Industry bodies launch security certification to boost confidence in cloud

BSI and Cloud Security Alliance together launch Star certification to assess security of cloud providers

The British Standards Institution (BSI) and not-for-profit industry body Cloud Security Alliance (CSA) have together launched Star certification programme, a third-party independent assessment of the security capabilities of cloud service providers.

Although cloud adoption is gathering pace, security remains one of the biggest hurdles to cloud adoption. Organisations that outsource services to cloud service providers have a number of concerns about the security of their data and information, according to BSI.

By achieving the Star certification, cloud and datacentre providers of all sizes will be able to give prospective customers a greater understanding of their levels of security controls, the standards body said.

Research by Ponemon Institute in March 2013 revealed that half of IT leaders are concerned about the security of cloud computing resources, while an Ernst & Young study from 2011 found nine out of 10 IT decision-makers believed external certification would increase their trust in cloud computing.

The cloud computing sector is forecast to grow at a pace of 36% every year, reaching revenues of $20bn (£12.7bn) by 2016.

More on cloud adoption and hurdles

The newly launched technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard, together with the CSA’s Cloud Control Matrix, a specified set of criteria that measures the capability levels of the cloud service.

ISO 27001 is a specification for an information security management system. It uses a top-down, risk-based approach, and is technology-neutral.

The Star certification will cover cloud computing security issues across 11 areas (see box).

“Especially in light of recent government revelations, both consumers and providers of cloud-based services have been asking for independent, technology-neutral certification to help them make more informed decisions about the services they purchase and use,” said Daniele Catteddu, managing director for Europe at CSA.

“In providing a rigorous, user-centric assessment, the certification will provide an additional layer of transparency that the industry has been calling for,” she said.

The 11 areas to be covered by Star certification

  1. Compliance
  2. Data governance
  3. Facility security
  4. Human resources
  5. Information security
  6. Legal
  7. Operations management
  8. Risk management
  9. Release management
  10. Resiliency
  11. Security architecture

BSI will assign a management capability score to each of the 11 control areas. Each control will be scored on a specific maturity and will be measured against five management principles.

The internal report will show cloud and datacentre providers how mature their processes are and what areas they need to consider improving on to reach an optimum level of maturity.

These maturity levels will be designated “no”, “bronze”, “silver” or “gold” awards.

“Technological developments in the workplace and desire for employees to be able to work flexibly have led to increased business demand for cloud services. However, many organisations are wary of cloud services due to a variety of security concerns,” said Elaine Munro, head of global portfolio management at BSI.

“The Star certification will help alleviate this problem, as it will provide organisations and consumers with a clear benchmark on which to evaluate the performance of a cloud service provider.”  

Read more on Datacentre performance troubleshooting, monitoring and optimisation