By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance
I have always said I am a “data guy.” Decisions made with data eliminate all bias, opinions, and ad hoc decisions that cause potential costly moves.
In my most recent podcast interview with Phillip Merrick, CEO of Fugue, he discussed how vendors sometimes use security events to spread fear, uncertainty, and doubt (FUD) in order to sell products. There is nothing wrong with keeping up with world events and learning from others’ mistakes, but there is a difference between prevention and reaction.
Think about it. Smoke alarms go off after something happens; usually, a fire that causes smoke to rise and enter the alarm. At that point, running out of the building is the standard “reaction.” Sure, there are all kinds of incidents that can scare you and make you run out and buy the latest technology to warn you when there is a fire, and even call 911 for you. But while you definitely need smoke alarms, doesn’t it make sense to do a full evaluation of your premises and see what you can do to prevent that fire in the first place? Then, even if a fire does happen, there is a good chance the damage will be less than if you had done nothing at all. Even if you did just buy all the latest and greatest technology, how do you know you addressed the critical areas unless you did a full evaluation first?
The point is, why not spend your budget dollars wisely by making good data-driven decisions? A smart strategy means less complexity. Evaluate where you are, give yourself credit for what you already have in place, and spend dollars wisely on the areas that have little or no protection and/or areas that could use improvement. The fire department can provide you with a checklist or questionnaire pointing out things you should evaluate before you spend money, so you know what you really need (and what you don’t). Whereas a company that wants to sell you equipment can give you a hundred reasons why you should buy their product, even before they know whether you need it.
Security is similar. Evaluate where you are at today, draw out where you need to be tomorrow, and act on the differences — simple, smart, and cost-effective (not to mention a valuable budget justification).
CSA’s Questionnaire to Assess Cloud Compliance
Think of the Consensus Assessments Initiative Questionnaire (CAIQ) as fulfilling the same purpose as the fire risk questionnaire. It allows you to evaluate where you are today in meeting internationally accepted cloud-specific controls. The CAIQ is based upon the Cloud Controls Matrix (CCM) and provides a set of Yes/No questions a cloud consumer or cloud auditor may wish to ask of a cloud provider to ascertain their compliance with the Cloud Controls Matrix. It’s vendor-neutral, and some of the improvements may not even require technology, but if they do, you’ll be a smarter shopper.
As I mentioned above – simple, smart and cost-effective. Once you feel you are ready and have addressed any gaps, you can submit your CAIQ to the STAR Registry and join the other 600-plus cloud service providers that have chosen to post their completed questionnaire for not only their customers to see, but potential clients as well, increasing the level of transparency and trust. The great thing is, it is scalable, and you can build on that initial step by graduating to STAR Continuous. STAR Continuous improves upon that “point in time” or “point over a period of time” analysis by requiring that the CAIQ be updated every 30 days, increasing the level of assurance.
If you feel it is an advantage or requirement to go even further, again, you can progress to STAR Level 2 (third-party certification or attestation) and even Level 3 (continuous monitoring). See Figure 1.
Following are costs due to non-compliance, as per an independent survey conducted by Ponemon Institute on behalf of Globalscape:
These costs, as shown in this report, are 2.71 times the cost of compliance:
- Business disruption
- Productivity losses
- Revenue losses
- Fines, penalties and settlement costs
Evaluate if you are compliant.
If you are, give yourself credit, let the world know, and continue to improve and advance as applicable. If not, act on the differences, fill the gaps, then let the world know, continue to improve, and consider the other levels of STAR based on your business needs and compliance requirements.
John DiMaria is the Assurance Investigatory Fellow for the Cloud Security Alliance. He has 30 years of successful experience in standards and management system development, including information systems, business continuity, and quality. John was one of the innovators and co-founders of the CSA STAR program for cloud providers, a contributing author of the American Bar Association’s Cybersecurity Handbook, a working group member, and a key contributor to the NIST Cybersecurity Framework. He currently manages all facets of the CSA STAR Program, which includes security, privacy, continuous monitoring and development of new solutions.