Later this year, the Cloud Security Alliance (CSA) will launch a registry for cloud providers who want to document the security controls they have in place on their networks.
CSA's Security, Trust & Assurance Registry (STAR) will go online before the end of December. The annual CSA Congress meeting is scheduled for Nov. 16-17.
The no-cost registry will be made available to end-users looking to check the security of the cloud networks they currently use or are thinking about using. Providers will submit self-asserted evaluations of their networks.
“This is an evolution from our initial development of best practices, then tools and implementable frameworks to now using those tools to drive industry alignment and compliance with our tools and best practices. We see this as cumulative,” said Jim Reavis, executive director of the Cloud Security Alliance.
Security has emerged as a concern for corporations using or evaluating the cloud. A recent study by the 451 Group found that 13% of respondents said one roadblock to cloud adoption was “security worries.”
CSA, a non-profit founded in 2008, is hoping all infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), and platform-as-a-service (PaaS) cloud vendors will fill out a self-assessment for inclusion in STAR.
“Right now the industry is ready for voluntary self-assessment and greater transparency of security practices, and we believe that market forces will create continuous improvement of these practices,” said Reavis. “I don't think it is CSA's role to create provider certifications or third-party self-assessment schemes; we are already working with ISO and ITU on standards that can be certifiable, and we are a part of CAMM's third-party assessment initiative.”
CSA’s mission is to promote best practices for security assurance in the cloud, and its members include industry practitioners, corporations, associations and other stakeholders. Organizations involved include ING, Barclays, IT Law Group, and Northrop Grumman.
CSA has developed two reports for cloud providers using STAR to show compliance with CSA policies.
The Consensus Assessments Initiative Questionnaire (CAIQ), which was first published in Oct. 2010, has more than 140 questions that probe what security controls are in place in cloud environments.
The Cloud Controls Matrix (CCM) provides a controls framework built around security concepts and principles drawn from other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, and NIST.
In addition to self-assessments, CSA will provide a list of providers who have integrated CAIQ and CCM and other components from CSA’s Governance, Risk Management and Compliance (GRC) stack. Besides CAIQ and CCM, the stack includes CloudAudit and the CloudTrust Protocol.
The GRC stack is a free download.
“Beyond CSA STAR and future certifications/third-party assessments, the ‘bottom half’ of our GRC Stack (CloudAudit and CTP) provides the framework for automation of GRC and continuous monitoring, which I think ultimately may be the most important component of assurance,” said Reavis.