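Assessment Model of Cloud Service Security Level Based on Standardized Security Metric Hierarchy
Cite this article: LI Xiang, YANG Rui, CHEN Xingshu, LIU Yaolei, WANG Qixu. Assessment Model of Cloud Service Security Level Based on Standardized Security Metric Hierarchy [J]. Journal of Sichuan University (Engineering Science Edition), 2020, 52(3): 159-167.
Authors: LI Xiang, YANG Rui, CHEN Xingshu, LIU Yaolei, WANG Qixu
Affiliation: Sichuan University, Sichuan University, Sichuan University, Sichuan University, Sichuan University
Funding: National Natural Science Foundation of China: 61802270 (Research on provable security and efficiency optimization of service authentication protocols for big data platforms); National Natural Science Foundation of China; University fund: SCU2018D018; University fund: SCU2018D022
Abstract: To address the problems in traditional cloud service security assessment methods, namely that assessment metrics are coarse-grained and hard to quantify and that assessment methods depend heavily on subjective judgment and are inefficient, a cloud service security level assessment model based on a standardized security metric hierarchy is proposed. First, following the design principles for assessment metric systems, and taking China's standard on security capability requirements for cloud computing services as the basis while drawing on the cloud service security control frameworks and service level agreement standards of foreign organizations, a method for constructing a fine-grained, quantifiable, standardized security metric hierarchy is proposed. Then, based on this metric hierarchy, a cloud service security level assessment model is proposed. When assessing the security level of a cloud service, the model takes into account the differences among metric types in the hierarchy and the impact of their attributes on cloud service security, and designs a security level assessment method based on objective metric weight assignment to quantitatively assess the security level of the assessed object. Finally, an application case and a performance analysis experiment are used to verify, respectively, the effectiveness of the proposed assessment model and the efficiency of the assessment method. The experimental results show that the proposed model not only assesses the security capabilities of different cloud service providers effectively and accurately, but that its security level assessment method also outperforms the traditional cloud service security assessment method based on the analytic hierarchy process in terms of performance.

Keywords: cloud service; security metric hierarchy; security level assessment; objective weight assignment; Technique for Order Preference by Similarity to Ideal Solution (TOPSIS)
Received: 2019/5/8
Revised: 2020/4/13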

Assessment Model of Cloud Service Security Level Based on Standardized Security Metric Hierarchy
LI Xiang, YANG Rui, CHEN Xingshu, LIU Yaolei, WANG Qixu. Assessment Model of Cloud Service Security Level Based on Standardized Security Metric Hierarchy [J]. Journal of Sichuan University (Engineering Science Edition), 2020, 52(3): 159-167.
Authors: LI Xiang, YANG Rui, CHEN Xingshu, LIU Yaolei, WANG Qixu
Affiliation: College of Computer Sci., Sichuan Univ., Chengdu 610065, China; Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China; College of Cybersecurity, Sichuan Univ., Chengdu 610065, China
Abstract: To address the problems in the existing literature that assessment metrics are coarse-grained and non-quantitative and that assessment methods are subjective and inefficient, a cloud service security level assessment model based on a standardized security metric hierarchy is proposed. First, a fine-grained, quantifiable and standardized cloud service security metric hierarchy is constructed according to the design principles of evaluation metric systems. The content of the cloud service security metric hierarchy is drawn from both domestic and foreign standards related to cloud service security. Second, a cloud service security level evaluation model is proposed based on the metric hierarchy. Considering the differences in the metrics' types and the impact of their attributes on the security features of cloud services, the proposed model designs a security level assessment method based on objective weight assignment of the metrics for evaluating the security level of cloud services. Finally, a case study and a performance comparison experiment are conducted to validate, respectively, the effectiveness of the proposed assessment model and the efficiency of its evaluation method. Experimental results show that the proposed assessment model is not only efficient and accurate in cloud service security level assessment, but that its evaluation method also outperforms traditional cloud service security assessment methods.
Keywords: cloud service; security metric hierarchy; security level assessment; objective weight assignment; TOPSIS