Back in the day, Verisign went on to fortune and fame by having websites secured by its SSL certificates display the "verified by Verisign" logo. It became the Good Housekeeping seal of approval for websites. Now highly touted security company Skyhigh Networks is seeking to do a similar thing for cloud apps with its CloudTrust Program.
Working with the Cloud Security Alliance, Skyhigh has developed a comprehensive set of criteria for evaluating the enterprise worthiness of cloud-based apps and services. Broadly, this set of criteria can be broken down into five categories:
I had a chance to speak with Rajiv Gupta, CEO of Skyhigh Networks, about the program. Rajiv is very proud of his company working with the Cloud Security Alliance to put this together. What is really great about it is that there is no cost for any company to be evaluated for CloudTrust. The full report and findings are also made available for free to the company that was tested. This way, if they do not pass, they can see why and take steps to correct any deficits and become certified. Even better, any company seeking to find out the results of an evaluation of a cloud service or app can request and receive the report for free as well.
I know what you are asking. Why is Skyhigh doing this? I asked Gupta the same question. He said his company had to do this type of evaluation anyway as part of their underlying business model. By working with the CSA and promoting the whole CloudTrust program, Skyhigh wants to brand itself as the company providing this. The new Verisign, if you will.
What about companies receiving the certification? I reached out to my friends at Yesware, one of the companies certified, to get their take. I spoke with Cashman Andrus, CTO and co-founder of Yesware. Cashman thought that it was really a great indication of all of the hard work that Yesware's team has put in making sure their app and service are safe, secure and reliable. While he thinks there will be similar copycat kinds of certifications in the future, for now at least CloudTrust stands out as one of a kind.
Yesware did not have to do anything special to be qualified. This was also gratifying to Cashman. Doing something just to be certified is not what the program should be about. The Yesware folks have written a nice blog on their involvement with the program here.
In the meantime, Yesware is only one of many companies that have been certified. Gupta says Skyhigh will be testing and certifying many more in the days, weeks and months to come. He hopes companies will begin looking for the blue and green logo and that it influences their decision to use or not use a cloud app or service.
Both Skyhigh Networks and the Cloud Security Alliance are committed to updating the testing criteria in the future as well.
Will this be the new Verisign logo program? I don't know, but I do know that something like this is needed. I think if people can trust it to show quality about the certified apps and services, it will catch on. My question is, will this become Balkanized? By that I mean, will we see a plethora of different testing companies watering down the quality and confusing customers? It could be, but with the Cloud Security Alliance as their partner, Rajiv Gupta says that Skyhigh Networks will rise above the noise as the voice of trust in this area. Good luck to them!
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from startup to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.