Assessing the Security Posture of Cloud Service Providers

Cloud computing offers on-demand scalable resources and IT-based solutions without the need to invest in new infrastructure or train new personnel. Despite its economic advantages, cloud computing has faced scrutiny regarding security risks involved with allowing sensitive data to be controlled and handled by third-party, off-site vendors. Many businesses with interest in using cloud services do not have a process to assess cloud providers security posture. To aid this issue, the Cloud Security Alliance (CSA) has developed the Consensus Assessments Initiative Questionnaire (CAIQ), which has quickly become an industry-accepted way to document security controls found within cloud services. The CSA CAIQ document provides prospective clients an in-depth look into the security controls of a given cloud service provider (CSP). The assessment process is very complicated because it requires clients to examine over 140 questions spanning over eleven security control categories in CAIQ, answer yes/no followed by explanatory comments related to the corresponding question. How cloud consumers can objectively use the CAIQ to assess CSP security levels becomes an important and urgent problem. A Fuzzy Likert System (FLS) was employed that uses fuzzy logic, Likert scales and decision making technologies to assess the Security Posture Score (SPS) for cloud service providers based on client evaluations of CSP feedback on the CAIQ document and client-defined weights signifying the relative importance of each CAIQ category. The FLS allows clients to numerically evaluate the CSA CAIQ and provides weights for each CAIQ category. Upon doing so, the FLS provides a score indicating the security posture of the given CSP. A one-tailed F-test is used to perform a statistical analysis comparing the standard deviation between 1000 random SPSs calculated with our FLS and a traditional weighted-average system. Experimental results indicate that the null hypothesis, which states that the two standard deviations are the same, can be rejected in favor of the alternate hypothesis, thus claiming that with 95% confidence there is a significant difference between scoring methods.