OneTrust and Cloud Security Alliance Partner to Launch Free Vendor Risk Tool for CSA Members

By Gabrielle Ferree, Public Relations and Marketing Manager, OneTrust

OneTrust is excited to announce that we have partnered with Cloud Security Alliance to launch a free Vendor Risk Management (VRM) tool.

The tool, available to CSA members today, automates the vendor risk lifecycle for compliance with the GDPR, CCPA and other global privacy frameworks.

Get started today with the CSA-OneTrust VRM tool.

As the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, CSA has 90,000 individual members, 80 chapters globally and 400 corporate members. CSA members can access the VRM tool today and automate vendor risk management at no cost.


The CSA-OneTrust VRM tool is pre-populated with templates reproducing the CSA’s best practices for cloud security and privacy assurance and compliance, including the Cloud Controls Matrix (CCM), the Consensus Assessments Initiative Questionnaire (CAIQ) and GDPR Code of Conduct. Privacy and security teams can also build upon existing templates or create custom vendor assessments based on their business-specific needs.

The CSA-OneTrust VRM tool automates the entire vendor management lifecycle, including:

  • onboarding and offboarding vendors
  • triaging vendors
  • populating vendor information and monitoring the vendor risk lifecycle
  • maintaining records for accountability and compliance purposes.

The tool is powered by Vendorpedia™ by OneTrust, a database of privacy and security details of more than 4,000 vendors that automatically populates vendor assessments based on the most up-to-date vendor information.

Our goal is to provide privacy and security professionals the power to automate and simplify what can be an overwhelming task of managing and monitoring vendor risk. We’re proud to work alongside leaders in the industry like CSA and look forward to providing vendor risk assessment and compliance automation for its more than 90,000 members.

To learn more, read our press release. For additional news and updates visit our LinkedIn, Twitter and Facebook.

Get started with the CSA-OneTrust VRM tool or request a demo today.

PCI Compliance for Cloud Environments: Tackle FIM and Other Requirements with a Host-Based Approach

By Patrick Flanders, Director of Marketing, Lacework

Compliance frameworks and security standards are necessary, but they can be a burden on IT and security teams. They provide structure, process, and management guidelines that enable businesses to serve customers and interoperate with other organizations, all according to accepted guidelines that facilitate a better experience for end users.

Yet, when their IT environment is the cloud, there is the additional challenge of trying to maintain the fairly static state of compliance in an environment where change is continuous. Every configuration change, addition of new users, or transaction between data sources, even a seemingly minor one, can have hidden implications that, when discovered, render the organization non-compliant.

The Payment Card Industry Data Security Standard (PCI DSS) is an industry standard intended to protect credit, debit, and cash card owners against theft of their personally identifiable information (PII), and to equip companies with best-practice guidelines to secure payment processes and supporting IT systems. Originally established as a collaborative effort by American Express, Discover, MasterCard, Visa, and JCB, the standard was intended to promote credit card activity for e-commerce.

Play it safe with PCI

PCI is intended to keep all those transactions safe, but with more money exchanging digital hands, there are more endpoints that PII and financial data touch. At the same time, more financial organizations are moving critical workloads to the cloud, which means they’re managing more change in the name of agility.

Many turn to open source tools to give them PCI monitoring. These tools are intended to provide high-level file integrity monitoring, but they are only a surface layer. Data transacting inside the cloud environment, and activity moving outside of it, can be targeted by hackers because these tools don’t target inconsistencies in configurations, and they’re not able to scale to the demands of cloud workloads. Their focus is the network and they aren’t equipped to look at anything else in the cloud stack. Yet, without insight at a level where one can identify and evaluate every cloud action, there can be no true understanding of what is at risk or to what degree the organization is out of compliance, and no ability to pinpoint where the problem is so it can be fixed.

Many IT groups piece together open source FIM tools along with legacy security tools like SIEMs and network-based detection systems. In an earlier era when there were fewer endpoints and control governance could be extended to the firewall, this was adequate. But financial organizations are now extending payment options through mobile apps and even IoT devices; the number of endpoints and potential holes in the system can grow exponentially.

This concept of monitoring and analyzing activity at every layer of the cloud stack maps to what’s necessary for today’s workloads and IT environments. Intrusion detection monitoring certainly is still necessary at the network layer, but it’s what’s happening with cardholder data as it travels through to different apps and repositories that can be complicated and hard to identify. Using a host-based system for monitoring network traffic throughout the infrastructure of the organization is mandatory because it’s functioning at the depth of configuration, access, and asset change levels.

Out of compliance, out of business

Being PCI-compliant is a necessity for any organization that facilitates e-commerce transactions with credit or debit cards. If ever there was a growth industry, it is online shopping. In 2017, e-commerce represented just 13% of all total retail sales, but 49% of all retail growth. Consumers made $454 billion worth of online purchases last year, and online sales grew 16% from the previous year. The consequences, therefore, of being out of compliance are huge – at best, fines and remediation will get you back in business. But if you really don’t have control over the activity within your cloud, you are liable to attacks and compliance issues that could eradicate customer trust, or altogether put you out of business.

To be effective at validating PCI compliance, it’s best to use an approach that analyzes cloud activity against normalized behavior to identify the status of all PCI controls. Awareness of every event and every endpoint, and automatic identification of anomalies, is critical to ensuring you are prepared with an effective PCI compliance framework.

Towards a “Permanent Certified Cloud”: Monitoring Compliance in the Cloud with CTP 3.0

Cloud services can be monitored for system performance but can they also be monitored for compliance? That’s one of the main questions that the Cloud Trust Protocol aims to address in 2013.

Compliance and transparency go hand in hand.

The Cloud Trust Protocol (CTP) is designed to allow cloud customers to query cloud providers in real-time about the security level of their service. This is measured by evaluating “security attributes” such as availability, elasticity, confidentiality, location of processing or incident management performance, just to name a few examples. To achieve this, CTP will provide two complementary features:

  • First, CTP can be used to automatically retrieve information about the security offering of cloud providers, as typically represented by an SLA.
  • Second, CTP is designed as a mechanism to report the current level of security actually measured in the cloud, enabling customers to be alerted about specific security events.

These features will help cloud customers compare competing cloud offerings to discover which ones provide the level of security, transparency and monitoring capabilities that best match the control objectives supporting their compliance requirements. Additionally, once a cloud service has been selected, the cloud customer will also be able to compare what the cloud provider offered with what was later actually delivered.

For example, a cloud customer might decide to implement a control objective related to incident management through a procedure that requires some security events to be reported back to a specific team within a well-defined time-frame. This customer could then use CTP to ask the maximum delay the cloud provider commits to for reporting incidents to customers during business hours. The same cloud customer may also ask for the percentage of incidents that were actually reported back to customers within that specific time-limit during the preceding two-month period. The first example is typical of an SLA while the second one describes the real measured value of a security attribute.

CTP is thus designed to promote transparency and accountability, enabling cloud customers to make informed decisions about the use of cloud services, as a complement to the other components of the GRC stack. Real-time compliance monitoring should encourage more businesses to move to the cloud by putting more control in their hands.

From CTP 2.0 to CTP 3.0

CTP 2.0 was born in 2010 as an ambitious framework designed by our partner CSC to provide a tool for cloud customers to “ask for and receive information about the elements of transparency as applied to cloud service providers”. CSA research has begun the task of transforming this original framework into a practical and implementable protocol, referred to as CTP 3.0.

We are moving fast and the first results are already ready for review. On January 15th, CSA completed a first review version of the data model and a RESTful API to support the exchange of information between cloud customers and cloud providers, in a way that is independent of any cloud deployment model (IaaS, PaaS or SaaS). This is now going through the CSA peer review process.

Additionally, a preliminary set of reference security attributes is also undergoing peer review. These attributes are an attempt to describe and standardize the diverse approaches taken by cloud providers to express the security features reported by CTP. For example, we have identified more than five different ways of measuring availability. Our aim is to make explicit the exact meaning of the metrics used. For example, what does unavailability really mean for a given provider? Is their system considered unavailable if a given percentage of users reports complete loss of service? Is it considered unavailable according to the results of some automated test to determine system health?
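The two kinds of CTP query described above, the SLA-style commitment versus the measured value of the incident-reporting attribute, and availability measured under two different definitions, as an added example that is not part of the CTP 3.0 data model or any CSA code. The incident data, the monitoring samples, the business-hours definition, the one-hour committed delay and the user-report threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from CSA or any provider): each incident is
# (time the provider detected it, time it notified customers), ISO 8601.
INCIDENTS = [
    ("2012-12-20T10:00", "2012-12-20T10:10"),  # before the period: ignored
    ("2013-01-03T09:15", "2013-01-03T10:05"),  # Thu, reported after 50 min
    ("2013-01-08T14:00", "2013-01-08T17:30"),  # Tue, reported after 3.5 h
    ("2013-01-21T11:40", "2013-01-21T12:10"),  # Mon, reported after 30 min
    ("2013-02-02T08:00", "2013-02-02T16:00"),  # Sat, outside business hours
    ("2013-02-19T15:30", "2013-02-19T16:00"),  # Tue, reported after 30 min
]
COMMITTED_MAX_DELAY = timedelta(hours=1)  # hypothetical SLA-style commitment

def in_business_hours(t):
    """Assumed definition: Monday to Friday, 09:00 to 18:00."""
    return t.weekday() < 5 and 9 <= t.hour < 18

def pct_reported_within(incidents, max_delay, period_start, period_end):
    """Measured attribute: percentage of business-hours incidents detected in
    [period_start, period_end) that were reported to customers within max_delay."""
    start, end = map(datetime.fromisoformat, (period_start, period_end))
    considered = hit = 0
    for detected, reported in incidents:
        d = datetime.fromisoformat(detected)
        if not (start <= d < end and in_business_hours(d)):
            continue
        considered += 1
        hit += datetime.fromisoformat(reported) - d <= max_delay
    return 100.0 * hit / considered if considered else None

# Constructed monitoring samples for ten equal time slots: (automated health
# probe passed?, share of users reporting complete loss of service).
SAMPLES = [(True, 0.0), (True, 0.0), (False, 0.02), (False, 0.60), (True, 0.55),
           (True, 0.10), (True, 0.0), (False, 0.0), (True, 0.0), (True, 0.0)]

def availability_by_probe(samples):
    """Definition 1: a slot counts as available when the health probe passed."""
    return 100.0 * sum(ok for ok, _ in samples) / len(samples)

def availability_by_user_reports(samples, loss_threshold):
    """Definition 2: a slot counts as unavailable when at least loss_threshold
    of users report complete loss of service, whatever the probe said."""
    return 100.0 * sum(loss < loss_threshold for _, loss in samples) / len(samples)

if __name__ == "__main__":
    print(pct_reported_within(INCIDENTS, COMMITTED_MAX_DELAY, "2013-01-01", "2013-03-01"))  # 75.0
    print(availability_by_probe(SAMPLES))              # 70.0
    print(availability_by_user_reports(SAMPLES, 0.5))  # 80.0
```

The same ten samples yield 70% availability under the probe definition and 80% under the user-report definition, which is why a CTP attribute has to state which definition a provider's figure uses before two providers' numbers can be compared.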

Alongside all this theory, we are also planning to get our hands dirty and build a working prototype implementation of CTP 3.0 in the second half of 2013.

Challenges and research initiatives

While CTP 3.0 may offer a novel approach to compliance and accountability in the cloud, it also creates interesting challenges.

To start with, providing metrics for some security attributes or control measures can be tricky. For example, evaluating the quality of vulnerability assessments performed on an information system is not trivial if we want results to be comparable across cloud providers. Other examples are data location and retention, which are both equally complex to monitor, because of the difficulty of providing supporting evidence.

As a continuous monitoring tool, CTP 3.0 is a nice complement to traditional audit and certification mechanisms, which typically only assess compliance at a specific point in time. In theory, this combination brings up the exciting possibility of a “permanently certified cloud”, where a certification could be extended in time through automated monitoring. In practice however, making this approach “bullet-proof” requires a strong level of trust in the monitoring infrastructure.

As an opportunity to investigate these points and several other related questions, CSA has recently joined two ambitious European Research projects: A4Cloud and CUMULUS. A4Cloud will produce an accountability framework for the entire cloud supply chain, by combining risk analysis, creative policy enforcement mechanisms and monitoring. CUMULUS aims to provide novel cloud certification tools by combining hybrid, incremental and multi-layer security certification mechanisms, relying on service testing, monitoring data and trusted computing proofs.

We hope to bring back plenty of new ideas for CTP!

Help us make compliance monitoring a reality!

A first draft of the “CTP 3.0 Data Model and API” is currently undergoing expert review and will then be opened to public review. If you would like to provide your expert feedback, please do get in touch!

by Alain Pannetrat

Dr. Alain Pannetrat is a Senior Researcher at Cloud Security Alliance EMEA. He works on CSA’s Cloud Trust Protocol, providing monitoring mechanisms for cloud services, as well as on CSA research contributions to EU-funded projects such as A4Cloud and CUMULUS. He is a security and privacy expert, specialized in cryptography and cloud computing. He previously worked as an IT Specialist for the CNIL, the French data protection authority, and was an active member of the Technology Subgroup of the Article 29 Working Party, which informs European policy on data protection. He received a PhD in Computer Science after conducting research at Institut Eurecom on novel cryptographic protocols for IP multicast security.