Channeling the Cloud

Registry Will Let Cloud Providers Disclose Security Controls

To say cloud providers are less than forthcoming on their approach to cloud security would be an understatement. Call it paranoia or prudence -- customers are demanding more transparency about security practices before making the leap to the cloud.

This fall, the Cloud Security Alliance (CSA), an influential consortium, is set to launch a searchable registry that existing or prospective customers and partners can access free of charge to query how cloud providers are approaching security. The registry will allow you to look up cloud providers and review their security practices.

The CSA Security, Trust & Assurance Registry (STAR) aims to document the security controls put in place by cloud computing providers, letting users determine how their existing or potential providers are addressing security. STAR allows providers to file reports that document security practices.

"The purpose of the registry is to prod the industry a bit to really be more transparent in their security practices," said Jim Reavis, executive director of the CSA. "We need to have security by transparency. It's really going to create a big mindset shift that -- while there are definitely a lot of the details about security practices that must be closely held -- to have cloud actually function as a compute utility, we have to have a lot more knowledge about how it works and operates."

The CSA is looking to strike the right balance between transparency and secrecy, but Reavis believes right now it lies too far on the side of secrecy. As a result, it inhibits the adoption of cloud computing and holds back knowledge of what the security practices of cloud providers are.

"I think that will have far-reaching impact on the whole of security and compliance, and it could even forestall the need for some pretty heavy-handed government regulation of cloud computing, if we're actually are able to show that the industry can self-regulate to a degree and really expose a prudent amount of information about what they're doing," he said.

Open to all types of cloud providers, STAR gives providers the option of submitting two different reports that would indicate their compliance:
  • The Consensus Assessments Initiative, or CAIQ, a questionnaire that lets providers document what security controls exist in their Infrastructure as a Service, Platform as a Service and Software as a Service offerings, based on industry-accepted methods. It consists of 140 questions a customer or auditor might ask of a cloud provider.
  • The Cloud Controls Matrix, or CCM, a spreadsheet-based tool of the CSA's recommended security controls across 13 domains.

STAR should be welcome by customers considering cloud providers. But so far it remains to be seen how many will contribute to the registry. Reavis is confident there will be broad industry participation.

"Under NDA I've seen this documentation that we're asking for from virtually every cloud provider," he said, noting they've had to provide it for their bigger customers. "I think based on the fact that they've already done this work and we've had really positive conversations, we expect most major cloud providers to have this documentation posted very close to our go-live date."

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.


  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Microsoft Sets September Launch for Purview Data Governance

    Microsoft's AI-powered Purview solution to address governance and security challenges is set to become generally available on Sept. 1.

  • An image of planes flying around a globe

    2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • End of the Road for Kaspersky in the United States

    Kaspersky on Monday said it is shuttering its U.S. operations, just days before a nationwide ban on sales of its security software was set to take effect.