1. The CCM framework consists of 11 Control Areas that are important to be measured, especially when comparing between different cloud provider offering. The method works as follows: Control Areas are defined as the Goals at the Conceptual level CAIQ Questions are placed at the Operational level Metrics The Quantitative level will define the metrics in order to measure the cloud providers’ compliance towards Cloud Controls Matrix. Introduction Cloud computing aims at providing companies with the ability to utilize a tremendous capacity instantly without the need to invest in establishing new infrastructure, training new employees or buying a software license. In spite of the potential benefits towards the adoption of the cloud computing model, it has opened new challenges such as the Lack of Transparency. Transparent security can be defined as “appropriate disclosure of the governance aspects of security design, policies, and practices” [2]. It has been argued that transparency is improving, however, the lack of independent tools that measure the transparency of the cloud providers is the issue. Measuring Cloud Providers’ Transparency: Application of Goal Question Metric Approach on the “Cloud Controls Matrix” Framework Mohammed Almanea, Supervisor: Prof. John Fitzgerald Cloud Controls Matrix + What vulnerabilities exist in my cloud configuration ? What audit events have occurred in my cloud configuration? Who has access to my data now? Where are my data and processing being performed? Source: Cloud Security Alliance Aim of the Study A framework “Cloud Controls Matrix” has been developed by Cloud Security Alliance to encourage transparency in the cloud. it is based on a set of questions that cloud customers or auditors could ask cloud providers about before migrating to the cloud. Cloud Providers will submit their responses to these questions on CAIQ “Consensus Assessments Initiative Questionnaire”. The aim is to augment their framework in order to address issues such as : (1) Assessing the trustworthiness of the cloud providers, (2) Measuring their level of transparency using the Goal Question Metric approach (GQM), and (3) to check if the existing framework has helped cloud customers to make better informed decision towards migrating to the cloud. Conclusions As it has been argued that transparency is improving, and there are more emphasise on the need of the tools for measuring the transparency of the cloud service providers. The study aims at consolidating an existing framework of transparency developed by the Cloud Security Alliance by adding other features that would provide methods for measuring the cloud providers transparency. A tool will be developed letting cloud customers and providers experiment with the augmented CCM and evaluated against the existing one. More importantly, to know if the framework has helped cloud customers to make better informed decisions. [2] Sun Microsystems, 2009. "BUILDING CUSTOMER TRUST IN CLOUD COMPUTING WITH TRANSPARENT SECURITY", White Paper Create View (7) Write (5) Write Write Registration (1) (2) (3) Score Assess CP’s (4) CAIQ Responses Validating Profile CPⁿ CP² CP¹ CCⁿ CC² CC¹ Computing Profile Scores Profile ¹ Profile ² Profile ⁿ Threshold ? High ModerateLow Trustworthiness level? High, Moderate, Low T² T¹ Tⁿ Workflow of the augmented framework: -[1] Cloud Providers will register in order to create a fine-grained history profile -[2] Validating the Cloud Providers’ Profile -[3] Computing a score for the Cloud Providers’ profile. -[4] A threshold value will determine the trustworthiness level based on their scores. -[5] Cloud Providers are now eligible to write their responses on the CAIQ questionnaire. And their T stands for transparency will be measured. -[6] Cloud Customers will be able to view and evaluate and compare the different cloud providers’ transparency The augmented framework will answer these questions: How can the cloud customer assess the trustworthiness of the cloud providers? How can the cloud customer measure the cloud provider’s level of transparency? How can we measure the privacy risk score when CSPs disclose sensitive information? How effective is the framework? by Has it helped them in making better informed decision? Does the framework suite all different types of cloud customers? GQM Architecture Metric Question Goal 1Goal 2 Goal Question Metric Approach [1] Applying GQM on CCM+ M-CO-1.1.1M-CO-1.2.1 M-CO-1.2.2M-CO-1.3.1 M-IS-5.1.1M-IS-5.2.1 Q-CO-1.1 Q-CO-1.2 Q-IS-5.1Q-IS-5.2Q-CO-1.3 G01: ComplianceG05: Information Security Control areaTransparency ScoreProfile Trustworthiness Level CP1CP2CP3CP4CP5CP1CP2CP3CP4CP5 Compliance32%37%50%25%80% 40%LOW 50%MOD 65%MOD 67%MOD 80%HIGH Data Governance45%35%70%55%70% Facility Security15%37%55%75% HR Security56%70%30%65% Information Security70%25%43%45%80% Legal30%42%39%67%91% Operations Management48%60%45%75%40% Risk Management80%87%77%65%70% Release Management10%35%54%55%34% Resiliency37%60%76%35%85% Security Architecture70%50%55%75%90% Transparency Comparison [1] Basili, V. R., Caldiera, G. and Dieter Rombach, H., 1994. The Goal Question Metric Approach, Chapter in Encyclopedia of Software Engineering, Wiley.