Cloud Security Alliance introduces open certification framework
By Asia Cloud Forum editors 10-May-2012
The Cloud Security Alliance (CSA) today announced the CSA Open Certification Framework at the SecureCloud 2012 conference held on May 9-10 in Germany.
The CSA Open Certification Framework is an industry initiative to allow global, trusted certification of cloud providers.
The Framework provides a program for incremental and multi-layered cloud provider certification according to the Cloud Security Alliance's security guidance and control objectives. It will support popular third-party assessment and attestation statements developed within the public accounting community.
CSA's Executive Director Jim Reavis said: "We all recognize that no single certification, regulation or other compliance requirement will supplant all others in governing the future of IT. However, the rise of cloud as a global compute utility creates a mandate to better harmonize compliance concerns. Both consumers and providers alike will benefit from the knowledge that their CSA-backed compliance activities will be broadly applicable within global regulatory regimes."
European Commission action
Carl Christian Buhr, European Commission cabinet member of vice president Neelie Kroes, during his keynote at SecureCloud 2012, said the European Commission (EC) will include in the European Cloud Strategy document, which will be published this summer, an action on certification.
"The EC doesn't foresee any European mandatory certification scheme, but encourages and supports a market-driven, bottoms-up approach for security certification for cloud computing services or providers. This voluntary approach must bring together the 'right people,' in order to be accepted by the market and by national regulators," Buhr added.
Varied assurance requirements
The CSA Open Certification Framework is based on the control objectives and continuous monitoring structure as defined within the CSA GRC (governance, risk and compliance) Stack research projects.
The CSA Open Certification Framework will support several options and tiers, recognizing the varying assurance requirements and maturity levels of providers and consumers. These will range from the CSA Security, Trust and Assurance Registry (STAR) self-assessment to high-assurance specifications that are continuously monitored. CSA will also work closely with the assurance community to develop programs for qualified assessors for the CSA Open Certification Framework.
"The Cloud Security Alliance has identified the gaps within the IT ecosystem that are inhibiting market adoption of secure and reliable cloud services. Consumers do not have simple ways to evaluate their providers' resiliency, data protection capabilities and service portability," said Daniele Catteddu, managing director, EMEA for the CSA.
"This problem is exacerbated internationally, causing significant barriers to cloud adoption outside of national boundaries. The CSA Open Certification Framework provides a path for any region to address compliance concerns with trusted, global best practices," Catteddu said.
The CSA Open Certification Framework will provide explicit guidance for providers to use GRC Stack tools for multiple certification efforts. For example, scoping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM). The CSA will also provide guidance as to how a provider may use the CCM inside of an AICPA SSAE16 attestation. CSA supports certify-once, use-often, where possible.
"By leveraging the CSA Open Certification Framework and tools within the GRC Stack, it will be possible for a regulatory regime to create a globally recognized certification that meets their own exacting assurance requirements," said Aloysius Cheang, managing director, APAC for the CSA. "For example, we expect governments to be heavy adopters of the CSA Open Certification Roadmap to layer their own unique requirements upon the GRC Stack and provide agile certification of public sector cloud usage."
Initial partners for the CSA Open Certification Framework will be announced on 25 September at CSA Congress Europe, together with a detailed timeline of deliverables.