Cloud maturity model helps determine the security of cloud service providers

Source: Internet
Author: User
Keywords: security, customer level, maturity, cloud service provider

In almost every survey of cloud computing, security ranks first among the many reasons companies hesitate to adopt cloud-based technology. And rightly so: if you cannot determine how your data will be handled and adequately protected, it is foolhardy to adopt cloud services blindly, however tempting the economic benefits look.

So how can companies verify that cloud service providers are up to standard? Large companies and government departments may have the clout to demand a detailed inspection of a provider's sites and processes. Smaller companies rarely have that leverage.

Most notably, several initiatives from the Cloud Security Alliance (CSA) have tried to help companies at least ask the right questions of prospective providers, but this can still be a slow and arduous task. And as we have observed, small businesses that send questionnaires to large cloud service providers can expect little cooperation, let alone answers.

But help may be close at hand. A new cloud maturity model that scores cloud service providers promises simple guidance for enterprises: a security rating for providers that benefits both prospective buyers and the sellers who today must go through a separate audit process for every customer.

The Common Assurance Maturity Model (CAMM) is the brainchild of Raj Samani, a veteran of the security community who worked as a consultant in the public sector and is now European CTO of McAfee.

The formation of CAMM

Samani learned from an early project at a large enterprise how difficult it is to deal with a large number of suppliers. He simply did not have the resources or the budget to carry out the checks needed to make sure they were looking after the information he was responsible for under the Data Protection Act.

The solution came from a conversation with his father, who owns a hotel in central London. "My father was complaining about the troublesome customers who want a detailed inspection of the hotel, and he said it would cause a lot of trouble," Samani said. "His answer was that this is a one-star hotel, meaning it is not luxurious but inexpensive." That is all the customers need to know.

That exchange inspired the idea of a similar five-star rating system that could be applied to cloud computing services. Samani realised that if such a system were widely used, it would not only make it easier for cloud customers to find the right level of security and service, but would also ease the endless customer audits that providers have to endure.

That was two years ago, and since then a team of volunteers from various supporting organisations has been working hard; if CAMM gets some full-time staff to help, that situation should change quickly. Samani said he would announce full details of the recruitment plan at the CSA Summit in San Francisco in February.

CAMM components

Samani says the CAMM model is designed to cover baseline security controls, but it is mapped by design to other standards such as ISO 27001, COBIT and PCI DSS, because customers have specific requirements against those standards.

"The CAMM model provides a baseline level of control, and then you can add different modules to it," Samani said. "This means people can pay for the level of security they require." So if you need to find a level-3 provider with a PCI module in Germany, CAMM makes it easier to find such a company.

One important aspect of the CAMM model, Samani says, is that the tools and the intellectual property framework used to perform audits are free to anyone. "It's a labour of love," he added.

The only component companies need to pay for to start using the CAMM model is the Third Party Assurance Centre (TPAC). TPAC is a repository of information about service providers that lists the assurance level each has achieved against a range of metrics. TPAC will also serve as a marketplace connecting customers and providers: customers upload their requirements, listing the CAMM level plus any other modules they need, and TPAC immediately presents a short list of suppliers that meet them.

Samani added that the CAMM model would help security managers quantify residual risk in terms their bosses understand. "You go to the CEO and say, 'We're looking for a level 3 company but that leaves some risk,'" Samani said. "The CEO will then ask how much it costs to find a level 4 or level 5 company and then make a judgment after understanding the risk." Without something like this, you cannot have that kind of conversation about security with business executives.

The CAMM model recently went through alpha tests with four trial users; once the feedback from those tests has been digested in February, a series of beta tests will run before a full launch at the end of the year.

The project is supported by 150 organisations, including large cloud service providers, government bodies and industry groups such as the CSA and ISACA (Information Systems Audit and Control Association).

Reaction to the CAMM model

The CAMM approach is generally regarded as valuable and promising. Paul Simmonds, a board member of the international Jericho Forum and co-author of version 3 of the CSA Security Guidance, spoke of CAMM's invaluable role.

"The CAMM model has been very well thought out, and I'm very impressed," Simmonds said. "The model is modular in its domains, so as a user of cloud services you can clearly ask what level of security is required in different areas." CAMM makes it easier to draw up a short list of potential suppliers, and it continues to evolve into a more sophisticated and thorough audit approach that most companies can manage themselves.

The initiative has also received strong support from Europe, including from the steering committee of the European Network and Information Security Agency (ENISA). "We firmly believe that the CAMM model is key to helping cloud computing take off," said Giles Hogben, ENISA's security services programme manager, based in Crete, Greece.

However, Hogben cautioned that any new standard should avoid adding costs for companies. He added that measuring maturity on a scale of 1 to 5 is "likely to lead to oversimplification" and must be handled with care.

(Responsible editor: The good of the Legacy)
