Future of Cloud Security Assessments: Microsoft Leads with Public Registrations on CSA
On April 11, Microsoft completed security assessments for three of its services, Office 365, Windows Azure and Dynamics, under the Cloud Security Alliance's (CSA) Security Trust and Assurance Registry (STAR), which is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.
Microsoft is the first large cloud service provider to register security assessments that include responses to over 140 questions that constitute the Consensus Assessments Initiative Questionnaire (CAIQ). An immediate concern for providers will be the increased vulnerability to attacks from public disclosure of security controls, but CSA provides the following assurance:
The CAIQ is intended to allow a provider to document its security practices without going into a level of detail that would expose sensitive information. For example, a provider will likely document whether or not they regularly perform application layer penetration testing, but would not likely publish detailed results of web scanning tools.
For consumers a possible concern is that CSA expects these assessments to be maintained by the provider with no third party certifying them. CSA has the following view of third party certifications:
CSA feels transparency of security practices and scrutiny of providers via a crowdsourcing public is something the industry can leverage today that holds great promise to improve security baselines in the industry. We feel this agile approach to security assurance using market forces will be an important complement to rigorous certifications.
Cloud security concerns still remain the top inhibitor for adoption. CSA attempts to alleviate them by providing transparency and guidance to the evaluation process through the Governance, Risk Management and Compliance (GRC) toolkit of which STAR is a member. The CSA also maintains a security guidance document that covers established best practices and lessons learnt from GRC and other initiatives that go beyond technical concerns. One type of concern is the contractual and legal concern that may arise, similar to this quote from Computer Weekly earlier this year:
Peter Brudenall, outsourcing lawyer at Lawrence Graham, thinks 2012 could be the year that the cloud is shaken by a security problem. After all it is all part of learning. He said: "I predict there will be at least one major data breach affecting the cloud - and that may well cause companies to pause and re-think their use of the cloud (or at least the contractual protection they may be lacking compared to traditional outsourcing platforms)."
With Microsoft leading the pack by registering its service assessments, do you feel this will produce a cascading effect through the industry that will eventually lead to effective and objective security evaluations?
Oracle and other database vendors have greatly improved database security, following the secure by default principle for example, and placing strong security as a high priority. The cloud vendors will get there - eventually.
Microsoft does seem to be a leader in this area - their Security Development Lifecycle is a good resource for any software development shop working to improve their security controls. At first glance, I thought that having yet another alliance might further splinter and confuse the already confusing world of GRC, but it looks like the CSA is working with the ISO in drafting the next set of standards which seems to be a smart move, perhaps for both parties. These standards can take some time to hash out, so maybe that's where the agile/crowd-sourcing philosophy of the CSA can spur things along?
Todd Montgomery Dec 19, 2014