Funded by European Commission Andreas Hermsdorf / pixelio.de Toolbox Workshop: Cloud Security Scorecard

Page 1

Toolbox Workshop: Cloud Security Scorecard

Funded by European Commission

Andreas Hermsdorf / pixelio.de

Page 2

Scope & Purpose

The purpose of this tool is to help SME companies assess cloud security offerings.

It is intended to help them score (and possibly compare) different cloud solutions against their security functionalities and characteristics.

Furthermore, it helps its users identify important questions they have to ask their (candidate) cloud provider about their offerings.

Usage: compare different vendors

Answer the presented list of (security-related) questions for each one of the cloud computing providers that you would like to compare or evaluate.

The «Cloud Security Scorecard» will automatically provide an indicative grading of all the cloud computing providers in terms of their security offerings.

Use the scoring questionnaires multiple times in order to compare vendors!

Page 3

Enter provider label

Page 4

Click to answer questions

Page 5

There is help for every question

Page 6

Finish questions and submit

Page 7

Result: your first scorecard

Page 8

Enter next provider …

Page 9

… and compare

Page 10

Compare more …

Page 11

… and more …

Page 12

Basics: Principles of scoring algorithm

Each question carries a weight and each answer option carries a score.

Score = Sum(question.weight * selectedOption.score)

MaxScore = Sum(question.weight * max(optionScores))

The percentage is Score * 100 / MaxScore.

Page 13

Basics: Principles of scoring algorithm

Score >= 70% is characterized as Excellent

Score >= 30% and < 70% is characterized as OK/Fair

Score < 30% is characterized as Poor

Page 14

Score Configuration (question, weight, answer options with their option scores)

1. Is the cloud provider's infrastructure audited by third parties?
   Weight 3: NO = 0, YES = 10

2. Does the cloud provider offer data portability as part of its services?
   Weight 3: NO = 0, YES = 10

3. Does the cloud provider specify penalties and liabilities for a potential data or system breach?
   Weight 3: NO = 0, YES = 10

4. Does the cloud provider allow you to inspect the cloud facility?
   Weight 3: NO = 0, YES = 10

5. Does the cloud provider provide encryption and key management?
   Weight 3: NO = 0, YES = 10

6. Is the cloud provider implementing single sign-on (i.e. access with one set of credentials) to the applications and services that it provides to you?
   Weight 3: NO = 0, YES = 10

7. Can the cloud provider accommodate your own security policies?
   Weight 3: NO = 0, PARTIALLY = 5, YES = 10

8. Does the cloud provider make provisions for cross-border data transfers?
   Weight 3: NO = 0, YES = 10

9. Does the provider guarantee that your data will remain private?
   Weight 3: NO = 0, YES = 10

10. Does the cloud provider offer application firewalls?
    Weight 3: NO = 0, PARTIALLY = 5, YES = 10

11. Does the cloud provider implement identity management services (i.e. authentication, single sign-on, data analysis)?
    Weight 3: NO = 0, YES = 10

12. Can the cloud provider partition your applications and services from other users/customers?
    Weight 3: NO = 0, YES = 10

13. Are the above issues taken into account and included in the SLA?
    Weight 3: NONE = 0, FEW OF THEM = 3, MOST OF THEM = 6, ALL OF THEM = 10

14. Is the cloud service vendor ISO 27001 certified?
    Weight 3: NO = 0, YES = 10
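As an added worked example (not part of the workshop material or the tool itself), the scoring algorithm and grading bands from pages 12 and 13 applied to the score configuration above, with two constructed provider answer sets so the comparison step is visible. The provider names and answers are made up; every question carries weight 3 as the table states.

```python
# Score configuration transcribed from the slide: every question has weight 3;
# each option label maps to the option score shown in the table.
YES_NO = {"NO": 0, "YES": 10}
PARTIAL = {"NO": 0, "PARTIALLY": 5, "YES": 10}
SLA = {"NONE": 0, "FEW OF THEM": 3, "MOST OF THEM": 6, "ALL OF THEM": 10}
OPTION_SETS = {7: PARTIAL, 10: PARTIAL, 13: SLA}            # all others are YES/NO
QUESTIONS = {q: (3, OPTION_SETS.get(q, YES_NO)) for q in range(1, 15)}

def max_score(questions=QUESTIONS):
    # MaxScore = Sum(question.weight * max(optionScores))
    return sum(w * max(opts.values()) for w, opts in questions.values())

def score(answers, questions=QUESTIONS):
    # Score = Sum(question.weight * score of the selected option); an unknown or
    # missing answer is an error rather than silently scored as 0.
    total = 0
    for qid, (weight, opts) in questions.items():
        label = answers[qid].strip().upper()
        if label not in opts:
            raise ValueError(f"question {qid}: unknown option {label!r}")
        total += weight * opts[label]
    return total

def percentage(answers, questions=QUESTIONS):
    return score(answers, questions) * 100 / max_score(questions)

def grade(pct):
    # Bands from the slide: >= 70 Excellent, 30 to 70 OK/Fair, < 30 Poor.
    if pct >= 70:
        return "Excellent"
    return "OK/Fair" if pct >= 30 else "Poor"

def compare(providers, questions=QUESTIONS):
    # Scorecard view: (label, percentage, grade) per provider, best first.
    rows = [(name, percentage(ans, questions)) for name, ans in providers.items()]
    return sorted([(n, round(p, 1), grade(p)) for n, p in rows], key=lambda r: -r[1])

# Constructed sample answers for two hypothetical providers (not real vendors).
PROVIDER_A = {**{q: "YES" for q in range(1, 15)}, 7: "PARTIALLY", 13: "MOST OF THEM"}
PROVIDER_B = {**{q: "NO" for q in range(1, 15)}, 1: "YES", 3: "YES", 5: "YES",
              9: "YES", 14: "YES", 10: "PARTIALLY", 13: "FEW OF THEM"}

if __name__ == "__main__":
    for name, pct, band in compare({"Provider A": PROVIDER_A, "Provider B": PROVIDER_B}):
        print(f"{name}: {pct}% -> {band}")
```

With MaxScore = 14 * 3 * 10 = 420, Provider A scores 393 (93.6%, Excellent) and Provider B scores 174 (41.4%, OK/Fair).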