Royal Holloway 2012: An analysis of cloud security certifications

In his Royal Holloway 2012 thesis, Robert Farrugia analyses cloud security certifications and suggests ways organisations can reduce cloud risks.

2012 Royal Holloway thesis series

Adoption of cloud services is accelerating as companies take advantage of the more flexible and scalable IT provisioning model created by the cloud.

But how should an organisation check that a cloud service provider is capable of looking after its data? The provider may have been audited for SAS 70, ISO 27001, PCI DSS and a range of other standards, but how valid are those standards for the world of the cloud?

For his MSc thesis at Royal Holloway University of London (RHUL), Robert Farrugia, under the supervision of lecturer Geraint Price, analysed each of the main auditing standards and examined their applicability to cloud computing.

While many of the standards were found to provide some useful reassurance, none of them proved to be adequate in its own right, leading the authors to conclude that a new cloud certification model will be needed in the future.


In an article now published on, the authors provide a detailed mapping of the current cloud security certification standards applicable to the cloud, and illustrate where each standard is lacking. In the absence of a reliable standard, the authors suggest ways organisations might minimise risk when moving their data and processes from a traditional in-house IT infrastructure stack to that of the cloud.

The feature is one of six is publishing this year in collaboration with RHUL.
