This content is part of the Essential Guide: Combat the latest cloud security challenges and risks

Read between the lines of providers' cloud security assessments

Certifications are a good starting point to evaluate a cloud provider's security, but users need to dig deeper than a simple checkbox to understand how much risk is involved.

Cloud security assessments and certifications are designed to help businesses understand what steps a provider takes to protect confidential information. But while security certifications may provide users with some level of comfort, they're not always enough to guarantee that their information will be safe.

Data security continues to be a major bugaboo with public cloud. "After price, what level of security a provider offers is one of the first questions a business asks when examining a public cloud service," said Dan Blum, managing partner and principal consultant at Security Architects LLC, a consulting firm based in Washington, D.C.

Organizations often feel uncomfortable moving sensitive information from their own data center to that of a third-party provider. To assuage that feeling, businesses like to confirm that a provider has completed certain cloud security assessments, or holds certifications. Those cloud security certifications often consist of two elements. First, an ad hoc group develops a framework that outlines what checks should be put in place to safeguard data. Then, third parties develop processes to ensure that those checks are implemented.

Baseline IT security certifications

IT security is complex, so, through the years, frameworks emerged from many different groups. When evaluating a cloud provider's security, business often begin with Statement on Standards for Attestation Engagements 16, according to Pete Lindstrom, VP of security research at IDC, an analyst firm based in Framingham, Mass.

After price, what level of security a provider offers is one of the first questions a business asks when examining a public cloud service.
Dan Blummanaging partner and principal consultant at Security Architects LLC

The American Institute of Certified Public Accountants crafted the specification, which defines how service providers deploy security controls. The program produces three reports: Service Organization Controls (SOC) 1 focuses on financial reporting; the SOC 2 report evaluates the security, availability, processing integrity, confidentiality and privacy of a vendor's internal systems; and the SOC 3 reports the same information as SOC 2, but is designed for a general audience, rather than specific parties.

Two groups -- the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) -- worked together to craft a second set of standards. The ISO 27001 specification focuses on information security management systems and ISO 27002 describes system controls.

Cloud security assessments and certifications

The previous guidelines do not differentiate between cloud and traditional on-premises system security, but, more recently, cloud security assessments and certifications arose. For example, the National Institute of Standards and Technology Special Publication-500 specification outlines the role of cloud computing in the U.S. federal government. The document addresses cloud operations, management and security issues.

Vertical standards take shape

In addition to the horizontal standards, there are industry-specific certifications to look for when assessing cloud providers:

  • Health Insurance Portability and Accountability Act is used to protect personal medical information, principally in the USA.  
  • PCI-DSS safeguards consumer payment card credit information.
  • FedRAMP monitors government data and offers a standardized approach to security assessment, authorization and continuous monitoring of cloud services.
  • Information Assurance Framework was developed by the European Network Information and Security Agency, and aims to close network and information security holes.

Formed in December 2008, the Cloud Security Alliance (CSA) is a coalition that provides guidance for enterprises adopting cloud computing. The group's Cloud Controls Matrix consists of principles that help prospective cloud users assess a cloud provider's overall security risk. The group's Security, Trust and Assurance Registry (STAR) assessment and certification process features three cloud security certifications: Level 1 is a self-assessment by the provider; Level 2 is an assessment of the provider done by a third party; and Level 3 checks security on an ongoing basis rather than only one time.

Buyer beware

The customer has to determine if the need for the service offered outweighs any potential security risk.
Dan Blum

The various standards and certifications that a cloud provider can hold come with caveats. First, they fall short of the ironclad guarantee that some companies desire; a certification provides only a high-level overview of a provider's security checks.

Second, the specifications themselves work at a high level. For instance, a certification may require that a business deploy a strong authentication system/ttvideocomponent>

Small, niche or startup cloud providers may lack certifications. "The customer has to determine if the need for the service offered outweighs any potential security risk," Blum said.

Remember that cloud security assessments and certifications aren't a perfect reflection of a provider's security posture. To fully understand how your provider implements security processes -- and whether those processes are adequate -- a business needs to examine various reports, according to Blum. The reports usually are not published on a cloud provider’s website, so the user has to do some digging to find that information.

Next Steps

Get to know the CSA STAR certification program

What cloud security certifications are available for IT Pros?

Seven cloud security risks to put on IT's radar

Dig Deeper on Cloud security tools