Abstract
Tremendous growth and adoption of cloud-based services within IT enterprises has generated important requirements for security provisioning. Users need to evaluate the security characteristics of different providers and their offered services. This generates an additional requirement for methods to compare cloud service providers on the basis of their capabilities to meet security requirements. This paper proposes a novel framework to assess and compare cloud services on the basis of their security offerings, leveraging existing best practices and standards to develop new relevant metrics. We provide comparison yardsticks related to security to evaluate cloud services such that the security robustness of cloud services can be computed using easy-to-evaluate deconstructed metrics. This paper provides a framework that can be leveraged to provide security enhancement plans both for users and providers.
Acknowledgment
This work is partially supported by Secretaria de Universitats i Recerca of Generalitat de Catalunya (2014DI031) and conducted as a part of the MUSA project (Grant Agreement 644429) funded by the European Commission within call H2020-ICT-2014-1.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Gupta, S., Ferrarons-Llagostera, J., Dominiak, J., Muntés-Mulero, V., Matthews, P., Rios, E. (2017). Security-Centric Evaluation Framework for IT Services. In: Au, M., Castiglione, A., Choo, KK., Palmieri, F., Li, KC. (eds) Green, Pervasive, and Cloud Computing. GPC 2017. Lecture Notes in Computer Science, vol 10232. Springer, Cham. https://doi.org/10.1007/978-3-319-57186-7_53
DOI: https://doi.org/10.1007/978-3-319-57186-7_53
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-57185-0
Online ISBN: 978-3-319-57186-7
eBook Packages: Computer Science, Computer Science (R0)