Whether an organization is considering SaaS (software as a service) applications, PaaS (platform as a service) models or IaaS (infrastructure as a service) options, it’s pretty much a given that security and compliance issues will be priority considerations. However, potential cloud service customers do run into trouble trying to determine if the security and audit programs of cloud service providers are adequate. For one thing, many service providers don’t release details about their security controls. Also, regulation for service provider controls is inconsistent.
This article takes a look at some of the resources available for current and potential cloud customers to assess the security of a service provider.
CSA Best Practices
According to IT service provider CDW, survey results show that 70% of cloud users don’t certify their cloud service provider’s security measures. The Cloud Security Alliance (CSA) is a leader in cloud security standard creation and implementation. The CSA has released a set of security standards specific to the cloud, available for both cloud customers and service providers.
This set of standards is referred to as the Cloud Controls Matrix (CCM) and consists of about 100 controls and assessment guidelines that span a diverse range of best practices for ensuring security in the cloud. The CCM also includes several regulatory and compliance mandates, including PCI, HIPAA, ISO/IEC, NIST and COBIT.
The CCM is organized according to the thirteen domains that are outlined in the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing. The domains are as follows:
- Cloud computing architectural framework
- Governance and enterprise risk management
- Legal and electronic discovery
- Compliance and audit
- Information lifecycle management
- Portability and interoperability
- Traditional security, business continuity and disaster recovery
- Data center operations
- Incident response, notification and remediation
- Application security
- Encryption and key management
- Identity and access management
These domains encompass best practices that can help regulate cloud security policy and practices.
Another thing to consider when assessing the security of a cloud service provider is to see if they have been audited by an independent body. Audits can help to ensure that the provider has all of the essential security processes and controls in place.
However, it’s important to note that not all audits are adequately designed to assess the unique environment of the cloud. For instance, industry standards such as SAS 70 do not cover cloud services. Furthermore, SAS 70 audits involve vague, subjective controls which are often defined by the provider or auditor. It’s crucial to ensure that your cloud service provider has aligned itself with governance, controls and security standards that are specific to cloud computing. The CSA conducts third-party audits that would be suitable.
A Forrester Research report conducted for risk and security professionals reveals that the CSA’s cloud security standards are the most thorough, as the CSA “Takes a more holistic view of Cloud security. In addition, the CSA has the widest participation from users as well as Cloud vendors.”
Once you’ve found a provider that seems to have its security controls audited, take it one step further. As the service provider exactly which controls it has implemented. A CSA audit demonstrates how each CSA control requirement has been met, unlike SAS 70 audits, which are restricted to sue by the service provider and auditor. Such audits may not even document how controls are actually met.
As recent cloud service outages have shown, transparency is extremely important, especially during a crisis. For instance, when Amazon’s Elastic Cloud Compute went down in April 2011, its lackluster communications were called out by unsatisfied customers.
This article takes a look at existing cloud security standards and practices to ensure their cloud service provider can be trusted. According to IT service provider CDW, survey results show that 70% of cloud users don’t certify their cloud service provider’s security measures. This article takes a look at three key actions that current or prospective cloud customers can take: follow CSA best practices, ensure their service provider has been audited by an independent body, and double-check the service provider’s transparency claims.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Contractual security requirements (Domain 2)
- Enterprise and Information Risk Management (Domain 2)
- Contract enforceability (Domain 3)
- Compliance impact on cloud contracts and compliance analysis requirements (Domain 4)
- SAS 70 Type II (Domain 4)
- Auditor requirements (Domain 4)