SAN FRANCISCO -- The Cloud Security Alliance offered a flurry of announcements at its 2013 CSA Summit Monday, designed...
to further its cloud provider security assurance efforts, as well as foster better, more broadly available cloud security training for information security professionals.
CSA Executive Director Jim Reavis announced that 22 providers are now participating in the CSA STAR program. Launched nearly two years ago, the Security, Trust and Assurance Registry (STAR) is an online clearinghouse where cloud providers can submit documentation detailing their security controls for review by potential customers.
Microsoft and Solutionary, an MSSP, were the first two providers to sign up, but it had been growing slowly until Amazon Web Services joined STAR last year, giving the CSA a boost in its mission to increase cloud provider security transparency and enable cloud computing customers to make better, more informed decisions related to cloud provider security.
Reavis said the willingness of the providers participating in STAR to offer transparency on how their security programs align with the CSA's Cloud Controls Matrix (CCM) and its set of baseline standards for cloud security controls, says a lot about their commitment to security.
"It's one thing to get yourself audited," Reavis said, "but to actually publish your security program is pretty powerful."
Reavis said the CSA will roll out STAR certification and attestation programs later this year, and it is working with a variety of organizations on ways to make provider attestation easier, such as a way to achieve an ISO 27001 certification that is scoped with the CSA controls as appropriate.
The CSA is also working with the AICPA, the U.S. national professional association for Certified Public Accountants, to improve its reporting format for STAR, and hopes to have its materials published in machine-readable format in the next 1-2 years to better enable the continuous monitoring of provider certifications and attestations.
Additionally, the CSA announced the draft release of CCM version 3.0. The new version introduces three new "control domains": mobile security, supply chain management, transparency and accountability, and interoperability and portability.
The CCM 3.0 draft is available for review via the CSA through March 27, with a final release slated for April.
In another announcement, the CSA heralded the launch of its new Legal Information Center (CLIC), an online resource for cloud computing stakeholders to provide more clarity on not only the applicability of existing laws in cloud computing scenarios, but also identify laws that may require modification due to the effect of new technology trends.
CCSK gets update, new global partners
Reavis also discussed Friday's launch of version 3.0 of its Certificate of Cloud Security Knowledge (CCSK), a Web-based certification exam for cloud security practitioners seeking to validate their competency in key cloud security issues.
The new 60-question exam is 90 minutes in length. Reavis said beta testers have reported a better experience with the new version. However, version 2.1 will remain available until the end of the year for those who had been studying specifically for that version.
Reavis announced the cost of the CCSK will increase to $345 on May 1, but will remain available for the current price of $295 until then.
In a related announcement, Reavis said the CSA has inked new training partnerships with Hewlett-Packard Co. and Optimus Technology & Telecommunications of Dubai to enable the global expansion of formal CCSK training programs. HP will be the initial partner of a new CSA Master Training Program.
Reavis also foreshadowed a pending announcement with (ISC)2 on new credentials that will seek to address the cloud security skills gap uncovered in (ISC)2's research. Reavis said the credentials will be complimentary to the existing CISSP and CCSK certifications, providing a more formal certification path for those with cloud security-specific knowledge.
View all of our RSA 2013 Conference coverage.