A Hierarchical Security-Auditing Methodology for Cloud Computing

Security concerns are frequently mentioned among the reasons why organizations hesitate to adopt cloud computing. Given the numerous choices of cloud-resource providers, clients often find it difficult to assess their relative advantages and shortcomings with respect to security, which may prevent them from making any choice. In this paper, we describe our methodology for a hierarchical security-audit method for cloud-computing services. Our method examines the overall security of the cloud offering, based on the examination of a comprehensive set of security concerns at the IaaS, PaaS, and SaaS layers. For each layer, relevant evidence regarding its security is collected and subsequently synthesized into an overall security score. We illustrate our method through a case study, examining the relative security merits of the Google Cloud and the Microsoft Azure Cloud.