This article is part of our Essential Guide: IT services and managed services guide

Cloud computing security threats: CSA issues provider assessment

To streamline the overwhelming process of assessing cloud service provider security, the Cloud Security Alliance has issued a list of security questions organisations can ask their providers.

LONDON -- The Cloud Security Alliance (CSA) today unveiled a new framework intended to help companies assess the security capabilities of their prospective cloud service providers and in turn mitigate cloud computing security threats.

Lack of trust is the biggest barrier to the adoption of cloud services. Customers just don't know what the provider is doing.


Jim Reavis,
executive directorCSA

The CSA's Consensus Assessments Initiative (CAI) is a list of 145 questions that buyers of cloud services should ask before committing -- and entrusting their data handling -- to a provider.

The CSA, which operates as a cross-industry body promoting good practice in the fast emerging market of cloud computing, formulated the questions based on extensive consultations with a broad range of organisations.

Jason Witty, senior vice president and information protection consulting executive for Bank of America Corp., who was one of the project leaders for CSA, said the body has launched CAI version 1 in order to get broader industry feedback.

The CAI comes in the form of an Excel spreadsheet that can be given to cloud providers to fill out with questions organized by category. The list allows purchasers of cloud services to ask for key information, while also allowing the suppliers to provide the answers just once for all customers, ideally streamlining the information-sharing process for all parties.

The CAI builds on earlier work by the CSA, and is meant to be used in conjunction with its tactical guidance document, Security Guidance for Critical Areas of Focus in Cloud Computing (.pdf), and the CSA Cloud Controls Matrix, which sets out a list of controls that purchasers should be sure to have in place for their cloud data..

"Lack of trust is the biggest barrier to the adoption of cloud services," said Jim Reavis, executive director of the CSA. "Customers just don't know what the provider is doing." He said that by equipping customers with the right set of questions and the providers with a standardized framework for answering the questions, it can help companies assess the security capabilities of providers in a more streamlined way.

The framework is intended to deal with different types of cloud services --Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) -- all of which place a different burden for security on the suppliers. According to Witty, IaaS leaves the responsibility for all security to the customer, while SaaS puts that responsibility onto the provider.

Reavis conceded that security in the cloud can become extremely complex -- such as when customers need to control the geographical location of their data -- and that version 2 of the CAI is likely to incorporate changes once the suppliers have had a chance to test it out. Version 2 is planned for release early next year.

Read more on IT risk management