Security evaluation of cloud service providers using third party auditors

Cloud computing is a revolutionary breakthrough in computing technology. It allows businesses to supply their customers with a seemingly endless amount of resources on demand, so long as they are willing to pay for it. From a business perspective, cloud computing is revolutionizing profitability. From a security standpoint, cloud computing presents an alarming amount of risk to customer data. When customers make purchases, they transfer data to a Cloud Service Provider (CSP), but are unable to evaluate which CSP has sufficient security controls to protect their sensitive data. The Cloud Security Alliance (CSA) is an organization whose mission is to suggest best practice security controls and guidelines for CSPs to follow. The CSA provides a questionnaire or risk assessment, known as the Consensus Assessment Initiative Questionnaire (CAIQ) for CSPs to fill out in order to gauge their level of security within their organization. The CSPs access these questionnaires from the CSA's STAR (Security Trust and Assurance Registry) database. This allows for CSUs to base their level of trust in a specific organization on these assessments. However, there is no way for the CSA to validate that the CSP's responses to the questionnaire are accurate. This paper presents a framework that uses a third-party auditor (TPA) to review, audit, and validate the CAIQ responses stored in the STAR repository. Our framework provides a specific group of auditors that can be used to evaluate and validate the security controls of CSPs. Therefore, the primary objective of this research is to formulate the mechanism by which the appropriate auditor(s) can be chosen by the TPA and create a verification system in which CSUs may finally put their trust in.