Cloud Security Alliance pushes for open security certifications

Backed by the European Commission, CSA's Open Certification Framework aims to make cloud services easier to audit

If the cloud is to become a viable platform for the enterprise, security is critical. Cloud providers and users need to work from the same basic cloud blueprints so that Vendor A's cloud-based storage, Vendor B's compute services, and Vendor C's cloud platform interoperate securely, keeping Customer Q's operations safe and in compliance with applicable laws.

To that end, the Cloud Security Alliance (CSA) has announced the CSA Open Certification Framework, a program to develop flexible, multilayered certification for cloud providers. Founded in 2009 by ING and eBay, the CSA's mission is to set out best practices for providing security assurance within cloud computing. It's also currently the only cloud organization aggressively pursuing the goal of making the cloud broadly auditable and accountable.

"The Cloud Security Alliance has identified the gaps within the IT ecosystem that are inhibiting market adoption of secure and reliable cloud services. Consumers do not have simple ways to evaluate their providers' resiliency, data protection capabilities and service portability," said Daniele Catteddu, managing director, EMEA for the CSA. "This problem is exacerbated internationally, causing significant barriers to cloud adoption outside of national boundaries."

The CSA Open Certification Framework will be based on the group's GRC (Governance, Risk and Compliance) Stack research projects. The framework will support a range of options and tiers, recognizing the diverse requirements and maturity levels of different providers and consumers. Initiatives will range from the CSA Security, Trust and Assurance Registry (STAR) self-assessment to high-assurance specifications that are continuously monitored.

The CSA's GRC projects include:

  • CloudAudit, aimed at providing an open, secure interface and methodology for cloud computing providers and users to automate the A6 (Audit, Assertion, Assessment, and Assurance) functionality of their cloud environments
  • Cloud Controls Matrix, designed to provide basic guidelines for assessing the overall security risk of a cloud provider
  • Consensus Assessments Initiative, launched to perform research, create tools, and foster industry partnerships to enable cloud computing assessments. The initial deliverable of this project is the Consensus Assessments Initiative Questionnaire, which provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider.
  • CloudTrust Protocol, a mechanism by which cloud users can request information about the elements of transparency, the primary purpose being to deliver evidence that everything is happening in the cloud exactly as a provider describes

The proposed framework has garnered public support from the European Commission, and the CSA will announce additional partners for the framework on Sept. 25 at CSA Congress Europe. "We're in discussions, but nothing else that we can share publicly at this time. It's still early days," a CSA spokesperson told InfoWorld.

This article, "Cloud Security Alliance pushes for open security certifications," was originally published at InfoWorld.