Guide to Cloud Certifications

Security and privacy certifications and attestations have been identified as one of the most effective and efficient means of increasing the level of trust in cloud services and stimulating their adoption. Based on this assumption, a number of efforts have been started in Europe at policy level, led mainly by the European Commission (EC) and its Special Industry Group on Certification, the European Union Agency for Network and Information Security (ENISA) and the European Telecommunications Standards Institute (ETSI), in which CloudWATCH plays a role.

There is now a growing interest in European solutions for cloud standards and software industry development beyond the European Union. Building on this work CloudWATCH aims to provide guidance to cloud service customers, cloud service providers and policy makers in their evaluation of suitable security and privacy certification schemes for cloud services. A core activity within CloudWATCH is looking into the topics of standards and certification in order to understand if and how certification can increase the level of trust in the cloud computing business model. 


Free guide to Cloud Certifications

CloudWATCH has analysed all currently available cloud security certification schemes and through our own Certification recommendations report we have established a set of recommendations for policy makers.

Furthermore, we provide guidance for cloud service customers, especially public administrations and small and medium companies, cloud service providers and policy makers in their evaluation of possible options for “certifying” the level of security and privacy of cloud services. In this section you can find the main security and privacy certification schemes currently available.

Watch the CloudWATCH webinar on the role of certification and standards for trusted cloud solutions


CloudWATCH Cloud Certification Recommendations

CloudWATCH is making an active contribution to European efforts through its focus on standards and certification, driving interoperability as key to ensuring broader choice and fairer competition. This CloudWATCH report is aimed at providing guidance for cloud service customers, especially public administrations and small and medium companies, cloud service providers and policy makers in their evaluation of possible options for “certifying” the level of security and privacy of cloud services.

CloudWATCH2: Takeaways from Cloud for Europe Certification Workshop

Monday, 14 September, 2015 - 16:15
A key takeaway of the workshop is the complexity of risk assessment for cloud services. There is a general lack of standards for cloud-specific risk assessment: the existing ISO standard relates mainly to ICT security in general, so there is a gap there. ENISA has identified 150 cloud risks and the Cloud Security Alliance 133 cloud controls. Checking and mapping these against each other is clearly a massive job for companies, and is usually simply too large an undertaking, especially for SMEs.

How to create a sound security certification scheme - a European experience

Security and privacy certifications and attestations have been identified as one of the most effective and efficient means of increasing the level of trust in cloud services and stimulating their adoption. Based on this assumption, a number of efforts have begun in Europe at policy level, led mainly by the European Commission (EC) in collaboration with ENISA and the ETSI Cloud Standards Coordination (CSC) effort. These efforts have aroused much interest in European solutions for cloud standards and software industry development beyond the European Union.

Cloud Computing Security Considerations - Australia

The Australian Department of Defence issued the Cloud Computing Security Considerations, which explains several cloud-related terms such as delivery models, deployment models, service types and benefits. The document targets users, with the aim of increasing their understanding of the fundamentals of the cloud computing paradigm, and helps them identify security threats that could have a malicious impact on the applications and data they deploy in the cloud. Rather than a list of security issues to be taken into account, the considerations are expressed as a series of questions that the potential user must answer; working through them helps the user understand the risks he or she may be taking on when migrating to the cloud.

Multi-Tier Cloud Security (MTCS) - Singapore

This standard describes the relevant cloud computing security practices and controls for public cloud users, public cloud service providers, auditors and certifiers. Recognising that security requirements differ from user to user, the multi-tier model specifies different control measures for different levels of security requirement (MTCS defines three levels, with Level 3 the most stringent). MTCS seeks to address needs such as cloud users' need for transparency, since transparency is a way to build trust between CSPs and cloud users. With the standard, certified CSPs are able to spell out more precisely the levels of security they can offer their users. This is done through third-party certification together with a self-disclosure requirement for CSPs covering the service-oriented information normally captured in Service Level Agreements. The disclosure covers areas including: data retention; data sovereignty; data portability; liability; availability; BCP/DR; and incident and problem management.

Federal Risk and Authorization Management Program (FedRAMP) - USA

FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. FedRAMP uses a "do once, use many times" framework intended to save the costs, time and staff that would otherwise go into redundant per-agency security assessments and the processing of monitoring reports.

TÜV Rheinland Certified Cloud Service

Certified Cloud Service is TÜV Rheinland's certification for cloud services of any kind and any operating model. Trustworthiness, transparency and quality are the key criteria in a company's search for a cloud service. Whether it wants to use infrastructure as a service, platform as a service or software as a service, one of the greatest concerns for a potential customer is the security of its corporate data.

EuroCloud – STAR Audit

The EuroCloud STAR Audit provides transparency about the cloud service delivery chain and the subcontractors involved, and covers: legal compliance according to the individual regulations of each EU country; data security and data privacy; data centre resilience; business operations; and reversibility and interoperability.

EuroPrise - The European Privacy Seal

EuroPrise is a European certification scheme that certifies compliance of IT products and services with a catalogue of criteria based on the European data protection directives (95/46/EC and 2002/58/EC) and the opinions of the Article 29 Working Party. The EuroPrise trustmark is awarded after (1) an evaluation by an independent accredited auditor and (2) validation of the resulting evaluation report by the EuroPrise certification body.

Cloud Security Alliance Open Certification Framework

The CSA Open Certification Framework (OCF) is an industry initiative to allow global, accredited, trusted certification of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance's security guidance and control objectives. The program integrates with third-party assessment and attestation statements developed within the public accounting community, to avoid duplication of effort and cost. The OCF is based on the control objectives and continuous monitoring structure defined within the CSA GRC (Governance, Risk and Compliance) Stack research projects. It supports several tiers, recognizing the varying assurance requirements and maturity levels of providers and consumers: these range from the CSA Security, Trust and Assurance Registry (STAR) self-assessment, through third-party STAR certification or attestation, to high-assurance specifications that are continuously monitored.

SSAE16 – SOC 1-2-3 - Service Organization Control (SOC)

For over 20 years, Certified Public Accountants have performed specialized audits of information technology (IT) internal controls at service organizations. During this time, a report by a CPA firm has become the standard for reporting on internal controls at a service organization as required by the U.S. Government, the Securities and Exchange Commission (SEC), the financial services industry, and the standard contract terms of countless service organization users. One of the main reasons for this wide adoption is that the professional standards underpinning these CPA reports give customers a basis for relying on the reports' conclusions. The objective of these Service Organization Control (SOC) reports is to provide the customers of service organizations, and the auditors of those customers, with assurance over the effective operation of IT controls designed to address IT risk to information processing. To provide the framework for CPAs to examine controls and to help management understand the related risks, the American Institute of Certified Public Accountants (AICPA) established three SOC reporting options: SOC 1, SOC 2 and SOC 3. In practice they answer different questions, and a cloud customer should ask for the right one. A SOC 1 report covers controls relevant to the customer's financial reporting; a SOC 2 report covers controls against the Trust Services criteria (security, availability, processing integrity, confidentiality and privacy) and is the one that speaks to the security of a cloud service; a SOC 3 report is a general-use summary of a SOC 2 examination without the detailed control descriptions and test results. A Type I report describes the design of controls at a point in time, whereas a Type II report also tests their operating effectiveness over a period (typically six to twelve months), so a Type II SOC 2 is the report that gives real assurance. Note that SSAE 16 has since been superseded by SSAE 18 (effective 2017); the SOC report types are unchanged.

ISO-IEC 27001: 2013 - Information security certification scheme

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS, which an accredited certification body can independently assess and certify. A certified ISMS gives an organisation a systematic, risk-based way of protecting financial and other confidential data, reducing the likelihood of it being accessed illegally or without permission. The certificate attests to the management system, not directly to the security of any particular service, so a cloud customer should check the certificate's scope statement and the provider's Statement of Applicability to confirm that the service in question, and the Annex A controls relevant to it, are actually covered.