Cloud Security Compliance List Attracts Star Players

A Cloud Security Alliance (CSA) resource to help customers compare how closely cloud service providers comply with the organisation’s security practices has drawn in some big guns.

Google, Intel, McAfee, Microsoft, and Verizon have all joined the voluntary programme by submitting compliance reports to CSA’s Security Trust and Assurance Registry (Star). This will help customers to match their security requirements to a cloud service and speed up the due diligence process when selecting a supplier.

Reducing due diligence overheads

The CSA is pushing its Star service by encouraging businesses to insist that their suppliers contribute information to the registry. In this regard, eBay is one of the first to act by putting pressure on its suppliers.

“As the world’s largest online marketplace, we recognise the importance of protecting our users’ privacy and security,” said Dave Cullinane, CISO for eBay. “To help us further this goal, we will be requiring every cloud vendor we work with to submit an entry to the CSA Star so that we may evaluate their security controls in a consistent, open manner.”

CSA Star, which is open to all cloud providers whether aligned with CSA or not, is asking companies to file self-assessment reports documenting their compliance with CSA’s published best practices. The searchable registry will be accessible online by the end of this year.

Cloud providers interested in submitting reports can download either a Consensus Assessments Initiative Questionnaire (CAIQ) or Cloud Controls Matrix (CCM) response to indicate their compliance with CSA standards.

CAIQ is a set of over 140 questions a cloud consumer or auditor may wish to ask of a provider. The form contains industry-accepted ways to document which security controls exist in infrastructure, platform and software as a service (IaaS, PaaS, and SaaS) offerings.

CCM is a framework, tailored to the cloud industry, that details how organisations should provide structure, detail and clarity when providing information about their security measures. CSA said the documentation gives the provider a detailed understanding of security concepts and principles aligned with the Alliance’s guidance.

In addition to cloud provider self-assessments, CSA Star will also provide listings of solution providers that have integrated CAIQ, CCM and other GRC Stack (governance, risk management, compliance) components into their compliance management tools. This will help customers extend their GRC monitoring and reporting across their enterprise and across multiple cloud provider relationships.

CSA is a not-for-profit organisation that defines and promotes best practices for securing online services.

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative
