A Security Framework For Evaluating Trustworthy Cloud Service Providers

Posted on: 2018-10-12 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: C L Tang | Full Text: PDF
GTID: 1318330512979325 | Subject: Information security
Abstract/Summary:
Cloud computing and services offer major business benefits and IT functionalities that organizations are looking to take advantage of. Cloud service adoption presents serious and unique security risks based upon the Cloud Security Risk Model. Moving an organization's sensitive data into the hands of cloud providers expands and complicates the risk landscape in which the organization operates. This paper highlights the significance and ramifications of a systematic and structured selection of a Cloud Service Provider in achieving the required assurance level based on an organization's specific information security risk posture, which is analyzed using the proposed security risk profile analysis methodology. This paper proposes a holistic model, known as Function, Governability, and Interoperability, or F-G-I, as an approach to help a Cloud Service Consumer engage and select a trusted Cloud Service Provider through an integrated information security trust model (IISTM). The IISTM discussed in this paper consists of two main domains: Hard Trust Evaluation and Soft Trust Evaluation. Hard Trust refers to an objective and verifiable trust relationship with certainty. In contrast, Soft Trust indicates subjective trust confidence based on satisfaction and reputation. Hard Trust and Soft Trust do not conflict but complement each other in the CISTM. With respect to Hard Trust Evaluation, this paper proposes an ALOPA-oriented logic describing language to illustrate the nexus among the defined security components. Based on that, a Hard Trust Fuzzy Validation Model (HTFVM) is deliberated to help the Cloud Service Consumer assess the Hard Trust level of Cloud Service Providers. In order to evaluate Soft Trust, the concept of confidence certainty is recommended and three branches of Soft Trust Evaluation Methodology are fully explored, including the Direct Experience Soft Trust Model (DESTM), the Indirect Experience Soft Trust Model (IESTM) and the Confidence Inference Soft Trust Model (CISTM). The research regarding the ratio of Hard Trust to Soft Trust is also discussed and a golden ratio rate model is proposed. A case study with a school board reveals that the F-G-I approach based on risk profile analysis offers an objective and efficient way to select appropriate security properties and controls, and in turn this method is able to help a Cloud Service Consumer choose a qualified and trusted Cloud Service Provider.
Keywords/Search Tags: Cloud Service, Cloud Security, Trusted Cloud Service, Security Risk Profile, Composite Trust Evaluation Model, Confidence Certainty