CSA talks up cloud certification scheme

Grazed from CRN. Author: Doug Woodburn.

The industry body behind a new security stamp for cloud computing providers is confident it will carry the same clout as an ISO badge.

The Cloud Security Alliance (CSA) is rolling out what it claims is the world’s first security-focused certification scheme for cloud computing providers, in partnership with the British Standards Institution (BSI).

The CSA Open Certification Framework is divided into three tiers: a basic, self-certification tier that is already available; a second, independently assessed tier set to go live next year and that draws on ISO 27001; and a top tier structured around a continuous monitoring-based certification that is still under development…

Founded in January 2009, the CSA promotes best practices for security in cloud computing.

Daniele Catteddu, CSA’s managing director EMEA, asserted that adoption of cloud computing had been held back by end-user concerns about transparency and assurance.

"Certification by a third party in our opinion is the best way to bring more transparency to the market," Catteddu told ChannelWeb.

He indicated that cloud computing giants Amazon Web Services and Microsoft would be among the first through the gate, although he argued that the certification will not debar smaller SaaS providers.

"Any cloud provider that wants to differentiate itself on the basis of security and reliability will need to have our certification," he said.

Catteddu conceded that ISO, a community with which CSA has strong ties, is working on a cloud computing standard (ISO 27017), but said it may not see the light of day until 2015 or beyond.

"ISO 27001 is a very good information security certification but it is not sufficient to address specific issues around cloud computing," he said. "There is no time to wait and we can offer something that can be used right away."

Andy Burton, chairman of the Cloud Industry Forum (CIF) – which has its own code of practice for cloud service providers – welcomed the CSA’s move.

"Any well-constructed activity that helps drive transparency, capability and accountability of the service provider to the end-user community is good and should be encouraged as it will only benefit cloud adoption and therefore the wider industry," he said.

Burton did not see a conflict between the CSA and BSI’s initiative and his own as the duo is focused on information security, rather than the "wider issue of demonstrating clarity of commercial operations".

Although the global cloud computing market is set to grow to $241bn (£153bn) by 2020, according to analyst Forrester, Catteddu said security concerns had stunted adoption, particularly in Europe and Asia-Pacific.

"There are concerns among European customers regarding the use of non-Europe-based providers," he said. "Through this certification scheme, we can remove the barriers that have stopped the cloud market developing."