Cloud Service Assessment Tools and Certification Schemes
Cloud service providers may promulgate their service offerings and capabilities to the potential customers by using the cloud service assessment tools and cloud service certification. There are a number of cloud service assessment tools and cloud service certification schemes available in the market. These tools and schemes are designed with considerations of various relevant aspects of cloud services.
Cloud Service Assessment Tools
What are Cloud Service Assessment Tools?
Cloud service assessment tools are tools aiming to help cloud service stakeholders to conduct assessments on cloud services based on pre-defined criteria. In general, using these cloud service assessment tools does not require independent assessment by a trusted third-party.
There are different types of cloud service assessment tools for different stakeholders.
- For cloud service providers, there are self-assessment tools which assess their capabilities and service offerings. The assessment results are usually documented in a publicly accessible registry maintained by the central body which developed the assessment tool. Consumers can thus make reference to the assessment results for reference.
- There are also self-assessment tools for cloud service consumers, as well as assessment tools that require input from cloud service consumers and providers. Readers interested in the assessment tools for cloud service consumer may read about them here.
Benefits of using cloud service assessment tools
- For cloud service providers, publishing their self-assessment results provides a convenient way to communicate with potential customers about their capabilities and service offerings.
- Comparing to cloud service certification schemes, assessment tools require less overhead and can be conducted using less time. Cloud service providers do not have the resources of obtaining cloud service certification may initially consider conducting self-assessment and publish the results for potential customers’ references.
Examples of Cloud Service Assessment Tools
- Below are examples of assessment tools for cloud service providers.
Many cloud service assessment tools are based on ISO/IEC 27001, which is a widely recognised international Information Security Management System (ISMS) standard. This is because when adopting cloud services, security is often the most concerned area for the cloud service consumer.
Cloud service assessment tools are usually provided in the form of a questionnaire.
| || Assessment Tools || Organisation || Description |
| 1 || CloudCode || CloudCode || |
The CloudCode is a voluntary disclosure-based Code of Practice that has been developed to improve the standard of services being provided by cloud service providers. Cloud service providers need to follow two core commitments of the CloudCode:
they can claim their products and services are cloud computing products and services only if they follow the definition of 'cloud computing' as defined by CloudCode;
they will disclose important details about their cloud products and services in different categories, including security, data location, data access and use, business continuity, etc.
| 2 || CloudeAssurance || CloudeAssurance || |
The CloudeAssurance platform is standards based and a cloud service provider can use it for self-assessment to score and benchmark their information security program against standards. The output of the self-assessment is a “Provisional” CloudeAssurance Score valid for 180-days. The score is a value ranges from 0 to over 850, with interpretation of very poor score, poor score, fair score, great score, excellent score to optimised score.
| 3 || Security, Trust & Assurance Registry (STAR) Self-Assessment || Cloud Security Alliance (CSA) || |
Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR) Self-Assessment is free and open to all cloud service providers and allows them to submit self-assessment reports that document compliance to Cloud Security Alliance-published best practices. Cloud service providers can submit two different types of reports to indicate their compliance with Cloud Security Alliance best practices:
- The Consensus Assessments Initiative Questionnaire, which is a set of over 140 questions a cloud service consumer and cloud auditor may wish to ask a cloud service provider;
- The Cloud Controls Matrix, which gives a controls framework that includes the security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.
- For the self-assessment tools for cloud service consumers, readers may read about them here.
Cloud Service Certification Scheme
What are Cloud Service Certification Schemes?
- Cloud service certification schemes are programmes used by cloud service providers to illustrate their credentials, and communicate an understanding of their capabilities to deliver on-going trusted cloud services. In order to obtain a particular certification, a cloud service provider needs to be assessed by a trusted third party (the certification body).
- Various cloud service certification schemes have been developed and such development is still evolving. The market on cloud service certification is moving towards maturity although at the moment no single scheme can be considered as the industry standard.
- Cloud service providers aim at obtaining certification need to plan for the support on financial and other critical resources required. There will be investment for the one-off certification process and recurrent cost for maintaining the certification.
Benefits of Adopting Cloud Service Certification Scheme
- During the certification process, the cloud service provider will make improvement and enhancement to meet the certification requirements. As a result, the cloud service certification improves cloud service provider’s quality of services.
- As a cloud service provider, obtaining a cloud service certification increases consumers’ confidence in their services, hence giving the provider an edge over competitors in the market.
- For the community at large, certified cloud service providers increase the community’s confidence in cloud computing, hence boosting the adoption of cloud computing in the market, and this represents more business opportunities.
Examples of Cloud Service Certification Schemes
- Below are examples of cloud service certification schemes that cloud service providers may be interested.
- All the cloud service certification schemes listed below are based on ISO/IEC 27001, which is a widely recognised international Information Security Management System (ISMS) standard. This is because when adopting cloud services, security is often the most concerned area for the cloud service consumer.
- ISO does not provide certification services. Organisations looking to get certified to an ISO standard, such as ISO/IEC 27001, must be assessed by an independent certification body in order to get certified. Visit http://www.iso.org/iso/home/standards/certification.htm for more details.
| || Certification Schemes || Organisation || Description |
| 1 || Cloud Assurance Assessor Program (CAAP) || CloudeAssurance, Inc || The assessors of Cloud Assurance Assessor Program will independently validate cloud service providers' scores derived from the providers’ self-assessments against the requirements of the CloudeAssurance rating system platform. |
| 2 || Code of Practice (CoP) || Cloud Industry Forum (CIF) || This Code of Practice is for organisations offering to customers remotely hosted IT services of any type. Organisations need to conduct an annual self-certification and confirm the results of the certification to the Cloud Industry Forum for claiming its compliance to Code of Practice. Optionally, an organisation may go for independent certification performed by a Cloud Industry Forum-approved certification body. The Cloud Industry Forum will spot check and randomly audit self-certifications. |
| 3 || EuroCloud Star Audit (ECSA) || EuroCloud Europe (ECE) || The EuroCloud Star Audit certification is specifically designed for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The scheme evaluates cloud services according to a set and published catalogue of criteria, which consists of the following categories: Profile, Contract and Compliance, Security and Data Privacy, Operations and Infrastructure, Operations Processes and Service Type (IaaS, PaaS, SaaS) specifc assessment. |
| 4 || Security, Trust & Assurance Registry (STAR) Certification || Cloud Security Alliance (CSA) || The Cloud Security Alliance's Security, Trust & Assurance Registry (STAR) Certification is a third party independent assessment of the security of a cloud service provider. The STAR Certification is technology-neutral, and based on the ISO/IEC 27001 and the Cloud Controls Matrix. The Cloud Controls Matrix is a set of criteria that measures the capability levels of cloud services. The STAR Certification enables cloud providers to communicate with potential customers on their levels of security controls. |
| 5 || CSA C-STAR Assessment || |
Cloud Security Alliance (CSA)
| The CSA’s C-STAR Assessment is a third party independent assessment of the security of a cloud service provider, mainly used in the Greater China region. The technology-neutral assessment leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from China’s national standard GB/T 22239-2008 and GB/Z 28828-2012. |
| 6 || Unified Certification Standard (UCS) certification || Managed Service Providers Alliance (MSPAlliance) || The Unified Certification Standard for cloud service providers is based on nine control objectives of how an IT service organisation should operate. Each of the nine control objectives is supported by controls that are used when the company goes through the certification process. A company that successfully completed the certification process will receive a Unified Certification Standard audit report, which documents how the company implements those controls and control objectives. |