Registry Lets Cloud Providers Disclose Security Controls

To say cloud providers are less than forthcoming on their approach to cloud security would be an understatement. Call it paranoia or prudence, customers are demanding more transparency about security practices before making the leap to the cloud.

The Cloud Security Alliance (CSA) this fall will launch a searchable registry that existing or prospective customers can access free of charge to query how cloud providers are approaching security. Customers will be able to look up cloud providers and review their security practices.

The CSA Security, Trust & Assurance Registry (STAR) aims to document the security controls in place by cloud computing providers, letting users determine how their existing or potential providers are addressing security. STAR allows providers to file reports that document security practices.

"The purpose of the registry is to prod the industry a bit to really be more transparent in their security practices," said Jim Reavis, executive director of the CSA. "We need to have security by transparency. It's really going to create a big mindset shift that while there are definitely a lot of the details about security practices that must be closely held, that in fact to have cloud actually function as a compute utility, we have to have a lot more knowledge about how it works and operates."

The CSA is looking to strike the right balance between transparency and secrecy, but Reavis believes right now it lies too far on the side of secrecy. As a result, it inhibits the adoption of cloud computing and holds back knowledge of what the security practices are of cloud providers.

"It's a high-level type of shift in the mentality and mindset in how we protect our systems, how we disclose things, how we respond to audits, how we do due diligence," Reavis said. "But I think that will have far-reaching impact on the whole of security and compliance and it could even forestall the need for some pretty heavy-handed government regulation of cloud computing, if we are actually are able to show that the industry can self-regulate to a degree and really expose a prudent amount of information about what they're doing. That's the big effect we're trying to get."

STAR is open to all types of cloud providers, which have the option of submitting two different reports that would indicate their compliance:

• The Consensus Assessments Initiative (CAI) is a questionnaire that lets providers document what security controls exist in their IaaS, PaaS and SaaS offerings, based on industry-accepted methods. It consists of 140 questions a customer or auditor might ask of a cloud provider.
  
  
• The Cloud Controls Matrix (CCM) is a spreadsheet-based tool of the CSA's recommended security controls across 13 domains.

STAR should be welcome by customers considering cloud providers. But so far, it remains to be seen how many will contribute to the registry. Reavis is confident there will be broad industry participation.

"Under NDA I have seen this documentation that we're asking for from virtually every cloud provider," he said, noting they've had to provide it for their bigger customers. "I think based on the fact that they've already done this work -- and we've had really positive conversations -- we expect most major cloud providers to have this documentation posted very close to our go-live date."

Posted by Jeffrey Schwartz on August 18, 2011