The Cloud Security Alliance this week announced the Open Certification Framework, a multi-faceted initiative to provide cloud security certifications for cloud service providers.
One part of the framework is scoping documentation that lets a provider obtain an ISO 27001 certification incorporating the CSA Cloud Controls Matrix (CCM), Reavis said. It also will provide guidance for an SSAE 16 attestation that incorporates the CCM (SSAE 16 replaced SAS 70). In each case, the resulting certification will be recognized by the CSA.
The CSA's own type of cloud security certification for providers builds on its Security, Trust and Assurance Registry (STAR), an online registry of cloud provider security controls launched last year. An existing STAR entry would be treated as a level 1 self-assessment, with higher levels above it, a tiered structure similar to that of the PCI Data Security Standard, Reavis said. STAR has a handful of participants so far, including Microsoft and Solutionary.
The non-profit CSA hasn’t yet decided whether it will offer its own third-party assessment for the certification, Reavis said.
While the U.S. has developed a cloud provider security framework with FedRAMP, the CSA is working with other countries to develop their own frameworks based on the CSA GRC Stack and STAR, he said.
“There’s not going to be one certification to rule them all,” Reavis said. “It’s clear in our talk with different governments, while they’ll tip their hat to international standards, several want their own that they control. We’re happy giving them what they need to create their own.”
The drivers for the Open Certification Framework were both positive and negative, he said. On the positive side, the CSA has received a growing number of requests from both government agencies and the private sector for cloud provider certification. “They said, ‘We like the work you do and want to continue to push STAR, but we need more teeth in it; we need to see more specific certifications’,” he said.
On the negative side, the CSA had growing concern that if it waited too long, some regional groups and a couple of for-profit entities would soon announce cloud security certifications for providers that don’t follow appropriate best practices, he said. “We don’t want to be the path of least resistance, resulting in certifications lacking in integrity.”
The CSA plans to release a detailed roadmap for the Open Certification Framework in September at CSA Congress Europe. The roadmap will include a plan for continuous controls monitoring, which Reavis said is essential. He expects the first provider certification could be announced in the second quarter of next year.