KuppingerCole says Using independent, external Certification for Cloud Provider Selection is a must
September 2015 by KuppingerCole
Independent analyst company KuppingerCole Ltd. recently published a new Executive View on using certification for cloud provider selection. The document provides an overview of how certifications and attestations relating to cloud services and cloud service providers (CSPs) can be used by a cloud customer.
For the author, Senior Analyst Mike Small, the important starting point is for the customer to be clear about their requirements and the division of responsibilities between themselves and the CSP. Certifications can then be used to help the customer to select a service, to assure compliance, to reduce risk, and to assure continued conformance of the service. “The customer needs to take a holistic view to understand the coverage and strength of the certifications offered by the CSP in the context of the overall organization’s IT service catalogue”, says Small.
KuppingerCole has identified five critical challenges that a cloud customer faces, which are:
• Loss of compliance
• Availability of service and data
• Legal risks
• Lock in
Independent certification provides a way for the cloud customer to reduce some of these risks.
“The important starting point is for the customer to be clear about their requirements and the division of responsibilities between themselves and the CSP”, explains Small.
For KuppingerCole, standards provide a distillation of the knowledge and best practices from the best brains in the industry. IT systems in general and cloud services in particular should be run in a way that conforms to these standards to ensure the confidentiality, integrity and availability of the service. Certificates and attestations provide proof that the conformance of a cloud service to a standard has been independently assessed and measured. However, not all measurements are the same, and the customer needs to understand the differences to be able to make comparisons.
“Independent certification against standards and best practice provides the cloud customer with a way to verify CSP claims, to reduce risk and to provide assurance that the service is delivered to specification”, says Mike Small. “Customers should identify the standards that are relevant to their needs and require CSPs to provide evidence of the conformance of their service to these standards”.
The Executive View describes the four levels of assurance that a CSP could provide and the ways in which a customer can use these to assure compliance with laws and regulations, reduce cyber risks and assure service availability.