Security-Centric Evaluation Framework for IT Services

  • Smrati GuptaEmail author
  • Jaume Ferrarons-Llagostera
  • Jacek Dominiak
  • Victor Muntés-Mulero
  • Peter Matthews
  • Erkuden Rios
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10232)


Tremendous growth and adoption of cloud based services within IT enterprises has generated important requirements for security provisioning. Users need to evaluate the security characteristics of different providers and their offered services. This generates an additional requirement for methods to compare cloud service providers on the basis of their capabilities to meet security requirements. This paper proposes a novel framework to assess and compare cloud services on the basis of their security offerings, leveraging existing best practices and standards to develop new relevant metrics. We provide comparison yardsticks related to security to evaluate cloud services such that the security robustness of cloud services can be computed using easy to evaluate deconstructed metrics. This paper provides a framework that can be leveraged to provide security enhancement plans both for users and providers.


Cloud computing best practices Certifications Security controls 



This work is partially supported by Secretaria de Universitats i Recerca of Generalitat de Catalunya (2014DI031) and conducted as a part of the MUSA project (Grant Agreement 644429) funded by the European Commission within call H2020-ICT-2014-1.


  1. 1.
    Grozev, N., Buyya, R.: Inter-cloud architectures and application brokering: taxonomy and survey. Softw. Pract. Exper. 44(3), 369–390 (2014). CrossRefGoogle Scholar
  2. 2.
    Ali, M., Khan, S.U., Vasilakos, A.V.: Security in cloud computing: opportunities and challenges. Inf. Sci. 305, 357–383 (2015)MathSciNetCrossRefGoogle Scholar
  3. 3.
    Cloud Security Alliance. Accessed 30 Jan 2017
  4. 4.
  5. 5.
    Motion Picture Association of America. Accessed 31 Jan 2017
  6. 6.
    International Organization for Standardization. Accessed 31 Jan 2017
  7. 7.
    Control Objectives for Information and Related Technologies. Accessed 31 Jan 2017
  8. 8.
    Health Insurance Portability and Accountability Act of 1996. Accessed 31 Jan 2017
  9. 9.
    Family Educational Rights and Privacy Act. Accessed 31 Jan 2017
  10. 10.
    Federal Risk and Authorization Management Program. Accessed 31 Jan 2017
  11. 11.
    Jericho Forum. Accessed 31 Jan 2017
  12. 12.
    Na, S.-H., Huh, E.-N.: A methodology of assessing security risk of cloud computing in user perspective for security-service-level agreements. In: 2014 Fourth International Conference on Innovative Computing Technology (INTECH), pp. 87–92, August 2014Google Scholar
  13. 13.
    Shaikh, R., Sasikumar, M.: Trust model for measuring security strength of cloud computing service. Procedia Comput. Sci. 45, 380–389 (2015)CrossRefGoogle Scholar
  14. 14.
    Luna Garcia, J., Langenberg, R., Suri, N.: Benchmarking cloud security level agreements using quantitative policy trees. In: Proceedings of the ACM Workshop on Cloud Computing Security Workshop, pp. 103–112. ACM (2012)Google Scholar
  15. 15.
    Garg, S.K., Versteeg, S., Buyya, R.: SMICloud: a framework for comparing and ranking cloud services. In: 2011 Fourth IEEE International Conference on Utility and Cloud Computing, pp. 210–218, December 2011Google Scholar
  16. 16.
    Saripalli, P., Walters, B.: QUIRC: a quantitative impact and risk assessment framework for cloud security. In: 2010 IEEE 3rd International Conference on Cloud Computing (CLOUD), pp. 280–288. IEEE, July 2010.
  17. 17.
    Casola, V., Benedictis, A.D., Rak, M., Rios, E.: Security-by-design in clouds: a security-SLA driven methodology to build secure cloud applications. Procedia Comput. Sci. 97, 53–62 (2016). 2nd International Conference on Cloud Forward: From Distributed to Complete Computing. CrossRefGoogle Scholar
  18. 18.
    Ferrarons-Llagostera, J., Gupta, S., Munts-Mulero, V., Larriba-Pey, J.-L., Matthews, P.: Scoring cloud services through digital ecosystem community analysis. In: Proceedings of the EC-Web 2016: 17th International Conference on Electronic Commerce and Web Technologies (2016)Google Scholar
  19. 19.
  20. 20.
    Cloud Controls Matrix. Accessed 30 Jan 2017
  21. 21.
  22. 22.
    Habib, S.M., Ries, S., Mühlhäuser, M., Varikkattu, P.: Towards a trust management system for cloud computing marketplaces: using CAIQ as a trust information source. Secur. Commun. Netw. 7(11), 2185–2200 (2014)CrossRefGoogle Scholar
  23. 23.
    Shirey, R.: Internet security glossary, version 2 (rfc4949). (2007). Accessed 06 Feb 2017
  24. 24.
    Gupta, S., Muntes-Mulero, V., Matthews, P., Dominiak, J., Omerovic, A., Aranda, J., Seycek, S.: Risk-driven framework for decision support in cloud service selection. In: 2015 15th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pp. 545–554, May 2015Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Smrati Gupta
    • 1
    Email author
  • Jaume Ferrarons-Llagostera
    • 1
  • Jacek Dominiak
    • 1
  • Victor Muntés-Mulero
    • 1
  • Peter Matthews
    • 1
  • Erkuden Rios
    • 2
  1. 1.CA Strategic Research, CA TechnologiesCornellà de LlobregatSpain
  2. 2.TecnaliaDerioSpain

Personalised recommendations