Nonprofit will publish how providers secure cloud
Soon anyone may only be a few clicks away from learning whether a cloud provider is up to snuff when it comes to security, SCMagazineUS.com has learned exclusively.
The nonprofit Cloud Security Alliance (CSA) is planning to develop and maintain on its website a public registry documenting the security controls that exist in various cloud computing offerings. The initiative was discussed Wednesday during a keynote presentation at SC Magazine's “Securing the Cloud” eConference by speaker Phil Agcaoili, CISO of Cox Communications and a founding CSA member.
The repository, to be called CSA Security, Trust & Assurance Registry (STAR), will help cloud users assess the security of potential and existing providers, Jim Reavis, executive director of the CSA, told SCMagazineUS.com on Thursday.
The registry builds upon the group's Consensus Assessments Initiative, a project launched to increase the transparency of cloud computing security controls.
Last October, the CSA released a document that includes more than 140 sample questions to ask cloud providers, such as whether they conduct regular vulnerability assessment scans and have controls in place to prevent data leakage.
The registry essentially will be a compilation of all of those answers, as obtained by the CSA.
The group currently is in the process of reaching out to cloud providers to obtain their self-assessments, Reavis said. The group has received “very positive feedback from major cloud providers,” all of whom have indicated they will submit their completed questionnaires to be published.
“There are thousands of smaller SaaS [software-as-a-service] cloud providers, and it's just as important that we will get them included,” Reavis said.
Reavis called the initiative a “major industry step” toward the goal of certifying the security of cloud providers.
“We think it's very much needed and going to be an impactful program,” Reavis said.
The initiative is expected to be announced next week at the Black Hat security conference in Las Vegas, Reavis said. However, the registry likely won't go live until the fall.
Several cloud providers have asked the CSA to wait a few months before publishing the assessments so they have time to review their answers, Reavis said.
Some providers have already demonstrated interest in publicizing the details of their security controls, Reavis said. Microsoft, for example, has published a white paper detailing the security of Office 365, the computing giant's first foray into the cloud.
As a separate project, the Atlanta chapter of CSA is developing a service-level agreement (SLA) template that can be used when contracting with cloud providers.
That project should be released soon as well, Cox Communications' Phil Agcaoili, told SCMagazineUS.com this week.