Cloud Security Alliance registration project struggling


Last August, the Cloud Security Alliance (CSA) announced a registration project at the Black Hat security conference in Las Vegas, which it hopes will let cloud users easily assess and compare the security controls of cloud vendors. But so far only three companies have submitted their cloud security data, which leaves the registration project of very limited use.

The Security, Trust and Assurance Registry ("STAR") project is designed to evaluate the security features of vendors using a 170-point questionnaire; end users can then view these assessments. Some big brands (such as Google, Intel, McAfee, Verizon and Microsoft) agreed to participate shortly after the Cloud Security Alliance announced the STAR project, but so far Microsoft is the only one of these suppliers to have submitted data.

Kyle Hilgendorf, a Gartner analyst covering the cloud computing industry, is disappointed that more suppliers have not joined the project. The project could give end users valuable information about cloud vendors, but only if most companies take part.

"If you have only three or four suppliers, end users cannot measure cloud providers from a market-wide perspective," says Hilgendorf.

Jim Reavis, executive director of the Cloud Security Alliance, remains bullish on the project. He says he expects more vendors to submit data by the end of the year, and that several vendors are at an advanced stage of submitting data. "Everything starts from scratch," he says.

The key issue affecting the project is what information vendors are willing and able to disclose. Jon Heimerl is director of security strategy at Solutionary, a managed security service provider and one of the three vendors that have submitted data to STAR. Mimecast, a cloud email optimization and security services company, is the third company to submit data.

"We answered these questions as clearly as possible without disclosing too much confidential information about our security protocols," Heimerl said. "The Solutionary approach is to answer a few questions and then contact them if they need additional information."

For example, Heimerl said that when answering questions about information encryption, the company replied that it uses 256-byte encryption code and device hardening methods. However, it did not disclose exactly what those hardening methods were.

STAR staff said the registration project was designed to review vendors' cloud security practices, not to disclose information that could disrupt a vendor's network or customer data.

Reavis said: "The information we ask for is not detailed enough to pose a security risk." However, he says vendors must weigh which security information they can disclose without causing security risks. Reavis says all cloud providers have the information that STAR needs; the question is how they choose what information to expose.

Hilgendorf says another reason some suppliers hesitate to join STAR is that they have already disclosed most of this information in other ways. Amazon Web Services, Google and other vendors describe their security controls in dedicated sections of their websites. Some vendors may be weighing the value of submitting information to the Cloud Security Alliance when that information is already public elsewhere. There are also security certification standards, such as International Organization for Standardization (ISO) compliance, Payment Card Industry (PCI) compliance and Federal Information Security Management Act (FISMA) certification. If companies already comply with FISMA, Hilgendorf does not know whether they will feel the need to participate in the Cloud Security Alliance project.

Reavis said the survey was based largely on these certifications and asked for the same type of information.

This is useful information for customers, Hilgendorf says. The Cloud Security Alliance website provides a download of the questionnaire, which consists of 170 questions. The questions range from vendor compliance and certification to how much customer data is stored in the cloud, whether customers can access vendor audit information, and what types of audits and vulnerability tests the vendor has conducted. There are also questions about how data is separated so that data from multiple customers is not mixed together, as well as about data center security.

Orlando Scott-Cowley, product marketing manager at Mimecast, one of the three companies that submitted data to STAR, said that for suppliers, taking part lets them give customers a positive view of their security.

"Anyone can claim to be a cloud supplier, but it's important to let customers know about your security controls," he says. "We don't disclose any important information about how data is protected."

Hilgendorf expects the registration program to help small and medium-sized suppliers demonstrate their security controls and show their strength to the market. But real value will be realized only when the other 130 members of the Cloud Security Alliance participate in the project. (Compiled by 邹铮)

(Responsible editor: The good of the Legacy)
