Abstract
Cloud computing is clearly one of today’s most enticing technologies due to its scalable, flexible, and cost-efficient access to infrastructure and application services. Despite these benefits, cloud service users (CSUs) have serious concerns about data security and privacy. Currently, several cloud service providers (CSPs) offer a wide range of services to their customers with varying levels of security strength. Because of the vast diversity in the available cloud services, it has become difficult for customers to decide which CSP they should use and what the selection criteria should be. Presently, there is no framework that allows CSUs to evaluate CSPs based on their ability to meet the customer’s security requirements. We propose a framework and a mechanism that evaluate the security strength of CSPs based on the customer’s security preferences. We show the applicability of our security evaluation framework using a case study.
Cite this article
Rizvi, S., Ryoo, J., Kissell, J. et al. A security evaluation framework for cloud security auditing. J Supercomput 74, 5774–5796 (2018). https://doi.org/10.1007/s11227-017-2055-1
DOI: https://doi.org/10.1007/s11227-017-2055-1