The STAR Certification programme is based on the BSI's ISO/IEC 27001:2005 management system standard and criteria set by the Cloud Security Alliance (CSA), the international industry-led body for promoting security standards within cloud computing. Cloud computing specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that work towards standardisation of cloud security was essential.
"It goes without saying that cyber threats are international in flavour and that the only way forward in terms of assessing the accountability of businesses for information and cyber security must also be an international one," he said. "As laws converge across the globe on cyber-related issues, standardisation through the work of the ISO and related national bodies must be seen as a positive step forward."
"Some time ago now the European Commission as part of its cloud policy tasked ETSI [the European Telecommunications Standards Institute] with the task of assessing the 'jungle of standards' relating to cloud security. Hopefully, the work of BSI and CSA will assist in this process," he said.
The European Commission's programme of work on cloud computing includes the creation of model contract terms that businesses could use when entering into contracts and service level agreements with cloud computing providers. ETSI has been asked to help set out what new standards are required in relation to data security, interoperability and data portability for cloud service providers alongside this work.
The CSA and BSI's new STAR Certification offers cloud providers a technology-neutral, independent assessment of their security standards. To obtain the certificate, providers will have to demonstrate that they meet ISO/IEC 27001 on security management generally, as well as the specified set of criteria contained in the CSA's Cloud Controls Matrix.
Providers' processes will be measured against the 11 control areas set out in the matrix by an accredited certification body. The matrix covers compliance, data governance, facility security, human resources, information security, legal, operations management, risk management, release management, resiliency and security architecture. Depending on their performance in each of these areas, providers could receive a bronze, silver or gold award, or no award.
Once certified, providers will be listed on the CSA STAR Registry as 'Star Certified'. They will also receive a report setting out how mature their processes are in each of the 11 control areas, with information on what areas they need to consider improving on to reach an "optimum" level of security.
Daniele Catteddu, the CSA's managing director for Europe, the Middle East and Africa, said that the new certificate would allow cloud service providers to reassure their clients about the security of their data and information.
"Especially in light of recent government revelations, both consumers and providers of cloud-based services have been asking for independent, technology-neutral certification to help them make more informed decisions about the services they purchase and use," he said. "In providing a rigorous, user-centric assessment, STAR Certification will provide an additional layer of transparency that the industry has been calling for."