cloud provider certification not worth that much

Great story in The Register from the other side of the pond on the recent trend of cloud service providers, such as Amazon AWS, to undergo a “self-certification process” by submitting details regarding their security measures to the “Security, Trust & Assurance Registry (STAR), operated by not-for-profit body the Cloud Security Alliance (CSA).”

However, the UK Information Commissioner’s Office (ICO), while welcoming the initiative, offered this somewhat ambivalent statement:

“While any scheme aimed at ensuring people’s information is adequately protected in line with an organisation’s requirements under the Act is to be welcomed, organisations thinking of using cloud service providers must understand that they are still responsible for the safety of that data. Just because their cloud service provider is registered with such a scheme, does not absolve the organisation who collected the data of their legal responsibilities.”

I don’t think this statement must necessarily be read, in a literal manner, to be tantamount to The Register’s headline that folks “can’t rely” on such certification. Rather, it is just vague enough so that folks will have no idea the extent to which they may. Which I suppose may be the same thing. Alas.

Anyway, the ICO has promised to provide further guidance on storing personal information in the cloud in the autumn.