New Security Certification On The Horizon For Cloud Services

Cloud security cert would go beyond existing SAS 70, ISO 27001 standards
A first-ever security certification dedicated to cloud services is in the works amid enterprise concerns about the safety of their data in the cloud.

There's no official security certification for cloud security service providers today: some use the SAS 70 or the ISO 27001 standards as their security certifications, neither of which is sufficient for providing potential cloud customers with assurances that the provider has deployed the proper security or that their data is sufficiently locked down, experts say.

"There needs to be a certification that is specifically for cloud providers," says Jim Reavis, co-founder and executive director of the Cloud Security Alliance. The Cloud Security Alliance is working with other key players in cloud security and auditing to determine which organizations should provide the certification, as well as what such a certification should include.

"This is going to be a shared thing," he says, noting that the certification is likely to be managed by multiple bodies. He says to expect a statement of direction for a cloud security certification around the first quarter of 2010.

"We are seeing a lot of demand," Reavis says. "We've got to move pretty quickly ... we've got some pressure" on us to get it done, he says.

But there's still a lot of work to do: Reavis says the entire cloud model of computing as a utility and its dynamic characteristics makes this a whole new ballgame for certification. "[Cloud computing] brings everything into question: where the machines are, what is the nature of data. If data is encrypted on the public cloud providers' [systems] and the key held by a separate cloud [provider] -- is that even data? There's some rethinking we need to do," Reavis says.

An enterprise's own security controls and their cloud security provider's controls must go hand in hand as well, says Bret Hartman, chief technology officer at RSA. "It's complicated with cloud computing because there are multiple parties involved," Hartman says.

"I think it's time for us to think about what a cloud certification would be ... and there would be different levels of certification required," Hartman says. "It would be different than SAS 70."

SAS 70 is basically a set of self-defined certifications for the internal business controls of an organization. It's everything from how human resources handles backup checks to data backup, patch management, and client administration, but it doesn't specifically address issues affecting cloud-based services.

The main catch is that one company's SAS 70 certification isn't the same as another's: "You define the controls as the service provider and the auditor comes in and makes a judgment whether these controls are sufficient or not" with testing, says Chris Day, chief security architect at cloud computing provider Terremark, which holds a SAS 70 certification. "SAS 70 is very enterprise-specific: my SAS 70 is different from yours or IBM's, for example. It's difficult to know whether my SAS 70 is more comprehensive than yours, which would be troubling for something as complex as cloud security."

Day says PCI is actually a better standard to gauge data security because it dictates a series of controls and how they should be implemented, and what level of logging should be deployed. "We have SAS 70, but it doesn't necessarily tell the whole story. SAS 70 is a foundational certification," he says.

The Cloud Security Alliance's Reavis says ISO 27001 is actually better for cloud services than SAS 70. "It's more holistic and covers more ground," he says. ISO 27001 specifies how an organization should handle its information security management, including security controls, risk assessment, and other issues.

Like SAS 70, it's also self-defined by each organization that uses the certification, however. "You can exclude from the certification some very important things," Reavis says. Even so, he says, ISO 27001 makes the most sense for now: "We feel that until we can get a cloud security certification, ISO is a better interim step" because it's more broad than SAS 70, he says.

But most cloud service providers don't even bother with SAS 70 or ISO 27001 certifications at all, Reavis says. "SAS 70 is the most common certification for those who [cloud providers] are doing anything" certification-wise, he says.

Dyke Hensen, CMO at PivotLink, a business intelligence provider that's SAS 70 Type II-certified, says SAS 70 alone isn't enough for cloud services, but it's as good as most mid-market companies have today security-wise. "SAS 70 is a move in the right direction, but it's not for everything," Hensen says.

Meanwhile, prospective cloud customers are starting to ask more questions about the security of their data in the cloud. "What I hear from customers is 'how do I know my data is being protected by this cloud service?'" RSA's Hartman says. They want assurance that their sensitive data is protected, and that they can demonstrate that to their auditors and upper management, he says.

"If there were a widely accepted and reliable certification for this, it would be a great way to address those requirements [for customers]," Hartman says.

RSA and VMWare today released best practices for identity and data protection in a cloud environment. Among the recommendations are setting policies for protecting data; transparency of the cloud provider so that customers can see their logs and events, for example; adoption of data encryption and masking, so that your data isn't accessible by another customer of the cloud provider; and federated identity management.

These are all areas that could be part of a cloud security certification, Hartman says.