The Cloud Security Alliance (CSA) has big plans around creating a global certification scheme for cloud services providers. Its new Open Certification Framework is a three-tiered certification that measures the level of trust and transparency of the operations of cloud services providers, as well as the level of assurance for the cloud customer.

Designed in line with the CSA's security guidance and control objectives, the certification has the chance to provide a level of integrity to cloud services providers and show off a measure of integrity to cloud customers. Of course, this assumes cloud customers become Open Certification Framework-savvy and know enough to ask about the level of certification a cloud services provider has.

"A key challenge the cloud industry faces is reassuring its customers that the service they provide is not only secure but can recover from any incidents with minimal disruption," said David Brown, director of corporate development at British Standards Institution (BSI), in a prepared statement.

At the same time the Open Certification Framework was being announced, CSA announced also announced a new partnership with BSI. "By adopting the Open Certification Framework, cloud service providers will benefit from reducing their risks, improving the incident recovery time and demonstrating good information governance," Brown said.

How does the new certification process work? Here's how CSA has outlined the three levels of its certification framework:

  • CSA STAR Self Assessment: In this first level of certification, cloud providers can submit reports to the CSA STAR Registry to indicate their compliance with CSA best practices. This is available now.

  • CSA STAR Certification: At the second level, cloud provides require a third-party independent assessment. The certification leverages the requirements of the ISO/IEC 27001:2005 management systems standard together with the CSA Cloud Controls Matrix (CCM). These assessments will be conducted by approved certification bodies only. It will be available sometime in the first half of 2013.

  • The STAR Certification will be enhanced in the future by continuous monitoring-based certification. This certification is still undergoing development.


If the CSA Open Certification Framework is a success, it could provide a good competitive advantage for cloud providers who can measure up to the requirements. CSA plans to provide additional details next month at the CSA Congress Europe.