Lots of goodness coming out of the Cloud Security Alliance up in Orlando this week. Perhaps the biggest thing is the CSA GRC Stack. The GRC Stack is actually an amalgamation of three CSA initiatives:

CloudAudit

The goal of CloudAudit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. CloudAudit provides the technical foundation to enable transparency and trust in private and public cloud systems.

Visit the CloudAudit site

Download the Cloud Controls Matrix V1

Cloud Controls Matrix (CCM)

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The Cloud Controls Matrix provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Cloud Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA and NIST, and will augment or provide internal control direction for SAS 70 attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.

The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

Visit the Cloud Controls Matrix (CCM) page

Download the Initiative

Consensus Assessments Initiative Questionnaire (CAIQ)

The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort by design is integrated with and will support other projects from our research partners.

The initial deliverable of this project is the Consensus Assessments Initiative Questionnaire (CAIQ). This questionnaire is available in spreadsheet format, and provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of “yes or no” control assertion questions which can then be tailored to suit each unique cloud customer’s evidentiary requirements.

Visit the Consensus Assessments Initiative Questionnaire (CAIQ) page

This is great stuff. You can download the entire GRC stack in zip format here. The stack will be useful to just about everyone on the cloud food chain, public or private, service provider or consumer.

Here is what I find very interesting about it though. While everyone acknowledges that cloud security-a-phobia, or fear of cloud insecurity, is still a major reason given for the lack of greater cloud adoption, the GRC Stack is more about governance and compliance.

This proves that cloud security will end up being a lot like traditional IT security. While everyone wrings their hands over it, at the end of the day what they will really pay for is to be able to check that compliance box. With the GRC Stack, companies will be able to show that, even if they are not in fact secure in their cloud deployments, they have taken the reasonable steps necessary to demonstrate compliance.

I just hope that it doesn’t end there though, like it has in IT security. It would be a shame for cloud security to boil down to a checkbox.


Cloud Security Guy June 1, 2011 at 11:08 am

Since its release in November 2010, the CSA’s GRC Stack has proven to be a great resource for enterprises, cloud providers, solutions providers, consultants and independent auditors to facilitate governance, risk and compliance in the cloud.

At the ccskguide.org, we take a look at the various issues surrounding cloud computing and help prepare candidates for the CCSK Cloud Security Certification. Read more about the GRC Stack and other cloud computing compliance issues at: http://ccskguide.org/2011/05/csa-governance-risk-
