Common Assurance Metric - Beyond the Cloud

CAM Aims to Bridge the Divide Between What is Available, And What is Required

(12.02.10) - The Common Assurance Metric (CAM) is a global initiative that aims to produce objective quantifiable metrics, to assure Information Security maturity in cloud, third party service providers, as well as internally hosted systems. This collaborative initiative has received strong support from Public and Private sectors, industry associations, and global key industry stakeholders.

There is currently an urgent need for customers of cloud computing and third party IT services to be able to make an objective comparison between providers on the basis of their security features. As ENISA’s work on cloud computing, has shown, security is the number one concern for many businesses and governments. Existing mechanisms to measure security are often subjective and in many cases are bespoke solutions. This makes quantifiable measurement of security profiles difficult, and imposes the need to apply a bespoke approach, impacting in time, and of course cost. The CAM aims to bridge the divide between what is available, and what is required. By using existing standards that are often industry specific, the CAM will provide a singular approach of benefit to all organisations regardless of geography or industry.

"With today's complex IT architectures and heavy reliance upon third party providers, there has never been a greater demand for transparency and objective metrics for attestation", said Jim Reavis, Executive Director of the Cloud Security Alliance. "The Common Assurance Metric framework has great promise to address this demand and the Cloud Security Alliance is proud to support this initiative and align our own cloud security metrics research with it".

"Microsoft is committed to delivering secure, private, and reliable computing experiences. Today's interconnected world trustworthiness of computing solutions depends on many interdependent components and requires broad industry collaboration. We look forward to contributing to the work on Common Assurance Metric." Matt Broda, Senior Security Strategist, Microsoft.

This work is essential. The number one barrier to adoption of cloud computing is assurance - "how can I know if it's safe to trust the cloud provider?" This is a problem for providers too - answering a different security questionnaire for every customer is a huge drain on resources," Giles Hogben, Network Security Policy Expert, ENISA. (ENISA: ra)