Cloud Security – Who do you trust with your data?

Security concerns are still the major inhibitor of cloud adoption at many large companies. Has the BSI provided the reassurance that is needed with the CSA STAR Certification?

Various surveys this year have shown that between 31% and 50% of decision-makers considering a cloud migration cited security as their biggest impediment to adoption.

Cloud providers have long been aware of this situation, and the question always arises: how do they prove their security credentials?

Every cloud vendor will talk about their resilient architecture, tier 3 / 4 data centres, no single point of failure and so on; however, this specifically addresses uptime, not security.

To address security, cloud providers have embarked on certifying themselves against security and compliance standards.
This all sounds simple until you consider SSAE 16, SOC1, SOC2, NERC, NIST, ISA, IASME, HIPAA, HITRUST, BASEL II, GLBA, PCIDSS, SOX, C-TPAT, FACTA, FISMA, PIPEDA, CIF, ISO27001 and many more. In fact, never before have so many acronyms been squeezed into the same sentence.

The costs involved in certification can also be prohibitive for some providers, and in this competitive landscape, if you dig beneath the marketing words, there are many providers who reference certifications that they do not hold. It is not uncommon to state that a cloud is built within an ISO27001 data centre, or that an Infrastructure as a Service vendor has PCIDSS compliance, when PCIDSS can only be certified for each implementation of a payment system in the cloud and cannot serve as blanket cover for the cloud provider.

Outside of the US, the BSI ISO27001 certification is widely recognized and respected; large cloud providers such as Microsoft, Google and Salesforce have all adopted this standard as cloud services force the globalization of standards. The ISO27001 standard is, however, fairly generic and therefore does not focus on the areas of security that are critical to cloud computing providers.

Recognizing this, and in response to business concerns, the Cloud Security Alliance (CSA), a not-for-profit organization with a mission to promote best practices in cloud computing, created the Cloud Controls Matrix (CCM). The CCM specifies common controls that are relevant to cloud security.

In partnership with the CSA, the BSI has developed CSA STAR Certification, a new scheme created to address specific issues relating to cloud security as an enhancement to ISO27001.
A provider will first have to have achieved ISO27001, which provides the reassurance that the provider has the correct policies and controls in place to operate as a professional business to the highest standards, with the controls and accountability demanded by any CIO considering entrusting their data to an external company. The additional CSA STAR Certification demonstrates that the Cloud Service Provider's information security defences are robust and that the provider has addressed the specific issues critical to cloud security.

This new scheme will promote greater transparency and allow Cloud Service Providers to give their stakeholders confidence that they have the necessary controls in place to secure the data they hold.

The below diagram shows all the disciplines that are certified and controlled under the new CSA STAR Certification (reproduced courtesy of the BSI).

It is becoming more widely accepted that this new scheme, as an extension of the provider's standard ISO 27001 Information Security Management System, will be used by customers to underpin service level agreements (SLAs) and contractual terms. Additionally, the CSA STAR Certification is awarded at a Gold, Silver or Bronze rating to give a clearer understanding of the level of security measures that are in place.

Further reading –

CSA STAR Security Controls Diagram.
