8 - 9 March 2016

Brussels, Belgium

03/03/2015

Building trust in the cloud through transparent, flexible and detailed cloud certifications

CloudWATCH
Security and privacy certifications and attestations have been identified as one of the most effective and efficient means of increasing the level of trust in cloud services and stimulating their adoption. On this basis, a number of efforts have begun in Europe at policy level, led mainly by the European Commission (EC) in collaboration with the European Union Agency for Network and Information Security (ENISA) and the Cloud Standards Coordination (CSC) initiative of the European Telecommunications Standards Institute (ETSI). These efforts have aroused considerable interest in European approaches to cloud standards and in software industry development beyond the European Union.
 
How CloudWATCH is making a contribution
The CloudWATCH project is making an active contribution to European efforts through its focus on standards and certification, driving interoperability as the key to broader choice and fairer competition. Building on the work of ETSI and the EC's Cloud Select Industry Group, CloudWATCH aims to provide guidance to cloud service customers (especially public administrations and small and medium-sized companies), cloud service providers and policy makers in their evaluation of the available options for "certifying" the level of security and privacy of cloud services.
 
Main findings of the CloudWATCH analysis
 
Over the last 15 months, the CloudWATCH consortium has analysed the currently available cloud security certification schemes, with the following findings:
  • The majority of the certification schemes considered have some promising transparency features. However, in most cases the level of visibility and the information available about the certification process and the audit results are not yet sufficient.
  • Most of the certification schemes considered appear to provide the necessary level of scalability, and some seem to be cost efficient, but only a few clearly provide the necessary level of flexibility. This lack of flexibility is a potential problem, since it may prevent the underlying technical frameworks from evolving at the same pace as the cloud market, leaving them unable to satisfy changing requirements.
  • Only a few certification schemes are able to address the needs of organisations with differing levels of assurance. For example, very few schemes are based on a maturity/capability model, and very few include a self-certification option.
CloudWATCH recommendations
Based on these findings and our associated conclusions, CloudWATCH makes the following recommendations.
 
Add transparency requirements to the procurement process
We recommend that cloud customers, especially public administrations, adopt a cloud selection process that favours certifications/attestations which clearly support transparency. It is particularly important that the details of the technical standard(s) on which the certification assessment is based are clear to procurement officers. Knowing which technical controls a standard includes is the only way to judge whether that technical framework, and the certification scheme built on it, is suitable to satisfy the technical requirements and compliance needs of a given organisation. Weight should also be given to the quality of the assessment/audit itself. This recommendation is mainly addressed to public sector procurement offices, since they have the negotiating power needed to demand specific features and services.
 
Introduce an appropriate level of detail on information security approaches

We recommend that cloud providers introduce more transparency into their information security approaches. We do not suggest an approach based on full disclosure, as we appreciate that in some cases this is not possible given the confidentiality of some of the information included in the assessment report. Cloud providers should nevertheless be willing to provide as much detail as possible about the results of their certification assessment reports.
 
Soft law supporting transparency
We recommend that policy makers work on soft law to foster transparency by supporting certification schemes that enable it. Transparency is a fundamental attribute of accountability and an essential trust-enabling component, and the adoption of soft law supporting transparency could remove the need for binding regulatory intervention, which may not be the most appropriate measure in a market that is still developing and in continuous transformation.
 
Increase trust through clearly defined SLAs
We recommend that cloud providers and customers clearly define the scope, requirements and monitoring parameters of the SLA, which may differ significantly from customer to customer depending on their compliance needs. Policies and procedures should be implemented to ensure consistent review of SLAs between providers and customers across the relevant supply chain.
 
Certification schemes should provide scalability, flexibility and cost efficiency
Finally, we recommend that policy makers endorse, or demand, certification schemes that provide scalability, flexibility and cost efficiency and that match the different assurance levels requested by regulatory authorities and by customers of every kind (public administrations, micro, small and medium-sized companies, and large enterprises). There is a clear trade-off between the level of rigour and the cost of certification (self-certification is obviously less expensive than certification based on third-party assessment). To make the market more efficient, each actor should be able to select the most cost-effective solution that satisfies its assurance needs.
 

Authors:

Daniele Catteddu, Cloud Security Alliance