The recent debut of the Cloud Security Alliance's Trusted Security Certification raises questions about the certification's scope and its value compared with other industry standards, according to observers and security channel pros.
The "Trusted Cloud Initiative," which launched this month, is intended to help cloud providers develop secure identity, access and compliance management configurations. The cloud computing certification criteria will be defined by members of the non-profit Cloud Security Alliance (CSA), which promotes best practices and uses 12 domains or criteria to define secure cloud computing environments.
The certification initiative was announced as a partnership between Novell Inc. and the CSA. That alliance, however, has raised concerns that the CSA's certification entity may not have the credibility of an industry-adopted auditor, like the American Institute of Certified Public Accountants (AICPA), which developed the SAS 70 standard.
Scope and SAS 70
The main concern of Larry Boettger, information security leader at Madison, Wisc.-based InfoSec Consulting Group, is that the certification focuses heavily on Domain 12, Identity and Access Management, rather than the entire spectrum of Cloud Security Alliance domains, which include focus areas like application security, encryption and key management, business continuity and disaster recovery.
"The biggest challenge is that there's not an entity looking at the cloud as a whole," said Boettger. "How do you do an audit of only one domain?" Boettger suggested that an IAM-focused certification leaves out other important cloud computing security areas that need to be addressed, including identifying malicious code or handling intrusion prevention.
The Cloud Security Alliance is actively looking at the best approach for full domain coverage, said Jim Reavis, co-founder and executive director of the Cloud Security Alliance.
"To be able to do a certification in a granular way that covers everything is a pretty big task," Reavis said. "There are other pieces that have to be put together before we can actually do a full certification."
The CSA is taking a measured approach and wants to begin by focusing on identity management and access control to data and SaaS applications in the cloud, which, according to Reavis, is a major pain point for enterprises and one that the Cloud Security Alliance can make progress on.
While no further announcements are imminent, Reavis thinks a full scope can be achieved eventually by aligning the CSA's controls research with existing certifications, like those of the International Organization for Standardization (ISO), while providing additional certifications to augment any gaps.
"The word 'standard' can be used to mean a lot of different things. What we see ourselves doing primarily is assembling standards like NIST, IEEE, DMTF and OpenGrid Forum, and putting them into reference models and criteria that can be used as a certification," said Reavis, who assured cloud providers that the CSA is committed to staying aligned with standard bodies that are addressing cloud security issues. "We want to use what they do and leverage it, rather than reinvent it."
Reavis also said the new certification has more granularity and cloud-specific guidance than a less specific standard like SAS 70.
"We see our certification as being narrower in focus and drilling deeper than a SAS 70 II would in regard to identity and access management. We see the seal as being complementary to a good SAS 70," added Reavis via email.
Chenxi Wang, principal analyst at Cambridge, Mass.-based Forrester Research Inc., agreed and considered the Trusted Security Certification to be more targeted than the self-imposed exercise of a SAS 70. A SAS 70 audit does not specify a pre-determined set of control objectives or control activities that organizations must achieve. In a SAS 70 Level-1 examination, an auditor issues its opinions on a company's self-selected controls.
"SAS 70 is a baseline and doesn't representative a complete set of security controls that a cloud consumer would be interested in," Wang said.
Boettger, however, said a SAS 70 Level-2 certification, which demands a demonstration of compliance to an auditor, could be valuable. A SAS 70 Type-2 certification, for example, could demonstrate a thorough review of the data center and all physical controls around it.
With a SAS 70 Level-2 audit, however, demonstration of scope is essential, Boettger said, and customers should examine what controls are being evaluated. "Cloud customers have to be pretty thorough about what they read in that report," he said. "A cloud service provider can tell its customers that they're SAS 70 Level-2 certified on every control included in the cloud," including other domains beyond identity management.
Achieving a vendor-neutral certification
Wang said she appreciates the work being done by cloud security standard creators, especially when there is no set way to compare one cloud vendor to another. Vendors are often evaluated separately, and service-level agreements and contracts are often drawn up without established security criteria. A set of standards that cloud vendors would have to adhere to, Wang said, is a worthy task.
"But people who drive the effort will have to come from the user side," Wang said, "not the vendor."
Boettger expressed similar skepticism about vendor associations. "If I were the folks on the CSA board, I'd be aligning myself with AICPA rather than a vendor," Boettger said. "If they're using vendors, it almost looks vendor-driven."
Wang also questioned vendor involvement in the development of the standard. "The result is a [certification] that is more identity-focused. It shows that their influence does skew things."
Anita Moorthy, senior solutions manager for cloud computing at Novell, believes that a vendor-neutral certification will be achieved. "The working group will develop the entire certification criteria and roadmap ... Novell will be one more participant in it," she said.
The prospect of a vendor-influenced certification would be a concern in a smaller group, Moorphy said, but the varied membership of the Cloud Security Alliance will provide checks and balances.
"The membership of CSA has a lot of heavyweights, [including] HP, VMware and Microsoft. If we get a good working group together, it won't be something that Novell can dictate over."
Reavis insisted that the vision of corporate members like Novell and their help with project management is necessary, but said the cloud computing research itself will be done primarily by the CSA Working Group 5 (WG 5), which currently has 59 members and is a diverse group representing every point of view and major geography. Reavis said via email that they are adding another 10-15 people to the group, and will create a sub-group. The members will be published in April.
According to the Cloud Security Alliance website, members of CSA represent a cross section of industry stakeholders, end-user organizations, cloud service, SaaS and technology providers, including Novell, Microsoft, Dell Inc., Cisco Systems Inc. and McAfee Inc., as well as individual representatives from Global 2000 organizations and world governments.
Nick Nikols, vice president of product management for Novell and former analyst with Midvale, UT-based research firm Burton Group, will serve as a co-chair for the initiative, along with Liam Lynch, chief security strategist for eBay.