Working with BSI, or British Standards Institution, a U.K. advocate for information security standards, the Cloud Security Alliance detailed the Open Certification Framework for the first time Monday. Under the first and only active stage, cloud providers submit a self-assessment in the CSA Star Registry to recognize that they comply with the organizations’ on-demand best practices. (The third version of those best practices was released in November 2011.)
The second step, expected to be ready in the first half of 2013, involves a third-party independent assessment based on ISO/IEC management systems standards and CSA’s Cloud Controls Matrix. This includes a service where an assessor gives a numerical score to a cloud vendor’s performance against the Cloud Controls Matrix over time. In a final stage, a continuous monitoring certification would be earned by cloud providers, though that level remains “under development.”
CSA Managing Director Daniele Catteddu said in a release on the new framework that their work with BSI will “better harmonize compliance concerns” within differing global regulatory schemes. David Brown, BSI director of corporate development, called the new framework a measure that adds security and reassurance from cloud providers to customers that the provider can “recover from any incident with minimal disruption.”
Board members of the not-for-profit Cloud Security Alliance include eBay and Coca-Cola, and IT vendor members include CA, Dell, HP, Microsoft, Oracle and RSA. CSA and BSI plan to release more details and progress on the standards framework Sept. 25 at the EMEA Cloud Security Congress 2012.
The announcement Monday is one of many cloud computing standards being hammered out and researched by a handful of other IT and enterprise trade groups, some of which have expressed concerns over the range of different standards.