Selecting a secure cloud provider - an empirical study and multi criteria approach

  • Security has become one of the primary factors that cloud customers consider when they select a cloud provider for migrating their data and applications into the Cloud. To this end, the Cloud Security Alliance (CSA) has provided the Consensus Assessment Questionnaire (CAIQ), which consists of a set of questions that providers should answer to document which security controls their cloud offerings support. In this paper, we adopted an empirical approach to investigate whether the CAIQ facilitates the comparison and ranking of the security offered by competitive cloud providers. We conducted an empirical study to investigate if comparing and ranking the security posture of a cloud provider based on CAIQ’s answers is feasible in practice. Since the study revealed that manually comparing and ranking cloud providers based on the CAIQ is too time-consuming, we designed an approach that semi-automates the selection of cloud providers based on CAIQ. The approach uses the providers’ answers to the CAIQ to assign a value to the different security capabilities of cloud providers. Tenants have to prioritize their security requirements. With that input, our approach uses an Analytical Hierarchy Process (AHP) to rank the providers’ security based on their capabilities and the tenants’ requirements. Our implementation shows that this approach is computationally feasible and once the providers’ answers to the CAIQ are assessed, they can be used for multiple CSP selections. To the best of our knowledge this is the first approach for cloud provider selection that provides a way to assess the security posture of a cloud provider in practice.

Download full text files

Export metadata

Additional Services

Share in Twitter Search Google Scholar
Author:Sebastian PapeORCiDGND, Federica PaciORCiD, Jan JürjensORCiDGND, Fabio MassacciORCiDGND
Parent Title (German):Information
Place of publication:Basel
Document Type:Article
Date of Publication (online):2020/05/11
Date of first Publication:2020/05/11
Publishing Institution:Universitätsbibliothek Johann Christian Senckenberg
Release Date:2020/06/12
Tag:cloud service provider; risk assessment; security assessment; security self-assessment
Page Number:27
First Page:1
Last Page:27
Institutes:Wirtschaftswissenschaften / Wirtschaftswissenschaften
Dewey Decimal Classification:0 Informatik, Informationswissenschaft, allgemeine Werke / 00 Informatik, Wissen, Systeme / 004 Datenverarbeitung; Informatik
3 Sozialwissenschaften / 33 Wirtschaft / 330 Wirtschaft
Licence (German):License LogoCreative Commons - Namensnennung 4.0