Providing security assurance in cloud computing environments isn’t easy, but thankfully, there are a variety of industry cloud computing standards and guidelines that can be used to assess cloud service provider (CSP) security and ensure CSPs are following best practices.
This mini learning guide outlines a variety of cloud computing security standards and guidelines, including CSA’s STAR, NIST’s SP500 and the SSAE16 auditing standard, and explains how enterprises can use them to achieve security assurance in the cloud.
Table of contents:
The Statement on Auditing Standards No. 70 report, usually referred to as SAS 70, has been replaced by the SSAE 16 and SOC reports as the audit standard for enterprise financial and infrastructure-related internal controls. But do SSAE 16 and SOC reports give organizations any more visibility into a cloud provider’s security?
In this article, security expert Dave Shackleford explains the SSAE standard and SOC reports, and examines how enterprises can use them to evaluate cloud service provider (CSP) security.
The Cloud Security Alliance (CSA) recently announced its Open Certification Framework, a cloud security certification program designed to certify that cloud service providers implement security controls in line with the CSA’s guidance. The program involves working with standards bodies such as ISO to enable cloud provider certification, as well as offering an independent certification.
The Federal Risk and Authorization Program (FedRAMP), which sets a standard approach for assessing the security of cloud services and products against a baseline of controls with the goal of cutting the cost and time spent on agency cloud authorizations, has garnered both optimism and criticism from industry experts. Some argue that while FedRAMP provides some potential benefits, it also faces possible pitfalls.
Enterprises are elevating the need for cloud transparency in negotiations with cloud computing providers. Mechanisms such as the Cloud Security Alliance’s STAR registry provide customers and providers with a standard for sharing security information in a public forum.
In this news piece, learn more about the need and demand for cloud computing security transparency, as well as the standards-based effort to increase and regulate transparency.
In this video interview, conducted at RSA Conference 2012, Tim Rains, director of product management in Microsoft’s Trustworthy Computing group, discusses emerging cloud computing security standards efforts, the need for cloud provider transparency, and Microsoft’s efforts in several CSA projects, including the Cloud Controls Matrix.
FedRAMP certification is drawing interest from numerous cloud computing providers, according to David McClure, associate administrator of the General Services Administration's Office of Citizen Services and Communication