Common Assurance Metric – Beyond the Cloud

Common Assurance Metric launched to provide security beyond the Cloud

London, February 2010 – The Common Assurance Metric (CAM), launched today, is a global initiative that aims to produce objective, quantifiable metrics to assure Information Security maturity in cloud and third-party service providers, as well as internally hosted systems. This collaborative initiative has received strong support from the public and private sectors, industry associations, and key global industry stakeholders.

There is currently an urgent need for customers of cloud computing and third-party IT services to be able to make an objective comparison between providers on the basis of their security features. As ENISA’s work on cloud computing has shown, security is the number one concern for many businesses and governments. Existing mechanisms to measure security are often subjective and in many cases are bespoke solutions. This makes quantifiable measurement of security profiles difficult and imposes the need to apply a bespoke approach, with an impact on time and, of course, cost. The CAM aims to bridge the divide between what is available and what is required. By using existing standards that are often industry specific, the CAM will provide a singular approach of benefit to all organisations regardless of geography or industry.

"With today's complex IT architectures and heavy reliance upon third party providers, there has never been a greater demand for transparency and objective metrics for attestation", said Jim Reavis, Executive Director of the Cloud Security Alliance. "The Common Assurance Metric framework has great promise to address this demand and the Cloud Security Alliance is proud to support this initiative and align our own cloud security metrics research with it."

"Microsoft is committed to delivering secure, private, and reliable computing experiences. In today's interconnected world, trustworthiness of computing solutions depends on many interdependent components and requires broad industry collaboration. We look forward to contributing to the work on Common Assurance Metric." Matt Broda, Senior Security Strategist, Microsoft.

“This work is essential. The number one barrier to adoption of cloud computing is assurance – ‘how can I know if it’s safe to trust the cloud provider?’ This is a problem for providers too - answering a different security questionnaire for every customer is a huge drain on resources.” Giles Hogben, Network Security Policy Expert, ENISA.

“The Information Security Awareness Forum (ISAF) is committed to improving accessibility of advice through the promotion of consistent messages to help protect individuals and businesses alike. The Common Assurance Metric is a bold initiative that aspires to provide greater consistency in the security of cloud computing services. This will help to make the Internet a safer place for business and pleasure - an objective which the ISAF very much supports.” Dr David King, Chair ISAF.

“Security maturity is a major consideration in the adoption of cloud and collaboration technology; in fact, a recent poll by Infosecurity Europe found that the lack of transparency around information assurance maturity was the biggest barrier to getting into the cloud for 94% of security professionals (sample size 1014). Infosecurity Europe recognises that the CAM initiative can provide objective metrics which will enable customers to make timely and informed decisions to assure Information Security for cloud, third party service providers and internally hosted systems.” Tamar Beck, Group Exhibition Director, Infosecurity Europe.

“In an environment that is increasingly driven by regulatory and cost issues, confidence that your information is secure is a key factor to business success. But knowing who to trust your information to is an issue many businesses struggle to deal with effectively. The Common Assurance Metric will provide businesses with that confidence to choose the most appropriate partner to whom they can entrust their sensitive information.” - Brian Honan, Principal Consultant with BH Consulting.

The project team anticipate delivery of the framework in late 2010 followed by a process towards global adoption for organisations wishing to obtain an objective measurement of security provided by cloud providers, as well as the level of security for systems hosted internally.

Source: Eskenzi PR