Cloud Security Alliance Launches Certification Program, Updates Controls Matrix

Two years after launching a registry that lets cloud providers reveal the security controls they have in place, the Cloud Security Alliance (CSA) is now enabling them to get third-party certification of those claims.

The CSA, joined by BSI Group, on Thursday said it will offer the STAR Certification program. 

Announced at the CSA Congress EMEA in Edinburgh, Scotland, the group also released its Cloud Controls Matrix (CCM) Version 3.0, which it described as the most rigorous standard yet for assessing security risks and controls. But by providing the STAR Certification with BSI Group, the CSA promises to be a welcome offering to those who want validation of the controls providers have in place.

Having that third-party validation should be welcome especially in wake of the revelations leaked by Edward Snowden that the National Security Agency (NSA) had surveillance programs such as the widely publicized PRISM. While the NSA's covert surveillance activities are aimed at thwarting terrorist threats, revelations of their scope and charges that service providers were cooperating with the government have run counter to the compliance requirements of many businesses. It has also led decision makers and consumers alike to wonder to what extent they should trust their providers, as reported by Redmond magazine, which found 70 percent of those responding to an online survey were concerned about the surveillance activities.

BSI Group will provide technology-neutral certifications to ensure cloud providers are meeting the ISO/IEC 27001:2005 management system standard along with the CSA's Cloud Control Matrix, the CSA said. The CSA said BSI Group will assign "management capability" scores to the CSA's 11 control areas which cover compliance, data governance, facility security, human resources, information security, legal, operations management, risk management, release management, resiliency and security architecture.

"In light of recent government revelations, both consumers and providers of cloud-based services have been asking for independent, technology-neutral certification to help them make more informed decisions about the services they purchase and use," said Daniele Catteddu, EMEA managing director at CSA, in a statement. "In providing a rigorous, user-centric assessment, STAR Certification will provide an additional layer of transparency that the industry has been calling for."

As for the new Cloud Controls Matrix 3.0, the CSA outlined three key updates:

• "Five new control domains that address information security risks over the access of, transfer to, and securing of cloud data: Mobile Security; Supply Chain Management, Transparency & Accountability; Interoperability & Portability; and Encryption & Key Management
• "Improved harmonization with the Security Guidance for Critical Areas of Cloud Computing v3
• "Improved control auditability throughout the control domains and an expanded control identification naming convention"

 "The decision to use a cloud service distills down to one question: 'Do I trust the provider enough for them to manage and protect my data?'" stated Sean Cordero, co-chair of the Cloud Controls Matrix Working Group and founder of security consultancy Cloud Watchman, based in San Francisco.

The CSA said it will hold workshops covering the new controls and the certification at the CSA Congress 2013, scheduled for Dec. 3 to 5 in Orlando, Fla.

Posted by Jeffrey Schwartz on 09/26/2013 at 2:03 PM