Channeling the Cloud

Registry Will Let Cloud Providers Disclose Security Controls

To say cloud providers are less than forthcoming on their approach to cloud security would be an understatement. Call it paranoia or prudence -- customers are demanding more transparency about security practices before making the leap to the cloud.

This fall, the Cloud Security Alliance (CSA), an influential consortium, is set to launch a searchable registry that existing or prospective customers and partners can access free of charge to see how cloud providers are approaching security. The registry will let you look up a cloud provider and review its documented security practices.

The CSA Security, Trust & Assurance Registry (STAR) aims to document the security controls put in place by cloud computing providers, letting users determine how their existing or potential providers are addressing security. STAR allows providers to file reports that document security practices.

"The purpose of the registry is to prod the industry a bit to really be more transparent in their security practices," said Jim Reavis, executive director of the CSA. "We need to have security by transparency. It's really going to create a big mindset shift that -- while there are definitely a lot of the details about security practices that must be closely held -- to have cloud actually function as a compute utility, we have to have a lot more knowledge about how it works and operates."

The CSA is looking to strike the right balance between transparency and secrecy, but Reavis believes the balance currently lies too far on the side of secrecy. That secrecy, he argues, inhibits the adoption of cloud computing and keeps customers from knowing what the security practices of cloud providers actually are.

"I think that will have far-reaching impact on the whole of security and compliance, and it could even forestall the need for some pretty heavy-handed government regulation of cloud computing, if we're actually able to show that the industry can self-regulate to a degree and really expose a prudent amount of information about what they're doing," he said.

Open to all types of cloud providers, STAR gives providers the option of submitting two different reports to indicate their compliance:
  • The Consensus Assessments Initiative Questionnaire, or CAIQ, which lets providers document what security controls exist in their Infrastructure as a Service, Platform as a Service and Software as a Service offerings, based on industry-accepted methods. It consists of 140 questions a customer or auditor might ask of a cloud provider.
  • The Cloud Controls Matrix, or CCM, a spreadsheet-based tool listing the CSA's recommended security controls across 13 domains.

STAR should be welcomed by customers evaluating cloud providers, but it remains to be seen how many providers will contribute to the registry. Reavis is confident there will be broad industry participation.

"Under NDA I've seen this documentation that we're asking for from virtually every cloud provider," he said, noting they've had to provide it for their bigger customers. "I think based on the fact that they've already done this work and we've had really positive conversations, we expect most major cloud providers to have this documentation posted very close to our go-live date."

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.