Selecting a Secure Cloud Provider—An Empirical Study and Multi Criteria Approach
Open Access
- 10 May 2020
- journal article
- research article
- Published by MDPI AG in Information
- Vol. 11 (5), 261
- https://doi.org/10.3390/info11050261
Abstract
Security has become one of the primary factors that cloud customers consider when they select a cloud provider for migrating their data and applications into the Cloud. To this end, the Cloud Security Alliance (CSA) has provided the Consensus Assessment Questionnaire (CAIQ), which consists of a set of questions that providers should answer to document which security controls their cloud offerings support. In this paper, we adopted an empirical approach to investigate whether the CAIQ facilitates the comparison and ranking of the security offered by competitive cloud providers. We conducted an empirical study to investigate if comparing and ranking the security posture of a cloud provider based on CAIQ’s answers is feasible in practice. Since the study revealed that manually comparing and ranking cloud providers based on the CAIQ is too time-consuming, we designed an approach that semi-automates the selection of cloud providers based on CAIQ. The approach uses the providers’ answers to the CAIQ to assign a value to the different security capabilities of cloud providers. Tenants have to prioritize their security requirements. With that input, our approach uses an Analytical Hierarchy Process (AHP) to rank the providers’ security based on their capabilities and the tenants’ requirements. Our implementation shows that this approach is computationally feasible and once the providers’ answers to the CAIQ are assessed, they can be used for multiple CSP selections. To the best of our knowledge, this is the first approach for cloud provider selection that provides a way to assess the security posture of a cloud provider in practice.
Funding Information
- Horizon 2020 (830929)
- Seventh Framework Programme (285223)
- European Union (300267102)