Google, Verizon, Intel, McAfee, Microsoft and Savvis are joining a voluntary program set up by the Cloud Security Alliance that provides public information about whether contributors comply with CSA-recommended cloud-security practices.
By reading reports submitted to CSA's Security Trust and Assurance Registry (STAR), potential customers of participating providers can more readily assess whether products and services meet their security needs.
To encourage other participants, CSA is encouraging businesses to require that any cloud vendors they deal with to submit reports to CSA STAR.
eBay requires cloud vendor submissions
For example, eBay is requiring the submissions from all cloud vendors it works with, says the company's CISO Dave Cullinane. He says the information will help eBay security and its customers' privacy. Similarly, Sallie Mae will look for cloud vendors to demonstrate their security via CSA STAR filings.
CSA STAR lets participants file self-assessment reports about whether they comply with CSA best practices. The registry will also list vendors whose governance, risk management and compliance (GRC) wares take the CSA STAR reports into account when determining compliance. The idea is that customers will be able to extend GRC monitoring and assessment to their cloud providers, the CSA says.
Google, Microsoft, Savvis and Verizon will submit information about their services and Intel and McAfee will file reports about security products.
CSA announced the keystone participants in its STAR program at CSA Congress 2011 in Orlando, Florida, this week.
CSA also announced it is extending its scrutiny to cloud-based security service providers - businesses that offer security services from cloud platforms.
Cloud security concerns
Customer concerns with security as a service include:
= Systems might not be locked down properly.
= Personnel might not be vetted thoroughly.
= Data leakage among virtual machines within multi-tenant environments.
= Cloud-based security services might not meet compliance standards.
"When deploying Security as a Service in a highly regulated industry or environment," says the CSA's latest Guidance for Critical Areas of Focus in Cloud Computing, "agreement on the metrics defining the service level required to achieve regulatory objectives should be negotiated in parallel with the SLA documents defining service."
These cloud-based security services are wide-ranging and include identity and access management, data loss protection, Web and email security, encryption and intrusion prevention, CSA says.