Cloud Security Alliance Plans Cloud Certification Program
CSA wants to promote secure cloud computing among its partners through its proposed Open Certification Framework.
The CSA, a not-for-profit coalition of companies, individuals, organizations and "key stakeholders" with an interest in promoting secure cloud computing, proposed its new Open Certification Framework to be a program for "flexible, incremental and multi-layered cloud provider certification" aligned with the CSA's security guidance and control objectives, the organization says.
Essentially, the CSA is trying to develop a regulatory regime that will lead to the creation of a globally recognized certification that meets its own assurance requirements -- in other words, a set of best security practices for the cloud.
The certification framework will be based on the control objectives and continuous monitoring structure defined by the CSA's Governance, Risk, and Compliance (GRC) Stack projects. The GRC Stack is an evolving toolkit for users and providers of cloud computing products and services that was designed to compare both private and public clouds with industry-established best practices, standards and compliance requirements. The framework will provide "explicit guidance" for use of the GRC Stack tools in the certification.
The list of GRC projects includes:
- CloudAudit, which provides an open, secure interface and methodology for cloud computing providers and users to automate the A6 (Audit, Assertion, Assessment, and Assurance) functionality of their cloud environments.
- Cloud Controls Matrix, which provides basic guidelines for assessing the overall security risk of a cloud.
- Consensus Assessments Initiative, which performs research, creates tools, and fosters industry partnerships to enable cloud computing assessments.
- CloudTrust Protocol, through which cloud users can request information about the elements of transparency. The idea is to provide evidence that everything is happening in the cloud exactly as a provider says it is.
The CSA offers an example: "[S]coping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM). The CSA will also provide guidance as to how a provider may use the CCM inside of an AICPA SSAE16 attestation. CSA supports certify-once, use-often, where possible."
The CSA says the certification program will support several options and tiers that recognize the different assurance requirements and maturity levels of various providers and consumers. These levels will range from the CSA Security, Trust, and Assurance Registry (STAR) self-assessment to high-assurance specifications that are continuously monitored. The CSA will also work closely with the assurance community, the Alliance says, to develop programs for qualified assessors for the CSA Open Certification Framework.
CSA executive director Jim Reavis allows that "no single certification, regulation, or other compliance requirement will supplant all others in governing the future of IT." But his group believes that the growing popularity of cloud computing "creates a mandate to better harmonize compliance concerns."
"Both consumers and providers alike will benefit from the knowledge that their CSA-backed compliance activities will be broadly applicable within global regulatory regimes," Reavis said in a
Reavis and Nils Puhlmann laid out the initial goals and strategy of the CSA back in 2008. The Alliance was launched officially at the 2009 RSA security conference with ING and eBay as founding members.
The CSA says it will announce additional partners for the certification framework project on September 25, 2012, at the CSA Congress in Amsterdam.