The Cloud Security Alliance (CSA) and BSI have launched a technology-neutral certification they claim provides an additional layer of transparency around security controls used by cloud service providers.
Under the STAR Certification program, service providers will be able to give prospective users a greater understanding of their levels of security controls, the CSA and BSI said in a statement.
The new certification is based on achieving ISO/IEC 27001 and the criteria outlined in the Cloud Controls Matrix, a set of criteria that measures the capability levels of a cloud service.
There are 11 control points in this matrix, including compliance, data governance, facility security, human resources, information security, legal, operations management, risk management, release management, resiliency and security architecture.
An independent assessment by an accredited body will assign a ‘management capability score’ to each of the 11 control points. Each control is scored on a specific maturity and will be measured against five management principles, the companies said.
Nick Koukoulas, managing director at BSI (incorporating NCSI), said consumers and cloud providers have been asking for an independent, technology-neutral certification “to help them make more informed decisions about the services they purchase and use”.
“Many organisations are wary of cloud services due to a variety of security concerns. STAR Certification will help alleviate this problem, as it will provide organisations and consumers with a clear benchmark on which to evaluate the performance of a cloud service provider,” he said.