Classifying cloud provider security conformance to cloud controls matrix

Security of cloud services is a major concern to cloud consumers when selecting cloud providers. Sufficient security information should be provided so that consumer trust in cloud services can be built, but in practice, security information is critical and may not be publicized. During the service selection process, cloud consumers therefore have to study published information on the cloud providers' Web sites or the cloud providers registry in order to assess how secure the services are. To assist cloud consumers in service selection, this paper presents an initial attempt to apply text classification to classify published information on the providers' Web pages to determine which security best practices and guidelines the providers have followed in providing their services. We take the security best practices and guidelines from the Cloud Controls Matrix (CCM) and the accompanying Consensus Assessments Initiative Questionnaire (CAIQ), and compile a set of security concepts before using it as a basis for classifying the providers' Web pages. The classification result roughly signifies the security conformance level of the providers. We demonstrate this method and present an evaluation using the case of five public cloud providers.