An assessment of security requirements compliance of cloud providers

Cloud provider assessment is important for cloud consumers to determine, when outsourcing computing work, which providers can serve their business and system requirements. This paper presents an initial attempt to assess security requirements compliance of cloud providers by following the Goal Question Metric approach and defining a weighted scoring model for the assessment. The security goals and questions that address the goals are taken from Cloud Security Alliance´s Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire. We then transform such questions into more detailed ones and define metrics that help provide quantitative answers to the transformed questions based on evidence of security compliance provided by the cloud providers. The scoring is weighted by quality of evidence, i.e. its compliance with the associated questions and its completeness. We propose a scoring system architecture which utilizes CloudAudit and assess Amazon Web Services as an example.