The CCSR: Canadian Cloud Security Rating

July 15, 2012 By David
Grazed from CloudBestPractices.net. Author: Editorial Staff.

Canada has a notorious ‘Innovation Gap’ that is seeing the country slip further and further behind the rest of the world in embracing the new technology-enabled Knowledge Economy.

They are scoring a ‘D for Innovation’, which is no surprise given they are also scoring a D for openness to new IT models like Cloud Computing, as Telus reports in this press release.

The principal business benefit of Cloud Computing is that it provides a platform for encouraging and enabling more innovation: more prototyping, faster product development cycles, lower risk for trialling new ideas, and so on.

Failing to exploit these new capabilities means there is less innovation happening than there might be, especially in comparison to other nations like the USA and UK that are wholeheartedly embracing Cloud Computing, hence the downwards direction for Canada.

Safe adoption of Cloud Computing

Therefore, as Telus reports, there is an urgent need for a mechanism to assess and report on the ability of a Cloud provider to prove its security and compliance credentials, in order to overcome this resistance:

87 per cent of Canadian business and IT leaders have significant concerns about public cloud’s ability to handle data in compliance with regulations and legislation.

Overcoming this specific concern will open the floodgates to safe use of the Cloud and therefore greatly expand innovation capacities and adoption.

To achieve this, we have now begun work on developing the standards and implementation program for rolling out the ‘CCSR’ – Canadian Cloud Security Rating. This will provide an equivalent of a credit score rating for this exact point: the extent to which Cloud providers can prove compliance with regulatory and technical requirements.

The background and lead-up to this development is captured in this blog I posted almost two years ago – Microsoft Cloud Security for Government Compliance.

This article reviews their documentation that explains how they implement Cloud best practices to achieve a highly secure Azure Cloud environment.

These best practices are a package that blends together those from the Cloud Security Alliance with the ISO and NIST protocols. By further layering in specific Canadian legislative requirements and best practices, like Cloud Privacy-By-Design from the Ontario Privacy Commissioner, we’re tailoring these for the Canadian market.

This means that local Canadian providers can implement the same controls that Microsoft have used to secure Azure to the required enterprise-class standards, and then also be assessed to measure their compliance with these standards. This compliance level is output as a score (e.g. 600), which will therefore function as the Canadian Cloud Security Rating.