In early August, the Cloud Security Alliance presented its plans to facilitate transparency in the cloud via an online registry where service providers can detail their compliance with CSA's best practices. Scheduled to be online by the end of the year, the Security, Trust and Assurance Registry (STAR) will be free, publicly available and searchable. It is designed to help cloud service customers verify the cloud security practices of their suppliers, or at least of those suppliers who agree to participate in the initiative. STAR will also list the technology component vendors that have agreed to integrate elements of the CSA GRC (Governance, Risk Management and Compliance) stack.
To begin with, CSA has asked vendors to supply their own information, using either the Cloud Controls Matrix (CCM) or the Consensus Assessments Initiative Questionnaire (CAIQ), says Phil Agcaoili, a founding member of CSA, co-founder of STAR and co-chair of its committee. CCM and CAIQ are components of CSA's GRC stack. "Several of the best-known cloud service providers have already adopted this approach on their own as part of their differentiation initiatives, and have called for a central registry to allow customers to simplify their verification processes," explains Phil Agcaoili. "We believe that a free service like this reflects the fact that transparency and self-regulation are what the cloud industry needs as this market matures," he adds.
"Frankly, with all the existing regulatory requirements, CSA is cautiously approaching the creation and management of a certification for suppliers. For the time being, we believe that this level of self-certification is appropriate and will effectively reduce the number of unique audit requests that service providers must meet. In the end, over time, it will reduce the burden of compliance."
Jim Reavis, co-founder and executive director of CSA, recently wrote about the complexity of cloud security certification for cloud service providers. And because cloud computing is so dynamic, CSA wants to let service providers choose the level of cloud security control appropriate to their market, says Agcaoili. "If a sufficient number of organizations participate, it will be a very strong element that CSA will be able to use in its dealings with governments around the world that want to regulate cloud security."
CSA is also involved in a number of third-party evaluation, standardization and certification projects, including the Common Assurance Maturity Model (CAMM). "We believe that STAR provides an intermediate step for the industry until these projects come to fruition," explains Agcaoili.

Doubt pushes US government's cloud initiative into private cloud
Pushed toward cloud computing by the US budget office despite strong reservations about the protection of sensitive data, many heads of government agencies are opting for the private cloud, which they consider safer than public cloud environments. At the Census Bureau, for example, management is focusing 90% of its cloud efforts on creating a private internal cloud that will be hosted in the administration's computing center in Bowie, Maryland, says its CIO, Avi Bender.
"We work with a lot of private data protected by law, including all the information collected in the course of our surveys, but also data from the IRS, the US tax authority, so we have to be careful about the control and security of this data," he says. "Frankly, at the moment, certain aspects of the cloud are totally unacceptable to us from this point of view."
Bender explains that the issue of data security is so important to his agency that he cannot afford a single mistake. "One flaw in a taxpayer's data and we are in a very bad position."