
Which cloud security certifications should providers have?

With numerous security standards and certifications available, evaluating a cloud provider can be tricky. Expert Dan Sullivan explains what to look for during evaluation.

When choosing a cloud provider, which cloud security certifications and standards should they have? Do certain certifications match particular types of security services?

Security requirements vary across industries and even within companies, but there are enough common needs to warrant the development of cloud security certifications and standards. Some standards, like the SOC standards, are broadly applicable; others, such as the Health Information Trust Alliance (HITRUST), are industry-specific.

There are several major cloud computing security certifications currently available:

  • The SOC 1 certification attests to the quality of controls over financial reporting, while the SOC 2 and SOC 3 reports address security, availability, processing integrity and other factors relevant to information systems.
  • ISO 27001 is a family of cross-industry security standards that address requirements, implementation, measurement and codes of practice.
  • The Cloud Security Alliance's STAR certification program is another general security standard -- actually a meta-standard since it incorporates other standards. It is designed specifically for cloud providers and builds on two main components: the Cloud Controls Matrix and the Consensus Assessment Initiative Questionnaire (CAIQ). The Cloud Controls Matrix is a set of principles for evaluating cloud security risks; the CAIQ is a formalized list of questions to help cloud customers evaluate cloud service providers.
  • The HITRUST certification and PCI DSS certification are important to healthcare and payment card industry organizations. HITRUST is an organization of security and healthcare organizations focused on establishing a Common Security Framework (CSF). The CSF includes specifications of implementation requirements and alternative controls. Achieving CSF certification attests to compliance with both HIPAA and HITRUST standards.

In addition to these cloud security certifications -- which certainly overlap in coverage -- it may help to review the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It is not a certification, but a framework for assessing security, and the documentation includes references and links to more specific security topics.

This was last published in December 2015