CloudVPS believes cloud assurance and certification are very important in order to get serious parties comfortable with cloud-based solutions. This is why we took a leading role in the CloudControls project. The CloudControls are a series of measures that can be implemented by a cloud provider in order to mitigate cloud-specific risks for its customers. The controls are based on a comprehensive list of cloud-related risks that was defined together with KPMG in 2012. The framework also includes a list of questions that a cloud customer should ask their (prospective) provider.
We have implemented version 2.0 of the CloudControls, which was released in September of 2012. In January of 2013 we successfully concluded auditing the CloudControls alongside our ISO 27002 audit. Version 3.0 of the controls is now available, and we will use it from now on. The CloudControls have also been translated into Dutch. You can now download a Dutch version of the cloud risks, questions for providers and the actual controls.
Scope of the CloudControls
The CloudControls aim to cover the cloud-specific risks related to outsourcing to an Infrastructure as a Service (IaaS) provider. This means the controls assume that the customer takes responsibility for the software configuration of its cloud environments and the connection to the cloud. In addition, the internal security policies and availability-enhancing measures of the cloud provider are not considered cloud-specific risks, because these risks also occur within in-house IT organisations. A lack of information regarding the security policies and the status of the infrastructure, however, is considered to be a cloud-specific risk.
The controls are based on a comprehensive list of 61 cloud-related risks. The CloudControls are the measures needed to control these risks. They consist of 39 controls related to the outsourcing risks and 5 controls for multi-tenancy risks.
We will continue to improve the CloudControls and to invite more parties to use them. We will also use the CloudControls as input for interesting developments in the field of cloud assurance. For example, we intend to use them as input for the work we are doing with the NEN commission for Distributed Application Platforms and Services. This Dutch-based commission is part of the efforts the International Organization for Standardization (ISO) is currently undertaking in order to facilitate cloud standardisation. We expect to give you an update on these developments soon.