Following our tradition of commenting on schemes similar to security rating in order to help understand it, we are going to analyze the aforementioned certification scheme developed by EuroCloud Germany (EuroCloud Deutschland_eco e.V.).
We must say first that we have carried out this analysis based on the documents published on its website, in particular "General product information and pricing" (pdf) and "Quick Reference" (pdf), because the audit guides are not public: a confidentiality agreement with clients covers the audit guide and scope [which surprised us a little], and they are explained in workshops organized by EuroCloud at a price of 600€ (which is deducted from the audit price if the audit is ordered in the following 6 months).
Below we explain the similarities and differences detected across both documents:
Use of levels
We consider it a great success that different grades are considered for certification. In this case, the certification uses an analogy with hotel star gradations (from 1 to 5), just as five levels are used in rating (from A to E). Unfortunately, it seems that certifications are only granted from 3 stars upward, which leaves only three operational levels (3, 4 or 5 stars).
The difference is that the levels used by the certification are general, while rating uses its 5 levels in each security dimension (confidentiality, integrity and availability).
In fact, all documents carry that subtitle (SaaS). There are actually three modalities of certification, which could be summarized in the following equation:
Star Audit SaaS certification = Star Audit SaaS Ready certification + Star Audit SaaS App certification
Total = Infrastructure + Application
Rating does not distinguish between cloud delivery models; in fact, it is valid for every type of ICT service, the only difference being that not all controls would be applicable to every type of service.
The EuroCloud scheme relies on the auditor team of eco IT Service und Beratung GmbH, which, like EuroCloud, belongs to the Association of the German Internet Industry (eco), while the leet security rating is a combination of self-assessment (with initial validation) and periodic audits.
In this aspect, we find both differences and similarities. On one side, while the certification has a validity of 24 months, the rating is valid for 12 months.
But, on the other side, both schemes agree on obtaining the vendor's commitment to notify any circumstance that could impact the certification or rating.
We also find similarities in this element. Both schemes agree on the importance of publishing the results of the certification or rating.
While in leet security prices depend on vendor size, in the EuroCloud scheme the price depends, on one side, on the type of certification requested (total, infrastructure or application) and, on the other, on the number of stars sought (for example, 12,500 EUR for a general certification of 3 stars or 26,500 EUR for 5 stars).
In fact, there is also a similarity: EuroCloud members get a discount in both schemes; in the certification because EuroCloud is the one that offers the service, and in the case of our rating thanks to the agreement [in Spanish] with EuroCloud Spain.
The criteria included in the EuroCloud certification are the following:
- Contract and compliance
- Operations and infrastructure
- Operational processes
The big difference with respect to security rating is that rating is focused on security and resilience, while the certification includes elements more related to application operation (a whole section), given that its approach is more specific (SaaS) and not as general as security rating.
Ultimately, each scheme has its own approach, with its advantages and disadvantages. We hope we have illustrated the similarities and differences well and have outlined the elements for which we think rating offers valuable information to users.
You can follow us on twitter.com/leet_security