Storage and search tool for cloud provider security information in CSA STAR

Abstract

At present, cloud computing is becoming a major IT service model. As the number of cloud providers is growing, prospective cloud consumers face difficulties in choosing the right provider for their use. As security is among the most important factors for the consumers to decide whether or not to adopt cloud services, cloud providers have to assure prospective consumers that the provided service is secure and can be trusted. One way is to publish security information of the service on Cloud Security Alliance's Security, Trust, & Assurance Registry (or CSA STAR) website. STAR offers three levels of providers' security information, i.e. self-assessment, 3rd-party-assessment-based certification, and continuous-monitoring-based certification. However, the STAR website does not provide a convenient and useful way for cloud consumers to find security information of the providers when they are selecting a cloud service. The consumers, for example, have to know provider names and cannot search for providers by certain security criteria. To address such limitations, this paper presents a development of a storage and search tool based on the security information published on the STAR website. The tool stores and synchronizes providers' security information with the CSA STAR website, and allows consumers to search by different security criteria based on CSA's Cloud Controls Matrix (CCM) security guideline and its accompanying CAIQ security questionnaire. The tool can also compare and visualize providers' security information. Hence it makes the CSA STAR information more accessible and more useful to prospective consumers when selecting cloud services.