The Cloud Security Alliance (CSA), an industry group seeking to promote security standards for cloud computing, is offering an online certification program beginning September 1st. The Certificate of Cloud Security Knowledge (CCSK) is a Web-based test for competency in CSA standards for securing private, public or hybrid cloud environments. The certification test sells for $295, although CSA is offering a discounted price of $195 through the end of 2010. The nonprofit CSA, founded in early 2009, has 11,000 individual members and 60 corporate members, including Cisco Systems, Dell, Google, HP, Microsoft and Oracle.
"We're intending to raise the baseline of knowledge on what are the cloud security issues," said Jim Reavis, executive director of CSA, in a recent webcast sponsored by security vendor RSA. "I know it's just another certificate, but there's really nothing else out there that can assert that someone actually has some knowledge in this space."
Security and risk management are major hurdles for enterprises considering adopting public cloud services. Security concerns trumped issues such as performance, technological maturity and vendor viability, according to an April 2010 InformationWeek Analytics report, "Cloud Cover: Managing Risk in a New Paradigm," authored by Greg Shipley, CTO of information security and risk management firm Neohapsis. The report surveyed over 500 IT professionals about cloud computing and risk management. When respondents were asked to rank risks associated with the cloud, the top three were all security-related, including unauthorized leaks of customer and proprietary data.
Is a security certification program going to help address these issues? "The quality of an auditor and the firm he or she works for is important, but I don't see cloud certifications for IT professionals as being the top challenge right now," says Shipley.
"The bigger challenge is simply getting many of these cloud providers to agree to be audited by an outside firm and/or provide some level of evidence that they are actually doing what they say they do," says Shipley. "What we usually find when investigating providers is an abundance of high-level 'security speak' baked into marketing literature and an absolute dearth of material backing up these claims. Third-party verification of a provider's controls is obviously a key to this process, and the Cloud Security Alliance is definitely helping that cause. However, it has been my experience that most cloud providers either have some basic evidence of their controls in the form of a SAS 70 Type-II audit--which they may or may not share with you--or they have nothing at all. The main problem we face today is one of visibility."