I. INTRODUCTIONWhile cloud based so

I. INTRODUCTION
While cloud based solutions are attractive for their cost savings
and rapid provisioning/scaling; privacy and security of cloud
data remains a concern for most consumers [8] and a key barrier
in adoption of the cloud. In recent years, various cloud security
standards have been proposed or are being developed by
standards bodies like Cloud Security Alliance (CSA) [9][10],
International Organization for Standards (ISO) [14][15],
National Institute for Standards and Technology
(NIST)[18][19][20], etc. Most cloud providers are
implementing a mish-mash of security and privacy controls.
This has led to confusion and concern among consumers as to
what security measures they should expect from the cloud
services and what compliance policies to adopt for their
enterprise data on the cloud.
This work makes three key contributions. First, we have
conducted a comprehensive study to review the potential threatsfaced by cloud consumers and determined the compliance
models and security controls that should be in place to manage
the risk. We analyzed more than 20 security standards in cloud
computing as well as in IT management. We also reviewed the
security controls implemented by more than 100 cloud
providers by studying the security related whitepapers on their
websites. Second, based on this study, we have developed an
ontology describing the cloud security controls, threats and
compliances which is used to capture and store this information
from standards and cloud providers in W3C standard semantic
web languages. It provides us the capability in ongoing work to
reason over it. Finally, we have developed a web-based
application that can be used by consumer organization. It
suggests, given the threats an organization faces, appropriate
cloud security policies and providers that support them. This
application classifies the threats faced by cloud users and
determines the security and compliance policy controls that
have to be activated for each threat. The application also
displays the existing cloud providers that support the security
policies. The focus of this paper is on the first and third
contributions.
In section III of this paper, we present our analysis of the
various cloud security control models, compliance models and
threats. The ontology we have developed for cloud security
compliances and security standards is very briefly covered in
section IV, and is not a focus of this paper. We describe our
recommendation application in detail in section V and end with
conclusions and future work.