The long search for certifiably sane cloud security


Regular readers of this blog will know that one of my bugbears is the over-simplification, to the point of downright abuse, of the term 'security' when applied to the cloud.

"We haven't adopted a cloud implementation strategy as of yet due to security concerns" and "security needs to be sorted out for the cloud to be a serious consideration" are common enough examples of the generic meaninglessness the word has acquired in far too many corners of the business community.

This dilution of the concept of security into a meaningless catch-all bugs me simply because the same people who bandy it about hardly ever explain exactly what they mean, hardly ever expand upon what those security fears actually are. The barge-pole brigade who keep the cloud at arm's length in case their corporate security policy is somehow infected by an unknown attacker are, in my never humble opinion, fearful of their own technological shadow. They see shapes in the ether and get the jitters - yet they have no rational explanation as to why. They cannot bring forward an argument about data sovereignty or encryption at rest or even compliance issues.

Which is why I was quite pleased to discover that someone is doing something about it.

If, as I suspect, the generic security bogeyman is never going to be consigned to the 'excuses that are no longer valid' box, then that 'something' has to address those general fears in a general way. I've never been the greatest fan of certification schemes in the IT industry; all too often they end up about as much use as a one-legged man at an arse-kicking party, crippled by proprietary influences and a total lack of industry-agreed standardisation.

The Cloud Security Alliance (CSA) STAR Register is a self-assessment-based route to more transparency within the cloud provider industry. Unfortunately, with just a dozen providers of cloud services on the register, it's hardly taken the industry by storm. Plus, it's a self-assessment reporting register, which always carries a hint of self-congratulatory back-slapping with it - although in this case it does bring a certain amount of standardisation into the process with its Consensus Assessments Initiative Questionnaire (CAIQ) and Cloud Controls Matrix (CCM).

Yet there's no doubt that certification of some sort at the cloud service provider level has to be a good thing, especially when it comes to calming down the insecurity blowhards. A recent nCircle survey (2012 Cloud Security Trend Study) of information security professionals revealed that some 80 percent wanted CSPs to be compliant with regulatory requirements such as the Payment Card Industry Data Security Standard (PCI-DSS) and Sarbanes-Oxley (SOX).

So perhaps the news that the Cloud Security Alliance (CSA) is partnering with the British Standards Institution (BSI) to bring international standardisation to its Open Certification Framework (OCF) is just what the cloud market needs. This builds upon the STAR scheme, which becomes just the first step of the OCF ladder. Next year we should see the second step, which will be an independently assessed certification process, to be joined at some point by a third level that encompasses continuous monitoring.

If what all this means is that cloud providers can end up with a certification scheme that carries the same kind of weight amongst decision makers and budget-string-pullers as an ISO standard, then that has got to be a good thing. Mind you, I understand that there is an actual ISO standard (ISO 27017) in the pipeline which should appear within two or three years. This would be a better fit for the cloud than the generic ISO 27001 information security certification that exists today.

None of which gets around the fact that business still needs to understand what it is scared of and why, rather than just accept that a provider with a certificate will make it all just go away, of course ...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.