The Common Assurance Metric (CAM) launched today is a global initiative that aims to produce objective quantifiable metrics, to assure Information Security maturity in cloud, third party service providers, as well as internally hosted systems. This collaborative initiative has received strong support from public and private sectors, industry associations, and global key industry stakeholders.
There is currently an urgent need for customers of cloud computing and third party IT services to be able to make an objective comparison between providers on the basis of their security features. As ENISA’s work on cloud computing has shown, security is the number one concern for many businesses and governments. Existing mechanisms to measure security are often subjective and in many cases are bespoke solutions. This makes quantifiable measurement of security profiles difficult, and imposes the need to apply a bespoke approach, impacting in time, and of course cost.
The CAM aims to bridge the divide between what is available, and what is required. By using existing standards that are often industry specific, the CAM will provide a singular approach of benefit to all organizations regardless of geography or industry.
“With today’s complex IT architectures and heavy reliance upon third party providers, there has never been a greater demand for transparency and objective metrics for attestation”, said Jim Reavis, Executive Director of the Cloud Security Alliance. “The Common Assurance Metric framework has great promise to address this demand and the Cloud Security Alliance is proud to support this initiative and align our own cloud security metrics research with it”
“This work is essential. The number one barrier to adoption of cloud computing is assurance – “how can I know if it’s safe to trust the cloud provider?” This is a problem for providers too – answering a different security questionnaire for every customer is a huge drain on resources” said Giles Hogben, Network Security Policy Expert, ENISA.
The project team anticipate delivery of the framework in late 2010 followed by a process towards global adoption for organizations wishing to obtain an objective measurement of security provided by cloud providers, as well as the level of security for systems hosted internally.