Security is at the forefront of the news, and although companies are making an effort to simplify the typically intense technical and legal fine print of documents like the Terms and Conditions, cloud security certifications are still fairly hard to follow and are loaded with heavily technical terms.
This is especially true when it comes to security certifications. A company can certainly list certificates, but what does that matter if you can’t figure out the difference between FISMA and FedRAMP?
This glossary aims to demystify some of the certificates you'd come across when checking out info on a cloud-based company. We've also used some of these certifications for our independent cloud business app ranking, Category Leader. It's important to note that even if a piece of software doesn't list some of the certifications or compliance standards, it still might have them. For example, the hosting service Amazon Web Services (AWS) has some of the certifications listed below, and many companies use AWS to host their data.
Some of these standards and certifications are incredibly expensive, so their absence is not necessarily a reflection of poor security; many companies simply can't afford to receive them. It's part of the reason why you see big companies like Amazon, Microsoft, or Salesforce have lots of the certificates listed below.
Keep in mind that these definitions are an attempt to translate the standards into layman's terms, and the standards themselves are more complicated than the brief descriptions below.
This is set by the Cloud Security Alliance (CSA), which is a worldwide non-profit dedicated to cloud security standards. This is an incredibly detailed system that is made up of other certifications and standards such as ISO 27001/27002. The CSA's main goal is to educate people and organizations on good cloud security practices, and their website is a treasure trove of information.
FedRAMP was designed to specifically address cloud security for government organizations. It provides a more efficient way to have a unified standard for government agencies or related groups to follow the same security processes.
The predecessor to FedRAMP, this exists to protect government agencies, departments, and related contractors and make sure that their systems are secure. Although this is for systems that may be connected to the government, other organizations may voluntarily opt for this standard. Technically, it is not a "certification", but rather an authorization to operate your systems based on standards and guidelines. If you're interested in diving into the nitty gritty of FISMA (the link below is general FAQs), check out this page on the National Institute of Standards and Technology (NIST) website.
This is a U.S. government security standard that assesses cryptography for both hardware and software. It's broken up into four different levels, with level 1 as the basic level of cryptography, and level 4 as the most secure. Components of FIPS 140 can range from self-tests to electromagnetic protection. It's important to note that the higher levels of FIPS 140-2 factor in physical location (e.g. where your servers are, whether there are security guards, alarm system info).
This pertains to health records in the United States. This is a contract between a HIPAA-covered entity and a HIPAA business associate that is used to protect personal health information in accordance with HIPAA guidelines. Any business under this agreement is subject to audits and must alert customers if there’s been a security breach.
These come from the International Organization for Standardization, which essentially is a voluntary organization that provides international standards across a wide variety of areas. Specifically, ISO 27001 and 27002 deal with security. ISO 27001 provides a structure for implementing and maintaining security in an organization; ISO 27002 provides a baseline for compliance or for other external certifications. Note: these do not necessarily provide proof that something is secure, rather that the app works within this agreed-upon standard.
This is one step further in the evolution of ISO that will be important in cloud computing. It’s made up of factors which say that the organization must be transparent about where they store your data, alert you in case there’s a breach, commit to a yearly third-party audit, and (perhaps most importantly) agree to not use your info in sales and marketing materials. Two notable examples that have adopted this standard are Microsoft Azure and Dropbox.
This is a security standard for organizations that deal with the major credit card companies including Visa, MasterCard, and American Express. Originally, credit card companies had their own security standards, which led to the creation of the Payment Card Industry Security Standards Council (PCI SSC).
SOC 1 is comprised of financial and accounting standards for financial organizations. It provides a way to audit a company’s financial information. The audit provides reports on the management/company of the service organization, the company’s clients, and the auditors themselves.
This is an updated version of SOC 1 that includes more criteria to address security concerns in the financial sector. Security is judged on seven different criteria: organization and management, communications, risk management and design and implementation of controls, monitoring of controls, logical and physical access controls, system operations, and change management.
This is an initiative aimed at simplifying the incorporation of cloud software into UK government agencies or related groups. Receiving this certification makes it easier for the agencies to choose cloud services without having to go through a procurement process (a competition to choose services). These services are offered on a digital marketplace, which makes it simpler for government organizations to find approved software.
This was an agreement between the EU and United States that was created in order to take care of the differences in data protection laws. The EU (generally speaking) is far more restrictive on what companies can do with user data when compared to the United States. This allowed for Europeans’ data to be transferred across to the United States, while still adhering to the EU standards. However, it was ruled invalid in 2015 and it has since been replaced by the EU-US Privacy Shield.
There's also a similar agreement between the US and Switzerland called the U.S.-Swiss Safe Harbor agreement, which has been replaced by its successor, the Swiss-U.S. Privacy Shield Framework.
(This post originally ran Jan 15, 2015 and has since been updated.)