TY - GEN
T1 - Security evaluation of cloud service providers using third party auditors
AU - Rizvi, Syed S.
AU - Bolish, Trent A.
AU - Pfeffer, Joseph R.
PY - 2017/3/22
Y1 - 2017/3/22
N2 - Cloud computing is a revolutionary breakthrough in computing technology. It allows businesses to supply their customers with a seemingly endless amount of resources on demand, so long as they are willing to pay for it. From a business perspective, cloud computing is revolutionizing profitability. From a security standpoint, cloud computing presents an alarming amount of risk to customer data. When customers make purchases, they transfer data to a Cloud Service Provider (CSP), but are unable to evaluate which CSP has sufficient security controls to protect their sensitive data. The Cloud Security Alliance (CSA) is an organization whose mission is to suggest best-practice security controls and guidelines for CSPs to follow. The CSA provides a questionnaire or risk assessment, known as the Consensus Assessment Initiative Questionnaire (CAIQ), for CSPs to fill out in order to gauge their level of security within their organization. The CSPs access these questionnaires from the CSA's STAR (Security Trust and Assurance Registry) database. This allows Cloud Service Users (CSUs) to base their level of trust in a specific organization on these assessments. However, there is no way for the CSA to validate that the CSP's responses to the questionnaire are accurate. This paper presents a framework that uses a third-party auditor (TPA) to review, audit, and validate the CAIQ responses stored in the STAR repository. Our framework provides a specific group of auditors that can be used to evaluate and validate the security controls of CSPs. Therefore, the primary objective of this research is to formulate the mechanism by which the appropriate auditor(s) can be chosen by the TPA and to create a verification system in which CSUs may finally put their trust.
AB - Cloud computing is a revolutionary breakthrough in computing technology. It allows businesses to supply their customers with a seemingly endless amount of resources on demand, so long as they are willing to pay for it. From a business perspective, cloud computing is revolutionizing profitability. From a security standpoint, cloud computing presents an alarming amount of risk to customer data. When customers make purchases, they transfer data to a Cloud Service Provider (CSP), but are unable to evaluate which CSP has sufficient security controls to protect their sensitive data. The Cloud Security Alliance (CSA) is an organization whose mission is to suggest best-practice security controls and guidelines for CSPs to follow. The CSA provides a questionnaire or risk assessment, known as the Consensus Assessment Initiative Questionnaire (CAIQ), for CSPs to fill out in order to gauge their level of security within their organization. The CSPs access these questionnaires from the CSA's STAR (Security Trust and Assurance Registry) database. This allows Cloud Service Users (CSUs) to base their level of trust in a specific organization on these assessments. However, there is no way for the CSA to validate that the CSP's responses to the questionnaire are accurate. This paper presents a framework that uses a third-party auditor (TPA) to review, audit, and validate the CAIQ responses stored in the STAR repository. Our framework provides a specific group of auditors that can be used to evaluate and validate the security controls of CSPs. Therefore, the primary objective of this research is to formulate the mechanism by which the appropriate auditor(s) can be chosen by the TPA and to create a verification system in which CSUs may finally put their trust.
UR - http://www.scopus.com/inward/record.url?scp=85044652696&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85044652696&partnerID=8YFLogxK
U2 - 10.1145/3018896.3025154
DO - 10.1145/3018896.3025154
M3 - Conference contribution
AN - SCOPUS:85044652696
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the 2nd International Conference on Internet of Things and Cloud Computing, ICC 2017
A2 - Hamdan, Hani
A2 - Boubiche, Djallel Eddine
A2 - Hidoussi, Faouzi
PB - Association for Computing Machinery
T2 - 2nd International Conference on Internet of Things and Cloud Computing, ICC 2017
Y2 - 22 March 2017 through 23 March 2017
ER -