Abstract
Cloud services have become an emerging solution for organizations striving to meet today's need for agility, but little research has addressed transitioning multiple collaborating organizations to what can be referred to as a "value-network cloud." Organizations that adopt cloud services to execute business processes must concomitantly reconfigure their security solutions for their integrated intra- and inter-organizational collaborations. We address the question, "What is needed to make it possible for an entire value-network to take secure, collaborative business process executions to the cloud?" Future value-network cloud solutions will require new security approaches that leverage contracted brokering services operating as part of the cloud solution itself. We view value-network cloud security service provisioning as a bundling decision characterized by the mix of communication patterns relevant to intra- and inter-enterprise collaboration. We propose a cloud service broker model, built on semantics- and SLA-based middleware, to serve as a trusted interface between the enterprise, cloud service providers, and the other organizations collaborating in a value-network. The approach enables IT governance for value-network cloud services. The architectural requirements adapt design principles for infrastructure management from the way business cartels historically conducted secure business dealings.
Cite this article
Demirkan, H., Goul, M. Taking value-networks to the cloud services: security services, semantics and service level agreements. Inf Syst E-Bus Manage 11, 51–91 (2013). https://doi.org/10.1007/s10257-011-0186-0
DOI: https://doi.org/10.1007/s10257-011-0186-0