The recent spread of cloud services has enabled many companies to take advantage of them. Nevertheless, the main concern about the adoption of cloud services remains the lack of transparency perceived by customers regarding security and privacy. To overcome this issue, Cloud Service Certifications (CSCs) have emerged as an effective solution to increase the level of trust in cloud services, possibly based on continuous auditing to monitor and evaluate the security of cloud services on an ongoing basis. Continuous auditing can be easily implemented for technical aspects, while organizational aspects can be challenging due to their generic nature and the varying policies of different service providers. In this paper, we propose an approach to facilitate the automatic assessment of organizational evidence, such as that extracted from security policy documents. The evidence extraction process is based on Natural Language Processing (NLP) techniques, in particular on Question Answering (QA). The implemented prototype provides promising results on an annotated dataset, since it is capable of retrieving the correct answer for more than half of the tested metrics. This prototype can help Cloud Service Providers (CSPs) automate the auditing of textual policy documents and reduce the time auditors need to check them.
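The pipeline the abstract describes (a certification metric is phrased as a question, a QA step locates the answer in the policy text, and the extracted answer is compared against an annotated gold answer to measure how many metrics are answered correctly) can be illustrated with a minimal, dependency-free sketch. The following is an added example and not the authors' prototype: it replaces the NLP/QA model with a keyword-coverage retriever over sentences plus a regular expression that pulls out a quantity, and the policy text, metric identifiers, questions and gold answers are all constructed for illustration. It also shows the failure mode an auditor cares about: a metric the policy does not cover is reported as "no evidence" rather than being filled with a low-confidence guess.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy excerpt (not taken from any real CSP).
POLICY = """
Access Control. Passwords must have a minimum length of 12 characters.
User accounts are reviewed every 90 days and inactive accounts are disabled.
Backup. Full backups of customer data are performed daily and retained for 30 days.
Incident Management. Security incidents are reported to affected customers within 72 hours.
"""


@dataclass
class Metric:
    """One certification metric: an id, the question asked of the policy,
    and the annotated (gold) answer used for evaluation. Ids are hypothetical."""
    metric_id: str
    question: str
    expected: str


METRICS = [
    Metric("PWD-LEN", "What is the minimum password length?", "12 characters"),
    Metric("ACC-REV", "How often are user accounts reviewed?", "90 days"),
    Metric("BKP-RET", "How long are backups retained?", "30 days"),
    Metric("INC-NOTIFY", "Within what time are security incidents reported to customers?", "72 hours"),
    # Deliberately not covered by the policy above: the extractor must refuse to answer.
    Metric("ENC-REST", "What algorithm is used for encryption at rest?", "AES-256"),
]

STOPWORDS = {"the", "a", "an", "is", "are", "of", "to", "what", "how", "within",
             "for", "and", "be", "by", "in", "on", "at", "do", "does", "which", "that", "it"}

# Matches a number followed by a unit, e.g. "90 days" or "12 characters".
QUANTITY = re.compile(r"\b(\d+)\s+(characters?|days?|hours?|minutes?|months?|years?)\b", re.I)


def tokens(text: str) -> list[str]:
    """Lower-case word tokens, stop words removed, crude plural stripping."""
    out = []
    for w in re.findall(r"[a-z0-9]+", text.lower()):
        if w in STOPWORDS:
            continue
        if len(w) > 3 and w.endswith("s"):
            w = w[:-1]
        out.append(w)
    return out


def split_sentences(text: str) -> list[str]:
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def coverage(question_terms: set[str], sentence_terms: set[str]) -> float:
    """Fraction of the question's content terms that appear in the sentence."""
    return len(question_terms & sentence_terms) / len(question_terms)


def extract_span(sentence: str) -> str:
    """Short answer: the first quantity in the sentence, else the whole sentence."""
    m = QUANTITY.search(sentence)
    return f"{m.group(1)} {m.group(2).lower()}" if m else sentence.strip()


def answer_metric(policy: str, metric: Metric, threshold: float = 0.5) -> tuple[Optional[str], float]:
    """Return (answer, confidence). Answer is None when no sentence covers
    enough of the question, i.e. the policy provides no evidence for the metric."""
    q = set(tokens(metric.question))
    if not q:
        return None, 0.0
    best, best_score = None, 0.0
    for sentence in split_sentences(policy):
        score = coverage(q, set(tokens(sentence)))
        if score > best_score:
            best, best_score = sentence, score
    if best is None or best_score < threshold:
        return None, best_score
    return extract_span(best), best_score


def evaluate(policy: str, metrics: list[Metric]) -> dict:
    """Compare extracted answers with the annotated gold answers, as the
    abstract's evaluation does, and report the share of metrics answered correctly."""
    results, correct = [], 0
    for m in metrics:
        answer, conf = answer_metric(policy, m)
        ok = answer is not None and answer.lower() == m.expected.lower()
        correct += ok
        results.append({"metric": m.metric_id, "answer": answer, "expected": m.expected,
                        "confidence": round(conf, 2), "correct": ok})
    return {"correct": correct, "total": len(metrics),
            "accuracy": correct / len(metrics), "results": results}


if __name__ == "__main__":
    report = evaluate(POLICY, METRICS)
    for r in report["results"]:
        print(r)
    print(f"{report['correct']}/{report['total']} metrics answered correctly")
```

In this sketch the confidence threshold is what separates "the policy answers the metric" from "the policy is silent"; a real QA model would supply its own answer score, but the auditing decision is the same: an unanswered metric is a finding to be checked by a human, not a pass.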