Network Computing is part of the Informa Tech Division of Informa PLC


The Cloud Security Alliance Looks To Bring Transparency To Security Practices

Is secrecy the key to security? Not according to the Cloud Security Alliance, which is looking to gather up information on how cloud service providers are securing their services. The truth of the matter is that it is not secrecy that builds effective security; it is adopting and adhering to best practices and standards that create a secure environment. Secrecy is best left to end users protecting their passwords and logon credentials.

Perhaps that is the point the CSA is trying to get across to the purveyors of cloud services with STAR, which is open to all cloud providers. STAR allows cloud providers to submit self-assessment reports that document compliance with CSA-published best practices. According to the CSA, the searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher-quality procurement experiences.

The CSA claims that STAR will offer a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator. Ideally, STAR can become another metric for customers to validate whether a cloud service provider meets their internal security needs, especially in the world of compliance, where security practices are often dictated by law.

For those looking to build private clouds or internal clouds, the results of the assessment process could provide valuable guidance and clues on how to implement security for internal cloud services. What’s more, the best practices offered by the CSA will further speed the security planning process for those building clouds.

CSA STAR will be online in the fourth quarter. Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices:

  • The Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) offerings. The CAIQ provides a set of more than 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed CAIQ.
  • The Cloud Controls Matrix (CCM), which provides a controls framework that gives a detailed understanding of security concepts and principles aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Providers may choose to submit a report documenting compliance with the CCM.

In preparation for the public launch of the CSA STAR, providers are encouraged to select their compliance option and prepare a report for submission. CSA volunteers will be available to answer questions about report content. CSA strongly encourages all IaaS, SaaS and PaaS providers, large and small, to complete a self-assessment for publication. In doing so, they will address some of the most urgent and important security questions buyers are asking, and can dramatically speed up the purchasing process for their services.

In addition to cloud provider self-assessments, CSA STAR will provide listings to solution providers that have integrated CAIQ, CCM and other GRC stack components into their compliance management tools. This will help customers extend their GRC monitoring and reporting across their enterprise and in concert with multiple cloud provider relationships. Providers interested in submitting should monitor for more details and updates.

CSA STAR shines a light on cloud security practices; some may find this a bit disconcerting, and will worry that transparency will expose them to attacks and breaches. However, transparency also leads to better understanding and improvements in security by exposing possible flaws and weaknesses--in effect, strengthening security.
