Security Alliance Proposes Cloud Certification Framework
The Cloud Security Alliance (CSA), a not-for-profit coalition of companies, individuals, organizations and "key stake holders" with an interest in promoting secure cloud computing, has disclosed plans to offer a certification program for providers of cloud-based products and services.
The new Open Certification Framework will be a program for "flexible, incremental and multi-layered cloud provider certification" aligned with the CSA's security guidance and control objectives, the organization says.
Essentially the CSA is trying to develop a regulatory regime that will lead to the creation of a globally recognized certification that meets their own assurance requirements -- in other words, a set of best security practices for the cloud.
The certification framework will be based on the control objectives and continuous monitoring structure defined by the CSA's Governance, Risk, and Compliance (GRC) Stack projects. The GRC Stack is an evolving toolkit for users and providers of cloud computing products and services that was designed to compare both private and public clouds with industry established best practices, standards and compliance requirements. The framework will provide "explicit guidance" for use of the GRC Stack tools in the certification.
The list of GRC projects includes:
- CloudAudit, which provides an open, secure interface and methodology for cloud computing providers and users to automate the A6 (Audit, Assertion, Assessment, and Assurance) functionality of their cloud environments.
- Cloud Controls Matrix, which provides basic guidelines for assessing the overall security risk of a cloud provider.
- Consensus Assessments Initiative, which performs research, creates tools, and fosters industry partnerships to enable cloud computing assessments.
- CloudTrust Protocol, through which cloud users can request information about the elements of transparency. The idea is to provide evidence that everything is happening in the cloud exactly as the provider says it is.
The CSA offers an example: "[S]coping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM). The CSA will also provide guidance as to how a provider may use the CCM inside of an AICPA SSAE16 attestation. CSA supports certify-once, use-often, where possible."
The CSA says the certification program will support several options and tiers that recognize the different assurance requirements and maturity levels of various providers and consumers. These levels will range from the CSA Security, Trust, and Assurance Registry (STAR) self-assessment to high-assurance specifications that are continuously monitored. The CSA will also work closely with the assurance community, the Alliance says, to develop programs for qualified assessors for the CSA Open Certification Framework.
CSA executive director Jim Reavis allows that "no single certification, regulation, or other compliance requirement will supplant all others in governing the future of IT." But his group believes that the growing popularity of cloud computing "creates a mandate to better harmonize compliance concerns."
"Both consumers and providers alike will benefit from the knowledge that their CSA-backed compliance activities will be broadly applicable within global regulatory regimes," Reavis said in a statement.
Reavis and Nils Puhlmann laid out the initial goals and strategy of the CSA back in 2008. The Alliance was launched officially at the 2009 RSA security conference with ING and eBay as founding members.
The CSA says it will announce additional partners for the certification framework project on September 25, 2012, at the CSA Congress in Amsterdam.