Towards a framework for trustworthy data security level agreement in cloud procurement


Bibliographic Details
Main Authors: Nugraha, Y, Martin, AP
Format: Journal article
Language: English
Published: Elsevier 2021
author Nugraha, Y
Martin, AP
collection OXFORD
description After the post-Snowden upheavals, there is a growing concern about preserving the confidentiality of sensitive data across government agencies when using global cloud service providers, such as Amazon Web Services and Microsoft Azure. The use of certification schemes is becoming more critical to assure the security of services offered. This situation is problematic because many certification schemes aim to demonstrate compliance with a security standard rather than achieve a specified security level. Despite the benefits of security certification schemes like Common Criteria (CC), an assurance-based certification process does not scale well to service provision. To this end, this paper aims to investigate the concept of system assurance and trustworthiness in service provisioning, especially when government agencies procure cloud-based services. By using work on the Indonesian Government’s data confidentiality requirements, this work develops principles as foundations for a trustworthy data security level agreement (TDSLA) capability framework as a new assurance mechanism for service provisioning based on discrete levels of security assurance incorporated into the formulation of a service level agreement (SLA). The principles which have emerged from the empirical qualitative data collection were evaluated and validated using four approaches, namely: 1) reflection against related work; 2) testimonial validity through participants’ feedback; 3) use cases; and 4) application of transferability using cases from the UK Government Cloud (G-Cloud) and the US Federal Risk and Authorization Management Program (FedRAMP). The TDSLA capability framework can form the basis for constructing a legal language in contracts or SLAs.
id oxford-uuid:cdc27e3d-b743-4ffb-ba91-e7ef52d77db2
institution University of Oxford
record_created 2022-04-20T08:30:13Z
resource_type http://purl.org/coar/resource_type/c_dcae04bc
source Symplectic Elements