Continuous Auditing – STAR Continuous – Increasing Trust and Integrity

By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance

As a SixSigma Black Belt I was brought up over the years with the philosophy of continual monitoring and improvement, moving from a reactive state to a preventive state. Actually, I wrote a white paper a couple of years ago on how SixSigma is applied to security.

The basic premise is it emphasizes early detection and prevention of problems, rather than the correction of problems after they have occurred. It eliminates the point in time “inspection” by deploying continuous monitoring and auditing. This approach basically saved the automotive industry back in the 1980s.

This age-old and proven process is the best way I can describe what CSA has done with the launch of another step in the direction of increasing transparency and assurance … continuous auditing.

Continuous auditing focuses on testing for the occurrence of a risk and the on-going effectiveness of a control. A framework and detailed procedures, along with technology, are key to enabling such an approach. Continuous auditing offers an enhanced way to understand risks and controls and improve on sampling from periodic reviews to ongoing testing.

STAR Continuous is a component of the CSA STAR Program that gives cloud service providers (CSP) the opportunity to integrate their approach to cloud security compliance and certification with additional capabilities to validate their security posture on an ongoing basis. Continuous auditing empowers an organization to make precise statements on the compliance status at any time over the whole time span in which the continuous audit process is executed, achieving an “always up-to-date” compliance status by increasing the frequency of the auditing process. 

Continuous auditing is not intended to replace traditional auditing, but rather is to be used as a tool to enhance audit effectiveness and increase transparency to stakeholders and interested parties.

STAR Continuous contains three models for continuous monitoring. Each of the three models provides a different level of assurance by covering requirements of continuous auditing with various levels of scrutiny. The three models are defined as:

1. Continuous self-assessment
2. Extended certification with continuous self-assessment
3. Continuous certification

chart showing levels of auditing

Essentially, the proposed framework starts from a simple process of the timely submission of self- assessment compliance reports and moves up to a continuous certification of the fulfillment of control objectives.

How does it help you as a cloud service provider?

• Provides top management with greater visibility, so that they can evaluate the effectiveness of their management system in real-time in relation to expectations of internal, regulatory and the cloud security industry standards;

• Implements an audit that is designed to reflect how your organization’s objectives are aimed at optimizing the cloud services;

• Demonstrates progress and performance levels that go beyond the traditional “point in time” scenario; and

• For customers of cloud service providers, STAR Continuous will provide a greater understanding of the level of controls that are in place and their effectiveness.

CSA is committed to helping customers have a deeper understanding of their security postures. Since the STAR Registry was launched in 2011 as the first step in improving transparency and assurance in the cloud, it has evolved into a program that encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.

CSA STAR is being recognized as the international harmonized solution leading the way of trust for cloud providers, users and their stakeholders by providing an integrated, cost-effective solution that decreases complexity and increases assurance and transparency. It simultaneously enables organizations to secure their information, protect themselves from cyber-threats, reduce risk and strengthen their information governance and privacy platform.

Want to find out more? Contact us at [email protected]

Webinar: The Ever Changing Paradigm of Trust in the Cloud

By CSA Staff

abstract line connection on night city background implying cloud computing

The CSA closed its 10th annual Summit at RSA on Monday, and the consensus was that the cloud has come to dominate the technology landscape and revolutionize the market, creating a tectonic shift in accepted practice.

The advent of the cloud has been a huge advancement in technology. Today’s need for flexible access has led to an increase in business demand for cloud computing, bringing with it increased security and privacy concerns. How organizations evaluate Cloud Service Providers (CSPs) has become key to providing increased levels of assurance and transparency.

On Thursday, March 14 at 2 pm ET, John DiMaria, Cloud Security Alliance’s Assurance Investigatory Fellow and one of the key innovators in the evolution of CSA STAR, will share his insight on the:

  • current global landscape of cloud computing,
  • ongoing concerns regarding the cloud, and the
  • evolution of efforts to answer to the demand for higher transparency and assurance.

Join John DiMaria as he reviews the efforts being led by CSA to answer this call. You’ll walk away with a deeper understanding of how these efforts are aimed at helping organizations optimize processes, reduce costs, and decrease risk while simultaneously meeting the continuing rigorous international demands on cloud services allowing for the highest level of assurance and transparency.

Register today.

CSA Summit Recap Part 1: Enterprise Perspective

By Elisa Morrison, Marketing Intern, Cloud Security Alliance

CSA’s 10th anniversary, coupled with the bestowal of the Decade of Excellence Awards gave a sense of accomplishment to this Summit that bodes well yet also challenges the CSA community to continue its pursuit of excellence.

The common theme was the ‘Journey to the Cloud’ and emphasized how organizations can not only go faster but also reduce costs during this journey. The Summit this year also touched on the future of privacy, disruptive technologies, and introduced CSA’s newest initiatives in Blockchain, IoT and the launch of the STAR Continuous auditing program. Part 1 of this CSA Summit Recap highlights sessions from the Summit geared toward the enterprise perspective.

Securing Your IT Transformation to the Cloud – Jay Chaudhry, Bob Varnadoe, and Tom Filip

Slide: Network security is becoming irrelevant

Every CEO wants to embrace cloud but how to do it securely? To answer this question this trio looked at the journeys other companies such as Kellogg and NRC took to the cloud. In Kellogg’s case they found that when it comes to your transformation the VMs of single-tenant won’t cut it. They also brought to light the question of  the ineffectiveness of services such as hybrid security. Why pay the tax for services not used?

For NCR, major themes were how to streamline connectivity and access to cloud service. The big question was how do end users access NCR data in a secure environment? They found that applications and network must be decoupled. And, while more traffic on the cloud is encrypted, it offers another way for malicious users to get in. Their solution was to use proxy and firewalls for inspection of traffic.

The Future of Privacy: Futile or Pretty Good? – Jon Callas

ACLU technology fellow Jon Callas brought to light the false dichotomy we see when discussing privacy. It is easy to be nihilistic about privacy, but positives are out there as well.

There is movement in the right direction that we can already see, examples include: GDPR, California Privacy Law, Illinois Biometric Privacy Law, and the Carpenter, Riley, and Oakland Magistrate decisions. There has also been a precedent set for laws with more privacy toward consumers. For organizations, privacy has also become the focus of competition and companies such as Apple, Google, and Microsoft all compete on privacy. Protocols such as TLS and DNS are also becoming a reality. Other positive trends include default encryption and that disasters are documented, reported on, and a concern.

Unfortunately, there has also been movement in the wrong direction. There is a balancing act between the design for security versus design for surveillance. The surveillance economy is increasing, and too many platforms and devices are now collecting data and selling it. Lastly, government arrogance and the overreach to legislate surveillance over security is an issue.

All in all, Callas summarized that the future is neither futile nor pretty good and it’s necessary to balance both moving forward.

From GDPR to California Privacy – Kevin Kiley

Slide: Steps to better vendor risk management

This session touched on third-party breaches, regulatory liability, the need for strong data processing paramount to scope and how to comply with GDPR and CCPA. Kiley identified a need for a holistic approach with more detailed vendor vetting requirements. He outlined five areas organizations should improve to better their vendor risk management.

  1. Onboarding. Who’s doing the work for procurement, privacy, or security?
  2. Populating & Triaging. Leverage templated vendor evaluation assessments and populate with granular details.
  3. Documentation and demonstration
  4. Monitoring vendors
  5. Offboarding

Building an Award-Winning Cloud Security Program – Pete Chronis and Keith Anderson

This session covered key lessons learned along the way as Turner built its award-winning cloud security program. One of the constant challenges Turner faced was the battle between the speed to market over security program. To improve their program, Turner enacted continuance compliance measurement by using open source for cloud plane assessment. They also ensured each user attestation was signed by both the executive and technical support. For accounts, they implemented intrusion prevention, detection, and security monitoring. They learned to define what good looks like, while also developing lexicon and definitions for security. It was emphasized that organizations should always be iterating from new > good > better. Lastly, when building your cloud security program they emphasized that not all things need to be secured the same and not all data needs the same level of security.

Case Study: Behind the Scenes of MGM Resorts’ Digital Transformation – Rajiv Gupta and Scott Howitt

MGM’s global user base meant they wanted to expand functions to guest services, check-in volume management and find a way of bringing new sites online faster. To accomplish this, MGM embarked on a cloud journey. Their journey was broken into business requirements (innovation velocity and M&A agility) along with necessary security requirements (dealing with sensitive data, the need to enable employees to move faster, and the ability to deploy a security platform).

Slide: Where is your sensitive data in the cloud?

As they described MGM’s digital transformation the question was raised, where is sensitive data stored in the cloud? An emerging issue that continues to come up is API management. Eighty-seven percent of companies permit employees to use unmanaged devices to access business apps, and the BYOD policy is often left unmanaged or unenforced. In addition, MGM found that on average number 14 misconfigured IaaS services are running at a given time in an average organization, and the average organization has 1527 DLP incidents in PaaS/IaaS in a month.

To address these challenges, organizations need to consider the relations between devices, network and the cloud. The session ended with three main points to keep in mind during your organization’s cloud journey. 1) Focus on your data. 2) Apply controls pertinent to your data. 3) Take a platform approach to your cloud security needs.

Taking Control of IoT – Hillary Baron

image of IoT connected devices overlayed on a cityscape

There is a gap in the security controls framework for IoT. With the landscape changing at a rapid pace and over 2020 billion IoT devices, the need is great. Added to that is the fact that IoT manufacturers typically do not build security into devices; hence the need for the security controls framework. You can learn more about the framework and its accompanying guidebook covered in this session here.

Panel – The Approaching Decade of Disruptive Technologies

While buzzwords can mean different things to different organizations, organizations should still implement processes among new and emerging technologies such as AI, Machine Learning, and Blockchain, and be conscious of what is implemented.

This session spent a lot of its time examining Zero Trust. The perimeter is in different locations for security, and it is challenging looking for the best place to establish the security perimeter. It can no longer be a fixed point, but must flex with the mobility of users, e.g. mobile phones require very flexible boundaries. Zero Trust can help address these issues, it’s BYOD-friendly. There are still challenges, but  Web Authentication helps as a standard for Zero Trust.

Cloud has revolutionized security in the past decade. With cloud, you inherit security and with it the idea of a simple system has gone out the window. One of the key questions that was asked was “Why are we not learning the security lessons from the cloud?” The answer? Because the number of developers grows exponentially among new technology.  

The key takeaway: Don’t assume your industry is different. Realize that others have faced these threats and have come up with successful treatment methodologies when approaching disruptive technologies.

CISO Guide to Surviving an Enterprise Cloud Journey – Andy Kirkland, Starbucks

Five years ago, the Director of  Information and Security for Starbucks, Andy Kirkland, recommended not going to the cloud for cautionary purposes. Since then, Starbucks migrated to the cloud and learned a lot on the way. Below is an outline of Starbucks’ survival tips for organizations wanting to survive a cloud journey:

  • Establish workload definitions to understand criteria
  • Utilize standardized controls across the enterprise
  • Provide security training for the technologist
  • Have a security incident triage tailored to your cloud provider
  • Establish visibility into cloud security control effectiveness
  • Define the security champion process to allow for security to scale

PANEL – CISO Counterpoint

In this keynote panel, leading CISOs discussed their cloud adoption experiences for enterprise applications. Jerry Archer, CSO for Sallie Mae, described their cloud adoption journey as “nibbling our way to success.” They started by putting things into the cloud that were small. By keeping up constant conversations with regulators, there were no surprises during the migration to the cloud. Now, they don’t have any physical supplies remaining. Other takeaways were that in 2019 containers have evolved and we now see: ember security, arbitrage workloads, and RAIN (Refracting Artificial Intelligence Networks).

Download the full summit presentation slides here.