Some of you have asked us about similarities between the rating scheme and Consensus Assessments Initiative (CAI) launched by Cloud Security Alliance, so we have decided to write down this post to explain similarities and differences between them.
First of all, the Initiative is part of what is called GRC stack that includes other "pieces" like the very famous Cloud Control Matrix (CCM) or the Cloud Audit Project.
Secondly, we must say that the Initiative has involved the development of a questionnaire (used as base of STAR - Security, Trust and Assurance Register) that we will explain in further posts.
The questionnaire that should be accomplished by vendors is divided into 11 areas that are subdivided in 100 groups of controls and 197 questionas about specific controls traced to very well known standards, and guidelines as CobiT, HIPPA, ISO27001 or FedRamp, among others.
On the other hand, security rating criteria are divided into 14 areas subdivided in 73 subareas. So, although rating guide has more areas, criteria are more grouped. This is because CAI makes concrete questions for each control, while rating classifies controls in levels for each subarea. Groups of controls are quite similar with areas that are almost equal: Human Resources Security, Facilites Security, Compliance, Operations, or Resilience.
Another difference of security rating is that controls are classified in a way that allows assess confidentiality, integrity, and availability of services (there are 48 common groups of controls, 16 in confidentiality, 8 in integrity, and 15 in availability - yes, it adds more than 73 because some of them are repeated in various dimensions).
That is, controls in both documents are quite the same, because origins of both are standards very well known and accepted by security market but with a different approach:
- In CAI, vendor has to answer if it complies and how with identified controls.
- In security rating, vendor not only has to answer what controls it has implemented, but answers are classified between 5 levels for each security dimension (from D to A).
Ultimately, the fundamental difference is that, though in both cases, vendor is making a transparency exercise that contributes to trust building, in CAI, the user has to evaluate if answers match their needs, while in rating, answers has been classified in levels simplifying the understanding of vendor answers, thanks to the five levels defined for each security dimension.
You can follow us on twitter.com/leet_security