Security rating for cloud services selection

Along with exciting new opportunities, cloud computing presents new challenges for both IT professionals and business managers. The former have to change their mindsets from an internally provided service to an outsourced one, and the latter have to consider security issues in their decision about moving to the cloud.

But both parties share one requirement: due diligence in the process of service selection.

Due diligence will help organizations considering the cloud to clarify their risk posture, choose the cloud service that best meets their needs and avoid surprises down the road.

However, the due-diligence process is not an easy one. We must consider not only the security measures the vendor has implemented, but also service-level agreements, compliance with the applicable regulations, and a host of critical aspects of the vendor itself: financial stability, long-term strategy, experience in the field, human-resources policies, guarantees in case of mergers or acquisitions, etc. These issues contribute to building the confidence needed to establish a long-term relationship with a vendor.

None of the tools we have for carrying out this due diligence are perfect. Security certifications attest to processes, not to the actual security level the vendor achieves, and their scope may have nothing to do with the service we care about. Audits, on the other hand, are specific and concrete, but vendors are rarely willing to let every potential client audit them to cover each client's particular needs. (Third-party attestation reports under SSAE are a reasonable compromise.)

So, due diligence requires agile tools that allow IT professionals, risk managers, chief information security officers and business managers to quickly and easily compare the risk involved in different cloud services, enabling them to make the right decisions for their organizations' goals.

In this scenario, we could apply a tool that has been used for more than a century in the financial markets: rating. Despite criticism of the credit-rating agencies' role in the financial crisis, rating has proven to be a useful tool for investors. Likewise, all of us continue to trust audits despite cases like Enron. (A flawed implementation of an idea does not make the idea wrong.)

Unlike a credit rating, a security rating should have at least three dimensions, matching the organization's appetite for risk along three vectors: confidentiality, integrity and availability. (One organization could have very strong requirements for confidentiality but not for availability, for example, and a single aggregate score would hide that difference.)

The security rating should also take into account the security measures implemented by vendors, as well as general issues like financial stability and long-term strategies.

Finally, the security rating should consider if the vendor has any security certifications, and if it conducts periodic and comprehensive audits.

Most useful of all would be a security rating that is service-specific, considering only the aspects relevant to the service being evaluated, to help organizations make the right decisions.
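To make the two preceding points concrete (a rating with separate confidentiality, integrity and availability dimensions, restricted to the controls relevant to one service), here is an added illustration in Python. It is not part of the original post and not any real rating scheme: the control catalogue, weights, service tags, the two vendors and the organization's appetite thresholds are all constructed for the example. It shows how a vendor with the better single aggregate score can still be the wrong choice for an organization with a strict confidentiality requirement, and how the same vendor rates differently for different service types.

```python
"""Toy multi-dimensional, service-specific security rating (illustration only)."""
from statistics import mean

DIMENSIONS = ("confidentiality", "integrity", "availability")

# Hypothetical control catalogue (constructed for this example, not from any
# framework). Each control maps to the CIA dimensions it supports with a weight,
# and to the service types for which it is relevant.
CONTROLS = {
    "encryption_at_rest":       ({"confidentiality": 3}, {"storage", "saas"}),
    "customer_managed_keys":    ({"confidentiality": 2}, {"storage"}),
    "signed_audit_log":         ({"integrity": 3}, {"storage", "compute", "saas"}),
    "immutable_backups":        ({"integrity": 2}, {"storage"}),
    "tested_dr_plan":           ({"availability": 2}, {"storage", "compute", "saas"}),
    "multi_region_replication": ({"availability": 3}, {"storage", "compute"}),
    "ddos_protection":          ({"availability": 3}, {"compute", "saas"}),
    "soc2_type2_report":        ({"confidentiality": 1, "integrity": 1, "availability": 1},
                                 {"storage", "compute", "saas"}),
}


def rate(implemented, service):
    """Per-dimension rating in [0, 1] for one service type.

    Numerator: weight of the vendor's implemented controls that are relevant to
    `service`; denominator: weight of every catalogue control relevant to it.
    Controls irrelevant to the service (e.g. DDoS protection for a storage
    service) count neither for nor against the vendor, which is what makes the
    rating service-specific.
    """
    earned = {d: 0 for d in DIMENSIONS}
    possible = {d: 0 for d in DIMENSIONS}
    for name, (dims, services) in CONTROLS.items():
        if service not in services:
            continue
        for dim, weight in dims.items():
            possible[dim] += weight
            if name in implemented:
                earned[dim] += weight
    return {d: round(earned[d] / possible[d], 3) if possible[d] else 0.0
            for d in DIMENSIONS}


def single_score(rating):
    """A one-number aggregate, the way a credit-style rating would summarise it."""
    return round(mean(rating.values()), 3)


def meets_appetite(rating, appetite):
    """True only if every dimension reaches the organisation's minimum for it."""
    return all(rating[d] >= appetite[d] for d in DIMENSIONS)


def shortfalls(rating, appetite):
    """Dimensions where the vendor falls short, with the size of the gap."""
    return {d: round(appetite[d] - rating[d], 3)
            for d in DIMENSIONS if rating[d] < appetite[d]}


# Two constructed vendors. A has broad operational maturity but no customer-
# managed keys; B is strong on confidentiality but weaker on resilience.
VENDOR_A = {"encryption_at_rest", "signed_audit_log", "immutable_backups",
            "tested_dr_plan", "multi_region_replication", "ddos_protection",
            "soc2_type2_report"}
VENDOR_B = {"encryption_at_rest", "customer_managed_keys", "signed_audit_log",
            "tested_dr_plan", "soc2_type2_report"}

# Constructed appetite: strict on confidentiality, relaxed on availability.
APPETITE = {"confidentiality": 0.9, "integrity": 0.6, "availability": 0.5}

if __name__ == "__main__":
    for label, controls in (("A", VENDOR_A), ("B", VENDOR_B)):
        r = rate(controls, "storage")
        print(f"vendor {label} storage: {r} aggregate={single_score(r)} "
              f"fits={meets_appetite(r, APPETITE)} gaps={shortfalls(r, APPETITE)}")
```

For the storage service, vendor A gets the higher aggregate (0.889 against 0.722) yet fails the organization's confidentiality threshold, while vendor B passes on every dimension; and rating vendor B for a compute service instead of storage changes its availability figure, because a different subset of controls is in scope. The weights and thresholds are the subjective part of any such scheme, which is why the transparency of whoever sets them matters as much as the arithmetic.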

In my opinion, taking care of the problematic elements of rating agencies—basically transparency and competition—could be very helpful for all of us when choosing the best service provider for our businesses.

Cross-posted from ISACA blog