Assurance and trust in the cloud

Although the popularity of cloud computing is increasing rapidly, potential customers may perceive security barriers that are inhibiting wider adoption of services, says Daniele Catteddu, Cloud Security Alliance managing director for Europe, the Middle East and Africa

While businesses still have concerns about security, privacy and data management in the cloud, these can be attributed to lack of trust in cloud computing services. Cloud can’t be viewed as more or less secure without understanding its level of security.

It can be said that the main barriers to adoption of cloud computing come from lack of trust, which is generated by the perceived lack of clarity in service level agreements (SLAs) and security or privacy policies, standard terms and conditions, and sometimes in the immaturity of cloud services. Transparency of cloud service providers in their approach to information security is the key to building trust in their services.

As security and privacy certifications and attestations have been identified as among the most effective and efficient means to increase the level of trust in cloud services, stimulating their adoption, cloud customers are recommended to adopt a cloud selection process that favours certifications or attestations that clearly support transparency.

In order to support cloud customers in this decision-making process, in April 2013 the European Commission (EC) launched the Cloud Select Industry Group (C-SIG) on certification with the aim of supporting the identification of certification schemes appropriate for the European Economic Area market.

Furthermore, in 2014, the European Network and Information Security Agency launched the Cloud Certification Schemes Metaframework (CCSM) initiative to map detailed security requirements used in the public sector to describe security objectives in existing cloud certification schemes. The goal of CCSM is to provide more transparency and help customers in the public sector with their procurement of cloud computing services.

Global organisations have also developed cloud security-specific certification schemes. For example, the Cloud Security Alliance (CSA) Open Certification Framework was created as an industry initiative to allow global, accredited, trusted certification of cloud providers. This integrates with popular third-party assessment (ISO 27001) and attestation statements (SOC2) developed within the public accounting community to avoid duplication of effort and cost.

Besides standards and certifications, clearly SLAs can provide visibility into security and privacy capabilities, and increase the level of trust in cloud computing services. Specification of security parameters in cloud service level agreements (secSLAs) has been recognised as a mechanism to bring more transparency and trust for cloud customers and service providers.

Lack of security awareness sometimes affects potential customers in their decision to adopt cloud computing

Unfortunately, the conspicuous lack of relevant cloud security SLA standards is a barrier for their adoption. The benefits related to the specification of standardised security elements in cloud SLA are clear as the usage of secSLA seems to be the missing piece on the cloud customer’s security assurance and transparency puzzle.

For these reasons, standardised cloud secSLAs should become part of the more general SLAs or master service agreements signed between the cloud service provider and its customers. Current efforts from CSA and ISO/IEC (International Organization for Standardization/International Electrotechnical Commission) in this field are expected to bring some initial results by 2016.

Cloud SLA-specific standards will appear in the short term, mostly lead by organisations like ISO/IEC which are working on the definition of common vocabularies, metrics and requirements. However, it should be noted that while the concept of secSLA is simple, the application, enforcement and monitoring are not.

Despite the existence of certification, SLAs and standards, the lack of security awareness sometimes affects potential customers in their decision to adopt cloud computing. In many cases, prospective cloud customers are unwilling or unable to make the organisational changes necessary for the effective use of cloud services. This needs to change in order to promote the secure uptake of cloud computing.