Risk

11/4/2009
05:25 PM
New Security Certification On The Horizon For Cloud Services

Cloud security cert would go beyond existing SAS 70, ISO 27001 standards

A first-ever security certification dedicated to cloud services is in the works amid enterprise concerns of the safety of their data in the cloud.

There's no official security certification for cloud security service providers today: some use the SAS 70 or the ISO 27001 standards as their security certifications, neither of which is sufficient for providing potential cloud customers with assurances that the provider has deployed the proper security or that their data is sufficiently locked down, experts say.

"There needs to be a certification that is specifically for cloud providers," says Jim Reavis, co-founder and executive director of the Cloud Security Alliance. The Cloud Security Alliance is working with other key players in cloud security and auditing to determine which organizations should provide the certification, as well as what such a certification should include.

"This is going to be a shared thing," he says, noting that the certification is likely to be managed by multiple bodies. He says to expect a statement of direction for a cloud security certification around the first quarter of 2010.

"We are seeing a lot of demand," Reavis says. "We've got to move pretty quickly ... we've got some pressure" on us to get it done, he says.

But there's still a lot of work to do: Reavis says the entire cloud model of computing as a utility, and its dynamic characteristics, make this a whole new ballgame for certification. "[Cloud computing] brings everything into question: where the machines are, what is the nature of data. If data is encrypted on the public cloud providers' [systems] and the key held by a separate cloud [provider] -- is that even data? There's some rethinking we need to do," Reavis says.

An enterprise's own security controls and their cloud security provider's controls must go hand in hand as well, says Bret Hartman, chief technology officer at RSA. "It's complicated with cloud computing because there are multiple parties involved," Hartman says.

"I think it's time for us to think about what a cloud certification would be ... and there would be different levels of certification required," Hartman says. "It would be different than SAS 70."

SAS 70 is basically a set of self-defined certifications for the internal business controls of an organization. It's everything from how human resources handles backup checks to data backup, patch management, and client administration, but it doesn't specifically address issues affecting cloud-based services.

The main catch is that one company's SAS 70 certification isn't the same as another's: "You define the controls as the service provider and the auditor comes in and makes a judgment whether these controls are sufficient or not" with testing, says Chris Day, chief security architect at cloud computing provider Terremark, which holds a SAS 70 certification. "SAS 70 is very enterprise-specific: my SAS 70 is different from yours or IBM's, for example. It's difficult to know whether my SAS 70 is more comprehensive than yours, which would be troubling for something as complex as cloud security."

Day says PCI is actually a better standard to gauge data security because it dictates a series of controls, how they should be implemented, and what level of logging should be deployed. "We have SAS 70, but it doesn't necessarily tell the whole story. SAS 70 is a foundational certification," he says.

The Cloud Security Alliance's Reavis says ISO 27001 is actually better for cloud services than SAS 70. "It's more holistic and covers more ground," he says. ISO 27001 specifies how an organization should handle its information security management, including security controls, risk assessment, and other issues.

Like SAS 70, it's also self-defined by each organization that uses the certification, however. "You can exclude from the certification some very important things," Reavis says. Even so, he says, ISO 27001 makes the most sense for now: "We feel that until we can get a cloud security certification, ISO is a better interim step" because it's more broad than SAS 70, he says.

But most cloud service providers don't even bother with SAS 70 or ISO 27001 certifications at all, Reavis says. "SAS 70 is the most common certification for those [cloud providers] who are doing anything" certification-wise, he says.

Dyke Hensen, CMO at PivotLink, a business intelligence provider that's SAS 70 Type II-certified, says SAS 70 alone isn't enough for cloud services, but it's as good as most mid-market companies have today security-wise. "SAS 70 is a move in the right direction, but it's not for everything," Hensen says.

Meanwhile, prospective cloud customers are starting to ask more questions about the security of their data in the cloud. "What I hear from customers is 'how do I know my data is being protected by this cloud service?'" RSA's Hartman says. They want assurance that their sensitive data is protected, and that they can demonstrate that to their auditors and upper management, he says.

"If there were a widely accepted and reliable certification for this, it would be a great way to address those requirements [for customers]," Hartman says.

RSA and VMware today released best practices for identity and data protection in a cloud environment. Among the recommendations are setting policies for protecting data; transparency on the part of the cloud provider, so that customers can see their logs and events, for example; adoption of data encryption and masking, so that your data isn't accessible by another customer of the cloud provider; and federated identity management.

These are all areas that could be part of a cloud security certification, Hartman says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.