CSA Registry Strives for Security Transparency of Providers
Recognizing just how important security is to potential and current cloud services customers, the Cloud Security Alliance is launching a registry that documents the security controls of cloud computing providers.
The CSA Security, Trust and Assurance Registry (STAR) strives to “encourage transparency of practices within cloud providers,” according to the alliance. The document will be available free of charge to anyone interested in how (and how well) cloud service providers are locking down their offerings.
One caveat: STAR is a vendor-created document, and vendors that choose to take part submit self-assessments to document their compliance to the best practices published by CSA. CSA doesn’t go out and gather the information itself; users basically will have to trust that what the vendor says is true.
STAR, which will go online in the fourth quarter of 2011, will include two types of reports submitted by the vendors: the Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings; and the Cloud Controls Matrix (CCM), which provides a controls framework to show the vendor understands and practices the guidance put forth by the CSA.
STAR will also list solution providers that have integrated CAIQ, CCM and other GRC Stack components into their compliance management tools so users can more easily extend their GRC monitoring across their entire enterprise and work with multiple cloud providers, according to the CSA.
Once STAR goes online, interested cloud providers can submit their reports for either of the two categories.
Considering the high-profile security breaches in the cloud space over the past 12 months, the CSA may be on to something with this registry. However, its success will depend largely on the information provided by the vendors. And when it comes to the security of data in the cloud, that’s something vendors don’t want to mess around with.