Evaluating Different Cloud Service Offerings by Comparing Security Controls

In the latest episode of Cloud Fundamentals Video Series titled "Comparing Security Controls" - Trustworthy Computing group's Tim Rains interviews Kellie Ann Chainier, Business Manager, World Wide Public Sector at Microsoft, in this installment on the subject of Security Controls.Kellie explores the benefits of participating in cloud standards programs such as the Cloud Security Alliance's […]

In the latest episode of Cloud Fundamentals Video Series titled "Comparing Security Controls" - Trustworthy Computing group's Tim Rains interviews Kellie Ann Chainier, Business Manager, World Wide Public Sector at Microsoft, in this installment on the subject of Security Controls.

Kellie explores the benefits of participating in cloud standards programs such as the Cloud Security Alliance's (CSA) Security, Trust and Assurance Registry (STAR).

Cloud Fundamentals Video Series: Evaluating Different Cloud Service Offerings by Comparing Security Controls

Here's an excerpt:

"The industry is working on ways to make it easier to compare the security practices used to manage cloud services. One example of this is the Cloud Security Alliance Security, Trust & Assurance Registry (STAR). In this installment of the Trustworthy Computing Cloud Fundamentals Video Series, I discuss the potential benefits of STAR and how Microsoft is leveraging it to provide visibility into the security controls that our customers are looking for, and to help our customers compare the security of some of our cloud services with other vendors' cloud services."

Kellie notes, there are at least a couple of factors making comparison of "assurances about the security practices and security controls that are used by the cloud service provider(s)" harder than it should be including:

  1. "There is no industry standard set of questions that cloud service evaluators can use to ask cloud providers about the security practices they employ to manage their services. Subsequently cloud evaluators must create their own evaluation criteria." Adding, "to this end, some organizations have spent considerable time, resources and budget on developing their own evaluation criteria, or have paid consulting companies to do this for them." "This duplication of effort across the industry is inefficient and expensive for both cloud evaluators and the cloud providers who're forced to interpret and respond to a myriad of different requests for information," mentiones Kellie.
  2. Noting further Kellie says, "there's no industry standard format for cloud providers to provide answers to questions about the security practices they use to operate their service offerings. i.e. different cloud providers might answer the same question in very different ways making comparing and contrasting them difficult."

Here is the video: