
Cloud Security Certification In Development, But It Won't Be Quick

The news that formal security certification for cloud-based services is in development is welcome news indeed. The news that the players involved understand just how complicated devising a certification will be is also good news, however little it may seem so at the moment.
At the moment, as Kelly Jackson Higgins points out in a good, thorough piece, there's no specific security certification for cloud-based services.

As a result, providers are using either SAS 70 or ISO 27001, generally established before the cloud was anything more than an idea.

That's changing.

The Cloud Security Alliance (CSA) has announced that it's working to put together both a list of who should be the issuing authority behind a cloud-specific security standard and a list of what the standards should address.

The process won't necessarily be quick; an initial statement of direction is expected during the first quarter of next year.

By which time, of course, the cloud and its nature will have continued its explosive growth in both popularity and security concerns.

Still, there's cause for optimism in the very fact that the matter is being addressed, and that CSA is well aware of and attendant to how the diffuse nature of the cloud itself will require a certain diffusion of authority in the setting of standards.

Higgins quotes the CSA executive director as saying, "This is going to be a shared thing."

It's going to have to be to have any hope of effectiveness.

A broad-based group addressing the standards issue(s) will, by the nature of its breadth and membership, help define what the standards-setters at least see as not only the key players but also the key issues and how standards will be established.

There's likely to be a pretty good wrangle as the standards move from statement of direction to actual development, but that too will help refine the sense of what the cloud is, at least to what we can hope really will be a broad and inclusive group putting together broad, inclusive, and above all effective and usable standards for cloud security service.
