Group aims to set standard for cloud security

Published 10 February 2010

A new consortium aims to provide a Common Assurance Metric (CAM) that will consist of objective, quantifiable measurements; it will draw from existing standards, which are often industry specific, to provide an international, cross-sector approach.

A 24-strong consortium of service providers, vendors, government organizations, and consultants has begun work on a set of measurements designed to make it easier for businesses to compare the security features offered by cloud-computing providers.

ZDNet’s Manek Dubash writes that the project, launched on Monday, aims to provide a Common Assurance Metric (CAM) consisting of objective, quantifiable measurements, according to a statement from the as-yet unnamed consortium. It will draw from existing standards, which are often industry specific.

Overall, it will provide an international, cross-sector approach that “allows cloud providers the opportunity to demonstrate their information security maturity in an open and constructive manner,” the consortium said.

Participants include Amazon, Google, Microsoft, the European Network and Information Security Agency (Enisa), the Cabinet Office, HM Revenue & Customs, KPMG, McAfee, and Oracle.

“Existing mechanisms to measure security are often subjective and in many cases are bespoke solutions. This makes quantifiable measurement of security profiles difficult,” the consortium said. In addition, customized services typically cost more in time and money than those based on standards, it noted.

The consortium said the CAM will allow businesses to compare security features via a standardised information format, help service providers differentiate their offerings, build trust among end users, and develop a standard across industry and international borders. A key business benefit will be the ability to link information risk management with business objectives.

The CAM will arrive as online tools and white papers, as well as information from cloud-computing providers in a common format that will allow their products to be compared.

“This work is essential. The number-one barrier to adoption of cloud computing is assurance: ‘How can I know if it’s safe to trust the cloud provider?’ This is a problem for providers too — answering a different security questionnaire for every customer is a huge drain on resources,” said Giles Hogben, network security policy expert at Enisa, in the consortium’s statement.

On a wider level, the consortium said that it also hopes to use the CAM as “a means to measure the level of security employed around the world, and spot new and emerging trends in the information security landscape.”

The consortium said the CAM project team is scheduled to deliver the framework in late 2010, and that it expects global adoption to follow.