The biggest inhibitor to Cloud Computing adoption is, without doubt, security. The Cloud Security Alliance (CSA) has been working to alleviate these concerns, or at least to bring transparency to the security procedures and processes of cloud providers. Their mission statement is as follows: “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
The CSA has put together a group of initiatives known as the Governance, Risk Management and Compliance (GRC) stack. This provides details and guidelines that allow all cloud stakeholders, from auditors and end users to implementors, to instrument and assess both private and public clouds against industry-established best practices, standards and critical compliance requirements. Part of the GRC stack is a questionnaire known as the Consensus Assessments Initiative Questionnaire (CAIQ). This questionnaire is provided in spreadsheet format and covers the security procedures and processes undertaken by a cloud provider and how they comply with the CSA best practices. It is a form of self-assessment, as an organisation completes it themselves.
Any organisation that wishes to publish their assessment can do so at the CSA Security, Trust & Assurance Registry (STAR). This central resource could evolve to be the go-to resource on cloud security best practices. As a start, Microsoft is the first cloud provider to publish their CAIQ response to the STAR. They have done so for the following products:
A major benefit the STAR registry provides to cloud consumers is transparency on the security of cloud services for registered organisations, in a way that is based on standards (ISO 27001) and best practices, and that is easily accessible at no charge. The information provided by the CAIQ questionnaire details what procedures are in place without disclosing how they are undertaken, thus protecting the provider from exposing both commercially and technically sensitive information.
With Microsoft leading the way in providing this information, it will be interesting to see if other major providers follow suit. Amazon, for instance, has for a long time now published many of its processes and procedures at its Security and Compliance Centre. Will they complete the CAIQ questionnaire too? What about Google, Salesforce.com and the other major vendors? Over the next few months it will be interesting to see how these, and other, vendors react to what Microsoft has done. One thing is for sure: the more information on security and best practices that vendors release, the better informed cloud adoption decision makers will be, and the better the choices they can make.
Learn more about cloud computing security with Learning Tree’s course Cloud Security Essentials: Best Practices for Secure Cloud Computing.