The integrity of Cloud service providers will now be measured after it was revealed that more than half of organisations were reluctant to move into the cloud for fear of security flaws.
A Ponemon Institute report has found 51 per cent of companies were uncertain about migrating to the Cloud due to data breach concerns, while 56 per cent didn't know what their Cloud service provider was doing to protect and monitor their accounts.
The report coincides with the launch of a technology-neutral certification process which provides a “rigorous” independent assessment of a Cloud provider’s security.
The Cloud Security Alliance and BSI (incorporating NCSI) yesterday launched the STAR certification program, which awards a gold, silver or bronze rating (or no rating at all) based on 11 control areas outlined in the Cloud Controls Matrix.
The points include compliance, data governance, facility security, human resources, information security, legal, operations management, risk management, release management, resiliency and security architecture.
An independent assessment will assign a ‘management capability score’ to each of the 11 control areas; each control is scored on a maturity scale and measured against five management principles.
BSI managing director Nick Koukoulas said growing concerns around the security of Cloud services were holding back Cloud adoption.
“It’s really to respond to the growing business concerns when people are moving their commercial information into the Cloud,” he said.
“Organisations are mainly concerned about data breaches and they can’t judge services or measure what degrees of security cloud services will have.
“In providing a rigorous, user-centric assessment, STAR Certification will provide an additional layer of transparency that the industry has been calling for.”
Koukoulas said the response so far from the Cloud community had been very positive. “It’s still early days, this was only launched yesterday,” he said. “But there’s a great deal of interest in the rating of a cloud security provider.”
“But it also depends on what rating is achieved. If it’s a gold rating then the organisation (client) should feel comfortable that the capability factors are covered.”
ISO/IEC 27001 is the internationally recognised standard for information security management and is now being revised to ensure its relevance to the challenges facing companies.
The final draft standard has been developed and is expected to be published during late 2013.
The current standard remains valid and will continue to be accepted for a transition period after the new version of the standard is published.
BSI incorporating NCSI will support users through the transition once the new standard has been published, a spokesperson for BSI said.