Security beyond the cloud
The Common Assurance Metric (CAM) is a global initiative that aims to produce objective quantifiable metrics, that its authors say will assure information security maturity in cloud, third party service providers, as well as internally hosted systems. The collaborative initiative has received strong support from public and private sectors, industry associations, and global key industry stakeholders.
There is currently an urgent need for customers of cloud computing and third party IT services to be able to make an objective comparison between providers on the basis of their security features. Security remains the number one concern for many businesses and governments. Existing mechanisms to measure security are often subjective and in many cases are bespoke solutions. This makes quantifiable measurement of security profiles difficult, and imposes the need to apply a bespoke approach, impacting in time, and cost. The CAM aims to bridge the divide between what is available, and what is required. By using existing standards that are often industry specific, the CAM is designed to provide a singular approach of benefit to all organisations regardless of geography or industry.
“With today’s complex IT architectures and heavy reliance upon third party providers, there has never been a greater demand for transparency and objective metrics for attestation,” said Jim Reavis, executive director of the Cloud Security Alliance. “The Common Assurance Metric framework has great promise to address this demand and the Cloud Security Alliance is proud to support this initiative and align our own cloud security metrics research with it.”
“Microsoft is committed to delivering secure, private, and reliable computing experiences. Today’s interconnected world trustworthiness of computing solutions depends on many interdependent components and requires broad industry collaboration. We look forward to contributing to the work on Common Assurance Metric,” Added Matt Broda, senior security strategist at Microsoft.
The project team anticipate delivery of the framework in late 2010 followed by a process towards global adoption for organisations wishing to obtain an objective measurement of security provided by cloud providers, as well as the level of security for systems hosted internally.
