New Cloud Security Certification Program Launches

August 30, 2010

The Cloud Security Alliance (CSA), an industry group seeking to promote security standards for cloud computing, is offering an online certification program beginning September 1st. The Certificate of Cloud Security Knowledge (CCSK) is a Web-based test for competency in CSA standards for securing private, public or hybrid cloud environments. The certification test sells for $295, although CSA is offering a discounted price of $195 through the end of 2010. The nonprofit CSA, founded in early 2009, has 11,000 individual members and 60 corporate members, including Cisco Systems, Dell, Google, HP, Microsoft and Oracle.

"We're intending to raise the baseline of knowledge on what are the cloud security issues," said Jim Reavis, executive director of CSA, in a recent webcast sponsored by security vendor RSA. "I know it's just another certificate, but there's really nothing else out there that can assert that someone actually has some knowledge in this space."

Security and risk management are major hurdles for enterprises considering adopting public cloud services. Security concerns trumped issues such as performance, technological maturity and vendor viability, according to an April 2010 InformationWeek Analytics report, "Cloud Cover: Managing Risk in a New Paradigm," authored by Greg Shipley, CTO of information security and risk management firm Neohapsis. The report surveyed over 500 IT professionals about cloud computing and risk management. When respondents were asked to rank risks associated with the cloud, the top three were all security-related, including unauthorized leaks of customer and proprietary data.

Is a security certification program going to help address these issues? "The quality of an auditor and the firm he or she works for is important, but I don't see cloud certifications for IT professionals as being the top challenge right now," says Shipley.

"The bigger challenge is simply getting many of these cloud providers to agree to be audited by an outside firm and/or provide some level of evidence that they are actually doing what they say they do," says Shipley. "What we usually find when investigating providers is an abundance of high-level 'security speak' baked into marketing literature and an absolute dearth of material backing up these claims. Third-party verification of a provider's controls is obviously a key to this process, and the Cloud Security Alliance is definitely helping that cause. However, it has been my experience that most cloud providers either have some basic evidence of their controls in the form of a SAS 70 Type-II audit--which they may or may not share with you--or they have nothing at all. The main problem we face today is one of visibility."

The CSA is also promoting the Cloud Controls Matrix, a framework that describes 98 control specifications related to cloud computing. The matrix was released in April, but a CSA panel is working on version 2.0, which may be available in November. "This could bridge the gap with your current knowledge and current tools to look for the presence of appropriate security controls in any type of cloud environment," says Reavis.

Another effort to make security and audit information more available is CloudAudit.org, a non-profit group developing an API and Web services that will make it easier for providers to make audit information available, and for customers and potential customers to access and consume that information. The CloudAudit group, organized by Chris Hoff, takes advantage of the Cloud Controls Matrix to provide a framework for the kinds of information that providers can make available.

"As consumers of these services, we should be more concerned about what these providers actually do versus what they claim to do," says Shipley. "I think the Cloud Controls Matrix is a great start down the path of defining reasonable security controls, and I would love to see the IT industry get behind it. My question is, how do we get some of these cloud providers to actually adhere to that standard and agree to be audited? I think that's the first problem that needs to be tackled."

Another effort of the CSA is the Trusted Cloud Initiative that helps cloud providers develop their own standards for secure and interoperable identity, access and compliance management. An initial version of the Trusted Cloud Initiative is due in the fourth quarter of this year. Reavis described identity management as critical to ensuring that only people authorized by the customer have access to their cloud computing resources. "If we don't solve that problem we are going to lose a lot of the efficiency for doing public cloud for sure," Reavis added.
