A unified framework for cloud security transparency and audit

Abstract

The paradigm of cloud computing has elevated IT to new heights by offering the elasticity to match customer needs, while also reducing capital expenditure on procuring IT infrastructure. Despite the apparent benefits provided by cloud computing, organisations are slow in embracing the technology due to numerous issues that are associated with the lack of security transparency such as trust and accountability. Several contributions have been proposed to address these issues. However, most of the contributions have not provided a definite method by which security transparency can be achieved based on user requirements, and particularly, by probing or auditing cloud service providers. In this paper, we propose a framework for addressing a pressing challenge of cloud security transparency. Our approach includes a process and a supporting auditing tool for vetting cloud service providers and enabling security transparency based on predefined user requirements. The paper builds on our previous work on security transparency framework by incorporating an implementation process. In addition, we have developed a Security Transparency and Audit Tool through which users can collect and analyze evidence from cloud service providers for determining conformity to requirements, as well as for the specification of remedial actions. The tool is designed to be a supplementary component of the proposed framework that enables continuous probing and vetting of cloud provider meets user requirements, thereby enhancing security transparency. The work is novel in its approach because it consolidates various elements to provide a simplified method for organizations to attain security transparency. We also believe that the contributions are significant towards solving the issues and challenges of cloud security transparency in general.