In the past weeks, there have been several press releases from CSPs (Cloud Service Providers) announcing new certifications for their services. In November, BSI announced that Microsoft Azure had achieved Cloud Security Alliance (CSA) STAR Certification. On December 15th, Amazon Web Services (AWS) announced that it had successfully completed the assessment against the compliance standard of the Bundesamt für Sicherheit in der Informationstechnik (BSI), the Cloud Computing Compliance Controls Catalogue (C5).
What value do these certifications bring to the customer of these services?
The first value is compliance. A failure by the cloud customer to comply with laws and industry regulations in relation to the way data is stored or processed in the cloud could be very expensive. Certification that the cloud service complies with a relevant standard provides assurance that data will be processed in a way that is compliant.
The second value is assurance. The security, compliance and management of the cloud service is shared between the CSP and the customer. Independent certification provides reassurance that the CSP is operating the service according to the best practices set out in the standard. This does not mean that there is no risk that something could go wrong – it simply demonstrates that the CSP is implementing the best practices to reduce the likelihood of problems and to mitigate their effects should they occur.
There are different levels of assurance that a CSP can provide – these include:
CSP Assertion – the CSP describes the steps they take. This value of this level of assurance depends upon the customer’s trust in the CSP.
Contractual assurance – the contract for the service provides specific commitments concerning the details of the service provided. The value of this commitment is determined by the level of liability specified in the contract under circumstances where the CSP is in default as well as the cost and difficulties in its enforcement.
Independent validation – the cloud service has been evaluated by an independent third party that provides a certificate or attestation. Examples of this include some forms of Service Organization Control (SOC) reports using the standards SSAE 16 or ISAE 3402. The value of this depends upon the match between the scope of the evaluation and the customer’s requirements as well as its how frequently the validation is performed.
Independent testing – the service provided has been independently tested to demonstrate that it conforms to the claims made by the CSP. This extends the assessment to include measuring the effectiveness of the controls. Examples include SOC 2 type II reports as well as some levels of certification with the Payment Card Industry data security Standard (PCI-DSS). The value of this depends upon the match between the scope of the evaluation and the customer’s requirements as well as how frequently the testing is performed.
The latter of these – Independent testing – is what customers should be looking for. However, it is important that the customer asks the following questions:
1) What is the scope of the certification? Does it cover the whole service delivered or just parts of it – like the data centre?
2) How does the standard compare with the customer’s own internal controls? Are the controls in the standard stronger or weaker?
3) Is the standard relevant to the specific use of the cloud service by the customer? Many CSPs now offer an “alphabet soup” of certifications. Many of these certifications only apply to certain geographies or certain industries.
4) How well is your side of cloud use governed? Security and compliance of the use of cloud services is a shared responsibility. Make sure that you understand what your organization is responsible for and that you meet these responsibilities.
For more information on this subject see: Executive View: Using Certification for Cloud Provider Selection - 71308 - KuppingerCole.