The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives. The program will support popular third-party assessment and attestation statements developed within the public accounting community.
Jim Reavis, executive director of the CSA, said: “We all recognize that no single certification, regulation or other compliance requirement will supplant all others in governing the future of IT. However, the rise of cloud as a global compute utility creates a mandate to better harmonize compliance concerns. Both consumers and providers alike will benefit from the knowledge that their CSA-backed compliance activities will be broadly applicable within global regulatory regimes.”
Carl Christian Buhr, European Commission Cabinet Member of Vice-President Neelie Kroes, during his keynote at SecureCloud 2012, said that he was pleased to hear that the CSA will be launching its certification framework.
The European Commission (EC) will include in the European Cloud Strategy document, which will be published this summer, an action on certification. The EC doesn't foresee any European mandatory certification scheme, but encourages and supports a market-driven, bottoms-up approach for security certification for cloud computing services/providers. This voluntary approach must bring together the "right people", in order to be accepted by the market and by national regulators.
The CSA Open Certification Framework is based upon the control objectives and continuous monitoring structure as defined within the CSA GRC (Governance, Risk and Compliance) Stack research projects. The CSA Open Certification Framework will support several options and tiers, recognizing the varying assurance requirements and maturity levels of providers and consumers. These will range from the CSA Security, Trust and Assurance Registry (STAR) self-assessment to high-assurance specifications that are continuously monitored. CSA will also work closely with the assurance community to develop programs for qualified assessors for the CSA Open Certification Framework.
“The Cloud Security Alliance has identified the gaps within the IT ecosystem that are inhibiting market adoption of secure and reliable cloud services. Consumers do not have simple ways to evaluate their providers’ resiliency, data protection capabilities and service portability,” said Daniele Catteddu, Managing Director, EMEA for the CSA. “This problem is exacerbated internationally, causing significant barriers to cloud adoption outside of national boundaries. The CSA Open Certification Framework provides a path for any region to address compliance concerns with trusted, global best practices.”
The CSA Open Certification Framework will provide explicit guidance for providers to use GRC Stack tools for multiple certification efforts. For example, scoping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM). The CSA will also provide guidance as to how a provider may use the CCM inside of an AICPA SSAE16 attestation. CSA supports certify-once, use-often, where possible.
By leveraging the CSA Open Certification Framework and tools within the GRC Stack, it will be possible for a regulatory regime to create a globally recognized certification that meets their own exacting assurance requirements”, said Aloysius Cheang, Managing Director, APAC for the CSA, “For example, we expect governments to be heavy adopters of the CSA Open Certification Roadmap to layer their own unique requirements upon the GRC Stack and provide agile certification of public sector cloud usage.”