Which cloud security certifications should providers have?

With numerous security standards and certifications available, evaluating a cloud provider can be tricky. Expert Dan Sullivan explains what to look for during evaluation.

When choosing a cloud provider, which cloud security certifications and standards should it have? Do certain certifications match particular types of security services?

Security requirements vary across industries and even within companies, but there are enough common needs to warrant the development of cloud security certifications and standards. Some standards are broadly applicable -- like the SOC standards -- and others are industry-specific -- such as the Health Information Trust Alliance (HITRUST).

There are several major cloud computing security certifications currently available:

  • The SOC 1 certification attests to the quality of controls over financial reporting, while the SOC 2 and SOC 3 reports address security, availability, processing integrity and other factors relevant to information systems.
  • ISO 27001 is a family of cross-industry security standards that address requirements, implementation, measurement and codes of practice.
  • The Cloud Security Alliance's STAR certification program is another general security standard -- actually a meta-standard since it incorporates other standards. It is designed specifically for cloud providers and builds on two main components: the Cloud Controls Matrix and the Consensus Assessment Initiative Questionnaire (CAIQ). The Cloud Controls Matrix is a set of principles for evaluating cloud security risks; the CAIQ is a formalized list of questions to help cloud customers evaluate cloud service providers.
  • The HITRUST certification and PCI DSS certification are important to healthcare and payment card industry organizations. HITRUST is an organization of security and healthcare organizations focused on establishing a Common Security Framework (CSF). The CSF includes specifications of implementation requirements and alternative controls. Achieving CSF certification attests to compliance with both HIPAA and HITRUST standards.

In addition to these cloud security certifications -- which certainly overlap in coverage -- it may help to review the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It is not a certification but a framework for assessing security, and its documentation includes references and links to more specific security topics.
