Selecting a Cloud Service Provider in the age of cybercrime

The benefits of resorting to the cloud, as an efficient way to provide services, have long been recognised in the academic and industrial literature. However, as more and more companies are beginning to embrace the trend, it has also become clearer that the model offers unprecedented opportunities to cybercriminals: either by enabling them to compromise a myriad of services in a single shot or by allowing cyber-criminals to amplify their capabilities through a leverage of the technology offered by the cloud.This paper highlights the importance of an informed choice of a Cloud Service Provider (CSP) in minimising one's exposure to the insecurity of a cloud context. The paper proposes a well-defined approach, known as the Complete-Auditable-Reportable or C.A.RE, as a way to minimise one's exposure to the insecurity we live within the cloud. The C.A.RE approach helps to determine the adequacy of a CSP sponsored security by assessing its completeness in addressing most, if not all, risks that a service may be exposed to; the potential of that security to be adapted upon the identification of a security vulnerability during an audit, and how transparently such information is shared with the concerned Cloud Service Consumer (CSC). A level of assurance is associated to each of the C.A.RE parameters in order to help determine the overall trustworthiness of a CSP.The analysis and comparison of the C.A.RE approach to a well-known guideline as the Cloud Service Security Alliance guidelines, reveals that C.A.RE offers a clear and efficient way in determining a Trusted Cloud Service.