Another reason some providers may be holding back from participating in STAR, Hilgendorf says, is that they already release much of this information in different formats. Amazon Web Services, Google and others have sections of their websites dedicated to security controls. Some providers, Hilgendorf says, could be weighing the value of submitting information to the CSA's registry if the information is already made available elsewhere. There are also other security certification standards, such as the International Organization of Standards (ISO) compliance, Payment Card Industry (PCI) compliance and the Federal Information Security Management Act (FISMA) certification. If an organization is already FISMA compliant, Hilgendorf wonders whether it would also feel a need to register with the CSA.
Reavis says the questionnaire is loosely based on some of those certifications and asks for some of the same type of information.
Hilgendorf says it's useful information for customers. The questionnaire, which can be downloaded from the CSA's website, asks providers to answer 170 yes-or-no questions, and leaves space for additional comments. Topics range from compliances and certifications the providers have received, to how customer data is stored in the cloud. Other questions pertain to whether customers can access audit information of providers, and what types of audits and vulnerability tests are conducted by the provider. There are questions about how data is segmented to ensure information from multiple customers is not mixed together, and there are questions about physical security of the data centers, for example. These are important questions that customers either ask, or should be asking, of service providers, Hilgendorf says.
For providers, it's a way for them to prove they are serious about security, says Orlando Scott-Cowley, product marketing manager at Mimecast, one of the three companies that have submitted a STAR entry.
"Anyone can claim they're a cloud provider, but to actually make your controls available and open through this registry was important to us," he says. "We're not giving away anything proprietary about how the data is protected, but it does show to customers that we're open to talking about this."
Hilgendorf expects the registry may turn into a spot for small and mid-size providers to showcase their security controls as a way to differentiate themselves in the market. But, he says, the registry would gain true value if some of the CSA's other 130 members participate.