How to evaluate, choose and work securely with cloud service providers
A comprehensive collection of articles, videos and more, hand-picked by our editors
The Cloud Security Alliance this week updated two of its industry standards, the Cloud Controls Matrix version 3.0.1 and the Consensus Assessments Initiative Questionnaire version 3.0.1.
The updates seek to eliminate redundancies between the two standards, which were designed as a "one-stop shop" to guide companies in conducting cloud provider security assessments, and the latest versions feature more detailed, clarified language, according to the Cloud Security Alliance (CSA).
The updates also feature improved alignment between the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) as well as the organization's flagship Security Guidance reference documents and the Security, Trust & Assurance Registry (STAR) program. STAR, which was launched in 2011, is an online registry that documents the security controls offered by participating cloud providers.
Jim Reavis, CEO of the CSA, said the CCM and CAIQ updates are a reflection of the demand for more detailed information from customers who want to invest in cloud technology.
"This is a direct consequence of enterprises and government agencies saying that they're all in on cloud and wanting reassurances about how to move forward," Reavis said. "It's a milestone for us because we've taken what started out as less formal advisory guidelines and moved toward more formal best practices and compliance standards."
Pravin Kotharifounder, chairman and CEO, CipherCloud
For example, Reavis said the update to CAIQ, which is a set of questions for businesses to ask cloud providers before procuring cloud services, drills down even deeper into things like service level agreements, while the CCM, which provides security principles for cloud providers, offers updated mapping to other industry standard, compliance laws and controls such as ISO 27001:2013, FedRAMP security controls and the Payment Card Industry Data Security Standard (PCI DSS) version 3.0.
Reavis also said he expects the improved alignment between the two standards and STAR to help drive additional interest and participation in the STAR program from cloud providers.
"We expect a lot of the fruits of these updates to show up with our STAR program," he said.
Pravin Kothari, founder, chairman and CEO of CipherCloud Inc., a San Jose, California-based cloud security vendor and corporate member of the CSA, said the CCM and CAIQ standards are valuable to companies like CipherCloud because they act as "a stack of guidelines and best practices" upon which customers can build an actual cloud security framework.
"The CSA is leading the charge to put some structure around the security side of the cloud," Kothari said. "Security is a huge, sprawling area but these updates are going to help give customers a better view of what's going on in this space when it comes to cloud."
Kothari also said customers are asking "tougher questions" about cloud security in the wake of high-profile data breaches at corporations such as Target Corp. plus the NSA surveillance revelations from last summer. The CCM and CAIQ updates, therefore, are welcome additions because they can help answer those questions.
"The awareness around cloud security as well as these standards is definitely growing," Kothari said. "If you talk to a chief security officer or a compliance officer in any enterprise, they know these standards."
Diana Kelley explains how the CCM and CAIQ can be used to assess cloud providers' security controls.