Cloud Security Alliance Working Toward Cloud-Specific Certifications

The Cloud Security Alliance (CSA) is working with other key players in cloud security and auditing to determine which organizations should provide the certification, as well as what such a certification should include. Certification is likely to be managed by multiple bodies.

[The CSA’s] research identifies the vulnerabilities that threaten to hinder cloud service offerings from reaching their full potential. For example, companies must be aware of “abuse and nefarious use of cloud computing,” which includes threats such as the Zeus botnet and information-stealing Trojan horses, malicious software that has proven especially effective in compromising sensitive private resources in cloud environments. However, not all of the threats in this category are rooted in malicious intent.

As the social Web evolves, more sites are relying on application programming interfaces (APIs), sets of operations that enable interaction between software programs, to present data from disparate sources. Sites that rely on multiple APIs often suffer from “weakest link” security, in which one insecure API can adversely affect the larger set of participants that depend on it. Together, these threats comprise a combination of existing vulnerabilities whose severity is magnified in cloud environments, as well as new, cloud-specific techniques that put data and systems at risk.

Additional threats outlined in the research include:

  • Malicious Insiders
  • Shared Technology Vulnerabilities
  • Data Loss/Leakage
  • Account/Service and Traffic Hijacking

The entire cloud model of computing as a utility, together with its dynamic characteristics, makes this a whole new ballgame for certification. Jim Reavis, CSA’s co-founder and executive director, quoted in Dark Reading, says, “[Cloud computing] brings everything into question: where the machines are, what is the nature of data. If data is encrypted on the public cloud providers’ [systems] and the key held by a separate cloud [provider]—is that even data? There’s some rethinking we need to do.”

In the same article, Bret Hartman, chief technology officer at RSA, states that an enterprise’s own security controls and its cloud provider’s controls must go hand in hand. “It’s complicated with cloud computing because there are multiple parties involved,” Hartman says. “I think it’s time for us to think about what a cloud certification would be ... and there would be different levels of certification required. It would be different than SAS 70.”

CSA Goes Beyond SAS 70 and ISO 27001
SAS 70 (Statement on Auditing Standards No. 70) is an audit of the internal business controls that an organization defines for itself: everything from how human resources handles background checks to data backup, patch management, and client administration. An auditor attests that the organization’s stated controls exist and operate, but the standard does not prescribe which controls must be present, and it doesn’t specifically address issues affecting cloud-based services.

The issue is that one company’s SAS 70 report isn’t the same as another’s: “You define the controls as the service provider and the auditor comes in and makes a judgment whether these controls are sufficient or not” with testing, says Chris Day, chief security architect at Terremark, a major cloud services provider that holds a SAS 70 certification. “SAS 70 is very enterprise-specific: my SAS 70 is different from yours or IBM’s, for example. It’s difficult to know whether my SAS 70 is more comprehensive than yours, which would be troubling for something as complex as cloud security.” Day says that the PCI Security Standards Council’s Data Security Standard (PCI DSS) is actually a better standard for gauging data security, because it dictates a series of controls, how they should be implemented, and what level of logging should be deployed.

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. Its mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

Day continues, “We have SAS 70, but it doesn’t necessarily tell the whole story. SAS 70 is a foundational certification.”

Reavis of the CSA says ISO 27001 is actually better for cloud services than SAS 70. “It’s more holistic and covers more ground,” he says. ISO 27001 specifies how an organization should run its information security management system, including security controls, risk assessment, and other issues. However, as with SAS 70, the scope of an ISO 27001 certification is defined by each organization that seeks it, so a certificate says nothing about systems the organization chose to leave out. “You can exclude from the certification some very important things,” Reavis says. Even so, he says, ISO 27001 makes the most sense for now: “We feel that until we can get a cloud security certification, ISO is a better interim step” because it is broader than SAS 70.
