Selecting a Secure Cloud Provider—An Empirical Study and Multi Criteria Approach
1
Faculty of Economics and Business, Goethe University Frankfurt, 60323 Frankfurt, Germany
2
Department of Computer Science, University of Verona, 37134 Verona, Italy
3
Faculty of Computer Science, University of Koblenz, 56070 Koblenz, Germany & Fraunhofer ISST, 44227 Dortmund, Germany
4
Department of Information Sciences and Engineering, University of Trento, 38123 Trento, Italy
*
Author to whom correspondence should be addressed.
Information 2020, 11(5), 261; https://doi.org/10.3390/info11050261
Received: 1 April 2020
/
Revised: 30 April 2020
/
Accepted: 6 May 2020
/
Published: 11 May 2020
(This article belongs to the Special Issue Cloud Security Risk Management)
Security has become one of the primary factors that cloud customers consider when they select a cloud provider for migrating their data and applications into the Cloud. To this end, the Cloud Security Alliance (CSA) has provided the Consensus Assessment Questionnaire (CAIQ), which consists of a set of questions that providers should answer to document which security controls their cloud offerings support. In this paper, we adopted an empirical approach to investigate whether the CAIQ facilitates the comparison and ranking of the security offered by competitive cloud providers. We conducted an empirical study to investigate if comparing and ranking the security posture of a cloud provider based on CAIQ’s answers is feasible in practice. Since the study revealed that manually comparing and ranking cloud providers based on the CAIQ is too time-consuming, we designed an approach that semi-automates the selection of cloud providers based on CAIQ. The approach uses the providers’ answers to the CAIQ to assign a value to the different security capabilities of cloud providers. Tenants have to prioritize their security requirements. With that input, our approach uses an Analytical Hierarchy Process (AHP) to rank the providers’ security based on their capabilities and the tenants’ requirements. Our implementation shows that this approach is computationally feasible and once the providers’ answers to the CAIQ are assessed, they can be used for multiple CSP selections. To the best of our knowledge this is the first approach for cloud provider selection that provides a way to assess the security posture of a cloud provider in practice.
View Full-Text
▼
Show Figures
Figure 1
This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited
- Supplementary File 1:
PDF-Document (PDF, 369 KiB)
MDPI and ACS Style
Pape, S.; Paci, F.; Jürjens, J.; Massacci, F. Selecting a Secure Cloud Provider—An Empirical Study and Multi Criteria Approach. Information 2020, 11, 261. https://doi.org/10.3390/info11050261
AMA Style
Pape S, Paci F, Jürjens J, Massacci F. Selecting a Secure Cloud Provider—An Empirical Study and Multi Criteria Approach. Information. 2020; 11(5):261. https://doi.org/10.3390/info11050261
Chicago/Turabian StylePape, Sebastian, Federica Paci, Jan Jürjens, and Fabio Massacci. 2020. "Selecting a Secure Cloud Provider—An Empirical Study and Multi Criteria Approach" Information 11, no. 5: 261. https://doi.org/10.3390/info11050261
Find Other Styles
Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.
