How to Share the Security Responsibility Between the CSP and Customer

By Dr. Kai Chen, Chief Security Technology Officer, Consumer BG, Huawei Technologies Co. Ltd.

The behemoths of cloud service providers (CSPs) have released shared security responsibility related papers and articles, explaining their roles and responsibilities in cloud provisioning. Although they share similar concepts, in reality, there are different interpretations and implementations among CSPs.

While there are many cloud security standards to help guide CSPs in fulfilling their security responsibilities, the cloud customers still find it challenging to design, deploy, and operate a secure cloud service. “Guideline on Effectively Managing Security Service in the Cloud” (referred to as the ‘Guideline’) developed by CSA’s Cloud Security Services Management (CSSM) Working Group provides an easy-to-understand guidance for cloud customers. It covers how to design, deploy, and operate a secure cloud service for different cloud service models, namely IaaS, PaaS, and SaaS. Cloud customers can use it to help ensure the secure running of service systems.

In the Guideline, the shared security responsibility figure was developed with reference to Gartner’s shared security responsibility model[1]. It illustrates the security handoff points for IaaS, PaaS, and SaaS cloud models. The handoff point moves up the stack across the models.

[1] Staying Secure in the Cloud Is a Shared Responsibility, Gartner,
https://www.gartner.com/doc/3277620/staying-secure-cloud-shared-responsibility

Security responsibility division between CSPs and cloud customers in different cloud service models.

While there are differences in the security responsibility across the models, some responsibilities are common to all cloud service models:

CSPs’ Common Security Responsibilities

  • Physical security of the infrastructure, including but not limited to: equipment room location selection; power supply assurance; cooling facilities; protection against fire, water, shock, and theft; and surveillance (for details about the security requirements, see related standards)
  • Security of computing, storage, and network hardware
  • Security of basic networks, such as anti-distributed denial of service and firewalls
  • Cloud storage security, such as backup and recovery
  • Security of cloud infrastructure virtualization, such as tenant resource isolation and virtualization resource management
  • Tenant identity management and access control
  • Secure access to cloud resources by tenants
  • Security management, operational monitoring, and emergency response for the infrastructure
  • Formulating and rehearsing service continuity assurance plans and disaster recovery plans for infrastructure

Cloud Customers’ Common Security Responsibilities

  • User identity management and access control of service systems
  • Data security (under the European General Data Protection Regulation (GDPR) model, cloud customers control the data and are responsible for data security, while CSPs only process the data and take on the security responsibilities delegated to them by the data controllers.)
  • Security management and control of terminals that access cloud services, including hardware, software, application systems, and device rights

Besides that, the Guideline contains chapters that describe the technical requirements for the security assurance of cloud service systems and provides an implementation guide based on the existing security technologies, products, and services. It also illustrates security assurance technologies, products, and services that CSPs and customers should provide in different cloud service models as mentioned previously.

Security responsibilities between CSPs and cloud customers

Mapping of the Guideline with CCM

To help provide an overview to end users about the similarities and differences between the security recommendations listed in the Guideline and the Cloud Controls Matrix (CCM) controls, the CSSM working group conducted a mapping of CCM version 3.0.1 to the Guideline.

The Mapping of “Guideline on Effectively Managing Security Service in the Cloud” Security Recommendations to CCM was a one-way mapping, using the CCM as base, done in accordance with the Methodology for the Mapping of the Cloud Controls Matrix.

The mapping document is supplemented with a detailed gap analysis report that breaks down the gaps in each CCM domain and provides recommendations to readers.

“This mapping work brings users of the Guideline a step closer to being CCM compliant, beneficial to organizations looking to extrapolate existing security controls to match another framework, standard or best practice,” said Dr. Chen Kai, Chief Security Technology Officer, Consumer BG, Huawei Technologies Co. Ltd., and chair of the CSSM Working Group.

Users of the Guideline will be able to bridge lacking areas with ease based on the gap analysis. By understanding what it takes to go from the Guideline to CCM, the mapping work complements the Guideline to help users achieve holistic security controls.

Download the gap analysis report on mapping to the CSA’s Cloud Controls Matrix (CCM) now.

Learn more about the Cloud Services Management Working Group here.

CCM v3.0.1 Update for AICPA, NIST and FedRAMP Mappings

Victor Chin and Lefteris Skoutaris, Research Analysts, CSA

The CSA Cloud Controls Matrix (CCM) Working Group is glad to announce the new update to the CCM v3.0.1. This minor update incorporates mappings to AICPA TSC 2017, NIST 800-53 R4 Moderate and FedRAMP Moderate.

A total of four documents will be released. The updated CCM (CCM v3.0.1-03-08-2019) will be released to replace the outdated CCM v3.0.1-12-11-2017. Additionally, three addendums will be released for AICPA TSC 2017, NIST 800-53 R4 Moderate and FedRAMP moderate, separately. The addendums will contain gap analyses and also control mappings. We hope that organizations will find these documents helpful in bridging compliance gaps between the CCM, AICPA TSC 2017, FedRAMP and NIST 800-53 R4 Moderate.

With the release of this update the CCM Working Group will be concluding all CCM v3 work and refocusing our efforts on CCM v4.

The upgrade of CCM v3 to version 4 has become imperative because cloud security standards have evolved, the CCM controls need to be audited more efficiently, and the security requirements arising from newly introduced cloud technologies need to be integrated into the CCM.

In this context, a CCM task force has already been established to take on this challenge and drive CCM v4 development. The CCM v4 working group is made up of CSA community volunteers who are among the industry’s leading experts in cloud computing and security. This endeavor is supported and supervised by the CCM co-chairs and strategic advisors (https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix), who will ensure that the CCM v4 vision, requirements and development plan are successfully implemented.

Some of the core objectives that drive CCM v4 development include:

  • Improving the auditability of the controls
  • Providing additional implementation and assessment guidance to organizations
  • Improving interoperability and compatibility with other standards
  • Ensuring coverage of requirements deriving from new cloud technologies (e.g., microservices, containers) and emerging technologies (e.g., IoT)

CCM v4 development work is expected to be concluded by the end of 2020. Should you be interested in knowing more, or in participating and contributing to the development of CCM v4, please join the working group here: https://cloudsecurityalliance.org/research/join-working-group/.

CSA STAR – The Answer to Less Complexity, Higher Level of Compliance, Data Governance, Reduced Risk and More Cost-Effective Management of Your Security and Privacy System

By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance

STAR Registry: Security on the Cloud Verified

We just launched a major refresh of the CSA STAR (Security, Trust and Assurance Risk) program, and if you were at the CSA Summit at RSA, you got a preview of what’s in store. So let me put things in a bit more context regarding the evolution of STAR.

The more complex systems become, the less secure they become, even though security technologies improve. There are many reasons for this, but it can all be traced back to the problem of complexity. Why? Because we give a lot of attention to technology, and we have an increasing number of silos built around a plethora of regulations and standards. Therefore, we become fragmented and too complex.

The adversary works in the world of the stack, and that complexity is where they thrive.

Ron Ross, Senior Scientist and Fellow at NIST

Complex systems:

  • have more independent processes, and that creates more security risks.
  • have more interfaces and interactions, which create more security risks.
  • are harder to monitor and therefore are more likely to have untested, unaudited portions.
  • are harder to develop and implement securely.
  • are harder for employees and stakeholders to understand and be trained on.

By using a single system for the ongoing management of compliance, regulatory, legal, and information security obligations, overlapping requirements can be identified, efficiencies leveraged, and greater visibility and assurance provided to the organization.

CSA STAR: Built to Support

To respond to these growing business concerns, the Cloud Security Alliance (CSA) created the Cloud Control Matrix (CCM). Developed in conjunction with an international industry working group, it specifies common controls which are relevant for cloud security and is the foundation on which the three pillars of CSA STAR are built.

Following the same approach, we recently released the GDPR Code of Conduct (CoC). The GDPR CoC shows adherence to GDPR privacy requirements, streamlines contracting, accelerates sales cycles and, in conjunction with CSA STAR, provides assurance to the cloud customer of data privacy.

CSA STAR is being recognized as the international harmonized solution, leading the way of trust for cloud providers, users, and their stakeholders, by providing an integrated cost-effective solution that decreases complexity and increases trust and transparency while enabling organizations to secure their information, protect against cyber-threats, reduce risk, and strengthen their information governance. It creates trust and accountability in the cloud market with increasing levels of transparency and assurance. What’s more, it provides the solution to an increasingly complex and resource-demanding compliance landscape by providing technical standards, an integrated certification and attestation framework, and public registry of trusted data.

The STAR Registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions and also to manage their supply-chain. Additionally, it allows cloud service providers (CSPs) to benchmark themselves against like CSPs in their industry.

STARWatch can then be used for benchmarking and/or third-party risk management. STARWatch is a SaaS application to help organizations manage compliance with CSA STAR Registry requirements. STARWatch delivers the content of the CCM and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with CSA best practices.

While it is understood that ISO/IEC 27001, the international management systems standard for information security, and SOC 2 are both widely recognized and respected, their requirements are more generic. As such, there can be a perception that they do not focus on certain areas of security that are critical for particular sectors, such as cloud security, in enough detail.

By adopting STAR as an extension of your ISO/IEC 27001 or SOC 2 System, you’ll be sending a clear message to existing and potential customers that your security systems are robust and have addressed the specific issues critical to cloud security.

STAR Certification can boost customer and stakeholder confidence, enhance your corporate reputation, and give your business a competitive advantage.

Take the STAR Challenge

Take the first step in evaluating how your organization stacks up against the CCM. Fill out the self-assessment using the CAIQ and the CCM. You can then upload your information into the STAR Registry, taking credit for your compliance efforts.

Additionally, you can evaluate yourself against the GDPR Code of Conduct. Just fill out the self-assessment, which can then be uploaded to the STAR Registry along with your Statement of Adherence. Our team of experts will evaluate your submission and either respond with questions or approve your submission for posting. Again, you’ll be making a major statement about your compliance posture.

Once you have completed this step (or along the way) you can make decisions on whether there is a business case to move into Level 2 (certification and/or attestation).

Contact us to find out more about CSA STAR and the opportunities available for you to contribute and have a voice in this growing area of increasing trust and transparency in the cloud.

CCSK Success Stories: From the Financial Sector

By the CSA Education Team

This is the second part in a blog series on Cloud Security Training. Today we will be interviewing an infosecurity professional working in the financial sector. John C Checco is President Emeritus for the New York Metro InfraGard Members Alliance, as well as an Information Security professional providing subject matter expertise across various industries. John is also a part-time NYS Fire Instructor, a volunteer firefighter with special teams training in vehicular extrication and dive/ice rescue, an amateur novelist, and routinely donates blood in several adult hockey leagues.

Can you describe your role?

Currently I lead the “Security Innovation Evaluation Team” at a large financial firm where we forage and test emerging technology solutions that will build upon our security posture and fortify our resilience far into the future.

What got you into cloud security in the first place? What made you decide to earn your CCSK?

Whether you are in the automotive, engineering, medical, retail or the information security field, one needs to constantly stay abreast of emerging trends and hype – indeed, “cloud” was one of those emerging trends and hype combined which represented a logical transition from existing legacy infrastructures.

I am a lifelong learner; seeing the early explosion of “cloud providers” who really just wrapped an orchestration layer around virtualization rather than true holistic solutions, was the jumpstart I needed to understand how important the CCM (and CCSK) was.

The CCSK reflects both the operational knowledge of the CCM, as well as the strategic goals for the CSA. The CCM itself is a superset of many existing security control standards, which makes the CCSK all the more relevant to today’s security environment.

Can you elaborate on how the CCSK reflects the operational knowledge of the CCM? Why do you think this is important knowledge for infosec professionals to know?

The CCM builds upon existing NIST/ISO standards and produces new controls where existing controls cannot adequately cover the cloud paradigm. If one knows how to properly interpret and use the CCM standard, they most likely understand the non-cloud security standards as well. The CCSK represents knowledge assurance of the CCM at an operational level; and having a shared origin with the CCM, the CCSK can truly test proficiency in the spirit of the CCM as it was designed, not just its definitions.

How did you prepare for the CCSK exam?

I was an initial member of the NY Metro Chapter of the CSA and aware of the Cloud Controls Matrix. Although my employer was not explicitly referencing the CCM as a security standard, I was pulling from it as a security controls guidance for my employer’s projects.

If you could go back and take it again, how would you prepare differently?

As information security has become more complex and more splintered, simply studying definitions is no longer an effective method to have lasting knowledge. I would suggest two additional study techniques:

  • Understand the “WHY” of each control in the CCM: what was the originating problem statement, what is the scope of that problem statement, and was the control defined to resolve the problem or simply reduce the problem’s impact to a tolerable level? Once you have a good comprehension of the background, then there is no memorization needed … it becomes common sense to the learner.
  • Get DIRTY with some hands-on experience – whether it be an existing work project or reworking an old personal project. Taking an old project and redeploying it using newer technologies and security controls gives the learner unimaginable insight into why a control is written in a certain way. The advantage of using an existing project is that you can focus on the coding, deployment and security control aspects rather than features and requirements. I have revamped my personal “Resume Histogram” project originally written in 1990 as a dial-up BBS site → to a CGI website → to a RoR web application (hey, not every decision was a good one) → to a social media plugin → to a containerized web API.

Were there any specific topics on the exam that you found trickier than others?

I suspect that everyone will have a different topic of weakness. Legal aspects were my weakness, and from the plethora of recent changes in standards and regulations – PCI DSS3, NIST revisions, NYS DFS 500, GDPR and the myriad of local regulations – I suspect it is not going to get any easier.

What is your advice to people considering earning their CCSK?

I have four points of advice:

  1. Get real-life quality experience before you attempt a certification … doctors, nurses, architects and engineers are required to, so why not InfoSec professionals?
  2. Make a habit of learning something every day … knowledge gets stale, intelligence doesn’t.
  3. Avoid the shortcuts, like boot camps; it’s a crash diet of ignorance.
  4. Be humble, keep an open mind, and listen before you speak … things change, so what you knew was right today may be turned on its head tomorrow. Nobody should want to gain a reputation of being “CIA” (certified, ignorant and arrogant).

Lastly, what part of the material from the CCSK has been the most relevant in your work and why?

Ironically, my work over the years has made my weakest area – legal – also the most important and relevant one; especially when it comes to contracts with cloud providers for enterprise projects as well as vendors and managed service providers who run in the cloud.

Interested in earning your CCSK? Download our free CCSK prep-kit here.

Invest in your future with CCSK training

CCM Addenda Updates for Two Additional Standards

By the CSA CCM Working Group


Dear Colleagues,

We’re happy to announce the publication of the updated Cloud Controls Matrix (CCM) Addenda for the following standards:
— German Federal Office for Information Security (BSI) Cloud Computing Compliance Controls Catalogue (C5) 
ISO/IEC 27002, ISO/IEC 27017 and ISO/IEC 27018

These CCM addenda aim to help organizations assess and bridge compliance gaps between the CCM and other security frameworks.

The documents contain:

  • A controls mapping between the above-mentioned standards and the CCM (e.g., which control(s) in the CCM map to each given control in ISO 27017)
  • A gap analysis
  • Compensating controls (i.e. the actual “addendum”)

Additionally, the addendum for the German BSI C5 contains both mappings and reverse mappings.

The CSA and the CCM Working Group hope that organizations will find this document useful for their security compliance programs.

Best Regards,
CSA CCM Working Group

Weigh in on the Cloud Control Matrix Addenda

Dear Colleagues,

The Cloud Security Alliance would like to invite you to review and comment on the Cloud Control Matrix (CCM) addenda for the following standards:

  • German Federal Office for Information Security (BSI) Cloud Computing Compliance Controls Catalogue (C5). (Add your comments to CCM-C5.)
  • ISO/IEC 27002, ISO/IEC 27017 and ISO/IEC 27018. (Add your comments to CCM-ISO.)

These CCM addenda aim to help organizations assess and bridge compliance gaps between the CCM and other security frameworks. The documents contain:

  • a controls mapping between the above-mentioned standards and the CCM (e.g., which control(s) in the CCM map to each given control in ISO 27017),
  • a gap analysis, and
  • compensating controls (i.e. the actual “addendum”).

The CSA and the CCM Working Group hope that organizations will find this document useful for their security compliance programs.

To participate, please follow the links above to the review site. From there, you should be able to navigate to Google Sheets and provide your comments. Please do not provide editorial comments (i.e., grammar, formatting, etc.); focus instead on the content of the document.

The peer review ends on December 20, 2018. We appreciate your assistance and thank you in advance for your time and contributions.

Best Regards,
CSA Research Team

Cloud Security Alliance Releases Minor Update to CCM v3.0.1

By the CSA Research Team

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) Working Group has released a minor update for the CCM v3.0.1. This update incorporates mappings to IEC 62443-3-3 and the BSI Cloud Computing Compliance Controls Catalogue (C5).

The CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP, and it will augment or provide internal control direction for the service organization control report attestations provided by cloud providers.

As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. It strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

The CSA CCM Working Group would like to thank the following individuals for their contributions to this minor update:

Siemens

  • Claus Matzke
  • Kristian Beckers

CCM Working Group

  • Noel Haskins-Hafer
  • Kris Seeburn
  • Amita Radhakrishnan
  • Angela Dogan
  • Dibya Ranjan Nath
  • Hardeep Mehrotara
  • Jevon Wooden
  • Keith Stocks
  • Leena Singal
  • Loredana Mancini
  • Manjunath A.T.
  • Michael Roza
  • Reid Leake
  • Subrata Baguli
  • Umar Khan
  • Vamsi Kaipa

Please feel free to contact us at [email protected] if you have any queries regarding the update.

If you are interested in participating in future CCM Working Group activities, please feel free to sign up for the working group.

Methodology for the Mapping of the Cloud Controls Matrix

By Victor Chin, Research Analyst, Cloud Security Alliance

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and cloud customers seeking to assess the overall security risk of a cloud service. To reduce compliance fatigue in the cloud services industry, the CCM program also includes controls mappings to other key industry frameworks such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, National Institute of Standards and Technology (NIST) 800-53, and American Institute of Certified Public Accountants (AICPA) Trust Services Criteria (TSC).

Historically, these mappings come from two main sources: third-party organizations and CCM Working Group volunteers. Over time, processes to incorporate these mappings have evolved organically but were not formally documented.

The Methodology for the Mapping of the Cloud Controls Matrix document aims to formally document and enhance these processes. They include a controls mapping methodology, the identification of gaps between two frameworks, the creation of a mapping work package, naming references, and project management guidelines.

By documenting these processes, we aim to fulfill four primary functions:

  1. Provide clarity and transparency regarding the CSA CCM Working Group’s mapping approach, guidelines and naming conventions;
  2. Encourage process review and improvement suggestions by the CSA community;
  3. Yield a valuable reference for organizations—especially those seeking to benefit from and contribute to interoperable efforts by mapping their frameworks to the CCM; and
  4. Improve assessor criteria understanding and interpretation of all mapping processes through criteria mapping exercises.

Moving forward, we hope that this document will be a valuable reference to all key stakeholders in the CCM ecosystem, as well as contribute to the maturity of the CCM program.

The success of the CCM continues to be the result of the dedicated professionals within the CCM Working Group. This document would not have been possible without the expertise, focus, and collaboration of the following working group members:

  • Sean Cordero
  • Ai-Ping Foo
  • Kimberley Laris
  • Ahmed Maaloul
  • Michael Roza
  • Eric Tierling

Download the Methodology for the Mapping of the Cloud Controls Matrix.

Updated CCM Introduces Reverse Mappings, Gap Analysis

By Sean Cordero, VP of Cloud Strategy, Netskope

Since its introduction in 2010, the Cloud Security Alliance’s Cloud Control Matrix (CCM) has led the industry in the measurement of cloud service providers (CSPs). The CCM framework continues to deliver for CSPs and cloud consumers alike a uniform set of controls to measure the security readiness of a cloud-centric security program. It continues to be the industry standard used to measure, evaluate, and inform risk, information security, and audit professionals on the best practices for securing cloud services.

Consistent with the CSA’s commitment to driving greater trust, assurance, and accountability across the information risk and security industry, this latest expansion to the CCM incorporates the ISO/IEC 27017:2015, ISO/IEC 27018:2014, and ISO/IEC 27002:2013 controls, and introduces a new approach to the development of the CCM and an updated approach to incorporate new industry control standards.

Core to this release of the ISO 27017:2015, 27018:2014, and 27002:2013 reverse mappings and gap analysis were two additional goals defined by the CSA and the CCM Working Group:

  1. Improve the ease of operationalization and measurement for all new controls.
  2. Increase the flexibility for CSPs and cloud consumers adopting additional control frameworks while retaining alignment with the core CCM controls.

Improved ease of operational usage and measurement

The avoidance of overly prescriptive control statements has been central to the CCM’s control development philosophy. This approach was required to avoid duplication across other control frameworks and to avoid rework for security and audit professionals. While this approach is reflected in the language of the CCM, this intentional lack of specificity has made it, at times, challenging to fully integrate into architectural and validation efforts. To address this within the language for the newly developed controls two key changes were made—first, to the alignment of the core of the research team and second, to the method of delivery for new controls.

First, two working group sub-teams were created and a leader identified for each: one group specific to information risk management and the other for audit and control measurement. To ensure that both teams brought their collective expertise to bear across the entire revision, each team then collaborated on the review of the other team’s work product, which has led to the most comprehensive and well-defined release of the CCM to date.

The information security team was led by Ai Ping Foo. Her team focused on the identification and creation of new controls and mappings with a focus on ensuring the incorporation of these controls across security architectures.

The assurance team was led by Ahmed Maaloul, whose team drove the creation of the new controls and mappings with a focus on ensuring control clarity, ease of measurement, and reproducibility for audit and assurance professionals.

Improved flexibility and delivery for new controls

This latest release of the Cloud Controls Matrix introduces reverse mappings and gap analysis to the CCM program. We believe that this approach allows organizations to continue their alignment to the core CCM standard while giving the option of further expanding their controls without disruption to any STAR certification efforts underway or existing certifications.

As the CCM framework continues to mature we are confident it will give security, audit, and assurance professionals the most flexibility for control identification without compromising the existing CCM controls.

The CCM continues to define the standard for trust, assurance, and control for security, audit, and compliance analysts when conducting operations in the cloud. This latest release reflects the CSA’s and the CCM Working Group’s continued commitment towards ease of use, flexibility, and uniformity across the multiple disciplines which enable trusted cloud operations.

The success of the CCM continues to be the result of the dedicated professionals within the CCM Working Group. This latest release would not have been possible without the expertise, focus, and collaboration of the following working group members:

Security Team Leader: Ai Ping Foo

Assurance Team Leader: Ahmed Maaloul

CCM Working Group Volunteers:

  • Ai Ping Foo
  • Adnan Dakhwe
  • Ahmed Maaloul
  • Angela Dogan
  • Alejandro del Rio Betancourt
  • Bunmi Ogun
  • Chris Sellards
  • Chris Shull
  • Eric Tierling
  • Josep Bardallo
  • Kazuki Yonezawa
  • Kelvin Arcelay
  • Madhav Chablani
  • Masashiro Morozumi
  • Mariela Rengel
  • Mohin Gulzar
  • Muswagha Katya
  • Noutcha Gilles
  • Puneet Thapliyal
  • Shahid Sharif
  • Saraj Mohammed
  • M. Reid Leake
  • William Butler

Download the latest version of the CSA Cloud Control Matrix.

Sean Cordero has over 18 years of experience in IT and Information Risk Management. He has held senior security executive roles at leading bio-technology, financial, retail, and consulting organizations. Cordero is the Chair of the CSA’s Cloud Control Matrix Working Group and serves as the Co-Chair of the CSA’s Consensus Assessments Initiative Questionnaire. Cordero was honored by the CSA with the Ron Knode Service Award in 2013 and inducted as a CSA Research Fellow in 2016. Cordero is a certified CISSP, CISM, CISA and CRISC.

You can Benefit from the Cloud: Choose based on Class of Service

In my last blog, I had promised a deeper dive into Choosing a Cloud provider based on Class of Service.

It is a very timely topic. In one of very many recent articles on cloud security, “Avoiding cloud security pitfalls,” Telstra enterprise and infrastructure services IT director Lalitha Biddulph advises: “A lot of cloud services are proprietary and once you move your data in there, you may have given away your right to shift data by choosing to use a particular service.”

Without a doubt this is an area of risk to be balanced when deciding which key vendors to use across SaaS, PaaS and IaaS public cloud models. It is also an area of opportunity: organizations can draw up distinct SLAs around their rights to their data and ensure that those SLAs are properly drawn up, communicated and agreed to by all parties before any data is moved across.

Over the last couple of years we have seen remarkable strides forward with cloud providers becoming much more diligent in not only improving levels of security for hosted email, customer relationship management and vertically-focused applications, but also with IaaS providers becoming much more flexible in conditions around SLAs and reporting.

I continue to feel greatly encouraged by the work that the Cloud Security Alliance is doing and it is why I invest my time in their activities. I believe that they have the power with their wealth of resource and broad industry participation to continue to educate the industry and move us forward with ideal frameworks based on consensus.

While I think caution should be urged, and organizations should be in no doubt about the risks their data can be exposed to in cloud models, this should also be balanced against the economic advantages. Added to that, cloud models have matured for the types of services I have mentioned above and others; that too should be taken into consideration, along with a robust set of security controls.

Additionally, for more news and discussions, head over to @SecDatacenter or Secure Data Center Trends.

Evelyn de Souza Bio
Evelyn is a senior data center and cloud security strategist for the Security Technology Group at Cisco, responsible for championing holistic and next-generation security solutions. She is a strong proponent of building automated, repeatable processes that enable organizations to sustain compliance while optimizing security posture and reducing costs. To this end, in her previous role she pioneered the development of such tools as the McAfee Compliance Mapping Matrix, which cross-maps various regulations, standards, and frameworks to e solutions, and the McAfee PCI Mapping Tool. She currently co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM) and is focused on harmonizing efforts across industry initiatives such as the Open Data Center Alliance (ODCA). Evelyn is a dedicated security professional with more than 12 years in the IT security industry. She enjoys engaging with industry analysts, customers, and partners to discuss industry trends and how security solutions can best be implemented to meet the needs of next-generation datacenters. She holds a Bachelor of Arts degree with honors in music from Monash University, Melbourne, Australia. She can also be found on Twitter at: e_desouza

Why the Cloud Cannot be treated as a One-size-fits-all when it comes to Security

Despite the fact that cloud providers have long since differentiated themselves with very distinct offerings based on cloud platform type, I often see the cloud written about as though it were a single, uniform service. The problem with that is that, while there are commonalities, it is downright misleading, especially as so much is misunderstood about what is required to secure cloud-based services and the risks involved. Today there are three classes of service: Software as a Service (SaaS), where the provider hosts software-based services and the consumer accesses them via a web interface; Platform as a Service (PaaS), which developers mostly use to develop software-based offerings; and Infrastructure as a Service (IaaS), where consumers can “rent” infrastructure to host their own services.

When I speak with customers I recommend they consider cloud offerings in the light of the classes of service they need, the types of data they will need to expose, their regulatory compliance needs, and the reputation and flexibility of the service providers they are looking to leverage, because even within the classes of service I mentioned above there are distinct variances.

Choosing a cloud provider based on class of service

Over the last five years in particular, the industry has benefited from broad-based adoption of SaaS, particularly for customer relationship management, payroll and document collaboration, to name a few. But cloud providers in this space range from established players with robust, well-documented data handling and hygiene practices to emerging players. The same goes for PaaS and IaaS. Over the last couple of years some IaaS providers have developed tailored offerings to suit particular verticals such as government, retail and healthcare. Today, the industry is still very much lacking standard definitions and templates for SLAs. And with each class of service come different security requirements too, ranging from SaaS, where the consumer has no ability to push security controls down into the provider’s environment, to IaaS, where typically the consumer is responsible for securing the virtual machines they “rent” from a provider. This is where leveraging the freely available resources of the Cloud Security Alliance Security, Trust and Assurance Registry (STAR), an initiative that encourages transparency of security practices among cloud providers, is incredibly valuable.

Data Security According to Data Type

Data, too, is not created equal. Consumers of different cloud services need to consider the data they entrust to a SaaS provider in terms of its sensitivity level as well as the exposure that may result from a potential data breach. The concern may be a little different with IaaS, where a consumer potentially has the opportunity to add more safeguards such as encryption, file monitoring and other security controls at the virtual machine level that may help mitigate some of the risks. I have seen some excellent security implementations in the vertical stack models that some IaaS providers have developed for government, retail and healthcare, now expanding to more verticals. However, there are issues such as data residency, data handling, and monitoring at the network and overall host level that still need to be considered and carefully thought out.

Regulatory Compliance Needs

Some years back the security industry had been focused on the idea of audit and compliance fatigue: the idea that many enterprises today can be dealing with in excess of fifty mandates, depending on whom they do business with and their geographic span, and with the often manual collection of audit data that goes with them. Since then there has been some automation of IT audit practices, but it still remains a time-consuming practice for most organizations. There are over 4000 mandates today, which the Unified Compliance Framework has done an amazing job of tracking and cross-mapping for many years, and, as always, more government and data privacy mandates are in the works. The Cloud Security Alliance Cloud Controls Matrix also cross-walks several standards, but further categorizes controls according to platform, recognizing that different models require different controls. It is ideal for those looking to learn how to evolve their controls to map to different models and who want to avoid the audit fatigue syndrome through the concept of “audit once, report many times”.

Over the next few weeks I will drill down into each of the above areas. In the meantime, if you have any questions or wish to discuss any of the above further, please contact me at [email protected]


CSA Releases CCM v 3.0

The Cloud Security Alliance (CSA) today has released a draft of the latest version of the Cloud Control Matrix, CCM v3.0. This latest revision to the industry standard for cloud computing security controls realigns the CCM control domains to achieve tighter integration with the CSA’s “Security Guidance for Critical Areas of Focus in Cloud Computing version 3” and introduces three new control domains. Beginning February 25, 2013, the draft version of CCM v3.0 will be made available for peer review through the CSA Interact website, with the peer review period closing March 27, 2013, and the final release of CCM v3.0 on April 1, 2013.

The three new control domains, “Mobile Security”, “Supply Chain Management, Transparency and Accountability”, and “Interoperability & Portability”, address the rapidly expanding methods by which cloud data is accessed, the need to ensure that due care is taken in the cloud provider’s supply chain, and the minimization of service disruptions in the face of a change to a cloud provider relationship.

The “Mobile Security” controls are built upon the CSA’s “Security Guidance for Critical Areas of Mobile Computing, v1.0” and are the first mobile-device-specific controls incorporated into the Cloud Control Matrix.

The “Supply Chain Management, Transparency and Accountability” control domain seeks to address risks associated with governing data within the cloud, while the “Interoperability & Portability” domain brings to the forefront considerations to minimize service disruptions in the face of a change in a cloud vendor relationship or an expansion of services.

The realigned control domains have also benefited from changes in language to improve the clarity and intent of each control and, in some cases, from realignment within the expanded control domains to ensure cohesiveness within each domain and minimize overlap.

The draft of the Cloud Control Matrix can be downloaded from the Cloud Security Alliance website and the CSA welcomes peer review through the CSA Interact website.

The CSA invites all interested parties to participate in the peer review and in the CSA Cloud Controls Matrix Working Group Meeting to be held during the week of the RSA Conference, at 4pm PT on February 28, 2013, at the Sir Francis Drake Hotel, Franciscan Room, 450 Powell St, San Francisco, CA.