A security evaluation framework for cloud security auditing

The Journal of Supercomputing

Abstract

Cloud computing is clearly one of today’s most enticing technologies due to its scalable, flexible, and cost-efficient access to infrastructure and application services. Despite these benefits, cloud service users (CSUs) have serious concerns about data security and privacy. Currently, several cloud service providers (CSPs) offer a wide range of services to their customers with varying levels of security strength. Because of the vast diversity of available cloud services, it has become difficult for customers to decide which CSP to use and what the selection criteria should be. Presently, there is no framework that allows CSUs to evaluate CSPs based on their ability to meet the customer’s security requirements. We propose a framework and a mechanism that evaluate the security strength of CSPs based on the customer’s security preferences. We show the applicability of our security evaluation framework using a case study.

Corresponding author

Correspondence to Syed Rizvi.

Cite this article

Rizvi, S., Ryoo, J., Kissell, J. et al. A security evaluation framework for cloud security auditing. J Supercomput 74, 5774–5796 (2018). https://doi.org/10.1007/s11227-017-2055-1

  • DOI: https://doi.org/10.1007/s11227-017-2055-1
