Abstract

While Cloud usage increasingly involves security considerations, there is still a conspicuous lack of techniques for users to assess/ensure that the security level advertised by the Cloud Service Provider (CSP) is actually delivered. Recent efforts have proposed extending existing Cloud Service Level Agreements (SLAs) to the security domain, by creating Security SLAs (SecLAs) along with attempts to quantify and reason about the security assurance provided by CSPs. However, both technical and usability issues limit their adoption in practice. In this paper we introduce a new technique for conducting quantitative and qualitative analysis of the security level provided by CSPs. Our methodology significantly improves upon contemporary security assessment approaches by creating a novel decision making technique based on the Analytic Hierarchy Process (AHP) that allows the comparison and benchmarking of the security provided by a CSP based on its SecLA. Furthermore, our technique improves security requirements specifications by introducing a flexible and simple methodology that allows users to identify their specific security needs. The proposed technique is demonstrated with real-world CSP data obtained from the Cloud Security Alliance's Security, Trust and Assurance Registry.