A security metrics framework for the Cloud

Cloud computing is redefining the on-demand usage of remotely-located, and highly available computing resources to the user. Unfortunately, while the many economic and technological advantages are apparent, the migration of key sector applications to the Cloud has been limited due to a major show-stopper: the paucity of quantifiable metrics to evaluate the tradeoffs (features, problems and the economics) of security. Despite the obvious value of metrics in different scenarios to evaluate such tradeoffs, a formal and standard-based approach for the addressing of security metrics in the Cloud is a much harder and very much an open issue. This paper presents our views on the importance and challenges for developing a security metrics framework for the Cloud, also taking into account our ongoing research with organizations like the Cloud Security Alliance and European projects like ABC4Trust, CoMiFin and INSPIRE. This paper also introduces the basic building blocks of a proposed security metrics framework for elements such as a Cloud provider´s security assessment, taking into account the different service and deployment models of the Cloud.