Cloud Service Assessment Tools and Certification Schemes
Cloud service providers may promulgate their service offerings and capabilities to potential customers by using cloud service assessment tools and cloud service certification. A number of cloud service assessment tools and cloud service certification schemes are available in the market. These tools and schemes are designed to take into account various relevant aspects of cloud services.
What are Cloud Service Assessment Tools?
Cloud service assessment tools help cloud service stakeholders conduct assessments of cloud services against pre-defined criteria. In general, using these cloud service assessment tools does not require independent assessment by a trusted third party.
There are different types of cloud service assessment tools for different stakeholders.
Benefits of using cloud service assessment tools
Examples of Cloud Service Assessment Tools
Many cloud service assessment tools are based on ISO/IEC 27001, which is a widely recognised international Information Security Management System (ISMS) standard. This is because, when adopting cloud services, security is often the area of greatest concern for the cloud service consumer.
Cloud service assessment tools are usually provided in the form of a questionnaire.
No. | Assessment Tools | Organisation | Description |
1 | CloudCode | CloudCode | The CloudCode is a voluntary disclosure-based Code of Practice that has been developed to improve the standard of services being provided by cloud service providers. Cloud service providers need to follow two core commitments of the CloudCode: |
2 | CloudeAssurance | CloudeAssurance | The CloudeAssurance platform is standards-based, and a cloud service provider can use it for self-assessment to score and benchmark its information security program against standards. The output of the self-assessment is a “Provisional” CloudeAssurance Score valid for 180 days. The score ranges from 0 to over 850 and is interpreted on a scale running from very poor, poor, fair, great and excellent to optimised. |
3 | Security, Trust & Assurance Registry (STAR) Self-Assessment | Cloud Security Alliance (CSA) | Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR) Self-Assessment is free and open to all cloud service providers and allows them to submit self-assessment reports that document compliance to Cloud Security Alliance-published best practices. Cloud service providers can submit two different types of reports to indicate their compliance with Cloud Security Alliance best practices: |
What are Cloud Service Certification Schemes?
Benefits of Adopting Cloud Service Certification Scheme
Examples of Cloud Service Certification Schemes
No. | Certification Schemes | Organisation | Description |
1 | Cloud Assurance Assessor Program (CAAP) | CloudeAssurance, Inc | The assessors of the Cloud Assurance Assessor Program independently validate cloud service providers' scores, derived from the providers’ self-assessments, against the requirements of the CloudeAssurance rating system platform. |
2 | Code of Practice (CoP) | Cloud Industry Forum (CIF) | This Code of Practice is for organisations offering remotely hosted IT services of any type to customers. To claim compliance with the Code of Practice, an organisation needs to conduct an annual self-certification and confirm the results to the Cloud Industry Forum. Optionally, an organisation may opt for independent certification performed by a Cloud Industry Forum-approved certification body. The Cloud Industry Forum will spot check and randomly audit self-certifications. |
3 | EuroCloud Star Audit (ECSA) | EuroCloud Europe (ECE) | The EuroCloud Star Audit certification is specifically designed for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The scheme evaluates cloud services according to a set and published catalogue of criteria, which consists of the following categories: Profile, Contract and Compliance, Security and Data Privacy, Operations and Infrastructure, Operations Processes, and Service Type (IaaS, PaaS, SaaS) specific assessment. |
4 | Security, Trust & Assurance Registry (STAR) Certification | Cloud Security Alliance (CSA) | The Cloud Security Alliance's Security, Trust & Assurance Registry (STAR) Certification is an independent third-party assessment of the security of a cloud service provider. The STAR Certification is technology-neutral and is based on ISO/IEC 27001 and the Cloud Controls Matrix. The Cloud Controls Matrix is a set of criteria that measures the capability levels of cloud services. The STAR Certification enables cloud providers to communicate their levels of security controls to potential customers. |
5 | CSA C-STAR Assessment | Cloud Security Alliance (CSA) | The CSA’s C-STAR Assessment is a third party independent assessment of the security of a cloud service provider, mainly used in the Greater China region. The technology-neutral assessment leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from China’s national standard GB/T 22239-2008 and GB/Z 28828-2012. |
6 | Unified Certification Standard (UCS) certification | Managed Service Providers Alliance (MSPAlliance) | The Unified Certification Standard for cloud service providers is based on nine control objectives describing how an IT service organisation should operate. Each of the nine control objectives is supported by controls that are used when the company goes through the certification process. A company that successfully completes the certification process will receive a Unified Certification Standard audit report, which documents how the company implements those controls and control objectives. |