
TECHGUIDE: Cloud Compliance

A global perspective on emerging cloud compliance issues

Contents:
- FedRAMP Cloud Computing Standards Initiative Spurs Optimism, Criticism
- Calls for Cloud Security Transparency Getting Louder
- PCI in the Cloud: Segmentation, Security Compliance is Possible, Experts Say
- Cloud Maturity Model to Help SMBs Judge Security of Cloud Providers

FedRAMP Cloud Computing Standards Initiative Spurs Optimism, Criticism


Federal cloud security framework aims to speed cloud security assessments and agency cloud adoption. BY MARCIA SAVAGE
Industry experts and cloud service providers are hopeful about the prospects of a new federal program that sets cloud computing security standards, but they also note some potential pitfalls. For one security expert, the program represents a lost chance to improve cybersecurity.

In December 2011, the Obama Administration launched the Federal Risk and Authorization Management Program (FedRAMP), which sets a standard approach for assessing the security of cloud services and products against a baseline of controls. The goal is to cut the cost and time spent on redundant agency security assessments and cloud authorizations.

"What it is going to do is provide government agencies and organizations with an easier way of acquiring public and private cloud computing authorizations, which means they can start using cloud a lot easier than they could have through the older FISMA process," said Dan Philpott, a federal information security specialist and member of the Cloud Security Alliance (CSA).

Under FedRAMP, a cloud service provider goes through authorization with one agency and other agencies can leverage that authorization. "If an agency has additional requirements, then only the delta between the baseline and those specific requirements needs to be addressed, which provides a more economical model for security," he said.

The "do once, use many times" approach promised by FedRAMP will save both government and industry a lot of money by cutting down on the number of certifications, provided it truly happens, said Jennifer Kerber, vice president for federal and homeland security policy at TechAmerica, a Washington, D.C.-based industry advocacy organization.

TECHNICAL GUIDE ON CLOUD COMPLIANCE

"The problem will be if a growing number of federal agencies tack on additional requirements to a provider's certification," she said. "If no one really accepts it and it's all FedRAMP plus, then you have to pay all this extra to get certified, I'm not sure it's worth it."

Alan Paller, director of research at the SANS Institute, is highly critical of FedRAMP, which he views as a lost opportunity.

"FedRAMP could have been the breakthrough that enabled the government to lead by example in cybersecurity, demonstrating how to do it right," he said in an email. "FedRAMP provided that opportunity because it has the leverage of contracting: no company could provide FedRAMP services if they did not meet FedRAMP security rules, so had they done the right rules they could have radically improved security and lowered the cost of effective security."

But officials missed that opportunity by providing guidance that did not require six measures known to provide effective security, including using common security configurations and implementing daily continuous monitoring and mitigation, Paller said. "Instead, the guidance called for people to write reports that could easily be written without effectively implementing any of the six [measures]. It's a throwback to FISMA at its worst and it is inexcusable," he said.

FEDRAMP ELEMENTS

White House officials expect FedRAMP to be operational by June after they complete a number of steps, including publishing the security controls, a concept of operations and a charter. In January, they released the security control requirements, which are based on NIST Special Publication 800-53 Revision 3 and include controls that address the unique risks associated with cloud computing, such as multi-tenancy and shared resource pooling.

A key component of FedRAMP is third-party assessment organizations (3PAOs), which will assess cloud providers' implementation of the security requirements. The FedRAMP program management office plans to publish an initial list of FedRAMP accredited 3PAOs in the second quarter.

In response to criticism that FedRAMP will be a report-based compliance program that doesn't implement effective security, a FedRAMP program office spokesperson said in an email that FedRAMP will assess and authorize cloud solutions based on implementation of the NIST SP 800-53 security controls and independent validation by an accredited 3PAO.
"Once these cloud solutions are assessed and authorized, FedRAMP will coordinate the continuous monitoring activities with federal agencies and DHS, with a focus on real-time data and automation, giving agencies a better ability to view the risk posture of a cloud solution in near real time," the spokesperson said.

Philpott said having accredited third-party assessors will make it easier for agencies and cloud service providers to know who truly has the technical expertise to evaluate cloud security. He welcomed the final release of the FedRAMP security controls, which he said the CSA plans to quickly adapt to its Cloud Controls Matrix to help the cloud computing industry adopt them.

Falls Church, Va.-based CSC is well prepared for FedRAMP after taking its cloud services through a federal certification and accreditation process, said Yogesh Khanna, North American public sector chief technology officer at CSC. The technology provider recently deployed IaaS and a cloud-based service for development and testing for DHS, he said.

"We've gone through the wickets with DHS, taking our system through a pretty comprehensive C&A process," he said. "We understand the 800-53 goals. I feel as a company and one that is a strategic partner of one of the leading federal agencies playing a significant role in FedRAMP, we have a lot of experience already under our belt."

Khanna said FedRAMP will benefit service providers, vendors and cloud customers by providing a benchmark for cloud computing security standards.


"You're letting go of some level of control as a cloud consumer. Unless there's some industry standards and third parties reviewing it, we'll always be stuck in a mode where people use security as a barrier," he said.

POTENTIAL FEDRAMP ISSUES

While optimistic about FedRAMP, Khanna said he hopes federal officials are prepared to handle the volume of demand the program may generate. "Right out of the gates, they don't want to create an impression that they're a stodgy bureaucracy," he said.

Cloud service providers have a role in the program's success by making sure they have polished packages that are ready for evaluation, but he would have liked to have seen some commitment to a time limit for FedRAMP's governing agency to review a cloud service that's been approved by a 3PAO.

"What we can't have (and we have a role to play to make sure this doesn't happen) is the traffic being so great and the staff at FedRAMP not being adequately situated to handle the traffic, creating the perception that things go into the FedRAMP office and nothing comes out," Khanna said.

Philpott said he sees a potential issue with how a federal initiative, Trusted Internet Connections (TIC), will work under FedRAMP. TIC requires that agencies limit the number of Internet connections they operate, and that traffic be routed so DHS can monitor it for security threats. Routing network traffic to meet the requirements of TIC may not be feasible under some cloud service models, Philpott said.

Overall, though, the baseline of cloud computing security standards established by FedRAMP has the potential to improve cloud security, Philpott said. Commercial customers will be able to ask cloud providers to provide the same security they provide the government. "A lot of cloud providers are very security conscious. Not all of them, but most of the major ones are," he said. "We hope and expect this is going to provide a level playing field."


Calls for Cloud Security Transparency Getting Louder


Enterprises need cloud security transparency and must understand cloud provider security in order to move forward with engagements. BY MICHAEL S. MIMOSO
Cloud security transparency today equates to a non-disclosure-agreement discussion between an enterprise and service provider over the provider's controls. The end result may satisfy the customer and lead to business for the provider, but the process isn't efficient for either side. Despite several standards-based efforts, providers don't have a repeatable mechanism for these types of interactions, and customers often don't get an apples-to-apples comparison of providers.

Calls for cloud transparency, however, continue to resonate as IT evolves and moves onto cloud computing platforms, attractive for their efficiency and elasticity. Enterprises moving applications and data to the cloud, or consuming a provider's services, need to understand cloud provider security. But providers remain hesitant to give up proprietary information, or expose themselves to exploit.

"What [customers are] trying to do is figure out a way to determine what are the questions they should be asking cloud providers and evaluate a service, evaluate the risk and whether it meets compliance requirements," said Microsoft's Tim Rains, a director of product management in the Trustworthy Computing Group. "Customers want to compare service offerings on an apples-to-apples basis. They need a standard set of questions to ask and get a consistent set of answers. That's what we're hearing from customers."

The Cloud Security Alliance's Security Trust and Assurance Registry, or STAR, is the closest thing to a standards-based effort meeting this need. STAR launched in the fourth quarter of last year and its aim is to be a public repository of providers' security controls. Providers who are STAR members can fill out either the CSA's Consensus Assessments Initiative Questionnaire or the Cloud Controls Matrix framework questionnaire, both built according to the ISO 27001 standard, and ultimately agree to have that data published online and publicly accessible.

"[Providers] don't want to be creating new security issues and don't want to publish anything that's exploitable," said Jim Reavis, executive director of the Cloud Security Alliance. "Once we get through the questionnaires and the providers understand it's not about publishing a HP WebInspect scan, but more about whether they're performing a Web assessment and how to make it available to customers; once they've understood it was at that level, they've been won over and have said it makes sense. Then it's more of a legal question."

Reavis said most of the large providers have filled out questionnaires and are aboard in principle with the STAR effort; legal teams are reviewing the responses and the level to which they want to publish data publicly. To date, only Microsoft, Mimecast and Solutionary have agreed to publish their controls.

"From our perspective, STAR makes a lot of sense," Microsoft's Rains said. "The industry and providers have gotten together to work out a set of questions based on a set of standards. The questions are standard and the answers are standard and customers can compare apples to apples and it's all based on an international standard."

The use of the ISO 27001 standard also keeps providers from oversharing controls, Rains said. Using Microsoft's published questionnaire on its Office 365 service as an example of how this is avoided, Rains pointed to the section on architecture around user identity credentials. The ISO requirement is that passwords expire every 90 days and are seven characters of minimum length. Microsoft's response is that passwords are assigned a maximum age and minimum character length.

"We're not telling people any information on whether it's 90 days, for example, we're simply saying that we're following the ISO standard and we have independent auditors coming in and making sure we're doing what we're supposed to," Rains said. Customers can take this as a baseline that controls are in place that meet the international standard, and if they wish to extend the relationship, can learn more under NDA.

"We get asked these types of questions all the time and the compliance mapping associated with them," said Ken Owens, technology vice president of security and virtualization services at Savvis, a service provider. "The questionnaire provides a baseline of answers. We have a good story about how we take security seriously. It's a useful tool for us in customer discussions; they can use a NDA to get to the details behind it."

Providers hope they can eventually use security as a differentiator for their services. A March 2011 Savvis survey of more than 400 enterprise IT and security managers identified security, by a large margin, as the No. 1 barrier for companies to use cloud computing. Savvis' Owens said customers are much more conversant about cloud and security and are applying pressure on providers about transparency of controls. Customers, Owens said, want to know not only if their applications are right for the cloud, but what are the risks to those apps, how those risks can be assessed, how changes in security policies can be monitored, where their data is located, and when it's moved, will a provider inform them?

"We've seen hesitancy in moving enterprise applications into the cloud for fear of security," said Chris Richter, vice president of managed security services at Savvis. "A lot of CIOs are fearful they don't believe they know enough about the cloud."

Efforts such as CSA STAR can go a long way toward creating educated consumers, Reavis said. "We're doing some of the work for them. Here are the tools, and maybe we can save them some time from a due diligence perspective," Reavis said. "Why create your own assessment tools? Use a common tool. Some customers get it, and that's what I'm hoping for to, tongue-in-cheek, create a viral 'occupy cloud providers' movement. If customers don't ask for it and providers don't feel the need to provide it, we're going down a path of nasty incidents and people not doing the right thing."


PCI in the Cloud: Segmentation, Security Compliance is Possible, Experts Say


Merchants are ultimately responsible for locking down credit card data and maintaining PCI compliance, according to experts. BY ROBERT WESTERVELT

Merchants interested in outsourcing their payment processes or looking to reduce internal architecture complexities have been turning to cloud providers, but experts caution that no matter where the credit card data resides, the merchant ultimately is fully responsible for safeguarding the information and maintaining cloud PCI DSS compliance.

The PCI Security Standards Council has made it clear in its virtualization guidance document that turning over payment processes to cloud service providers can result in a reduction in PCI scope. While there are benefits, there are also important caveats that should be heeded when reaching out to a provider, experts say.

"Compliance is based on the service being delivered," said Michael Dahn, director of threat and vulnerability management at PricewaterhouseCoopers. The merchant has to know the responsibilities of the cloud service provider and understand who is doing the maintenance, monitoring and other security processes protecting the data, he said. "You may approach a vendor that offers cloud services and they may have been validated as a PCI-compliant provider, but putting your payment systems in their environment does not make you compliant," Dahn said.

Cloud computing platforms such as Amazon Web Services and Verizon's Computing as a Service (CaaS) have been validated as PCI DSS compliant, meaning their internal systems have been validated by an independent Qualified Security Assessor. Both providers make it clear that the merchant will be responsible for securing data stored and maintained on those platforms.

It's important for security professionals to understand that there is no one-size-fits-all approach to PCI compliance in the cloud, Dahn said. Organizations that choose to outsource their payment systems are both large and small. Their risk tolerances vary and often the size and maturity of the merchants using a cloud provider are also mixed. Among the similarities is the use of point-to-point encryption and tokenization technologies to ensure security within the cloud environment. Tokenization is also growing in popularity because merchants can completely wipe sensitive credit card data from systems, but maintain business analytics.

In an article on PCI compliance in the cloud, Ed Moyle, a senior security strategist at Savvis and founding partner of consultancy Security Curve, said merchants can take steps early on to avoid potential pitfalls. PCI DSS compliance and cloud computing doesn't have to be a scary proposition, Moyle said. It's vital that the merchant understands what will be moving to the cloud and gains a better picture of what the scope will look like. It is easier from a governance standpoint if the merchant maintains direct control of the cardholder environment, he said.

Chenxi Wang, vice president and principal analyst at Cambridge, Mass.-based Forrester Research Inc., said she does not believe there are any major issues that haven't been addressed by the PCI Council. Recent guidance on virtualization and point-to-point encryption has helped most merchants better understand and address the challenges. Cloud providers gaining PCI DSS compliant validation is also helping reduce some of the confusion with gaining compliance in the cloud, Wang said. The cloud provider's job is to provide documentation on how they meet important security controls, Wang said.

In addition to Amazon Web Services and Verizon, Web content giant Akamai runs a PCI DSS validated tokenization service. Visa provides a list of dozens of PCI-validated service providers (.pdf). "There are many merchants that have been using cloud services for their payment processes for a long time," Wang said. "While merchants are ultimately responsible, there's shared responsibility with the cloud provider."


Cloud Maturity Model to Help SMBs Judge Security of Cloud Providers


The Common Assurance Maturity Model (CAMM) may be the key to helping organisations, and especially SMBs, evaluate the security of cloud providers. BY RON CONDON, SearchSecurity.co.UK Bureau Chief

In nearly every survey about cloud computing, security tops the reasons why companies hesitate to adopt cloud-based technologies, and rightly so; if you cannot be sure how your data will be treated, and that it will be adequately protected, then it would be foolhardy to go blindly into the cloud, even if the economic benefits look attractive.

So how can an organisation confirm whether a cloud service provider is up to scratch? Big companies and government departments maybe have the clout to demand the right to carry out a detailed inspection of the cloud provider's premises and procedures. Smaller companies, however, are likely to be less welcome. Several initiatives, most notably from the Cloud Security Alliance (CSA), have tried to help companies at least formulate the right questions to ask of prospective service providers, but that can still be a slow and difficult task. And as already noted, smaller organisations submitting a questionnaire to a big cloud service provider can expect little cooperation, let alone answers.

A cloud maturity model for rating cloud services companies promises to provide a simple guide to the levels of security they provide, offering benefits both for the prospective purchaser, and for the supplier who now only has to undergo one audit process, instead of one for every customer.


Called the Common Assurance Maturity Model (CAMM), it is the brainchild of Raj Samani, a security veteran who has worked in consultancies, in the public sector, and is now European CTO for McAfee.

DEVELOPMENT OF CAMM

Samani already knew from an earlier project at a major organisation how hard it can be to deal with large numbers of suppliers. He just didn't have the resources or money to carry out the necessary checks to ensure they were looking after the information for which he remained responsible under the Data Protection Act.

However, the solution came to him in a conversation with his father, a central London hotel owner: "My Dad was complaining about an awkward customer who wanted to do a detailed check on the hotel, and he was saying how much bother it would cause," Samani said. "His answer was that it was a one-star hotel, meaning it wasn't luxurious but it was cheap. That's all the guy needed to know."

This incident sowed the seed of a similar five-star rating system that could be applied to cloud computer services. Samani realized that, if widely adopted, such a system could not only make finding the right level of security and service a lot easier for cloud computing customers, but also relieve suppliers of undergoing endless customer audits.

That was two years ago, and since then the effort has been sustained by a team of volunteers from various supporting organisations, although that will change soon when CAMM acquires some full-time professional help. Samani said he will announce full details of that hiring plan at the CSA Summit in San Francisco in February.


CAMM COMPONENTS

The CAMM model is intended to cover baseline controls for security, Samani said, but has been designed to cross-map with other standards such as ISO 27001, COBIT and PCI DSS, where customers have specific needs. "CAMM provides a base level of controls, and then you can add on different modules on top," he said. "It means people can pay for the level of security they require. So now if you need a supplier in Germany at Level 3 with the module for PCI, CAMM makes it easier to find one."

One important aspect of CAMM, Samani said, is that the intellectual property for the framework and the tools for carrying out an audit will be freely available for anyone to use. "It's been a labour of love," he added. The only charges will occur when companies start using the Third Party Assurance Centre (TPAC) component of CAMM.

TPAC is a repository of information about service providers, listing their levels of security across a range of measures. The aim is that TPAC will serve as a marketplace for customers and suppliers to meet. Customers will upload their requirements, listing CAMM levels plus any other modules they need, and immediately be presented with a short list of suppliers that fit their requirements.

Samani added that CAMM will help security managers quantify residual risk in terms their bosses can understand. "You go to the CEO and say, 'We're going for a Level 3 company but that leaves some risk,'" he said. "The CEO can then ask how much it will cost to go to Level 4 or 5, and then make a judgment understanding the risk. You can't have that kind of conversation with business executives about security at the moment."

CAMM recently underwent alpha tests with four pilot users and, once feedback from those tests is digested in February, a series of betas will take place ahead of a full-scale launch before the end of the year. The project has the support of 150 organisations including major cloud service providers, government bodies, and industry bodies such as the CSA and the Information Systems Audit and Control Association (ISACA).


REACTION TO CAMM

CAMM is widely seen as a valuable and promising approach. Paul Simmonds, a board member of the Jericho Forum and a co-author of the CSA's Security Guidance V3 document, said CAMM fulfills a valuable function. "CAMM has been pretty well thought out. I'm very impressed," Simmonds said. "It is modular in its domain areas, so as a user of cloud services, you can stipulate what levels of security you need in different areas. CAMM makes it much easier to get a short list of potential suppliers, and it's going to be a better and more thorough audit than most companies could manage themselves."

The initiative has also received strong support from Europe, and includes the European Network & Information Security Agency (ENISA) on its steering committee. "We believe CAMM is key to helping cloud computing take off," said Giles Hogben, programme manager for secure services at ENISA in Crete, Greece. Hogben sounded a note of caution, however, saying that any new standard should avoid adding extra costs for companies. He added that measuring maturity on a scale of 1 to 5 can lead to an over-simplification and therefore needs to be treated with care.

ABOUT THE AUTHORS

Marcia Savage is site editor for SearchCloudSecurity.com. Michael S. Mimoso is the editorial director for TechTarget's Security Media Group. Robert Westervelt is the News Director for TechTarget's Security Media Group. Ron Condon is TechTarget's Security Media Group UK Bureau Chief.

This Technical Guide on Cloud Compliance is a SearchSecurity.com e-publication.

Michael S. Mimoso, Editorial Director
Eric Parizo, Senior Site Editor
Robert Westervelt, News Director
Marcia Savage, Site Editor
Ron Condon, UK Bureau Chief
Kara Gattine, Senior Managing Editor
Doug Olender, Vice President/Group Publisher, dolender@techtarget.com
Tom Click, Senior Sales Director, tclick@techtarget.com


TechTarget 275 Grove Street, Newton, MA 02466 www.techtarget.com


© 2012 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

