Analysis of CSA cloud certification

We have published today a post at INTECO blog (in Spanish) about the certification proposed by Cloud Security Alliance (CSA) together with British Standard Institution (BSI) for cloud services security based on CSA's Open Certification Program. The goal of this post is analyze this certification from our perspective as security rating agency.

Use of levels

We are glad to see that the use of levels as mechanism to provide information is becoming common in the information security field. In this case, the CSA - BSI certification proposal also uses three levels (auto-assessment, third party audit and continuous audit), although levels depend on the evaluation rigor more not on the security controls as we do in security rating.

Approach

Considering CSA mission, proposed certification is focused on cloud services, being the security controls evaluated those included in CSA research material (basically CCM - Cloud Controls Matrix). In the other side, security rating covers ITC services in general, so security controls evaluated comes from a broader range of standards (from ISO27001, through PCI-DSS, to FFIEC).

Besides, security rating includes additional elements to security controls, that impacts in a general way on vendors (strategy, financial solvency, etc.) but that contributes, undoubtedly, in building a trust relationship between users and vendors.

Auto-assessment

As mentioned earlier, certification lowest level is vendor auto-assessment regarding CCM "compliance". We could think that this is the same that our rating procedure, but we must nos forget that, besides self-declaration by the vendor, our procedure includes additional controls, like periodic random audits or validation previous to rating publication that analyzes atypical applications.

As we can see, we are talking about two different frameworks, with different approaches, but in any case, both suppose an advance towards better trust relationships between users and vendors.