June 24, 2013 19:18 International Journal of Computer Mathematics fm-cloud-journal International Journal of Computer Mathematics Vol. 00, No. 00, August 2012, 1–28 RESEARCH ARTICLE Formalising Workflows Partitioning over Federated Clouds: Multi-Level Security and Costs Leo Freitas & Paul Watson a∗ a School of Computing Science, Newcastle University, Newcastle, NE1 7RU, UK (v3.6 released August 2012) This paper presents an formalisation of federated cloud workflows using the Z notation. It is an abstract specification with properties of interest being observed by the possible deployments, which are symbolically calculated by the Z/EVES theorem prover. Mathematical rules are used to define these properties by restricting valid options for security, cost, dependability, etc. A Haskell implementation of these proved properties is also presented. We have a Haskell implementation of the approach that is used to generate valid workflow deployment options, given the user workflow input and the security and cost properties of interest. The result is a set of (sub)-workflows as GraphWiz files respecting these properties. Keywords: Federated Clouds, Formal proof, Bell-LaPadula, Haskell, Z/EVES AMS Subject Classification: ???? 1. Introduction Concerns about security are one of the main barriers to the adoption of cloud computing. Security presents a significant barrier to the wider adoption of cloud computing. While many organisations see data held on their own servers as secure, they worry about the security of transferring data over the Internet to a public cloud for storage and processing. At the same time, many of those same organisa- tions see the potential benefits to them in terms of the agility, scalability and cost reduction offered by clouds. Considering the security concerns of each application represents one way of re- solving this tension. Those applications with high-security requirements (usually run on servers that are referred to, and managed, as a private cloud) can be kept within the organisation, restricting the use of public clouds to those with lesser requirements. How the decision on security requirements is made raises a number of issues as applications often combine a set of data and computational services. Each service has its own security requirements, complicating the decision on overall security requirements. Deciding where to run an application through a “binary” decision- making process ignores opportunities to combine the best of private and public clouds by restricting secure parts of the flow to internal processing, but running less critical parts of the application on public clouds to take advantage of the scalability and cost reduction they offer. * Corresponding author. Email: leo.freitas@newcastle.ac.uk ISSN: 0020-7160 print/ISSN 1029-0265 online c  2012 Taylor & Francis DOI: 0020716YYxxxxxxxx http://www.informaworld.com