A Framework for Compliance and Security Coverage Estimation for Cloud Services

Abstract

Many organizations are adopting cloud services to reduce their computing cost and increase the flexibility of their IT infrastructure. As cloud services are moving to the mainstream to meet major computing needs, the issues of ownership and chain of custody of customer data are becoming primary responsibilities of providers. Therefore, security requirements are essential for all service models (while the degree of defensive measures may vary) along with satisfying industry standard compliances. The authors develop an insurance framework called MEGHNAD for estimating the security coverage based on the type of cloud service and the level of security assurance required. This security coverage estimator may be useful to cloud providers (offering Security as a Service), cloud adopters, and cloud insurers who want to incorporate or market cloud security insurance. This framework allows the user/operator to choose a cloud service (such as Saas, Paas, IaaS) and other pertinent information in order to determine the appropriate level of security insurance coverage. This chapter describes an extension to the MEGHNAD (version 2.0) framework by incorporating security-related compliances. The compliance for each sector requires specific protection for online data such as transparency, respect for context, security, focused collection, accountability, access, and accuracy. The MEGHNAD tool can also generate a SLA document that can be used for monitoring by a certified Third-Party Assessment Organization (3PAO).