There probably isn't a day that goes by I’m not asked when the Cloud Security Alliance is going to certify cloud providers. We have a professional certification, the Certificate of Cloud Security Knowledge
After that first cup of coffee, I usually have a much better attitude and can provide a more thoughtful response. Deciding to first foray into the area of individual certifications was a pragmatic decision to try to help increase the baseline of industry knowledge and focus on cloud security issues and best practices. The reality is, it is simpler to measure an individual’s knowledge than the security practices of a global provider.
When thinking about cloud security certification, one of the big issues that comes up is the criteria you use. It is always a challenge to avoid getting too detailed and overly prescriptive as there can be many ways to solve a problem and implement security controls. Also, cloud providers are different; some do not use virtualization, even among the subclass we refer to as Infrastructure as a Service (Iaas). So you end up having higher level criteria, and an assessment performed to determine if the detailed implementation meets the objectives of the criteria.
Provider certification is still very much of interest to us, but we want to address this in the
context of other activities underway that we support directly or indirectly. Given that
certification is going to require assessments, one thing we plan to do soon is allow providers to
self assess based on tools in our Governance, Risk and
Compliance (GRC) Stack, and we will publish the results. This is certainly not a full
solution but a step in the right direction. It increases transparency, and even if it’s self
assessment, we can expect that providers will want to “compete” to provide information at least as
good as their competitor provides. Longer term, we are interested in partner projects like
CAMM (Common Assurance Maturity Model), and helped
develop the recent
paper articulating the possibility of a third-party assurance center that tracks security
maturity of providers, understanding that not all services require the same level of
However, even though I think we will have meaningful certification of cloud providers at some point, information security historians would point out that bad breaches -- some of the worst breaches we have seen -- have happened to "compliant" and "certified" organizations. Some of the post-mortems (or perhaps Monday morning quarterbacking is a better term) have pointed out flaws in the particular certification process or made the valid argument that the target company in question made significant changes since their last assessment. Maybe the assessor did a poor job or perhaps the organization misled the assessor in some way.
I agree with and understand these arguments, and because of this, I have had an evolution in thinking (thanks to much smarter people pounding it into my head) to see the importance and feasibility of continuous monitoring in cloud environments. The stakes are too high to not understand these issues in real time. What we ultimately need is to combine the increased transparency on the part of cloud providers with the technical instrumentation of provider and customer systems to enable continuous monitoring of GRC.
This is the idea of two projects that are now part of CSA: CloudAudit and Cloud Trust Protocol (CTP). As an analogy, think of Simple Network Management Protocol (SNMP). CloudAudit enables a provider to make compliance assertions, just like an SNMP agent reports the health parameters of an IP node. CTP would be like the SNMP console that queries the agents. The analogy is an oversimplification, but I am convinced this is the direction we must head.
Certification? Good. Transparency and automation of GRC? Great!
About the author:
Jim Reavis is co-founder and executive director of the Cloud Security Alliance.