Cloud security certification in the works following NSA revelations


Fallout from the National Security Agency (NSA) scandal continues as a new cloud security certification program is in the works to ease the fear of non-U.S. organizations.

According to a report in CloudPro, "The Cloud Security Alliance (CSA) is addressing cloud customer concerns about data security by tying up with the British Standards Institute (BSI). The CSA is set to expand its STAR program this autumn, by including a new formal certification process."

The partnership between the CSA and the BSI would provide a formal certification to build on the work that the CSA has already been doing through its STAR program, which aims to make the security policies of cloud service providers more public. Organizations that have lent their support to the STAR program include Amazon, HP, Microsoft, Box, Red Hat and Terremark. Organizations not yet committed include Google, IBM, Rackspace, Salesforce and VMware.

"The CSA programme is self-certified, while the BSI will have assessors who will scrutinize vendors' practices once a year and issue a certificate," explained Jim Reavis, executive director for the CSA.

All of this comes after the recent revelation that the National Security Agency (NSA) has been collecting huge amounts of data from Internet Service Providers and telecommunications companies. The NSA activities were revealed by former NSA contract worker Edward Snowden, who is currently in Russia.

Following Snowden's revelations, a survey by the CSA found that 10 percent of executives at non-U.S. companies have canceled their contracts with U.S. service providers. The CSA is a non-profit organization with over 48,000 members. CSA conducted the member survey between June 25 and July 9.

The survey also revealed that 56 percent of the 456 respondents are rethinking whether they would continue to work with U.S. service providers, according to a report in Computerworld. Only one-third of respondents said the NSA scandal would have no impact on their choice of service provider.

A majority of survey respondents did call for more transparency from the U.S. government on its use of secret orders from the Foreign Intelligence Surveillance Act (FISA). That act allows the government to obtain customer data from Internet Service Providers and telecommunications firms for investigatory purposes.

Respondents were reportedly almost unanimous in wanting more details on just how cooperative the ISPs and telecommunications firms have been about sharing customer data.

"The level of skepticism was greater than I expected," Jim Reavis, co-founder and executive director of the CSA, was quoted as saying in the Computerworld article. "I had thought that more people would understand that these activities happen all the time in their countries as well."

For more:
- read the Computerworld article
- read the CloudPro article
