In nearly every survey about cloud computing, security tops the reasons why companies hesitate to adopt cloud-based technologies, and rightly so; if you cannot be sure how your data will be treated, and that it will be adequately protected, then it would be foolhardy to go blindly into the cloud, even if the economic benefits look attractive.
So how can an organisation confirm whether a cloud service provider is up to scratch? Big companies and government departments may have the clout to demand the right to carry out a detailed inspection of the cloud provider’s premises and procedures. Smaller companies, however, are likely to be less welcome.
Several initiatives, most notably from the Cloud Security Alliance (CSA), have tried to help companies at least formulate the right questions to ask of prospective service providers, but that can still be a slow and difficult task. And as already noted, smaller organisations submitting a questionnaire to a big cloud service provider can expect little cooperation, let alone answers.
But hope could be in sight. A new cloud maturity model for rating cloud services companies promises to provide a simple guide to the levels of security they provide, offering benefits both for the prospective purchaser, and for the supplier who now only has to undergo one audit process, instead of one for every customer.
Called the Common Assurance Maturity Model (CAMM), it is the brainchild of Raj Samani, a security veteran who has worked in consultancies, in the public sector, and is now European CTO for McAfee.
Development of CAMM
Samani already knew from an earlier project at a major organisation how hard it can be to deal with large numbers of suppliers. He just didn’t have the resources or money to carry out the necessary checks to ensure they were looking after the information for which he remained responsible under the Data Protection Act.
However, the solution came to him in a conversation with his father, a central London hotel owner: “My Dad was complaining about an awkward customer who wanted to do a detailed check on the hotel, and he was saying how much bother it would cause,” Samani said. “His answer was that it was a one-star hotel, meaning it wasn’t luxurious but it was cheap. That’s all the guy needed to know.”
This incident sowed the seed of a similar five-star rating system that could be applied to cloud computing services. Samani realised that, if widely adopted, such a system could not only make finding the right level of security and service a lot easier for cloud computing customers, but also relieve suppliers of undergoing endless customer audits.
That was two years ago, and since then the effort has been sustained by a team of volunteers from various supporting organisations, although that will change soon when CAMM acquires some full-time professional help. Samani said he will announce full details of that hiring plan at the CSA Summit in San Francisco in February.
The CAMM model is intended to cover baseline controls for security, Samani said, but has been designed to cross-map with other standards such as ISO 27001, COBIT and PCI DSS, where customers have specific needs.
“CAMM provides a base level of controls, and then you can add on different modules on top,” he said. “It means people can pay for the level of security they require. So now if you need a supplier in Germany at Level 3 with the module for PCI, CAMM makes it easier to find one.”
One important aspect of CAMM, Samani said, is that the intellectual property for the framework and the tools for carrying out an audit will be freely available for anyone to use. “It’s been a labour of love,” he added.
The only charges will occur when companies start using the Third Party Assurance Centre (TPAC) component of CAMM. TPAC is a repository of information about service providers, listing their levels of security across a range of measures. The aim is that TPAC will serve as a marketplace for customers and suppliers to meet. Customers will upload their requirements, listing CAMM levels plus any other modules they need, and immediately be presented with a short list of suppliers that fit their requirements.
Samani added that CAMM will help security managers quantify residual risk in terms their bosses can understand. “You go to the CEO and say, ‘We’re going for a Level 3 company but that leaves some risk,’” he said. “The CEO can then ask how much it will cost to go to Level 4 or 5, and then make a judgement understanding the risk. You can’t have that kind of conversation with business executives about security at the moment.”
CAMM recently underwent alpha tests with four pilot users and, once feedback from those tests is digested in February, a series of betas will take place ahead of a full-scale launch before the end of the year.
The project has the support of 150 organisations including major cloud service providers, government bodies, and industry bodies such as the CSA and the Information Systems Audit and Control Association (ISACA).
Reaction to CAMM
CAMM is widely seen as a valuable and promising approach. Paul Simmonds, a board member of the Jericho Forum and a co-author of the CSA’s Security Guidance V3 document, said CAMM fulfils a valuable function.
“CAMM has been pretty well thought out. I’m very impressed,” Simmonds said. “It is modular in its domain areas, so as a user of cloud services, you can stipulate what levels of security you need in different areas. CAMM makes it much easier to get a short list of potential suppliers, and it’s going to be a better and more thorough audit than most companies could manage themselves.”
The initiative has also received strong support from Europe, and includes the European Network & Information Security Agency (ENISA) on its steering committee. “We believe CAMM is key to helping cloud computing take off,” said Giles Hogben, programme manager for secure services at ENISA in Crete, Greece.
Hogben sounded a note of caution, however, saying that any new standard should avoid adding extra costs for companies. He added that measuring maturity on a scale of 1 to 5 “can lead to an over-simplification” and therefore needs to be treated with care.