By Scott Morrison
August 17, 2011 03:00 PM EDT
As a vendor of security products, I see a lot of Requests for Proposal (RFPs). More often than not these consist of an Excel spreadsheet with dozens—sometimes even hundreds—of questions ranging from how our products address business concerns to security minutiae that only a high-geek can understand. RFPs are a lot of work for any vendor to respond to, but they are an important part of the selling process and we always take them seriously. RFPs are also a tremendous amount of work for the customer to prepare, so it’s not surprising that they vary greatly in sophistication.
I’ve always thought it would be nice if the SOA gateway space had a standardized set of basic questions that focused vendors and customers on the things that matter most in Governance, Risk and Compliance (GRC). In the cloud space, such a framework now exists. The Cloud Security Alliance (CSA) has introduced the Security, Trust and Assurance Registry (STAR), which is a series of questions designed to document the security controls a cloud provider has in place. IaaS, PaaS and SaaS cloud providers will self-assess their status and publish the results in the CSA’s centralized registry.
Providers report on their compliance with CSA best practices in two different ways. From the CSA STAR announcement:
1. The Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings. The questionnaire (CAIQ) provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed Consensus Assessments Initiative Questionnaire.
2. The Cloud Controls Matrix (CCM), which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Providers may choose to submit a report documenting compliance with the Cloud Controls Matrix.
The spreadsheets cover eleven control areas, each subdivided into a number of distinct control specifications. The control areas are:
- Compliance
- Data Governance
- Facility Security
- Human Resources
- Information Security
- Legal
- Operations Management
- Risk Management
- Release Management
- Resiliency
- Security Architecture
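A STAR submission is only useful to a buyer once someone reads the spreadsheet and turns it into a list of gaps per control area. The following Python script is an added example, not code from the article or from the CSA: it takes a CAIQ-style export (constructed sample rows; the control IDs and question wording are illustrative, not the real CAIQ content), normalises the provider's answers, computes per-area coverage, lists every control answered "No" so it can be raised with the provider, and flags any of the eleven control areas the submission does not address at all.

```python
"""Triage a CSA CAIQ-style self-assessment (constructed example, not CSA tooling)."""
import csv
import io

# The eleven STAR control areas named in the article.
CONTROL_AREAS = [
    "Compliance", "Data Governance", "Facility Security", "Human Resources",
    "Information Security", "Legal", "Operations Management", "Risk Management",
    "Release Management", "Resiliency", "Security Architecture",
]

# Constructed sample rows in the shape a spreadsheet export might take:
# control area, control specification id, question, provider answer, notes.
# IDs and questions are made up for illustration; they are not real CAIQ items.
SAMPLE_CSV = """control_area,control_id,question,answer,notes
Compliance,CO-01,Do you conduct independent audits at least annually?,Yes,SOC 2 Type II
Compliance,CO-02,Can tenants view your third-party audit reports?,No,
Data Governance,DG-01,Is tenant data classified by sensitivity?,Yes,
Data Governance,DG-02,Is tenant data encrypted at rest?,N/A,Tenant-managed keys
Information Security,IS-01,Do you maintain an information security programme?,Yes,
Information Security,IS-02,Are privileged actions logged and reviewed?,no,
Security Architecture,SA-01,Are production and non-production environments separated?,Yes,
"""


def parse_caiq(text):
    """Parse CSV text into rows, normalising answers to Yes / No / N/A.

    Anything else is rejected: a free-text or blank answer is not an
    assessment, and a control area outside the framework is a data error.
    """
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        raw = r["answer"].strip().upper()
        if raw == "YES":
            answer = "Yes"
        elif raw == "NO":
            answer = "No"
        elif raw in ("N/A", "NA"):
            answer = "N/A"
        else:
            raise ValueError(f"unrecognised answer {r['answer']!r} for {r['control_id']}")
        area = r["control_area"].strip()
        if area not in CONTROL_AREAS:
            raise ValueError(f"unknown control area {area!r} for {r['control_id']}")
        rows.append({"control_area": area, "control_id": r["control_id"].strip(),
                     "question": r["question"], "answer": answer, "notes": r["notes"]})
    return rows


def summarise(rows):
    """Count Yes / No / N/A answers for every control area (zero if absent)."""
    summary = {area: {"Yes": 0, "No": 0, "N/A": 0} for area in CONTROL_AREAS}
    for r in rows:
        summary[r["control_area"]][r["answer"]] += 1
    return summary


def coverage(summary, area):
    """Share of applicable controls answered Yes; None if nothing applicable."""
    c = summary[area]
    applicable = c["Yes"] + c["No"]
    return c["Yes"] / applicable if applicable else None


def gaps(rows):
    """Control ids answered No: the items to take back to the provider."""
    return [r["control_id"] for r in rows if r["answer"] == "No"]


def unaddressed_areas(summary):
    """Control areas with no rows at all, i.e. silently skipped by the submission."""
    return [a for a, c in summary.items() if c["Yes"] + c["No"] + c["N/A"] == 0]


if __name__ == "__main__":
    rows = parse_caiq(SAMPLE_CSV)
    summary = summarise(rows)
    for area in CONTROL_AREAS:
        cov = coverage(summary, area)
        print(f"{area:22s} {summary[area]}  coverage={'-' if cov is None else f'{cov:.0%}'}")
    print("gaps to raise with provider:", gaps(rows))
    print("areas not addressed:", unaddressed_areas(summary))
```

The ratio deliberately excludes "N/A" answers so that a provider cannot raise its score by marking controls not applicable; those rows still appear in the counts, so a reviewer can see how much of an area was waved away rather than answered.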
The CSA hopes that STAR will help to shorten purchasing cycles for cloud services because the assessment addresses many of the security concerns that users have today with the cloud. As with any benchmark, over time vendors will refine their product to do well against the test—and as with many benchmarks, this may be to the detriment of other important indicators. But this set of controls has been well thought through by the security professionals in the CSA community, so cramming for this test will be a positive step for security in the cloud.
Copyright © 2011 Ulitzer, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Scott Morrison
K. Scott Morrison is the Chief Technology Officer and Chief Architect at Layer 7 Technologies, where he is leading a team developing the next generation of security infrastructure for cloud computing and SOA. An architect and developer of highly scalable, enterprise systems for over 20 years, Scott has extensive experience across industry sectors as diverse as health, travel and transportation, and financial services. He has been a Director of Architecture and Technology at Infowave Software, a leading maker of wireless security and acceleration software for mobile devices, and was a senior architect at IBM. Before shifting to the private sector, Scott was with the world-renowned medical research program of the University of British Columbia, studying neurodegenerative disorders using medical imaging technology.
Scott is a dynamic, entertaining and highly sought-after speaker. His quotes appear regularly in the media, from the New York Times, to the Huffington Post and the Register. Scott has published over 50 book chapters, magazine articles, and papers in medical, physics, and engineering journals. His work has been acknowledged in the New England Journal of Medicine, and he has published in journals as diverse as the IEEE Transactions on Nuclear Science, the Journal of Cerebral Blood Flow, and Neurology. He is the co-author of the graduate text Cloud Computing, Principles, Systems and Applications published by Springer, and is on the editorial board of Springer’s new Journal of Cloud Computing Advances, Systems and Applications (JoCCASA). He co-authored both Java Web Services Unleashed and Professional JMS. Scott is an editor of the WS-I Basic Security Profile (BSP), and is co-author of the original WS-Federation specification. He is a recent co-author of the Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing, and an author of that organization’s Top Threats to Cloud Computing research. Scott was recently a featured speaker for the Privacy Commission of Canada’s public consultation into the privacy implications of cloud computing. He has even lent his expertise to the film and television industry, consulting on a number of features including the X-Files. Scott’s current interests are in cloud computing, Web services security, enterprise architecture and secure mobile computing—and of course, his wife and two great kids.
Layer 7 Technologies: http://www.layer7tech.com
Scott's LinkedIn profile.
Twitter: @KScottMorrison
Syscon blog: http://scottmorrison.sys-con.com
Ulitzer content is offered under Creative Commons "Attribution Non-Commercial No Derivatives" License.
For any reuse or distribution, you must make clear to others the license terms of this work.
The best way to do this is with a link to this web page.
Any of the above conditions can be waived if you get written permission from Ulitzer, Inc., the copyright holder.
Nothing in this license impairs or restricts the author's moral rights.