Cloud Computing, Global Markets

How the G7 Can Enhance Cloud Security and Build Digital Solidarity

When governments work together on common approaches to digital regulation, it helps set globally interoperable rules that create a more level playing field for companies of all sizes, while elevating standards for consumer protection.

The G7’s Hiroshima Process has, for instance, helped establish baseline expectations for companies developing foundation artificial intelligence (AI) models, both making it more likely that governments establish interoperable rules while also improving cooperation and digital solidarity among G7 nations at a crucial time for digital policymaking.

As businesses, consumers, and governments increasingly take advantage of the benefits of cloud computing, the G7 can and should extend this cooperative approach to cloud security.

Cloud security certification requirements: toward interoperability and mutual recognition

Cloud computing has become a well-recognized, essential ingredient for delivering services and enabling digital transformation. It offers many clear benefits, such as scalability, flexibility, and cost-efficiency; it also has security and resiliency advantages, which have become increasingly important.

But it is also true that, if not properly developed and secured, there are real security risks associated with it. To address these risks, many governments have or are considering implementing cloud security certification requirements that designate baseline specifications for providers.

While the controls required are often interoperable – the core of each is generally aligned with ISO standards – each market requires its own certification. This creates challenges and barriers for cloud service providers (CSPs), and it also creates barriers for customers seeking access to the best cloud services, especially when they operate across multiple jurisdictions.

While the requirements in different markets are not identical, and some countries or regions may require additional controls, there is a great opportunity to enhance security and digital solidarity by building around the common core shared by most cloud security certification requirements.

The G7 should initiate a two-step program on cloud security that does the following:

  1. Maps the compatible controls of different cloud security certification requirements. This process would identify which controls in different laws are effectively analogous such that meeting one would provide sufficient confidence that the objective of the other is met.
  2. Agrees on mutual recognition of certifications from each partner country. If a company is certified for Japan’s Information system Security Management and Assessment Program (ISMAP), for instance, that certification should be sufficient for the similar controls required in the EU’s Cybersecurity Certification Scheme (EUCS) or FedRAMP in the US.

A mutual recognition process would significantly cut the time and cost of providing secure cloud services in those countries and sectors that choose to require certification. It would also increase confidence and solidarity among those governments, improve coordination among security professionals in different jurisdictions, highlight where a country is out of step with its peers, and make it more difficult for countries to use such certifications as non-tariff trade barriers. Individual economies would still be able to enact security schemes that impose additional controls beyond the common criteria; those additional controls would require only a limited supplementary certification process.

Mutual recognition of cloud security certifications would benefit all stakeholders involved. For CSPs, it would reduce the complexity and burden of complying with multiple certification schemes, and enable them to offer their services more easily and efficiently across different markets. For cloud customers, it would increase the availability and choice of secure and trustworthy cloud services, and facilitate their cross-border data flows and operations. For governments, it would enhance their security posture and resilience, and foster their cooperation and alignment on digital policies and standards. It would also drive CSPs to compete on developing better, more secure solutions rather than on having a better funded team of regulatory compliance attorneys.

Conclusion

Cloud security certification requirements are a reality and a necessity in today’s digital world. However, they do not have to be a hindrance or a hurdle to cloud adoption and innovation. By leveraging the common core of ISO standards and pursuing mutual recognition of certifications among like-minded governments, we can create a win-win situation for all parties involved. We urge the G7 to take the lead in this initiative and set an example for the rest of the world.

Author:

Aaron Cooper serves as Senior Vice President, Global Policy. In this role, Cooper leads BSA’s global policy team and contributes to the advancement of BSA members’ policy priorities around the world that affect the development of emerging technologies, including data privacy, cybersecurity, AI regulation, data flows, and digital trade. He testifies before Congress and is a frequent speaker on data governance and other issues important to the software industry.

Cooper previously served as a Chief Counsel for Chairman Patrick Leahy on the US Senate Judiciary Committee, and as Legal Counsel to Senator Paul Sarbanes. Cooper came to BSA from Covington and Burling, where he was of counsel, providing strategic guidance and policy advice on a broad range of technology issues.

Cooper is a graduate of Princeton University and Vanderbilt Law School. He clerked for Judge Gerald Tjoflat on the US Court of Appeals for the Eleventh Circuit.
