Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Google, Microsoft, Intel, Verizon among new cloud-security registry members

Google, Verizon, Intel, McAfee, Microsoft and Savvis are joining a voluntary program set up by the Cloud Security Alliance that provides public information about whether contributors comply with CSA-recommended cloud-security practices.

By reading reports submitted to CSA's Security Trust and Assurance Registry (STAR), potential customers of participating providers can more readily assess whether products and services meet their security needs.

LEARN: 8 ways to become a cloud security expert

To encourage other participants, CSA is encouraging businesses to require that any cloud vendors they deal with to submit reports to CSA STAR.

For example, eBay is requiring the submissions from all cloud vendors it works with, says the company's CISO Dave Cullinane. He says the information will help eBay security and its customers' privacy. Similarly, Sallie Mae will look for cloud vendors to demonstrate their security via CSA STAR filings.

CSA STAR lets participants file self-assessment reports about whether they comply with CSA best practices. The registry will also list vendors whose governance, risk management and compliance (GRC) wares take the CSA STAR reports into account when determining compliance. The idea is that customers will be able to extend GRC monitoring and assessment to their cloud providers, the CSA says.

Google, Microsoft, Savvis and Verizon will submit information about their services and Intel and McAfee will file reports about security products.

CSA announced the keystone participants in its STAR program at CSA Congress 2011 in Orlando, Fla., this week.

CSA also announced it is extending its scrutiny to cloud-based security service providers -- businesses that offer security services from cloud platforms.

Customer concerns with security as a service include:

= Systems might not be locked down properly.

= Personnel might not be vetted thoroughly.

= Data leakage among virtual machines within multi-tenant environments.

= Cloud-based security services might not meet compliance standards.

"When deploying Security as a Service in a highly regulated industry or environment," says the CSA's latest Guidance for Critical Areas of Focus in Cloud Computing, "agreement on the metrics defining the service level required to achieve regulatory objectives should be negotiated in parallel with the SLA documents defining service."

These cloud-based security services are wide-ranging and include identity and access management, data loss protection, Web and email security, encryption and intrusion prevention, CSA says.

Read more about wide area network in Network World's Wide Area Network section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: ARN, CSA, Cullinane, eBay, Google, Intel, ISO, LAN, McAfee, Microsoft, Savvis, Verizon, Verizon
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Assurance, cloud computing, cloud security alliance, ebay, Google, Intel, internet, mcafee, Microsoft, Sallie Mae, security
Latest Blog Posts
Whitepapers
  • Bend or break: Flexible Policy
    DON’T. PANIC. Aligning business and IT needs has always been a challenge. Finding the right balance between ensuring the safety of sensitive data and enabling the free flow of information is increasingly difficult in today’s evolving regulatory and threat environment. Read on.
    Learn more »
  • Top 10 Mistakes in Data Centre Operations: Operating Efficient and Effective Data Centers
    For years, the data centre industry has accepted that human operational error, not poor data centre design or engineering, is the number one cause of data centre downtime. Now is the time for companies to evaluate their data centre operations programs. They must be able to clearly articulate operational requirements and design an operations program based on the risk profile of the data centre. However, the road to creating an industry-best operations program will not be easy, especially for those companies whose core expertise is not in business critical facilities. Read on.
    Learn more »
  • HP and Closed Circuit Print Security Podcast featuring Quorcirca
    Managing Security risks within Enterprise printing environments
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments