I’ve no excuse for not having noticed this before, as it was an entry on the Infosecurity Magazine blog, to which I’m a contributor. But miss it I did, I’m afraid, for over a week, even though it’s testing related. The article “‘Testing the Testers’: Certification and Cloud Computing” was actually contributed by the (ISC)² U.S. Government Advisory Board Executive Writers Bureau. (Coincidentally, I blog for (ISC)² as well, but I have nothing to do with the Government Advisory Board AWB.)
Anyway, the blog notes that NIST (the National Institute of Standards and Technology) has just released a Cloud Computing Standards Roadmap, recognizing the complexity of certification of products in the context of the rising demand for cloud services. In particular, the draft inter-agency advisory report (NISTIR 7328) is about requirements for security assessment providers, especially those who are offering assessment as a service.
While it’s a very different document to AMTSO’s guidelines for testing in the cloud, it comes from a similar appreciation of the difficulties of this area of testing.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow