

In this type of peer-to-peer network, the users can chat with each other in real time by installing software such as MSN Messenger, AOL Instant Messenger etc.

Collaborative networks:

This type of peer-to-peer network is also called distributed computing. It is widely used in the fields of science and biotechnology where intense computer processing is needed.

Affinity community peer-to-peer networks:

It is a type of p2p network where a group of devices is connected only for the purpose of sharing data among them.

Peer-to-peer networks are basically classified into two types. They are:

Ø Structured peer-to-peer networks

Ø Unstructured peer-to-peer networks

2.4 STRUCTURED PEER-TO-PEER NETWORKS:

In structured peer-to-peer networks the nodes connected in the network are fixed. They use a distributed hash table (DHT) for indexing [4].

In a DHT, data is stored in the form of a hash table of (key, value) pairs. Any node willing to retrieve the data can easily do that using the keys. The mapping of values to keys is maintained by all the nodes present in the network such that there will be very little disruption in case of a change in the set of participants.

DHT-based networks are very efficient in retrieving the resources.
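To make the "very little disruption when the set of participants changes" property concrete, here is an added example (not code from the dissertation or from any particular DHT implementation) of consistent-hashing placement, the mechanism DHTs such as Chord use to assign keys to nodes. Node and key names, the number of virtual points per node (`REPLICAS`) and the sample membership are constructed for the illustration. The function compares the fraction of keys that change owner when a node joins under ring placement against naive `hash(key) mod N` placement:

```python
import bisect
import hashlib


def ring_hash(value):
    """Map a node or key name to a point on a 64-bit ring (SHA-1 truncated; illustrative)."""
    return int.from_bytes(hashlib.sha1(value.encode()).digest()[:8], "big")


class ConsistentHashRing:
    """Toy DHT placement: each node owns the arcs of the ring just before its points.
    REPLICAS virtual points per node smooth out the arc sizes (assumed parameter)."""
    REPLICAS = 50

    def __init__(self, nodes):
        self._points = []   # sorted ring positions
        self._owner = {}    # ring position -> node name
        for node in nodes:
            self.add(node)

    def add(self, node):
        for r in range(self.REPLICAS):
            h = ring_hash(f"{node}#{r}")
            bisect.insort(self._points, h)
            self._owner[h] = node

    def remove(self, node):
        for r in range(self.REPLICAS):
            h = ring_hash(f"{node}#{r}")
            self._points.remove(h)
            del self._owner[h]

    def lookup(self, key):
        """The node responsible for key: the first point clockwise from hash(key)."""
        i = bisect.bisect_right(self._points, ring_hash(key)) % len(self._points)
        return self._owner[self._points[i]]


def remap_fractions(keys, nodes, new_node):
    """Fraction of keys that change owner when new_node joins, for the ring versus
    naive hash(key) mod N placement. Returns (ring_fraction, naive_fraction)."""
    ring = ConsistentHashRing(nodes)
    before = {k: ring.lookup(k) for k in keys}
    ring.add(new_node)
    moved_ring = [k for k in keys if ring.lookup(k) != before[k]]
    # Every key that moved must have moved to the new node, never between old nodes.
    assert all(ring.lookup(k) == new_node for k in moved_ring)
    n = len(nodes)
    moved_naive = sum(1 for k in keys if ring_hash(k) % n != ring_hash(k) % (n + 1))
    return len(moved_ring) / len(keys), moved_naive / len(keys)


# Constructed membership and key set.
NODES = [f"peer-{i}" for i in range(8)]
KEYS = [f"file-{i}" for i in range(2000)]

if __name__ == "__main__":
    print(remap_fractions(KEYS, NODES, "peer-new"))
```

With eight peers, ring placement moves roughly one ninth of the keys (all of them onto the joining peer), while modulo placement reshuffles almost every key; that difference is what lets a DHT stay consistent while peers come and go.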

2.5 UNSTRUCTURED PEER-TO-PEER NETWORKS:

In unstructured p2p networks the nodes are established arbitrarily. There are three types of unstructured p2p networks. They are:

Pure peer-to-peer

Hybrid peer-to-peer

Centralized peer-to-peer

In pure p2p networks all the nodes in the network are equal. There won’t be any preferred node with a special infrastructure function.

In hybrid p2p networks there will be special nodes called “supernodes” [3]. A supernode can be any node in the network depending on the momentary need of the network.

A centralized p2p network is a type of hybrid network in which there is one central system which manages the network. The network cannot work without this centralized system.

Basically, every node in a peer-to-peer network holds the information about its neighbours in its routing table. The rate of propagation of worms in peer-to-peer networks is higher than in other networks, because the information about the neighbour peers can easily be obtained from the routing table of the infected node.

Different types of files are shared between the nodes in peer-to-peer networks. These files can be audio files, video files, music files, text documents, books, articles etc. There is a lot of peer-to-peer software available these days in the market for sharing files. Some of them are BitTorrent, LimeWire, Shareaza, Kazaa, iMesh, BearShare Lite, eMule, KCeasy, Ares Galaxy, Soulseek, WinMX, Piolet, Gnutella, Overnet, Azureus (Vuze), FrostWire, uTorrent, Morpheus, Ants and Acquisition [5]. There is a lot more file sharing software in the market, but these are the top 20 file sharing programs for peer-to-peer networks.

Basically, all the nodes connected together in the network should be configured with the same network protocol, and the same software should be installed on all the nodes in order for them to communicate with each other. Nodes configured with different software or protocols cannot communicate.

2.6 ADVANTAGES OF PEER-TO-PEER NETWORKS [6]:

  1. It is more useful for the small business network comprising of very small number of computer systems or devices.
  2. Computers in this network can be configured easily.
  3. Full time network administrator is not required for the p2p networks.
  4. Easy maintenance of the network.
  5. Only a single operating system and fewer cables are needed to get connected
  6. Can be installed easily
  7. Users can control the shared resources
  8. Distributed nature of the network increases the robustness of the network.

2.7 DISADVANTAGES OF THE PEER-TO-PEER NETWORKS [12]:

  1. No centralised administration
  2. Back-up should be performed on the each computer individually.
  3. Peer-to-peer networks are not secure
  4. Every computer in the network behaves as server and client, which can slow down the performance of the system
  5. Legal controversy with the copyrights.

2.8 WORM:

A worm is a computer malware program, or it can be called a mischievous code, which can replicate itself into several copies. A worm in simple terms can be called an “autonomous intrusion agent” [19]. It doesn’t actually alter the function of the system but passes through it, i.e., a worm is unlike a virus. It intrudes into the network without the mediation of the user.

This was first detected by Robert T Morris in 1988 [18]. Today we have some billions of systems connected to the internet. But during 1988 there were only 60,000 systems connected to the internet. During that period 10% of the internet systems, i.e., 6000 of the systems, were infected and almost clogged because of the worms [8].

When a worm enters the system it hides in the operating system where it cannot be noticed [18]. It drastically slows down the system and affects the other programs in the system. In the worst cases it could even affect the entire network and slow down the internet across the whole world.

As said earlier, it replicates itself into multiple copies, attaches itself to emails, corrupts them and sometimes deletes files without user interaction. If it enters our email, it is able to send itself to all the contacts in our address book, and then to all the contacts of those contacts, and likewise it propagates, grows and spreads at a higher rate.

Worms will even create a “backdoor” into the computer [11]. This makes it easy for attackers to send spam.

Some famous worms discovered in 2003 and 2004 are “Mydoom”, “Sobig” and “Sasser” [7]. The “Sasser” worm has recently affected computers which use the Windows 2000 or Windows XP operating system. It restarts the system automatically and crashes it, and it spreads to all the nodes in the network.

There are some worms which are unlike the normal worms. These worms are sometimes very useful to the user; hence they are called the “helpful worms” [9]. Sometimes they help users without any interaction with the user. But most of the known worms are harmful and will always try to infect the nodes in the network and affect the performance of the network.

When peer-to-peer networks are attacked by worms, the efficiency of the network is reduced. So there is a need to stop the worms from entering the network and spreading themselves all over it. The worms should be detected and defended against. If we delay in defending against these worms, they replicate themselves, make many copies and spread through the whole network. This is very dangerous to the network as it affects the performance and efficiency of the network [10].

CHAPTER 3

RELEVANT WORK DONE BY OTHERS IN ORDER TO SOLVE THE PROBLEM:

Many people have proposed solutions to this problem. First, Zhou L gave a solution to the p2p worm and observed that the propagation of a worm in a p2p network is very fast compared to other networks [13]. Jayanthkumar performed some simulations on worm propagation from an infected node to other nodes [10]. Wei Yu researched the behaviour of worms in p2p networks [14]. In my research I found one more interesting method of detecting worms in the peer-to-peer network. This is indeed a special method of detecting worms because the authors Yu Yao, Yong Li, Fu-xiang Gao and Ge Yu, in their paper titled “A Signature-behaviour-based P2P worm detection approach”, proposed a mechanism for detecting known worms in peer-to-peer networks based on characteristic string matching. A worm makes use of vulnerabilities in the network and spreads [15]. They also proposed a detection mechanism for unknown worms based on their behaviour. Their technique mainly consists of the technology of characteristic string matching, identifying the application, and the unknown worm detection technology. They have given an algorithm for matching the characteristic string of the worm, the suffix-tree algorithm / suffix-array algorithm. This is efficient and simple with very low time complexity. As peer-to-peer networks follow a fragment transfer technique, there is a chance of the characteristic string of the worm being spread over other blocks of data, and during the reorganisation process this characteristic string can again identify the worm. The authors validated their results by simulation and proved that their method is also one of the efficient methods of p2p worm detection.

As mentioned above, this method detects the known worms and the unknown worms based on characteristic string matching and on their behaviour respectively. In this method they initially capture the network packets using the library called “LibPcap”. “LibPcap” is the library that captures network packets on UNIX and Linux platforms; it contains many functions that are useful for capturing network packets. After capturing the data packets with the help of these functions, the non-P2P packets are filtered out, so that only the P2P packets remain. In these P2P packets the known worms are detected by using characteristic string matching. This is implemented by a couple of algorithms: the “suffix array algorithm” and the “dichotomy algorithm”. These algorithms are very accurate and are capable of detecting the worms in very little time. As I mentioned above, peer-to-peer networks follow a fragment transfer mechanism, so the characteristic string of the worm can be spread over other blocks of data. In this situation it is difficult to detect the worm if the characteristic string matching is based on a single packet. But if the characteristic string is present in the block there is still a chance of detecting the worm, because the string will have been assigned to two packets. At this point the worm characteristic string present in the two different data packets needs to be restructured. After restructuring, the worm can be detected by using the matching mechanism. In this way the known worms in the network are detected by characteristic string matching. The unknown worms in the p2p network can be detected with the help of the behavioural characteristics of the worm at the initial stage of its propagation; this can be called behaviour-based detection of unknown p2p worms. In this way all the known and unknown worms in the network are detected.

3.1 P2P KNOWN WORM DETECTION:

There are four steps in detecting the p2p known worms. They are:

  1. Deal flow
  2. Technology of identifying the application
  3. Characteristic string matching
  4. Reorganising the characteristic string

3.1.1 DEAL FLOW:

In the deal flow step, the flow of data is handled in four steps [16].

Step 1: Extracting the p2p data stream from the original data stream.

Step 2: check the extracted p2p data stream for worms using characteristic string matching against the worms already present in the library.

Step 3: the data flow is reorganised. It now contains the worm characteristic string as well. Go to step 2.

Step 4: check the data flow for unknown worms using unknown worm detection techniques.

After performing the four steps, update the library.

All four steps are represented pictorially in Figure 4.

Figure 4: flow chart representing the four steps to detect worms (decision branches labelled yes/no and normal/abnormal)

3.1.2 TECHNOLOGY OF IDENTIFYING THE APPLICATION:

As said earlier, this paper uses the method of capturing the data packets and scanning them for the known worms with the help of a library called “LibPcap” [17]. For this there should already be some rules assigned to the network interface devices. Assigning these rules to those devices is done in a stepwise procedure:

  • Identify the available network interface devices
  • Open the network interface device
  • Compile the rules that we are willing to attach to the devices
  • Setup the rules of filtering to the device
  • Now operate the equipment
  • Start the process of capturing the packets

There are some rules for identifying the p2p application. They are:

  1. Characteristic information of the known p2p applications is used.
  2. If a source-destination IP pair does not use a known P2P application but uses TCP and UDP at the same time, then it is p2p.
  3. At a particular time the source pairs {srcIP, srcport} [27] and the destination pairs {dstIP, dstport} [27] are checked.

Here we can identify whether it is p2p or not: if the number of connection ports is equal to the number of connection IPs, then we can say that it is p2p. There are situations where these rules have been applied wrongly, so some amendments were made to them. The amendments are that rule (2) can identify even the mazes which are present, and rule (3) is modified so that in the detection cycle the {srcIP, srcport} [27] pairs at the source and the {dstIP, dstport} [27] pairs at the destination are checked. From this they derived that if the number of connection ports is equal to the number of connection IPs, the protocols which are used are the same; if they are different then the protocols are different.
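The capture-then-filter stage above (libpcap capture, non-P2P packets dropped, rules 2 and 3 applied to the {srcIP, srcport} pairs) is easier to follow on concrete packets. The following is an added example, not the paper's code: it builds a small pcap file from constructed Ethernet/IPv4/TCP/UDP frames, parses it with a hand-written reader (standing in for the libpcap capture, so it runs offline), and applies the two transport-layer rules. The IP addresses, ports and the `min_connections` threshold are assumptions; the threshold is added so that a single connection (one IP, one port) does not satisfy rule 3 trivially.

```python
import struct
from collections import defaultdict

# Constructed constants for the classic pcap file format and the frames built below.
PCAP_MAGIC, LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 0xA1B2C3D4, 1, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(src_ip, dst_ip, proto, sport, dport):
    """Minimal Ethernet/IPv4/(TCP|UDP) frame with zeroed MACs and checksums (constructed)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == PROTO_TCP else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a pcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return (src, dst, proto, sport, dport) for every IPv4 TCP/UDP record in a pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"   # byte order is given by the magic number
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled in this example")
    flows, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 38 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                                  # non-IPv4 frames are filtered out
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if proto not in (PROTO_TCP, PROTO_UDP):
            continue                                  # only TCP/UDP carry the port pairs the rules need
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        flows.append((".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                      proto, sport, dport))
    return flows


def classify_p2p(flows, min_connections=2):
    """Apply rules 2 and 3 from the text to a flow list; returns the {srcIP, srcport}
    pairs judged to be P2P. min_connections is an added threshold (assumption)."""
    protos_by_pair, dst_ips, dst_ports = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, proto, sport, dport in flows:
        protos_by_pair[(src, dst)].add(proto)
        dst_ips[(src, sport)].add(dst)
        dst_ports[(src, sport)].add(dport)
    p2p = set()
    for key in dst_ips:
        # Rule 3: as many distinct destination IPs as distinct destination ports
        if len(dst_ips[key]) >= min_connections and len(dst_ips[key]) == len(dst_ports[key]):
            p2p.add(key)
    for (src, dst), protos in protos_by_pair.items():
        # Rule 2: the same IP pair using TCP and UDP at the same time
        if protos == {PROTO_TCP, PROTO_UDP}:
            p2p.update(key for key in dst_ips if key[0] == src and dst in dst_ips[key])
    return p2p


# Constructed capture: one peer fanning out to three peers over TCP and UDP,
# and one web server answering three parallel connections from a single client.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.1", "10.0.0.2", PROTO_TCP, 6881, 6881),
    build_frame("10.0.0.1", "10.0.0.2", PROTO_UDP, 6881, 6881),
    build_frame("10.0.0.1", "10.0.0.3", PROTO_TCP, 6881, 51413),
    build_frame("10.0.0.1", "10.0.0.4", PROTO_UDP, 6881, 6346),
    build_frame("192.0.2.10", "198.51.100.5", PROTO_TCP, 80, 40001),
    build_frame("192.0.2.10", "198.51.100.5", PROTO_TCP, 80, 40002),
    build_frame("192.0.2.10", "198.51.100.5", PROTO_TCP, 80, 40003),
])


def demo():
    return classify_p2p(parse_pcap(SAMPLE_PCAP))


if __name__ == "__main__":
    print(demo())
```

The web server in the sample talks to one IP over three ports, so rule 3 rejects it, while the peer on port 6881 reaches three IPs on three ports and is also caught by rule 2; only the flows that survive this stage go on to the characteristic string matching.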

3.1.3 CHARACTERISTIC STRING MATCHING:

This is the most important section of the paper. Here the authors have given definitions of the terms which we are going to use and of the algorithms which we are going to use to detect the worm. A couple of algorithms are mentioned: the suffix-array algorithm and the dichotomy algorithm. The entire process of detecting the worm depends on the efficiency and accuracy of these algorithms.

Before using and understanding the suffix-array algorithm, we will first try to understand some keywords and rules.

Suffix: a suffix is the part of a string (a substring) which starts at a particular location and runs to the end of the string. If a suffix of the string S starts at location i and runs to the end of S, then the suffix can be represented as Suffix(i) = S[i, Len(S)] [27].

Let us understand how the strings can be compared. The comparison in this paper follows “dictionary comparison”. Let u and v be two different strings. Comparing the strings u and v is the same as comparing u[i] and v[i], where i starts with the value 1:

Ø String u is equal to string v, i.e., u = v, when u[i] = v[i]

Ø String u is greater than string v, i.e., u > v, when u[i] > v[i]

Ø String u is less than string v, i.e., u < v, when u[i] < v[i]

If no result is obtained before i > len(u) or i > len(v), the lengths decide:

if len(u) > len(v) then u > v, if len(u) < len(v) then u < v, and if len(u) = len(v) then u = v [27].

Suffix-array: the suffix-array is denoted by SA. It is a one-dimensional array SA[1], SA[2], SA[3], … holding the start positions of the suffixes in sorted order, so that Suffix(SA[i]) < Suffix(SA[i+1]) for 1 ≤ i < n.

Rank-array: the rank-array is nothing but the inverse of SA (SA⁻¹). If SA[i] = j, then Rank[j] = i. We can say that Rank[i] saves the rank of Suffix(i) in the ascending order of all the suffixes.

In this paper the author has taken the example of string “science” and explained everything clearly. The string “science” can generate seven suffixes. They are:

Suffix(1): science

Suffix(2): cience

Suffix(3): ience

Suffix(4): ence

Suffix(5): nce

Suffix(6): ce

Suffix(7): e

When we sort everything in dictionary order, it will be in the following order:

Suffix(6)= ce

Suffix(2)= cience

Suffix(7)= e

Suffix(4)= ence

Suffix(3)= ience

Suffix(5)= nce

Suffix(1)= science

The suffix-array algorithm follows the doubling (multiplier) idea. First SA1 and Rank1 are obtained by comparing every character in the string; comparing strings is similar to comparing every character sequentially. From SA1 and Rank1, SA2 and Rank2 can be derived; SA2 and Rank2 derive SA4 and Rank4, which again derive SA8 and Rank8. Finally the suffix-array and the rank-array are obtained from this process. The main steps of the suffix-array algorithm are:

Ø Calculating SA1 and Rank1. First all the suffixes are arranged in first-letter order, then the suffix-array (SA1) is generated using the quicksort algorithm, and then Rank1 is also generated.

Ø Comparing the 2k-prefixes of Suffix(i) and Suffix(j) using SA_k and Rank_k:

2k-Suffix(i) = 2k-Suffix(j) is equivalent to Rank_k[SA_k[i]] = Rank_k[SA_k[j]] and Rank_k[SA_k[i+k]] = Rank_k[SA_k[j+k]]

2k-Suffix(i) < 2k-Suffix(j) is equivalent to Rank_k[SA_k[i]] = Rank_k[SA_k[j]] and Rank_k[SA_k[i+k]] < Rank_k[SA_k[j+k]], or Rank_k[SA_k[i]] < Rank_k[SA_k[j]] [16].

The suffix-array algorithm is a sorting algorithm which sorts the suffixes of the characteristic string, so the matching uses a binary search. The algorithm follows:

Step 1: the values are initialised as left = 1, right = n and max_match = 0.

Step 2: the middle value is computed, mid = (left + right)/2.

Step 3: compare the characters of Suffix(SA[mid]) and P. The longest common prefix length r is used in the implementation and comparison. If r > max_match, then max_match = r.

Step 4: if Suffix(SA[mid]) < P, then left = mid + 1

If Suffix(SA[mid]) > P, then right = mid - 1

If Suffix(SA[mid]) = P, then go to step 6

Step 5: if left < right, then go to step 2, else go to step 6

Step 6: if max_match = m, then print “match is successful”.
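The construction and the six-step search above, worked on the paper's own "science" example, as an added example that is not the paper's or the dissertation's code. Positions are 1-based to match the Suffix(i) notation; the doubling sorts by (Rank_k[i], Rank_k[i+k]) pairs, which is the comparison rule just stated. In the search, step 5 is implemented as "continue while left ≤ right" so that the last remaining candidate suffix is still examined (an assumption about the intended loop condition); the pattern is treated as matched when the longest common prefix reaches its full length m.

```python
def build_suffix_array(s):
    """Prefix-doubling construction of SA and Rank for string s (1-based positions).
    Each pass sorts suffixes by their 2k-prefix using the ranks of the k-prefixes."""
    n = len(s)
    if n == 0:
        return [], []
    rank = [ord(c) for c in s]          # first-letter order stands in for Rank_1
    sa, k = list(range(n)), 1
    while True:
        # 2k-prefix key: (Rank_k[i], Rank_k[i+k]); -1 marks "runs past the end", which sorts first
        key = lambda i: (rank[i], rank[i + k] if i + k < n else -1)
        sa.sort(key=key)
        new_rank = [0] * n
        for idx in range(1, n):
            new_rank[sa[idx]] = new_rank[sa[idx - 1]] + (key(sa[idx]) != key(sa[idx - 1]))
        rank = new_rank
        if rank[sa[-1]] == n - 1:       # all ranks distinct: the order is final
            break
        k *= 2
    return [i + 1 for i in sa], [r + 1 for r in rank]


def search(s, sa, p):
    """Binary search of pattern p over the sorted suffixes (steps 1 to 6 in the text).
    Returns (matched, max_match): matched is True when the longest common prefix of p
    and some suffix reaches len(p), i.e. p occurs in s."""
    n, m = len(s), len(p)
    left, right, max_match = 1, n, 0                  # step 1
    while left <= right:
        mid = (left + right) // 2                     # step 2
        suffix = s[sa[mid - 1] - 1:]                  # Suffix(SA[mid])
        r = 0                                         # step 3: longest common prefix r
        while r < min(len(suffix), m) and suffix[r] == p[r]:
            r += 1
        max_match = max(max_match, r)
        if r == m:                                    # P is a prefix of this suffix: go to step 6
            break
        if suffix[:m] < p:                            # step 4
            left = mid + 1
        else:
            right = mid - 1                           # step 5 is the loop condition
    return max_match == m, max_match                  # step 6


def signature_present(data, signature):
    """Detection wrapper: is the worm characteristic string `signature` inside `data`?"""
    sa, _ = build_suffix_array(data)
    return search(data, sa, signature)[0]


if __name__ == "__main__":
    sa, rank = build_suffix_array("science")
    print(sa, rank)                  # expected SA: [6, 2, 7, 4, 3, 5, 1] as in the text
    print(search("science", sa, "enc"), search("science", sa, "scient"))
```

For "science" the construction finishes after a single doubling pass because all 2-prefixes are already distinct; a string with long repeats (which worm bodies often have) needs more passes, and the same code handles that.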

3.1.4 REORGANISING THE CHARACTERISTIC STRING:

In this step the characteristic string is reorganised. If the characteristic string is divided across two different data blocks, then the data block with the partial characteristic string is stored. Basically, all the information about a data block, such as its index, beginning offset and length, is contained in the head of each block. Here a structure "piece" is defined which consists of the index of the block, the beginning offset of the block, the length of the character array head and the length of the character array end [18]. Initially each data packet is compared with the characteristic string for a match. If it matches, then a warning or alert about the worm is sent to all the users. If the tail of the characteristic string of the worm matches the head of the data block, then it is stored in the character array end; and if the head of the characteristic string of the worm matches the tail of the data block, then it is stored in the corresponding character array head. If the neighbouring data block contains a partial characteristic string of the worm, then the neighbouring strings in the array head and in the array end are reorganised. This reorganised string again undergoes characteristic string matching, and if a worm is detected the warning is sent to all users that a worm has been found. If it does not match, no operation is performed. In the case that the characteristic string is present in the block but is divided across two different data packets, a special term called the “character array” is introduced. First the matching mechanism is performed on both data packets. If the matching characteristic string is found, then the warning is sent to the users that a worm is present.
But if only part of the characteristic string is found, then it is enough if it meets one of the requirements: the head of the data packet matches the tail of the characteristic string, or the tail of the data packet matches the head of the characteristic string. If neither condition is satisfied, no operation is performed. Now, if the tail of the data packet contains the partial characteristic string, then the data packet is stored in the array; if the length of the characteristic string is m, then Array[m] is set as ’’. And if the head of the data packet contains a part of the characteristic string, then that data packet is stored in the n consecutive units of the array. Finally, this array undergoes characteristic string matching, and if the worm is detected the warning is sent to all the users. If it does not match, nothing is done.
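The head/end bookkeeping described above, as an added example (not the paper's code): each block is checked for the whole signature first; otherwise the longest tail that is a prefix of the signature goes into the "character array head" for that block index, the longest head that is a suffix of the signature goes into the "character array end", and neighbouring indexes are joined and re-matched. The matching step here uses Python's substring search in place of the suffix-array search so the focus stays on the reassembly; the signature bytes and the sample blocks are constructed, and blocks are keyed by the index from their header so that out-of-order arrival, which fragment transfer allows, still pairs the right neighbours.

```python
def longest_tail_prefix(block, sig):
    """Length of the longest suffix of block that is a proper prefix of sig
    (a signature that has just started at the end of this block)."""
    for k in range(min(len(block), len(sig) - 1), 0, -1):
        if block[-k:] == sig[:k]:
            return k
    return 0


def longest_head_suffix(block, sig):
    """Length of the longest prefix of block that is a proper suffix of sig
    (a signature that finishes at the start of this block)."""
    for k in range(min(len(block), len(sig) - 1), 0, -1):
        if block[:k] == sig[-k:]:
            return k
    return 0


def detect_signature(blocks, sig):
    """Scan (index, payload) blocks in arrival order. Returns alerts as
    (block_index, how): 'whole' when the signature lies inside one block,
    'reassembled' when it spans the tail of block i and the head of block i+1."""
    alerts = []
    head, end = {}, {}   # character array head / end, keyed by block index
    for index, payload in blocks:
        if sig in payload:
            alerts.append((index, "whole"))
            continue
        k = longest_tail_prefix(payload, sig)
        if k:
            head[index] = payload[-k:]
        k = longest_head_suffix(payload, sig)
        if k:
            end[index] = payload[:k]
    for index, tail in sorted(head.items()):
        if index + 1 in end and sig in tail + end[index + 1]:
            alerts.append((index, "reassembled"))
    return alerts


# Constructed signature and blocks; block 2 arrives before block 1 on purpose.
SIGNATURE = b"WORM-SIG-7"
SAMPLE_BLOCKS = [
    (0, b"hello WORM-SIG-7 data"),
    (2, b"IG-7 continues"),
    (1, b"fragment one ends WORM-S"),
    (3, b"clean block"),
]

if __name__ == "__main__":
    print(detect_signature(SAMPLE_BLOCKS, SIGNATURE))
```

The per-block search alone would miss the second occurrence here; only the join of head[1] and end[2] reveals it, which is the case the text's reorganisation step exists for.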

3.2 DETECTING UNKNOWN P2P WORM:

In the above section we have seen how the known worms are detected. But that algorithm or mechanism is not meant to detect the unknown p2p worms, so in this section we will understand how the unknown worms can be detected and the network restrained. As we know, in p2p networks a node is able to send information to multiple hosts at the same time, and the same protocol is used by all the nodes in the network [27]. These characteristics of the network help a worm to propagate easily. As discussed above, only the known worms can be detected by the characteristic string matching method; here we will see how the unknown worms can be detected. The unknown worms are detected based on the behaviour of the node. Some of the detection rules are: files with the same content are transferred to multiple hosts in a very short time; the same protocol is used; and the destination port is the same. If these rules are satisfied by a source port, then it is allowing a p2p worm to propagate. It is then necessary to extract the characteristics of the worm near the worm propagation nodes. When these characteristics are extracted, they are added to the feature library. This data similarity comparison and characteristic extraction are done using the LCSeq algorithm, but the LCSeq algorithm based on the generalized suffix tree (GST) is more efficient. The overall idea is that all the suffixes are represented as a tree.

And this tree will have some characteristics like:

Ø Every node in the tree is a string and the root is the empty string.

Ø Every suffix can be represented as a path from the root.

Ø Every substring can be considered as a prefix of a suffix.

Ø To make searching for the common subsequence possible, every node should be annotated with the information of the source string it belongs to.
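The behaviour rule for unknown worms (same content, same protocol and destination port, to multiple hosts within a short time) as detection logic over flow records, an added example rather than the paper's implementation. The flow records, thresholds (`min_hosts`, `window_s`) and the way a flagged payload's digest is added to the feature library are constructed assumptions; the text does not give the thresholds it used.

```python
import hashlib
from collections import defaultdict


def flag_propagation_nodes(flows, min_hosts=3, window_s=5.0):
    """Behaviour rule from the text: the same payload, over the same protocol to the
    same destination port, sent to at least min_hosts distinct hosts within window_s
    seconds. flows are (time_s, src, dst, proto, dport, payload) records.
    Returns {src: (proto, dport, payload_digest, sorted hosts)} for flagged sources."""
    by_key = defaultdict(list)
    for t, src, dst, proto, dport, payload in flows:
        digest = hashlib.sha256(payload).hexdigest()
        by_key[(src, proto, dport, digest)].append((t, dst))
    flagged = {}
    for (src, proto, dport, digest), events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct hosts reached within window_s of this send
            hosts = {dst for t, dst in events[i:] if t - t0 <= window_s}
            if len(hosts) >= min_hosts:
                flagged[src] = (proto, dport, digest, sorted(hosts))
                break
    return flagged


def update_feature_library(library, flagged):
    """Add the extracted characteristic (here: the payload digest) of each flagged
    propagation node to the feature library, so later known-worm matching can use it."""
    for proto, dport, digest, _ in flagged.values():
        library.add((proto, dport, digest))
    return library


# Constructed flow records: one node fanning out identical content within seconds,
# one node sharing different chunks with three peers, one node repeating content slowly.
WORM_BODY = b"\x90\x90constructed-worm-body"
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", "10.0.0.9", "TCP", 6881, WORM_BODY),
    (1.0, "10.0.0.5", "10.0.0.10", "TCP", 6881, WORM_BODY),
    (2.0, "10.0.0.5", "10.0.0.11", "TCP", 6881, WORM_BODY),
    (0.5, "10.0.0.6", "10.0.0.9", "TCP", 6881, b"chunk-0001"),
    (0.7, "10.0.0.6", "10.0.0.10", "TCP", 6881, b"chunk-0002"),
    (0.9, "10.0.0.6", "10.0.0.11", "TCP", 6881, b"chunk-0003"),
    (0.0, "10.0.0.7", "10.0.0.9", "UDP", 6346, b"popular-file"),
    (30.0, "10.0.0.7", "10.0.0.10", "UDP", 6346, b"popular-file"),
    (60.0, "10.0.0.7", "10.0.0.11", "UDP", 6346, b"popular-file"),
]

if __name__ == "__main__":
    hits = flag_propagation_nodes(SAMPLE_FLOWS)
    print(hits)
    print(update_feature_library(set(), hits))
```

The legitimate sharer (10.0.0.6) sends different content and is ignored, and the slow repeat from 10.0.0.7 falls outside the window; tuning `window_s` and `min_hosts` against normal traffic on the network is what keeps this rule from flagging ordinary popular-file distribution.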

3.3 EXPERIMENT:

We know that the worm body tries to infect the other nodes in the network by sending the worm to specific ports of p2p nodes. So here the author tried to prove the efficiency of his method by performing an experiment. In this experiment he prepared multiple groups of worm bodies and sent them repeatedly at regular intervals of time. Then he captured these packets, extracted their characteristics and compared them with those already existing in the feature library.

The p2p worm is detected separately using different algorithms, the BF algorithm, the KMP algorithm and the suffix-array algorithm, and their results are compared in three experiments. In experiment 1, the worm characteristics are in the same packet. In the experiment

agreement (SLA), by standards defining services on offer inclusive of their characteristics. However, current SLA is more centred on Quality of Service (QoS), adversely resulting in lacking a vast content of other crucial security concerns.  Aims and Objectives: Aim to study in-depth, existing SLA standards such as WS-Agreement and WSLA, examining the possibility of extending them to incorporate other security concerns (crucial elements) such as confidentiality and integrity. Methods: Section of the project focuseson proposal for a solution that will extent SLA security concerns, with the aim to improve the current state and bridge security gaps for other overlooked security elements such as confidentiality and integrity among othersA project proposal is derived from a combination of results obtained from internet users’ survey and existing literature on SLA security concerns.  Findings/Results: Revealed that a significant number of internet users are aware of existence of security concerns despite high dependency on the internet. Security concerns in Web-based services and SLA were also identified through literature review. The results of which is a clear indication that mitigation of security issues is a battle yet to be won regardless of the subject being widely explored in research community. Conclusion and future work: Like Web Services, Service Level Agreements are faced with security challenges. This depend on the parameters on which the Service Level Agreement offers. Currently more focus has been found to be on Quality of Service. Therefore, the project is in appeal to Web Services providers and consumers to include other security concerns such as confidentiality and integrity. This is in anticipation for enhanced security in SLA through adoption of lacking parameters. Future recommendations are to review the new SLA to, identify strengths and weaknesses as well as adaptation to future requirements and contingency planning for possible dysfunctions. 
Key words: Web-based service, Service Level Agreement (SLA), security concerns, Quality of Service (QoS), confidentiality, integrity

Table of Contents

CHAPTER 1: INTRODUCTION
1.1 Study Title: Analysing security in Service Level Agreement (SLA)
1.2 Motivation and Background
1.3 Concept of security concerns in SLA
1.4 Problem and hypothesis analysis
1.5 Aims
1.6 Objectives
1.7 Research Questions (RQs)
1.8 Relevance and Significance
1.9 Overview of the project structure
CHAPTER 2: LITERATURE REVIEW
2.1 Definition of Web Services
2.1.2 Web Services architecture
Figure 1. Web services architecture
Web Services Architecture roles
How a Web Service Architecture Operates
2.2 Understanding Service Level Agreements (Answers to Research Questions)
Figure 2: SLA Lifecycle
2.3 Linking SLA to Web Services and addressing security issues
Figure 2. Interoperability in web services
2.4 Existing Service Level Agreements
CHAPTER 3: PROPOSED SOLUTION
Table 1. Questionnaire results
Table 2. Question 1 data analysis
Chart 1: Question 1 results
Table 3. Question 2 data analysis
Chart 2: Question 2 results
Table 4. Question 3 data analysis
Chart 3: Question 3 results
Table 5. Question 4 data analysis
Chart 4: Question 4 results
Table 6. Question 5 data analysis
Chart 5: Question 5 results
Table 7. Question 6 data analysis
Chart 5: Question 6 results
Table 8. Question 7 data analysis
Chart 6: Question 7 results
Table 9. Question 8 data analysis
Chart 7: Question 8 results
Table 10. Question 9 data analysis
Chart 8: Question 9 results
Table 11. Question 10 data analysis
Chart 9: Question 10 results
Table 12. Question 11 data analysis
Chart 10: Question 11 results
Table 13. Question 12 data analysis
Chart 11: Question 12 results
Table 14. Question 13 data analysis
Chart 12: Question 13 results
3.4 Problem Requirements
3.4.1 Requirements definitions for SLA
SLA Measurable requirements (Qualities)
SLA unmeasurable requirements (Qualities)
3.5 Design and Development
3.5.1 Proposed solution: An Approach to Secure Service Level Agreements
SLA Security management
CHAPTER 4: CRITICAL ANALYSIS OF PROPOSED SOLUTION
4.1 Evaluation
4.1.2 Advantages
4.1.3 Proposed solution limitations
CHAPTER 5: EVALUATION, CONCLUSION AND FUTURE WORK
5.1 Conclusions
5.2 Future work
Appendix 1: Analyzing security in Service Level Agreement questionnaire based Survey
Appendix 2: Survey respondent Consent
Appendix 3: Records of monthly supervision meetings (November Report, December Report, January Report, February Report, March Report)
Appendix 4: Report Structure Documentation

CHAPTER 1: INTRODUCTION

Chapter overview
This chapter introduces the project, giving an insight into its hypothesis, "Web Services are widely deployed and play an important role in today's Internet paradigm". Security concerns are at the core of the discussion in the study. Focus is directed at the lack of security concerns such as confidentiality and integrity in Service Level Agreements (SLA), and their role in SLA. The role of web services in today's internet paradigm and SLA security concerns are explored in elaboration of the hypothesis. The study title, motivation and background, the concept of security in SLA, an insight into the problem and hypothesis analysis, research aims and objectives, research questions, and relevance and significance are included. Finally, the chapter concludes with an overview of the project structure.

1.1 Study Title: Analysing security in Service Level Agreement (SLA)

Security concerns remain a major focus in today's internet paradigm (Aljazzaf et al, 2010; Toms, 2004; Wang and Vassileva, 2007; Zhou et al 2014). This is the case, for example, in widely deployed distributed computing services of huge importance to the current internet paradigm, such as cloud computing, email and storage, all falling under web-based services (Toms 2004). "Web Services" can be defined as systems using Extensible Mark-up Language (XML) to communicate among distributed computing environments (Park et al 2007; Zhou et al, 2013). Modern businesses now function globally by exploiting web services to distribute their applications (Frankova 2010). Web services researchers focus increasingly on security research establishing safety regulations for services (JIANG et al 2016; Park et al 2007). Exploitation of web services often comes with a regulatory agreement between providers and consumers on what services they offer and the consequences of a breach (Meland et al 2012). An example of a web services security regulation is a Service Level Agreement (SLA). SLAs have a regulatory role in the relationship between providers and consumers (Meland et al 2012). This project focuses on analysing Service Level Agreement security concerns beyond Quality of Service (QoS), which is currently the focus of SLA, lacking other crucial security concerns such as confidentiality and integrity (Zhou et al 2014). In addition to the analysis of SLA, a proposal will be made to extend security concerns in SLA to include confidentiality and integrity as crucial aspects of security. Three objectives are to be satisfied as follows:

  1. Explore and elaborate the project hypothesis. In-depth research is undertaken to understand the parameters in Service Level Agreement with the view to establishing other security concerns differing from Quality of Service (QoS). Example security concerns of main interest in the project are confidentiality and integrity.
  2. Investigate the most challenging SLA security concerns and suggest why the focus currently seems to be on Quality of Service rather than other security concerns, which have great potential to tarnish the image of the service provider, with the possibility of facing lawsuits resulting from security breach scandals.
  3. Based on the study findings, make a proposal for a solution to extend security concerns in SLA to include confidentiality and integrity.
1.2 Motivation and Background

Web-based services are among the most widely distributed and dominant technologies on the internet, with many diversified services (JIANG et al 2016; Masood and Java 2015; Toms 2004). This poses a dilemma for consumers when making a choice, as all are equally functional, possibly differing in cost, quality and security (Zhou et al 2014). They feature "self-contained and self-descriptive" applications composed of modules that are invokable on the internet once deployed. Currently, web-based services are the most favourable medium for exchanging information (Toms 2004). These modular applications (self-contained units) are platform independent (Tidwell 2000; Zhou et al 2014). Web services operate on a Service Oriented Architecture (SOA) (Park et al 2007; Zhou et al, 2013). Research by Zhou et al (2014) identified that the majority of studies concentrate significantly on Quality of Service aspects, not fully addressing security concerns. Cloud computing is also growing vastly, providing Infrastructure, Software or Platform as a Service, all either exposing or consuming web services from another platform or infrastructure. This results in complex interaction management, adversely making it difficult to manage the security aspect (Baun et al. 2011; Deshmukh et al 2013). A significant number of contributions from the research community indicate that the battle with security challenges in distributed computing is continuous (CSGE, 2014; Kumar et al 2015; Mukherjee et al 2013; Schwarz et al 2005). This makes it a more crucial requirement for service providers to tighten up security measures while giving the consumer some form of guarantee that they will satisfy certain security parameters apart from the traditionally known focus on Quality of Service (QoS) (Zhou et al 2014). An example of a guarantee of services from the provider of web-based services is a Service Level Agreement (Undheim, Chilwan, & Heegaard, 2011, p. 2).
This project is motivated by exploring and investigating SLA security concerns beyond Quality of Service (QoS). Findings drawn from the in-depth study form the basis for deciding whether it is feasible to propose a solution to improve security concerns in SLA.

1.3 Concept of security concerns in SLA

Casola et al (2015) addressed the questions of whether security can be provided in the form of a service, and whether an SLA could suffice in meeting security requirements. These questions are no doubt a centre of controversy in web-based services. In support of this, Bianco et al (2008) and Zhou et al (2014) pointed out that despite the security challenges faced in SOA, the focus of the majority of current SLAs is on Quality of Service. This is evidence of a shared view that current SLAs are based on quality provision, not making clear to consumers the underlying security concerns compromising the so-called "Quality of Service". Given this, security issues that may arise from failing to implement a Service Level Agreement with more coverage of security concerns may be overwhelming. Security measures in a diversified environment may be quite challenging due to data complexity (CSGE, 2014; JIANG et al 2016; Kumar et al 2015; Mukherjee et al 2013; Schwarz et al 2005). Therefore, it should be in the best interest of web services providers to give maximum security assurance to their consumers in SLA. This is paramount in establishing strong business relationships in web services (Belanger et al 2002). Numerous research indicates that the appalling rate of security issues in e-commerce makes it hard to win the trust of consumers (Belanger 2002; Cyra and Górski 2008; Motallebi et al 2012; Aris et al 2011). This opens contested questions, such as whether a more secure SLA may make a positive difference. It is anticipated that some of these questions will be answered in this study. The inclusion of security concerns such as confidentiality and integrity alongside QoS is the basis on which this study aims at answering some of these questions.

1.4 Problem and hypothesis analysis

This project puts the following hypothesis to test: "Web Services are widely deployed and play an important role in today's Internet paradigm". What makes web services unique is that despite being made by different companies they are interoperable. Their interoperability enables them to discover and communicate among themselves (Li-jie Jin et al 2002). Wide deployment means a large pool of services with the same functionalities are located and invoked (Zhou et al 2014). Zhou et al (2014) view systems with huge diverse resources as the most vulnerable to security challenges, and JIANG et al (2016) echo the same idea. As web services deployment vastly expands to accommodate the increasing demand of the new trend, so do the security concerns (CSGE 2014; Mukherjee et al 2013). To establish more security and consumer satisfaction in web services, security concerns must be prioritised (Zhou et al 2014). It is in the interest of service providers to attend to the numerous security concerns that may affect consumers and cost them money. This is crucial in delivering secure services to consumers as a competitive weapon in business (Belanger et al 2002). Many efforts have been made to regulate services as a measure to promise users security (Kelly 2012; Tomlinson and Lewicki 2015; Undheim, Chilwan, & Heegaard, 2011, p. 2; Verma 2004). Increased deployment of web services to cope with consumer demands results in interaction complexity between providers and consumers. Therefore, security holds the key to protection of interactions (Deshmukh et al 2013).

1.5 Aims

Overall, this study is aimed at analysing existing SLA security concerns in web-based services to identify lacking security concerns.

1.6 Objectives

Focus is directed to achieving the aim through investigating security concerns in Service Level Agreements of web-based services. This establishes the basis on which a solution can be proposed to extend SLA security concerns through the inclusion of confidentiality and integrity in the current parameters. To explore and satisfy the requirements of the hypothesis being put to test, existing literature is studied to investigate the following:

  • Web-based services and their functionality aspects
  • Exploring the role of Service Level Agreement in web services
  • Parties involved in a Service Level Agreement
  • Identify security concerns apart from Quality of Service
  • Investigate the importance of security concerns such as confidentiality and integrity, and identify the consequences that may befall the service provider if a security breach occurs because the two are lacking
  • Based on the study from the literature review, security holes resulting from lack of confidentiality and integrity will be addressed, forming the basis of the viability of the idea to extend security concerns in SLA to include confidentiality and integrity.
1.7 Research Questions (RQs)

Based on the research aims in 1.5 and research objectives in 1.6, the following research questions have been formulated:

RQ1. What is the role of SLA in Web Services? The formulation of this research question is based on identifying the importance of SLA in web services. Answers to RQ1 will give an understanding of security issues affecting web services and the relevance of SLA.
RQ1.1 What are relevant security threats affecting SLA?
RQ2. What SLA security parameters currently exist in Web services? The key objective of this question is to investigate the current focus on security in SLA to identify lacking security parameters. This will assist in suggesting what can be done to include new parameters that can provide enhanced security in SLA.
RQ3. Who has the responsibility to ensure security concerns are investigated in SLA? This question assists in identifying who is accountable for initiating and deploying SLA.
RQ4. Do Web services achieve an added value from SLA? This question analyses the effects on consumers of adding new security concerns. The formulation of the question is useful, as web services providers' interest lies in establishing and building strong relations with consumers. Therefore, it is crucial to establish security as a token for enhanced SLA.

1.8 Relevance and Significance

In consideration of web-based services such as cloud computing, email and storage, it is crucial to establish Service Level Agreements fit for purpose. This is crucial as part of contractual agreements, as it establishes the consumer's trust in the service provider (Dukee 2010; Li-jie Jin et al 2002; Verma, 2004). A Service Level Agreement (SLA) is a consensus/agreement as part of a contract between two parties, namely the service provider and the service consumer (user) (Kelly 2012; Tomlinson and Lewicki 2015; Undheim, Chilwan, & Heegaard, 2011, p. 2; Verma 2004). The SLA is made up of parameters offered to the consumer by the provider. The SLA underlines the expectations of the customer from the service provider, as well as addressing the obligations of both parties partaking in the agreement. The service provider is under obligation to provide the services being paid for by the consumer, failing which the service provider consequently suffers financial reparations (Li-jie Jin et al 2002). Additionally, and most importantly, the SLA includes the terms regarding availability, performance and security of the service among other parameters from the provider's end, inclusive of all that is to be adhered to once the agreement takes place (Verma, 2004). From the provider's side, this guarantees service provisions, while the consumer signs in agreement to what is offered to them. The agreement between the two stakeholders is voluntary. However, "agreement" is not as easy as the word sounds; for both stakeholders to reach that stage may take a lot of controversial ideologies about parameter expectations (Kelly 2012; Tomlinson and Lewicki 2015). Yet another difficult situation, "negotiation", is faced in compromising to reach an agreement, with both parties surrendering a certain measure of their freedom. Negotiation becomes necessary where there are conflicting ideas (Tomlinson and Lewicki 2015).
A comprehensive study is undertaken in anticipation of assisting both stakeholders to understand each other's viewpoint, to ease the agreement process (Hamilton 2015). To overcome security holes resulting from failing to implement security measures that will protect the current SLA from security vulnerabilities, this study proposes a solution. Therefore, its relevance and significance lie in efforts to seal security holes in SLAs by proposing a more secure SLA.

1.9 Overview of the project structure

Considering the overwhelming size of the project, this section acts as a project pointer, giving an overview of how the work is approached as follows:

Chapter 1: This is formed of an introduction to the project and the hypothesis (the main subject of the study), "Web Services are widely deployed and play an important role in today's Internet paradigm". The title of the study, motivation and background, security concerns in Service Level Agreement (SLA), problem and hypothesis analysis, and aims and objectives are all in the first chapter. Research questions are addressed with justification for the significance of the study and its rationale.

Chapter 2: The second chapter explores Service Level Agreements and related security concerns, including a review of existing literature. The focus of this chapter is centred on the literature review for the establishment of security concerns. To give an understanding of the subject, an overview of web services and of SLA is given. The overviews establish the relationship between web services and SLAs in detail. The outcome of studying existing SLAs determines the proposition of a solution that will extend SLA security concerns, with the aim of improving the current state and bridging security gaps for other overlooked security elements.

Chapter 3: Design and development work is undertaken in this chapter. This is where requirements specifications for proposing a solution that will extend security concerns in SLA are addressed. A combination of results from the questionnaire survey and literature review forms the basis of proposing a solution. This is an action executed to reduce security holes resulting from the greater focus on QoS in current SLAs.

Chapter 4: Critical analysis of the proposed methodology or artefact takes place in this chapter. An overall analysis is made to outline the origin of the proposal ideology, the proposed solution, and the advantages and disadvantages that are likely to result, as well as the limitations of the project.

Chapter 5: Evaluation of the proposed solution takes place in this chapter, discussing methods for evaluation including results from the discussion. Overall work done throughout the project is discussed in summary of all previous chapters, and most importantly the project conclusion and the direction of future work.

CHAPTER 2: LITERATURE REVIEW

Chapter overview
An in-depth study of existing work on existing SLA standards such as WS-Agreement and WSLA, investigating their content to identify the extent to which they cover security concerns such as confidentiality and integrity. Results of the investigation are anticipated to identify security holes or shortfalls such as a lack of focus on confidentiality and integrity. To give a clear picture of the study elements, the chapter starts with an overview of web services and Service Level Agreements. The focus of the overview is on security concerns, as they are the basis of the work undertaken in the project. Results from the literature review contribute to the establishment of an idea to be used in proposing a solution for the incorporation of security concerns such as integrity and confidentiality.

2.1 Definition of Web Services

Web services are among the growing software architecture trends. They do not have a single standard definition but various terms (Xiang, 2007). Software components built to operate platform-independently are defined as web services (Li-jie Jin et al 2002; Zhou et al 2014). Web services have provided dynamic interoperability in e-commerce (Wang et al, 2004). Once deployed, they are discoverable and invokable by other applications (Fensel and Bussler, 2002). Cloud is an example of web-based services currently viewed as the IT industry backbone (El-Awadi et al., 2015; Toms 2004). Figure 2.1.2 elaborates the typical architecture of a web service. However, the architecture is not limited to the attributes in 2.1.2. Composition varies depending on the principles and parameters included. The justification for the choice of diagram to illustrate web services architecture in this study is based on relevancy.

2.1.2 Web Services architecture

Figure 1. Web services architecture (Balaji et al, 2013).

Web Services Architecture roles

  • Service provider: There are two perspectives from which the provider can be addressed, depending on the situation: owner or host platform. From a business viewpoint the provider is the service owner. From an architectural viewpoint, the host platform is referred to as the service provider (Kreger 2001; Q Yu et al 2006).
  • Service requester: This is also viewed from business and architectural viewpoints. From the business view, this is the consumer or business with expectations of functions from the provider. From the architectural viewpoint, it is an application which discovers and invokes services or initiates interactions with services (Kreger 2001; Q Yu et al 2006).
  • Service registry: This is a service register used by providers in publishing their services. It is also known as the directory of registered services (Bansal et al, 2010). The registry plays a service or communication initiation role between the provider and the consumer (service requester) (Kreger 2001; Q Yu et al 2006).

How a Web Service Architecture Operates

There are three contributory elements through which web services can be exploited: publish, find and bind (Kreger, 2001). A publication describing the service, a quest for the service, followed by invocation of the service(s).

  • Publish: Service descriptions are published by the service provider, describing the service.
  • Find: A consumer makes a quest for a service. This could be either directly or through the service registry.
  • Bind: Service invocation, or initiation of the interaction at runtime, takes place.

2.2 Understanding Service Level Agreements (Answers to Research Questions)

Consumers have lately been indecisive about which services to choose among the widely distributed and diversified web services offered by competing providers. As an intervention strategy, a mechanism to overcome this becomes necessary in the form of a contract. This contract is used to initiate negotiations and is known as a Service Level Agreement (SLA). SLA has a central role in assisting service providers in the process of defining services to be delivered to consumers (Bouras et al., 2005). Answering the research questions below will define the role of SLA in web services, address security threats affecting SLA, outline existing SLA security parameters in web services, clarify stakeholder responsibilities and suggest the value of SLA to web services.

RQ1. What is the role of SLA in Web Services?

A service level agreement (SLA) refers to a contract between the service provider and its internal as well as external customers that details what services will be rendered by the provider and the level or standards of performance that will be met by the provider. A major role of the SLA is establishing customer expectations in respect of the standard of performance and the quality of work to be rendered by the provider (Kelly 2012; Tomlinson and Lewicki 2015). SLA helps the parties define the availability and uptime of the services, that is, it helps set the percentage of time the services will be available. SLA key performance benchmarks are developed against which the actual performance will be compared. This ensures quality work throughout the stipulated time. SLA also provides a notification schedule with respect to failure or network issues. In addition, it will indicate the expected response time for the different types of issues that may arise. SLA provides documentation of how downtime will be addressed and how the customer will be compensated in case of a contract breach. Security promises are also outlined in SLA, although presently most research materials seem to have a concentrated focus on Quality of Service aspects. Research by Bouguettaya (2013) regards SLA as possessing or serving as a composition of blueprint and guarantee for cloud services.

RQ1.1 What are relevant security threats affecting SLA?

There are numerous security threats affecting SLA, as identified by the European Network and Information Security Agency (ENISA) (2009) [make sure this is appearing in master ref list]. SLAs are more often than not affected by loss of governance. This happens especially at the drafting of the SLAs, where most of them are poorly drafted and affected by the customer not being specific during the drafting process [reference if possible]. Research suggests that SLAs that are not soundly deployed will have adverse effects (Li-jie Jin et al 2002; IBP, 2013).

RQ2. What SLA security parameters currently exist in Web services?

Casola et al (2015) describe security as being among the factors representing major limitations in adopting cloud computing. They mention that this is due to a lack of transparency in how service providers grant security, focusing instead on service aspects such as availability and performance. Where secure SLAs are implemented and deployed, this proves that security can be offered as a service. Zhou et al (2014) echo that security should be treated as a priority for achieving established consumer satisfaction in web services. They also point out that current SLA is overshadowed by Quality of Service. This is evidence that security parameters are yet to be dominant in web services SLAs.

RQ3. Who has the responsibility to ensure security concerns are investigated in Service Level Agreements (SLA)?

Service level agreements are based on agreement between the provider, consumer and any third party (Kelly 2012; Tomlinson and Lewicki 2015). However, for that agreement to be reached, it originates from the provider, as it describes services which the provider is willing to commit to provide (Bouras et al., 2005). In this case, the provider initiates the SLA to guarantee services to the consumer. From the consumer's perspective, it is the description of expectations such as quality of services (Bianco et al 2008). To reach a consensus, an SLA is drafted outlining the provider's and consumer's obligations and responsibilities (Bouras et al., 2005). During the entire lifecycle of the SLA, further responsibilities require service providers to ensure they meet their security promises through investigating any security issues. Li-jie Jin et al (2002) mentioned that should the service provider fail to meet their obligations, this may have adverse effects such as financial loss. In consideration of these findings, the answer to this question identifies the service provider as the party accountable for initiating, deploying and reviewing SLA.

RQ4. Do Web services achieve an added value from SLA?

Using Service Level Agreements (SLAs) in web services is essential for the provision of added value (Soomro, Aijaz, Ahmed 2016). This ensures consumer satisfaction through successful delivery of Quality of Service (QoS) as expected. Availability, reliability, performance and quality of services are all defined by the SLA. SLA definition also includes ensuring timely, safe and secure message or information delivery (Bianco et al, 2008). A well implemented SLA satisfying crucial security elements such as confidentiality and integrity offers added value to web services (CISCO, 2005; Soomro, Aijaz, Ahmed 2016). By satisfying security requirements in SLA deployment, trust is built in consumers, thereby enabling the web services to seize more business opportunities with consumers through recommendations (Zeginis and Plexousakis, 2010). Rather than placing the entire responsibility on the service provider, SLA establishment follows a two-way service accountability. This means consumers are also responsible for failure to abide by agreed SLA terms and conditions (CISCO, 2005). In the service lifecycle, SLAs play a critical role through influencing engineering and operational decisions. The popularity of cloud computing is partly due to SLA implementation (Müller et al. 2014). SLAs are used widely in service-oriented architectures and distributed systems. Through these agreements, entities can agree on what services will be offered and with clearly agreed terms for delivery. Service level agreements also include who will be responsible for completion, execution, privacy aspects, and potential failures. More importantly, SLAs are limited to the description of responsibilities and expectations. The best way to understand these agreements is to break them down into schemas, negotiation protocols, SLM management, and implementations (You et al. 2015). A service level agreement cannot guarantee the availability of the service described. Additionally, it cannot deliver a good service out of a poor one. However, it can mitigate the risk of subscribing to a bad service (You et al. 2015). An SLA suitable for purpose enforces service provision and limits (Casola et al, 2015). A service level agreement needs supporting tools and mechanisms applied during different phases of its lifecycle, which requires monitoring of service execution adherence to the shared terms and enforcement. The figure below shows the SLA lifecycle:

Figure 2: SLA Lifecycle (IBM Version 8.5) [requires relocating ref and add to list; if not, replace diagram with Figure 5.8: Service Level Agreement Life-Cycle [57]]
2.3 Linking SLA to Web Services and addressing security issues

There is wide research coverage on SLAs (Clark and Gilmore 2006; Miller 2012; Stanik et al 2014). However, it is established that the majority of existing SLAs lack confidentiality and integrity provisions while focusing more on Quality of Service (Zhou et al 2014). The scenario in figure 2 below shows how web services are exploited and gives an analysis of the elements consumers are likely to be enticed by, to the extent of prioritising Quality of Service. This indicates that the focus on Quality of Service has a stronghold in relationships between providers and consumers (Mani and Nagarajan 2002).

Current research suggests that Service Level Agreements in a Service Oriented Architecture focus on Quality of Service (QoS) (Bianco et al 2008; Zhou et al 2014). Dukee (2010) suggested SLAs are a form of security for the consumer, as compensation is provided on breach of the agreement. El-Awadi et al (2015) pointed out that there is a lot of scepticism among consumers relating to cloud providers. The scepticism results from the gap between providers' Quality of Service promises and what the SLA actually offers. As a result, the focus on QoS, with attention diverted from other security parameters and potentially resulting in economic adversities, has been identified in this study as an unresolved issue that has existed for a long time (Li-jie Jin et al 2002).

The diagram below, figure 2, is a typical demonstration of web services interoperability in day-to-day business between providers and consumers (Li-jie Jin et al 2002). In the picture, Ouzzani and Bouguettaya (2004) gave a three-step scenario in which a consumer named Ravi plans his journey. In step (a) Ravi makes a query for an air ticket with three airlines named Western Air Lines, Alpha Airlines and Unified Airlines. In step (b) Ravi makes a query for accommodation among Country Hotel, StayInn and Blueridge Inn, then (c) a car from a rental company among SmartCars, CarForLess and MegaHertz. All the services required for Ravi's quest are accessible in a large pool (Frankova 2010). An in-depth analysis of the diagram shows that the consumer's quest is focused on elements such as "best quality", which relates to transactional Quality of Service (QoS) in web services (Bianco et al 2008). Based on the QoS focus of web services, my assumption is that the SLA focus on the same idea may be intended to satisfy consumers' passion for quality. The final decision made by Ravi indicates that Quality of Service is at the top of consumers' priorities, followed by others such as cost and availability. It is therefore necessary for providers to put more effort into addressing security parameters such as confidentiality and integrity. This study anticipates that extending security concerns in SLA to include confidentiality and integrity may positively add value to SLA.

Figure 2. Interoperability in web services (Ouzzani and Bouguettaya 2004)

2.4 Existing Service Level Agreements

Investigating the extent to which security concerns such as confidentiality and integrity are covered in the existing WS-Agreement and WSLA,

CHAPTER 3: PROPOSED SOLUTION

Chapter overview

Work in this chapter focuses on proposing a solution that extends security concerns to incorporate confidentiality and integrity. Questionnaire-based survey results are included in this section, and security holes identified from the literature review are addressed, followed by a suggested solution to improve security in SLA. The suggested solution will be used as the project proposal for improvement.

3.1 Questionnaire Survey

A questionnaire is a research tool used to obtain information from a representative population selected to take part in a survey.
Information obtained through questionnaires is motivated by various reasons such as identifying consumer trends, patterns and opinions. Questionnaires whose objective is to analyse results are normally made up of closed questions. The objective of this survey is to collect information relevant to web services consumers and their online behaviour, while abiding by the Data Protection Act 1998 (Tipping, 2016). The Data Protection Act is in force to protect information relating to individuals. This makes it illegal for the individual conducting a survey to use data in any way apart from the purpose for which it was obtained (Tipping, 2016).

Displaying the data in one table makes it easier to count the number of opted answers for each question. This in turn makes it easier to plot charts/graphs for analysing the results, and eases the process of converting data into information for presentation to the individuals to whom it may need to be shown (Durbin, 2004). A questionnaire-based survey has been used in this project for consumer involvement. Results drawn from the survey ascertain the relevance of the survey to the study. An in-depth analysis of the results has been done for each question in this study, so as to make disseminating the information easier given the number of questions.

3.1.1 Survey Data Results

Key:
P1 to P20 = Participant 1 to Participant 20
Q1 to Q13 = Survey question numbers
Numbers such as 5, 3, 1, 2 represent the answers opted for in the survey by each participant.

The table has been designed so that participant numbers tally with their opted responses and the question numbers. Table 1 is made up of all the data results from the questionnaire survey. P1 to P20 represent participant numbers, used to promote anonymity in the survey.

Instructions for using table 1 data

Table 1 has been formulated as a time management strategy: all data from the survey is displayed in one table for use in analysing the results, which makes it presentable rather than having to keep counting responses throughout the analysis. The following is a breakdown of how table 1 has been used in displaying all results. Using a combination of P1 to P20 and Q1 to Q13, the numbers in between are the opted responses, to be matched with the participant and question number. By so doing, small tables of data have been produced faster for all questions. 3D pie charts displaying results in fractions (%) have been produced using the data obtained for each question. For further clarification, reference can also be made to the key above.

Table 1. Questionnaire results

 
Project Questionnaire responses

Participants Q1 Q2 Q3 Q4 Q5 Q6 Q7 Q8 Q9 Q10 Q11 Q12 Q13
P1 5 3 2 1 1 2 1 5 2 5 1 4 1
P2 4 1 2 1 2 4 1 1 2 3 1 4 2
P3 5 3 3 3 2 4 1 2 3 1 1 3 2
P4 5 2 3 1 3 1 1 3 3 4 1 4 2
P5 5 1 2 1 1 4 2 2 3 1 1 3 2
P6 4 1 3 3 1 2 2 5 2 2 1 3 2
P7 4 3 3 1 4 3 2 2 3 5 1 1 1
P8 4 1 4 1 4 3 3 3 2 4 1 4 3
P9 5 1 4 1 5 3 1 3 3 3 1 4 2
P10 3 1 4 3 1 4 1 2 3 4 1 4 4
P11 5 3 5 1 1 4 1 2 3 4 1 4 4
P12 5 2 4 3 1 2 1 2 1 3 1 3 2
P13 5 1 4 3 1 2 1 3 3 4 2 3 4
P14 5 1 3 1 3 1 2 2 3 2 3 4 2
P15 4 2 4 3 1 4 3 3 3 3 2 4 3
P16 5 1 2 1 2 1 1 2 1 4 2 2 3
P17 4 2 4 3 1 4 3 3 3 3 2 4 3
P18 5 2 4 3 1 2 2 1 3 1 3 3 2
P19 4 1 5 1 2 3 1 3 2 3 1 4 2
P20 5 4 3 1 4 1 1 2 2 4 2 2 3

3.1.2 Survey Data Display and analysis

Question 1: How frequently do you use cloud based applications, for instance banking, business applications, social media, etc.?

Question 1 is based on investigating the level of consumer dependence on cloud-based applications and many others which are part of the widely deployed web services. Obtaining user online behaviour gives an insight into their likelihood of falling victim to security issues in web services. The 0% in responses one and two indicates that few people use cloud-based services less frequently. Nowadays many people use internet banking, which is cost effective in terms of travelling and time (Kumar et al., 2016). Suggestively, the population between 5% and 35% is beginning to use e-banking and business applications such as video interview applications, among others. The majority of the consumer representative population, at 60%, indicates the popularity of web-based services and their increased demand. This results in complexity in web services security management and, as a result, a need for continuous review and restructuring of SLA security elements to include more security concerns.

Table 2. Question 1 data analysis

Response 1 Response 2 Response 3 Response 4 Response 5
Much Less 1 ----- 2 ----- 3 ----- 4 ----- 5 Very Frequent
0 0 1 7 12

Chart 1: Question 1 results

Question 2: Do you store any personal data in the cloud?

This question is aimed at generating statistics on cloud storage use. Although this is being tested on a significant number of the consumer population, any data obtained will be turned into useful information, as it is not practical to obtain information from the majority population. Responses indicate 21% as the smallest group of people using cloud storage. This could be due to various things such as lack of knowledge of the technology or insecurities towards the cloud, among others. 26% is the median group, who may have intermediate knowledge or other reasons. The largest group, at 53%, presumes a growing dependency on web-based services. This may also mean the majority of consumers find cloud storage the most reliable due to the ability to access stored data from anywhere (Sun et al., 2014).

Table 3. Question 2 data analysis

Response 1 Response 2 Response 3  
Personal Professional Both
10 5 4

Chart 2: Question 2 results

Question 3: Do you store any personal or professional data in the cloud?

This question simply gives a view on whether consumers participating in the survey utilise any cloud storage services. For those who indicated that they use the cloud, a further requirement of the question was to indicate the type of data they store. In this question, a Likert scale was used. Setting scales for answering questions allows participants to make a judgement within the scale (Moors et al., 2014).

Table 4. Question 3 data analysis

Response 1 Response 2 Response 3 Response 4 Response 5
Not at all 1 ----- 2 ----- 3 ----- 4 ----- 5 Very Much
0 4 6 8 2

Chart 3: Question 3 results

Question 4: Of the applications that you use, which are you most concerned about someone hacking into?

The motivation for this question lies in investigating the type of web-based applications that consumers feel insecure about despite their need to use them. The responses of 0%, 40% and 60% are a clear indication that despite the growing number of consumers using web services, there are also growing security concerns. Complex security management in widely distributed computing environments results from the increased demand for their use (Armoni, 2002).

Table 5. Question 4 data analysis

Response 1 Response 2 Response 3 Response 4
Banking Email Social Networking Cloud Storage
12 0 8 0

Chart 4: Question 4 results

Question 5: Which social networking website are you most concerned about for misuse of your data by hackers?

This simply gives a view of social networking security concerns from the representative consumers' viewpoint. By so doing it assists web services providers in working towards gaining consumer trust in those sites, through improving the SLA to adopt critical security concerns such as confidentiality and integrity. Despite Facebook being one of the most dominant social networks, the survey results show it as the most opted response at 50%, indicating security concerns from users.

Table 6. Question 5 data analysis

Response 1 Response 2 Response 3 Response 4  
Facebook Snapchat Instagram WhatsApp
10 4 3 3

Chart 5: Question 5 results

Question 6: Which cloud storage are you most concerned about for misuse of your data by hackers?

The formulation of this question is based on gaining insight into the cloud storage services about which consumers feel insecure. This may lead to speculation about the reason behind their insecurity, which will be useful in proposing the addition of those security parameters in the new SLA solution. It is anticipated that this will make SLA negotiation less difficult.

Table 7. Question 6 data analysis

Response 1 Response 2 Response 3 Response 4 Response 5  
Dropbox One Drive Google Drive iCloud Other
4 5 4 6 0

Chart 5: Question 6 results

Question 7: Which email providers are you most concerned about for misuse of your data by hackers?

This is an investigation to find out which email providers have a history of being hacked, adversely affecting consumers. A further investigation will be on the security breaches faced by the email services, to ascertain inclusion in the SLA. Relating the varying percentages representing consumer insecurities, it is a clear indication that if consumer scoring is to be used for email accounts, Yahoo at 60% is highly likely to attract a lot of criticism. Another indication is that Hotmail/Outlook at 25% is still being viewed with the benefit of the doubt. It is therefore reasonable to say Gmail is the most trusted of the email-based applications represented (Zara 2014).

Table 8. Question 7 data analysis

Response 1 Response 2 Response 3 Response 4  
Yahoo Hotmail/Outlook Gmail Other
12 5 3 0

Chart 6: Question 7 results

Question 8: What system for file storage and sharing does your peer ask you to use?

This question is aimed at investigating consumers' peer-to-peer networking preferences. Analysing peer-to-peer networking is beneficial in network security, as it gives a view of consumer trust levels in web services (Manoj et al., 2013). The degree to which a web service is preferred over others is mostly related to Quality of Service parameters such as reliability and availability, and to security concerns (Junqing et al., 2012).

Table 9. Question 8 data analysis

Response 1 Response 2 Response 3 Response 4 Response 5  
Internal Network Dropbox iCloud One Drive Google Drive
2 8 7 0 2

Chart 7: Question 8 results

Question 9: What email provider does your peer ask you to use?

This simply investigates the most favoured email applications/services among peers. By so doing it assists in making further investigation into the choice of service.

Table 10. Question 9 data analysis

Response 1 Response 2 Response 3 Response 4
Yahoo Hotmail/Outlook Gmail Other
2 6 12 0

Chart 8: Question 9 results

Question 10: When it comes to your data privacy, who are you most concerned with?

This question is based on investigating consumer worries about data privacy. Data privacy is related to security elements such as confidentiality and integrity.

Table 11. Question 10 data analysis

Response 1 Response 2 Response 3 Response 4 Response 5  
Government Family Blackmailers Marketing Companies Not Concerned
3 2 6 7 2

Chart 9: Question 10 results

Question 11: How do you most frequently share documents?

Consulting participants' frequency of sharing documents or files gives a view of their level of use of file sharing applications in distributed computing environments. This opens discussion as to whether the choice is about Quality of Service or about crucial security elements, such as an SLA promising security concerns like integrity and confidentiality.

Table 12. Question 11 data analysis

Response 1 Response 2 Response 3  
Email Cloud Storage I do not share
13 5 2

Chart 10: Question 11 results

Question 12: What are your main worries regarding data insecurity/exposure?

This question indicates the level of data security concerns worrying consumers about invasion of privacy and compromise of data integrity. While a minority of the representative population indicate that they have no data insecurity worries, most seem to worry about the government accessing their private information. Worries about the government being able to access web services consumers' private information could be attributed to a lack of knowledge that the government operates legally on a need-to-know basis. To elaborate, it is mostly in the public interest that certain individuals may find themselves in such a situation; for example, if a serious crime that puts the public at risk occurs, this may attract the government's involvement (Zoonen, 2016). Unlike the others, marketing firms are associated with cold calling, which is an example of some services selling consumer information to third parties (Phelps et al., 2000). This in most cases results from consumer activities online.

Table 13. Question 12 data analysis

Response 1 Response 2 Response 3 Response 4  
Nothing My peers will know my secret Government will have access to my private data Marketing firms will have access to my private data
1 0 6 11

Chart 11: Question 12 results

Question 13: What is your age group?

A total of 20 students aged between 19 and 33+ participated in the survey. All participants were within Liverpool John Moores School of Computing and Mathematical Sciences and took part in a voluntary survey for this project. 0% of participants were aged 12-18. There are two main reasons for this: anyone under 18 would, under normal circumstances, need parental consent to take part (), and obtaining parental consent to satisfy legal and ethical issues would take time considering the project time scale. 17% were aged 19 to 25, 39% were aged 26 to 32, and 44% indicates that mature students were among those in the labs at the time of the survey.

Table 14. Question 13 data analysis

Response 1 Response 2 Response 3 Response 4
12-18 19-25 26-32 33 +  
0 3 7 8

Chart 12: Question 13 results

3.2 Analysing the questionnaire based survey

Questionnaires provide a relatively cheap, quick and efficient way of obtaining information from diverse audiences. Compared to long and tedious research methods such as face-to-face interviews, questionnaires are among the most cost effective. You do not need to hire surveyors to ask people questions; a questionnaire can be placed on a website or simply sent via email. This eliminates printing costs and the need for the researcher to be present when the questionnaire is being administered (Brace, 2008). Questionnaires allow the researcher to reach an unlimited number of respondents, since they are not constrained by the need for field researchers who can only cover a specific geographic area. For example, a researcher may decide to send mass emails to respondents across any region of choice. This greater reach also gives the researcher a unique opportunity to predefine a representative sample; for example, the researcher can choose emails according to pre-set variables and thus avoid sending random surveys. The highly structured nature of questionnaires makes data analysis easier. Conducting advanced statistical tests has also been found to be seamless, as the researcher is able to control the kind of data to expect from the respondents. This has time efficiency benefits; therefore, where results are needed within a short space of time, it eases the process (Mitchell, 2009). Finally, due to their static nature, well designed and tested questionnaires can always be re-used across different audiences with just some minor tweaks. Given that questionnaire design can be time consuming, this capability greatly saves on the time taken to design and execute surveys.

Limitations of Questionnaire based surveys

Just like other research methods, questionnaires, despite their wide usage, have their own limitations. A major limitation arises from the lack of physical contact between the researcher and the respondents. Questionnaires are mostly administered through digital platforms, such as online surveys and mobile surveys, which introduces a physical distance between the researcher and the respondents (Athanasiou, 2010). Another major disadvantage of questionnaires is that responses may be biased, which makes it hard to verify data authenticity (Athanasiou, 2010). The process of producing and deploying questionnaires may be time consuming, as it involves finding participants, an appropriate environment and specified deadlines. In this case, the project is to be done within six months. This makes it hard, as there are procedures to be followed such as legal and ethical issues. To determine whether someone can be part of the representative population, confirmation of their age is required, and this may mean approaching an alternative individual should age restrictions fail to be met. The survey in this study was conducted on a voluntary basis, which leaves no obligation on any of the participants should they wish to opt out at the last minute.

Rationale of survey

Every dissertation is guided by a research question or hypothesis. After formulating the research question, the researcher chooses a data collection method suitable for gathering the required information. There are various ways in which data can be obtained in surveys; the data required for the survey itself suggests the best approach to obtain it. Carrying out a survey is a crucial element in proposing projects involving consumers, as it gives an insight into what is expected of the provider (Zhang, 2009). Studies show that respondents are more honest and more willing to share sensitive information through surveys than in face-to-face interviews (Bowden et al., 2015). This gives surveys built around sensitive information an edge in terms of obtaining accurate and reliable information (Edward, 2009). A dissertation survey provides the data needed for analysis, and data that can be used to compare the dissertation findings with past research. Being able to compare the findings with past data is very important in establishing approaches to bridging gaps. Apart from suggesting or producing a solution to bridge a gap, a survey helps formulate recommendations for further research (Ilieska, 2013).

3.3 Analysis of problem

Quantifiable literature proves the complexity of the focus on Quality of Service in existing work on Service Level Agreements. It is significant that focus on crucial security parameters in SLA, such as confidentiality and integrity, is still immature in the research area. Meeting as many security parameters as possible in SLA will earn web services and SLA alike trust from consumers (Stankov et al, 2012). Meeting security requirements is the key to success in any business (reference). Zhou et al (2013) also addressed security issues as an important factor shadowing the SOA platform and the development of applications associated with it. JIANG et al (2016) echoed that the dominance of web services is also associated with multiple security issues adversely affecting reliability, confidentiality and data non-repudiation. This assumes more focus is directed at satisfying consumers' measurable quality expectations such as speed, reliability, accuracy, capacity, scalability and cost. By doing so, serious consequences such as financial loss to the web service providers may occur. In justification of this ideology, the provider has a responsibility to ensure that security failure is compensated for. For instance, see the work in Kuan Hon et al., 2012.
Considering the work by Zhou et al (2013) and JIANG et al (2016), it is evident that security parameters are an area still requiring full attention in the research community. If the research community puts more focus on the inclusion of security parameters such as confidentiality and integrity, this will ensure providers, consumers and any other third parties are fully informed of the gravity of security failures. As a strategic approach, this study suggests an SLA QoS solution that incorporates crucial security elements such as confidentiality.

3.4 Problem Requirements

This section identifies the requirements needed to propose a solution that extends SLA to include security parameters such as confidentiality and integrity. This is done in anticipation of future requirements which may call for modification; therefore, modifiability features in the unmeasurable requirements section.

3.4.1 Requirements definitions for SLA

SLA measurable requirements (qualities)

Theoretically, SLA quality specifications can be addressed and specified if both stakeholders have an understanding of how the outcome is measured and verified (Dobson, 2005; Bianco et al, 2008). The following requirement specifications are based on measurable and unmeasurable qualities;

Accuracy: This is measurable by errors in service delivery. Errors can be collected periodically to ascertain their average occurrence.
Capacity: This is a measurement of data handling capacity. In web services, it measures the reasonable number of requests that can be made over a stipulated time.
Cost: This refers to costs such as (i) service request costs per service, (ii) data size and (iii) peak-hour requests.
Latency: This is defined by the time taken between a service request and its execution.
Trial/Provisioning time: This is the time between consumer registration and initial service use.
Reliability: This concerns the delivery mechanism and guarantee. It also includes the criteria by which message delivery takes place, for instance by priority order.
Scalability: This concerns service elasticity, that is, the ability to maintain speed while coping with increasing demand from consumers over time. It is inclusive of other factors such as reliability and the possibility to remove or add instances.
Reversibility: In web-based services such as the cloud, retrieval and deletion of data by the provider and consumer can be done as agreed in the contract.

SLA unmeasurable requirements (qualities)

Interoperability: This concerns facilitating communication between different entities. Given such, information is communicated via semantics operating as agreed (Brownsword, 2004).
Modifiability: This concerns the ability to adapt to relevant changes as required to accommodate factors such as a change in requirements. Possible changes relevant to modifiability are such as;

  1. interface
  2. implementation.

Security: This is the ability of a system or service to reject unauthorised use of resources, requests and privileges, among others. Apart from committing to the provision of quality aspects such as uptime and connectivity, providers need to prioritise security. For the security equation to balance, the provider needs to explain to consumers the importance of security relative to other quality-related parameters. Addressing security issues with consumers smoothens the initiation of security negotiation. When implementing security as a measure of resistance to unauthorised access or exploitation, this can be done through the following mechanisms (Bianco et al 2008);

  1. consumer/user authentication – This is an access control strategy ensuring that service use is based on authorisation rather than random access. A complete authentication protocol normally holds user/consumer attributes such as an email address, a unique identifier and a personalised greeting to address the consumer when they log in, such as "Good evening, Isaac". Should this be the user's first time making a service request, they are automatically asked to go through registration procedures and create a password.
  2. consumer/user authorisation – This is the state of being granted access to resources after being authenticated. For example, a consumer trying to gain access to a web-based service makes a request after the discovery process; when they request a service, they may be granted access following successful authentication of their details.
  3. data encryption – In web-based services, data encryption takes place at the application level and in the Simple Object Access Protocol (SOAP). Data encryption in web services is done using numerous encryption algorithms; however, each algorithm has its own limitations. Cryptographic algorithms can be combined to overcome these limitations (Kadam and Khairnar, 2015).

  Key parameters that can be used in defining security qualities include the ability of a system or web service to provide the following (Manoj and Chandrasekar, 2013; Siddique and Muhammad, 2014);

  • Non-repudiation: This is a security control for making senders and recipients accountable for having sent or received communicated messages, so that neither can deny it.
  • Confidentiality: This is achieved by the use of cipher text. Text is encrypted and decrypted back to its original form at the other end.
  • Integrity: This is a measure for ensuring accuracy. Data accuracy is ensured by restricting unauthorised modification while data is being stored or processed.
  • Assurance: This is a promise made to provide security to the consumers. For consumers to have confidence in the provider(s), promises made shall be met.
  • Auditing: In Service Level Agreements, security audits are carried out systematically. This is a way to ensure that they continue to exist, as they are just contracts rather than legally binding agreements (Barbosa et al 2006). This can be done in the following ways;
  1. Manual/technical assessment
  2. Vulnerability scans
  3. Application reviews to identify violations
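The measurable qualities defined in section 3.4.1 only become enforceable once something computes them over real traffic and compares them with the negotiated targets. The following Python script is an added example written for this section, not code from the dissertation: it takes a window of request records (constructed sample data), derives accuracy, capacity, latency and reliability from them, and reports every missed target together with the party accountable for it under the two-way accountability described in chapter 2 (a provider miss on accuracy, latency or reliability; a consumer breach when the agreed request volume is exceeded). All target values, field names and the hypothetical 95th-percentile latency bound are assumptions chosen for the example.

```python
"""SLA measurable-quality evaluator (added example, not from the dissertation).

Computes the measurable qualities of section 3.4.1 over one monitoring window
and attributes each missed target to the responsible party. All thresholds and
the sample data are hypothetical.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Request:
    latency_ms: float   # time between request and execution (latency)
    ok: bool            # False = the service returned an error (accuracy)
    delivered: bool     # False = the response never reached the consumer (reliability)


# Hypothetical negotiated targets for one monitoring window.
SLA_TARGETS: Dict[str, float] = {
    "max_error_rate": 0.05,          # accuracy: at most 5% of requests in error
    "max_requests_per_window": 100,  # capacity: consumer agrees not to exceed this
    "max_p95_latency_ms": 300.0,     # latency: bound on the 95th percentile
    "min_delivery_rate": 0.99,       # reliability: delivery guarantee
}

# Two-way accountability: who is answerable when a quality is missed.
RESPONSIBLE = {
    "accuracy": "provider",
    "latency": "provider",
    "reliability": "provider",
    "capacity": "consumer",   # exceeding the agreed request volume is a consumer breach
}


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile; 0.0 for an empty window."""
    ordered = sorted(values)
    if not ordered:
        return 0.0
    rank = max(0, math.ceil(pct / 100.0 * len(ordered)) - 1)
    return ordered[rank]


def measure(requests: List[Request]) -> Dict[str, float]:
    """Compute the measurable qualities over one window."""
    n = len(requests)
    if n == 0:
        return {"error_rate": 0.0, "requests_in_window": 0,
                "p95_latency_ms": 0.0, "delivery_rate": 1.0}
    return {
        "error_rate": sum(1 for r in requests if not r.ok) / n,
        "requests_in_window": n,
        "p95_latency_ms": percentile([r.latency_ms for r in requests], 95),
        "delivery_rate": sum(1 for r in requests if r.delivered) / n,
    }


def evaluate(requests: List[Request], targets: Dict[str, float]) -> List[Tuple[str, str]]:
    """Return (quality, responsible_party) for every missed target."""
    m = measure(requests)
    missed = []
    if m["error_rate"] > targets["max_error_rate"]:
        missed.append("accuracy")
    if m["requests_in_window"] > targets["max_requests_per_window"]:
        missed.append("capacity")
    if m["p95_latency_ms"] > targets["max_p95_latency_ms"]:
        missed.append("latency")
    if m["delivery_rate"] < targets["min_delivery_rate"]:
        missed.append("reliability")
    return [(q, RESPONSIBLE[q]) for q in missed]


def sample_window() -> List[Request]:
    """Constructed sample: 40 requests, 3 errors, 1 lost response, 2 slow outliers."""
    reqs = []
    for i in range(40):
        latency = 120.0 + (i % 5) * 20.0       # 120..200 ms cycling
        if i in (7, 23):
            latency = 450.0                    # two outliers; not enough to move p95
        reqs.append(Request(latency_ms=latency,
                            ok=i not in (3, 18, 31),
                            delivered=(i != 31)))
    return reqs


if __name__ == "__main__":
    window = sample_window()
    print(measure(window))
    print(evaluate(window, SLA_TARGETS))   # [('accuracy', 'provider'), ('reliability', 'provider')]
```

The sample window misses accuracy (3 errors in 40 requests is 7.5%) and reliability (39 of 40 delivered), both provider-side; the two 450 ms outliers do not breach the p95 bound, which is why a percentile rather than a maximum is the usual latency metric. Feeding 120 requests into the same evaluator reports a capacity breach attributed to the consumer.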

3.5 Design and Development

3.5.1 Proposed solution: An Approach to Secure Service Level Agreements

Proposed Service Level Agreement Composition

The proposed SLA will be composed of the following;

  • Negotiation: (Blackwell and Dixon, 2003; Rahman, 2000; The Art of Service, 2001)

Responsibilities for each entity (provider and consumer) should be negotiated. Negotiation should be done in consideration to requirements and constrains from each entity. This strategy anticipates optimised SLA provisions.

  • Agreement: (Blackwell and Dixon, 2003; The Art of Service, 2001)

An agreement should be reached through negotiation. Establishment of an agreement from both entities in negotiated specifications/aspects, is crucial as it lays a foundation for successful deployment. During the process of negotiation and reaching an agreement, both stakeholders become more informed. Due to understanding each other’s needs, preferences, and priorities, among others, a strong relationship develops.

  • Quantifying service levels: (Blackwell and Dixon, 2003; Rahman, 2001)

This is a performance assessment. Key performance indicators (KPIs) are among the most appropriate tools for testing the pilot project (Velimirovic et al., 2011). This project anticipates the use of security management as equally effective for monitoring and determining performance. This may also involve exploring consumer preferences or requirements. By doing so, costs and gains become justifiable.

  • Clarification of responsibilities: (Blackwell and Dixon, 2003; The Art of Service, 2001)

For guaranteed QoS provision, responsibilities should be clarified between provider and consumer. All responsibilities assigned in the agreement process are featured in the proposed SLA.

  • Security obligations: (Prasad Padhy et al, 2012)

For successful implementation of security parameters in the proposed solution, both parties should act responsibly, abiding by the agreement made. The provider has the sole responsibility to ensure implementation and management of the security parameters as agreed. On the other hand, the consumer should also abide by the terms of the agreement. Failure of the service provider to commit to their promise may result in financial loss; likewise, where the consumer is found failing to abide or responsible for a security violation, there are consequences too. The lifecycle below in figure 4 indicates how the proposed solution may be implemented, while figure 5 shows the security management.

Figure 4: Proposed solution Lifecycle

Phase 1: Negotiation Phase
Provider and consumers agree on;

  • Inclusion of confidentiality and integrity to QoS
  • Metrics

Phase 2: Enforcement and Deployment phase

  • Activation of security parameters/mechanism

Phase 3: Management and Monitoring phase

  • Investigating security breaches

Phase 4: Remediation

  • Identification of security violations and application of counter measures/remedies

Phase 5: Review/Termination

  • Renegotiation
  • Restructuring of SLA terms; in some cases, possible dissolution

Use of phases in the SLA lifecycle promotes effective management in web-based services. This is crucial considering the shared responsibilities between both stakeholders of the agreement. Additionally, using a lifecycle is among the fundamental development aspects of the web services paradigm (Rojas et al, 2016).

Phase 1 – Negotiation Phase: In relation to the proposed solution, the following takes place between the provider and consumer parties in phase 1;

  • Defining terms of agreement
  • Requirements specification for security parameters for extension of QoS in SLA
  • Negotiation

Phase 2 – Enforcement and Deployment: This is the stage at which the negotiated security parameters are enforced in the SLA and deployed. The provider and consumer trade on the following conditions;

  • Finance
  • Acceptable services

Phase 3 – Management and Monitoring phase: Execution and management of the required services takes place, subject to the obligations of the defined security parameters. Management takes place in the form of the following tasks;

  • Real-time monitoring of the SLA
  • Ensuring compliance
  • Performance reports
  • Reactive procedures
  • Enforcement of policies
  • Investigation and controlling of SLA security violations

Phase 4 – Remediation: This is the phase at which remediation takes place between both stakeholders in respect of the following:

  • Corrective procedures following identification of any area of dysfunction

Phase 5 – Review/termination: The agreement thereby goes through review or dissolution procedures. The outcome of this phase is determined by one of the following:

  • Expiration of the agreement/contract
  • Security or contractual violations
  • Request from the consumer

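The five phases above, as an added example that is not part of the dissertation or of any project's code: a small Python model in which confidentiality and integrity are measurable terms sitting beside a QoS term, monitoring records are checked against them, and a term breached beyond its tolerance sends the agreement to review/termination while a tolerated breach returns it to monitoring. All term names, thresholds, cipher names and monitoring records are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List

# Added example, not the dissertation's code: the five SLA phases as a small state machine.

class Phase(Enum):
    NEGOTIATION = "1 negotiation"
    ENFORCEMENT = "2 enforcement and deployment"
    MONITORING = "3 management and monitoring"
    REMEDIATION = "4 remediation"
    REVIEW = "5 review/termination"

@dataclass
class Term:
    name: str
    check: Callable[[dict], bool]  # True when one monitoring record complies
    tolerated: int                 # violations tolerated before termination

@dataclass
class SLA:
    provider: str
    consumer: str
    terms: List[Term]
    phase: Phase = Phase.NEGOTIATION
    violations: Dict[str, int] = field(default_factory=dict)

def negotiate(provider: str, consumer: str, terms: List[Term]) -> SLA:
    """Phase 1 -> 2: parties accept QoS plus security terms; parameters activate."""
    sla = SLA(provider, consumer, terms)
    sla.phase = Phase.ENFORCEMENT
    return sla

def monitor(sla: SLA, records: List[dict]) -> List[str]:
    """Phase 3: check every term on each record; any violation triggers remediation."""
    sla.phase = Phase.MONITORING
    found = []
    for rec in records:
        for term in sla.terms:
            if not term.check(rec):
                sla.violations[term.name] = sla.violations.get(term.name, 0) + 1
                found.append(f"{rec['ts']}: {term.name} violated")
    if found:
        sla.phase = Phase.REMEDIATION
    return found

def remediate(sla: SLA) -> Phase:
    """Phase 4: breach beyond tolerance -> review/termination, else monitoring resumes."""
    breached = [t.name for t in sla.terms if sla.violations.get(t.name, 0) > t.tolerated]
    sla.phase = Phase.REVIEW if breached else Phase.MONITORING
    return sla.phase

# Constructed terms and thresholds: confidentiality and integrity sit beside a QoS term.
WEAK_CIPHERS = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
TERMS = [
    Term("confidentiality", lambda r: r["tls"] >= 1.2 and r["cipher"] not in WEAK_CIPHERS, 0),
    Term("integrity", lambda r: r["checksum_ok"], 0),
    Term("availability", lambda r: r["uptime_pct"] >= 99.9, 1),
]

RECORDS = [  # constructed monitoring records, one per reporting interval
    {"ts": "t1", "tls": 1.3, "cipher": "TLS_AES_128_GCM_SHA256", "checksum_ok": True, "uptime_pct": 99.95},
    {"ts": "t2", "tls": 1.0, "cipher": "TLS_RSA_WITH_RC4_128_SHA", "checksum_ok": True, "uptime_pct": 99.95},
    {"ts": "t3", "tls": 1.3, "cipher": "TLS_AES_128_GCM_SHA256", "checksum_ok": True, "uptime_pct": 99.5},
]

def run_lifecycle(records: List[dict] = RECORDS):
    """Walk one SLA through the phases; returns (sla, violation log, outcome phase)."""
    sla = negotiate("provider-A", "consumer-B", TERMS)
    found = monitor(sla, records)
    return sla, found, remediate(sla)
```
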
SLA Security Management

Security management: Aparecida de Chaves et al. (2010). For effective functionality, sustainability and promotion of “fitness for purpose”, once successfully established, the proposed solution needs continuous, ongoing management. Ongoing management will incorporate all of the lifecycle parameters. This is crucial due to the constantly changing nature of web services deployment. Figure 5 below was developed for this study in Microsoft Visio (2017); however, due to the nature of its moving components, it has been found reasonable to display a screenshot version.

Figure 5: SLA Security Management

CHAPTER 4: CRITICAL ANALYSIS OF PROPOSED SOLUTION

Chapter overview

A critical analysis of the methodology takes place in this chapter. Results from the survey, the study of existing work and the proposal are all scrutinised. This is used to identify advantages and disadvantages that may be associated with the new solution.

4.1 Evaluation

To identify the significance of this project, work has been centered on an in-depth study of Service Level Agreement (SLA) security concerns. With consideration to the wider deployment of web services and the need to elevate security principles, this study has found that secure Service Level Agreements are crucial. Research findings revealed a concentrated focus on Quality of Service features such as speed and availability, while security has been overlooked. The relevance and suitability of the proposition made in the study is based on a combination of survey results and the literature review on web services and SLA respectively. The focus of this project has been on addressing the importance of security aspects to aid QoS. The significance of addressing security issues and proposing a solution for securing SLA lies in an effort to bridge the security gaps resulting from a lack of focus on security concerns in SLA (Cottrell, 2003).

4.1.2 Advantages

  1. The proposed solution is a strategic measure for including key security parameters to extend SLA Quality of Service. Improvement of the SLA through inclusion of confidentiality and integrity establishes a robust SLA suitable for purpose.
  2. Considering the rate at which security threats are growing in distributed computing, there is a need for entering into SLA agreements that promise security.
  3. A secure SLA gives more assurance to consumers and gains trust.
  4. Offering security as a service is a valuable competitive weapon. Considering the wide deployment of web services, it makes providers that promise security more favourable than those that are purely quality centered.
  5. An Approach to Secure Service Level Agreements sounds very promising and is anticipated to elevate security standards in web-based services. This may attract positive feedback from consumers.

  4.1.3 Proposed solution limitations  

  1. Acceptance of something new may be quite challenging. It could face conflicting views, with some regarding it as insufficiently researched. Consumers, on the other hand, may feel it sounds too good to be true, resulting in scepticism and doubt.
  2. There may be costs associated with dissolving existing agreements, resulting in web service providers not considering change.
  3. The newly proposed solution needs constant reviews to keep up with advancing technology.

  4.2 Challenges of An Approach to Secure Service Level Agreements

Considering that current research mainly focuses on Quality of Service, several challenges may threaten the success of the proposed solution. For example:

  • Implementation issues

Implementation of the newly proposed idea often proves difficult. This is a dysfunctional threat.

  • Data complexity

Due to increased data complexity in distributed computing, it may prove very difficult to introduce the proposed solution and expect guaranteed efficiency. Constant reviews are crucial, which makes management a huge challenge.

  • Management of the proposed solution

Due to implementation and data complexity issues, management becomes a role that may need to be fully assigned to a security expert. This may come at a cost.

4.4 Project Limitations

The shortfall of security concerns in Service Level Agreements has been at the centre of this study. A significant number of sources has been consulted for the literature review, the result of which is a complexity of information spanning from the early 2000s to the present. Given the stipulated guidelines within which the work had to be carried out, among other obstacles, time management has been affected in many ways. Therefore, with regard to the survey carried out in the study, it has not been possible to revisit participants for feedback.

CHAPTER 5: EVALUATION, CONCLUSION AND FUTURE WORK

Conclusive summary

Research and all work carried out in this study aimed at determining parameters other than Quality of Service that are crucial in establishing successful SLAs in web-based services. This chapter concludes the study undertaken on SLA. It gives an overview of all the project chapters (chapter 1, chapter 2, chapter 3 and chapter 4) including the suggested future direction of the project.

5.1 Conclusions

The following hypothesis has been put to test in this study: “Web Services are widely deployed and play an important role in today’s Internet paradigm”. Examples of web services are holiday booking and flight booking systems, and Amazon Web Services in e-commerce, among other mission-critical services. The unique nature of web services deployment enables a collection of numerous service providers in one pool, making consumers’ quests for services easier. Service Level Agreements (SLA) are increasingly gaining popularity in web-based services such as email, e-commerce, cloud and many other distributed computing environments. A comprehensive study on SLA has been done in this project to examine the extent to which existing work in SLA covers security parameters.
Focus has been directed on investigating the extent to which security concerns such as confidentiality and integrity are covered in the existing WS-Agreement and WSLA. Work in this report does not only examine Service Level Agreements but also proposes a solution that will extend QoS to include security parameters such as confidentiality and integrity. In addition, a dissection of the SLA composition has been carried out, and the pros, cons and challenges of implementing the newly proposed solution have been considered through critical analysis of the methodology. The overwhelming amount of literature consulted in this study makes it evident that the majority of SLA focus is concentrated on QoS quality aspects such as availability, reliability and speed, among others, while failing to attend to security-related aspects. This project has been carried out in anticipation of enhanced security in SLA through adoption of the lacking parameters. To ensure “fitness for purpose” and improved effectiveness, a representative number of supposed consumers had been selected randomly to take part in a voluntary survey. Inclusion of consumers is important as they have an opportunity to voice their security concerns. The results had been used in consideration of consumer requirements in the proposal. Overall, Chapter 1 marked the introduction of the study, and Chapter 2 gave an overview of web services to give the reader a clear understanding of them. In addition, chapter 2 establishes the relationship between web services and Service Level Agreements and includes the literature review of existing work on SLA. Work on existing SLA is the core attribute of this project, as the proposed solution is based on it. Design and development of the proposed solution took place in Chapter 3, while a critical analysis of the proposed solution had been done in chapter 4. Conclusively, Chapter 5 accounts for the hypothesis and all work carried out through the report and suggests future work.
5.2 Future work

As this is a pilot project, future work suggests testing the solution for use in a distributed computing environment. Another suggestion for future improvement is to make constant reviews of the solution. This will assist in identifying strengths and weaknesses, as well as planning towards adoption of future requirements and disaster planning in case of possible SLA failures.

                                     APPENDICES  

Appendix 1: Analysing security in Service Level Agreement questionnaire-based survey

Attention to participant: “Web Services are widely deployed and play an important role in today’s Internet paradigm”. For satisfaction of user requirements and legal fulfilment, it is currently crucial for web-based services to have a Service Level Agreement (SLA) in place. Given this, as part of a project on analysing SLA for user involvement, I am conducting a survey to investigate user security awareness in services such as email, storage and cloud, all falling under web-based services. This survey is expected to take an average of 5 minutes. Your contribution is much appreciated and will not be criticised. In consideration of the Data Protection Act 1998 relating to participant details, information given in this survey is anonymised and used appropriately with relevance to the project. Note: participation in this survey is voluntary and not subject to any obligations or contractual agreements. Therefore, please feel free to exclude yourself from the study at any time without notice.

  1. How frequently do you use cloud-based applications (i.e. banking, business applications, social media, etc.)?

Scale: 1 (much less) to 5 (very frequent)

  2. Do you store any personal or professional data in the cloud?

☐ Personal   ☐ Professional   ☐ Both

  3. Are you worried at all about the security of the cloud-based applications or data stored in the cloud?

Scale: 1 (not at all) to 5 (very much)

  4. Of the applications that you use, which are you most concerned about someone hacking into?

☐ Banking   ☐ Email   ☐ Social Networking   ☐ Cloud Storage

  5. Which social networking website are you mostly concerned about for misuse of your data by hackers?

☐ Facebook   ☐ Snapchat   ☐ Instagram   ☐ WhatsApp

  6. Which cloud storage are you mostly concerned about for misuse of your data by hackers?

☐ Dropbox   ☐ OneDrive   ☐ Google Drive   ☐ iCloud   ☐ Other

  7. Which email provider are you mostly concerned about for misuse of your data by hackers?

☐ Yahoo   ☐ Hotmail/Outlook   ☐ Gmail   ☐ Other

  8. What system for file storage and sharing does your peer ask you to use?

☐ Internal network   ☐ Dropbox   ☐ Google Drive   ☐ iCloud   ☐ OneDrive

  9. What email provider does your peer ask you to use?

☐ Yahoo   ☐ Hotmail/Outlook   ☐ Gmail   ☐ Other

  10. When it comes to your data privacy, who are you most concerned about?

☐ Government   ☐ Family   ☐ Blackmailers   ☐ Marketing companies   ☐ Not concerned

  11. How do you most frequently share documents?

☐ Email   ☐ Cloud Storage   ☐ I don’t share

  12. What are your main worries regarding data insecurity/exposure?

☐ Nothing   ☐ My peers will know my secret   ☐ Govt. will have access to my private data   ☐ Marketing firms will have access to my private data

  13. What is your age group?

☐ 12-18   ☐ 19-25   ☐ 26-32   ☐ 33 and above

  14. What do you consider as the level of your IT/internet security awareness?

☐ none   ☐ beginner   ☐ intermediate   ☐ proficient

  15. What is your gender?

☐ Male   ☐ Female   ☐ Prefer not to say

Signature of participant:                    Date:
Name of researcher:
Signature of researcher:                     Date:

Appendix 2: Survey respondent consent

Project Title: Analysing security in Service Level Agreement (SLA)
Researcher: Isaac Zennah
Participant:
University: Liverpool John Moores
School: Computing and Mathematical Sciences
Average survey time: 5 minutes
Key: ☐ tick box

  1. I have been given full information on the subject and have agreed to take part. ☐
  2. I understand that this survey is subject to voluntary conditions. Therefore, I have been informed that I can opt out at any time without any obligations. ☐
  3. Assurance has been given that under the Data Protection Act 1998 any information given will be used with relevance to the study. I will be consulted should there be any need for third-party distribution. ☐
  4. I agree to take part in the survey that the researcher is conducting for analysis as required for the project above. ☐
  5. I have been informed that any future use of information from the survey related to the study remains confidential. ☐

Researcher: ___________________     Date:               Signature: _____________________
Participant: ____________________     Date:               Signature: ____________________

Appendix 3: Records of monthly supervision meetings

November Report

6000PROJ / 6001PROJ Final Year Project Monthly Supervision Meeting Record
Student: Isaac Zennah                                        Date: 4th November 2016

Main issues / Points of discussion / Progress made
Main issues – Completing ethics application form
Points of discussion – Question about creating project topic from the original idea, and to understand how survey data can be collected and used in a legally acceptable manner that meets LJMU standards.
Progress made – Submission of project specification was made within deadline.
Actions for the next month
To search a variety of academic resources for journals, research papers and textbooks that relate to my project and compile them based on their relevance.
Deliverables for next time
Draft literature review.
Other comments
I plan to attend Academy Skill support workshops during the reading week. I believe the workshops covering critical analysis and thinking, researching, paraphrasing, and referencing are crucial to my project’s success.

December Report

6000PROJ / 6001PROJ Final Year Project Monthly Supervision Meeting Record
Student: Isaac Zennah                                        Date: 02/12/12

Main issues / Points of discussion / Progress made
Main issues – Not being able to submit Literature review as planned due to family problem.
Point of discussion – Setting new date to complete Literature Review, also the issue of designing and developing project questionnaires.
Progress made – No substantial progress has been made this month, reason being I was unable to meet deliverable set by my supervisor last month.
Actions for the next month
  • To complete Literature Review and project questionnaires
  • Allocate more time to my project to recover lost progress
  • Endeavour to meet all recommendations
Deliverables for next time
Focus more on the project for the next month as time is running out.
Other comments

Supervisor signature: …………………… Student signature: ……………………..

January Report

6000PROJ / 6001PROJ Final Year Project Monthly Supervision Meeting Record
Student: Isaac Zennah                                        Date: 20/01/2017

Main issues / Points of discussion / Progress made
  • Questionnaires in finishing stages, about to be sent out
  • Previous recommendation was acted upon by finishing my Literature review over the Christmas holiday.
  • Currently working on my proposed solution – what I intend to achieve in my project
Actions for the next month
  • Will chase and collect questionnaires from participants
  • Plan to complete methodology
Deliverables for next time
Check the marking criteria and prepare your report in the expected format. Analyse the problem and requirements before the solution so that your solution will address those issues you identified during analysis.
Other comments

Supervisor signature: …………………… Student signature: ……………………..

February Report

6000PROJ Final Year Project Monthly Supervision Meeting Record
Student: Isaac Zennah                                        Date: February 2017

Main issues / Points of discussion / Progress made
  • To discuss issues concerning setbacks I have experienced
  • I have completed chapter 1 and 2
Actions for the next month
  • To work on analysis of problem and problem requirement
Deliverables for next time
Other comments
I feel I am losing time – I wrote quite a bit but I had to rewrite most of it because I realised some ideas were not well developed. However, I have increased the time I spend on my project to make up for lost time.

Supervisor signature: …………………… Student signature: ……………………..

March Report

6000PROJ Final Year Project Monthly Supervision Meeting Record
Student: Isaac Zennah                                        Date: March 2017

Main issues / Points of discussion / Progress made
  • To approve questionnaire
  • To discuss project structure
  • On reflection of last supervisory meeting, I have written reference of every project research – therefore I have come up with project structure which, if approved, I wish to follow in my project
  • I have drafted the abstract to follow as the project progresses, namely:
  • Hypothesis
  • Aims
  • Methodology
  • Findings
  • Conclusion
Actions for the next month
If questionnaire is approved I will distribute 25 – 27 in return for 18-20 to accommodate an expected withdrawal of participants.
Deliverables for next time
Other comments

Supervisor signature: …………………… Student signature: ……………………..

Appendix 4: Report Structure Documentation

  1. SUBJECT

Analysing security in Service Level Agreement (SLA)

  2. SUBMISSION DATE

21 April 2017

  3. REPORT TYPE

Final Year Project (36%) of the undergraduate BSc (Hons) Cyber Security

  4. AUTHOR

Isaac Zennah

  5. UNIVERSITY NAME

Liverpool John Moores

  6. ABSTRACT (376 words)

A total of 5 paragraphs

SUBJECT KEY WORDS

Web-based services, Service Level Agreement (SLA), Quality of Service (QoS), confidentiality, integrity

NUMBER OF SOURCES CONSULTED IN THE STUDY
