ORLANDO, Fla. -- The Cloud Security Alliance (CSA) on Wednesday released the third version of its Security Guidance for Critical Areas of Focus in Cloud Computing (.pdf), which includes more practical advice and a new section on cloud-based security services.
The CSA guidance, unveiled here at the Cloud Security Alliance Congress 2011, is a set of cloud security best practices for 14 domains, including compliance and audit, incident response, encryption and key management, and application security.
Jim Reavis, CSA co-founder and executive director, said in a keynote Q&A that the updated CSA guidance provides more detailed, practical information than the previous two versions. Because cloud computing was less mature at the time and fewer lessons had been learned, the first two versions focused on governance, he said.
“In version three, we still have a lot of high-level governance issues, but also another level of steps and practices you can put into place,” he said.
The new Security as a Service domain addresses benefits and concerns with cloud-based security services, and also looks at the range of services available. “One of the milestones of the maturity of cloud as a platform for business operations is the adoption of Security as a Service (SecaaS) on a global scale and the recognition of how security can be enhanced,” according to the guidance.
“The whole security industry is going to be changed sooner than people think,” Reavis said, referring to the rise of cloud-based security.
The CSA also announced that several major providers of cloud services plan to submit reports to the CSA Security, Trust and Assurance Registry (STAR), a free, publicly available registry that documents the security controls of cloud providers. Google, Verizon, Intel, McAfee, and Microsoft plan to participate in STAR, which the CSA launched in August and plans to have online before the end of the year.
In addition, major customers of cloud services plan to require STAR reports as part of their procurement process, according to the CSA.
“As the world’s largest online marketplace, we recognize the importance of protecting our users’ privacy and security,” Dave Cullinane, CISO of eBay, said in a prepared statement. “To help us further this goal, we will be requiring every cloud vendor we work with to submit an entry to the CSA STAR, so we may evaluate their security controls in a consistent, open manner.”
Reavis said STAR is a move towards cloud provider transparency. The CSA plans to conduct outreach to cloud users to persuade them to use the STAR registry as part of their vendor assessment process, he said, adding that a critical mass of cloud customers will attract more cloud providers to participate in STAR.
He acknowledged that the CSA needs to do more work to encourage cloud customers to actually use its guidance and other tools. Cloud users know about the CSA but aren’t necessarily using its tools, he said.