Push Your Cloud Supplier to Participate in CSA STAR
Mon, March 26, 2012
Network World — Security is a top concern for potential cloud users, so the formation of the Cloud Security Alliance was welcome news when the organization emerged in 2009. And while many vendors have since joined CSA, precious few service providers have stepped up to take part in its Security, Trust and Assurance Registry.
The CSA STAR registry, rolled out last August, is "designed to index the security features of cloud providers using a 170-point questionnaire that end users are then able to peruse" (see story, "Cloud security registry slow to catch on").
Of the big guns that professed intentions to lay it on the line, only Microsoft has followed through to date. Kudos to them. Now it is time for enterprise buyers to pressure other suppliers to follow suit.
Survey after survey, after all, shows security issues are holding cloud back. The latest example: Study results released last month by European managed service provider Interxion identified "a perceived lack of security" as the top barrier to cloud computing adoption.
The market-leading cloud service providers are likely dragging their feet on STAR in the belief that coming clean would only give smaller competitors ammunition to use against them (anything you say or do can be used against you).
That can't work if buyers demand transparency through STAR, if they demand the right to see 1) if the cloud providers are doing enough, and 2) how the approaches of the different suppliers stack up.
Some suppliers cite as a reason for not participating in STAR that they don't want to reveal security details for fear of making it easier for bad guys to attack. But that's just a red herring. The alliance says in a FAQ that information collected is "intended to allow a provider to document its security practices without going into a level of detail that would expose sensitive information. For example, a provider will likely document whether or not they regularly perform application layer penetration testing, but would not likely publish detailed results of web scanning tools."
But STAR will only become meaningful if enough vendors partake, which will require enterprise buyers to demand participation (think "Show me the Carfax"). If you don't participate, this effort will collapse, making your job harder down the road when it comes time to weigh potential suppliers.
The good news: CSA Executive Director Jim Reavis says more vendors are in the wings and may come on board soon. Aid the cause by adding your voice to the chorus calling for this important industry effort.