When choosing a cloud provider, which cloud security certifications and standards should they have? Do certain certifications match particular types of security services?
Security requirements vary across industries and even within companies, but there are enough common needs to warrant the development of cloud security certifications and standards. Some standards are broadly applicable -- like the SOC standards -- and others are industry-specific -- such as the Health Information Trust Alliance (HITRUST).
There are several major cloud computing security certifications currently available:
- The SOC 1 certification attests to the quality of control on financial reporting, while the SOC 2 and SOC 3 reports address security, availability, processing integrity and other factors relevant to information systems.
- ISO 27001 is a family of cross-industry security standards that address requirements, implementation, measurement and codes of practice.
- The Cloud Security Alliance's STAR certification program is another general security standard -- actually a meta-standard since it incorporates other standards. It is designed specifically for cloud providers and builds on two main components: the Cloud Controls Matrix and the Consensus Assessment Initiative Questionnaire (CAIQ). The Cloud Controls Matrix is a set of principles for evaluating cloud security risks; the CAIQ is a formalized list of questions to help cloud customers evaluate cloud service providers.
- The HITRUST certification and PCI DSS certification are important to healthcare and payment card industry organizations. HITRUST is an organization of security and healthcare organizations focused on establishing a Common Security Framework (CSF). The CSF includes specifications of implementation requirements and alternative controls. Achieving CSF certification attests to compliance with both HIPAA and HITRUST standards.
In addition to these cloud security certifications -- which certainly overlap in coverage -- it may help to review the National Institute of Standards and Technology Cybersecurity Framework. It is not a certification, but a framework for assessing security, and the documentation includes references and links to more specific security topics.
Ask the Expert:
Perplexed about cloud security? Send Dan Sullivan your questions today. (All questions are anonymous.)