Security evaluation of cloud service providers using third party auditors

Syed S. Rizvi, Trent A. Bolish, Joseph R. Pfeffer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Scopus citations


Cloud computing is a revolutionary breakthrough in computing technology. It allows businesses to supply their customers with a seemingly endless amount of resources on demand, so long as they are willing to pay for it. From a business perspective, cloud computing is revolutionizing profitability. From a security standpoint, cloud computing presents an alarming amount of risk to customer data. When customers make purchases, they transfer data to a Cloud Service Provider (CSP), but are unable to evaluate which CSP has sufficient security controls to protect their sensitive data. The Cloud Security Alliance (CSA) is an organization whose mission is to suggest best practice security controls and guidelines for CSPs to follow. The CSA provides a questionnaire or risk assessment, known as the Consensus Assessment Initiative Questionnaire (CAIQ), for CSPs to fill out in order to gauge their level of security within their organization. The CSPs access these questionnaires from the CSA's STAR (Security Trust and Assurance Registry) database. This allows for CSUs to base their level of trust in a specific organization on these assessments. However, there is no way for the CSA to validate that the CSP's responses to the questionnaire are accurate. This paper presents a framework that uses a third-party auditor (TPA) to review, audit, and validate the CAIQ responses stored in the STAR repository. Our framework provides a specific group of auditors that can be used to evaluate and validate the security controls of CSPs. Therefore, the primary objective of this research is to formulate the mechanism by which the appropriate auditor(s) can be chosen by the TPA and create a verification system in which CSUs may finally put their trust.

Original language: English (US)
Title of host publication: Proceedings of the 2nd International Conference on Internet of Things and Cloud Computing, ICC 2017
Editors: Hani Hamdan, Djallel Eddine Boubiche, Faouzi Hidoussi
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450347747
State: Published - Mar 22 2017
Event: 2nd International Conference on Internet of Things and Cloud Computing, ICC 2017 - Cambridge, United Kingdom
Duration: Mar 22 2017 → Mar 23 2017

Publication series

Name: ACM International Conference Proceeding Series


Other: 2nd International Conference on Internet of Things and Cloud Computing, ICC 2017
Country/Territory: United Kingdom

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

