Following our tradition of commenting on schemes similar to security rating, to help understand it, we are going to analyze the aforementioned certification scheme developed by EuroCloud Germany (EuroCloud Deutschland_eco e.V.).

First of all, we must say that we have carried out this analysis based on the documents published on its website, in particular "General product information and pricing" (pdf) and "Quick Reference" (pdf), because the audit guides are not public: there is a confidentiality agreement with clients covering the audit guide and scope [which surprised us a little], and they are explained through workshops organized by EuroCloud at a price of 600€ (which is deducted from the audit price if the audit is ordered within the following 6 months).

Below we explain the similarities and differences we have detected across both documents:

Use of levels

We consider it a great success that different grades are used for the certification. In this case, the certification borrows the gradation of hotel stars (from 1 to 5), analogous to the five levels used in the rating (from A to E). Unfortunately, it seems that certifications are only awarded from 3 stars upward, which leaves only three operational levels (3, 4 or 5 stars).

The difference is that the levels used by the certification are general, while the rating applies its 5 levels to each security dimension separately (confidentiality, integrity and availability).

SaaS Approach

In fact, all the documents carry that subtitle (SaaS). Actually, there are three modalities of certification, which can be summarized in the following equation:

Star Audit SaaS certification = Star Audit SaaS Ready certification + Star Audit SaaS App certification

Total = Infrastructure + Application

The rating does not distinguish between cloud delivery models; in fact, it is valid for every type of ICT service. The only difference is that not all controls are applicable to every type of service.

Compliance Validation

The EuroCloud scheme relies on the auditor team of eco IT Service und Beratung GmbH, which, like EuroCloud, belongs to the Association of the German Internet Industry (eco), while the leet security rating is a combination of self-assessment (with initial validation) and periodic audits.

Validity

In this aspect we find both differences and similarities. On one side, while the certification has a validity of 24 months, the rating is valid for 12 months.

But, on the other side, both schemes agree on obtaining the vendor's commitment to notify any circumstance that could impact the certification or rating.

Communication

We also find similarities in this element. Both schemes agree on the importance of publicizing the results of the certification or rating.

Prices

While in leet security prices depend on vendor size, in the EuroCloud scheme the price depends, on one side, on the type of certification requested (total, infrastructure or application) and, on the other, on the number of stars sought (for example, 12,500 EUR for a general 3-star certification or 26,500 EUR for 5 stars).

In fact, there is also a similarity: EuroCloud members get a discount in both schemes; in the certification because EuroCloud is the one offering the service, and in the case of our rating thanks to the agreement [in Spanish] with EuroCloud Spain.

Evaluation Criteria

The criteria included in the EuroCloud certification are the following:

  • Contract and compliance
  • Security
  • Operations and infrastructure
  • Operational processes
  • Application
  • Implementation

The big difference with respect to the security rating is that the rating focuses on security and resilience, while the certification includes elements more related to application operation (a whole section), given that its approach is more specific (SaaS) and not as general as the security rating's.

Moreover, security does not appear until the requirements for the 4-star certification, while in the rating there are security requirements even at level E.

Ultimately, each scheme has its own approach, with its advantages and disadvantages. We hope we have illustrated the similarities and differences well and have outlined the elements for which we think the rating offers valuable information to users.

You can follow us on twitter.com/leet_security

17 September 2012