The emergence of the cloud has turned information security professionals into investigators and assessors of third-party cloud services – all the while keeping an eye on the security and compliance issues that drive their departments.
One of the topics Howie discussed during the event in Philadelphia was convergence: the mix of cloud services that enterprises buy into, which is yet another factor complicating the situation. It is related to a broader cloud security concern not unlike the one businesses face overall, as Howie put it: “As more enterprises go to the cloud and adopt several key services, how do you actually integrate all of those together? Are the processes and procedures that one vendor has compatible with those of the other vendors? The only way you will really get to the bottom of that is by in-depth analysis of the service.”
That’s why the CSA’s guidance is so critical, he asserted, “because we tell people what to look for, and the cloud vendors themselves can actually document their service and publish it”. Howie was alluding to the CSA’s Security Trust Assurance Registry (STAR). It’s a portal where security professionals facing these choices can download a registered vendor’s self-assessment questionnaire covering an array of security-related information and, as he pointed out, “be as informed as possible about how the service is run”.
Large cloud vendors – including Microsoft, Amazon, and Salesforce – have all submitted their self-assessments, Howie said. “They’ve all done the right thing and published into the STAR, and we hope to see many more cloud providers follow.”
Then the CSA’s chief operating officer – himself a CISSP for more than 12 years – explored how the cloud continues to transform the role of today’s security professionals. “We are very good at doing risk calculations for on-premise solutions and systems”, he contended, adding that, traditionally, security professionals made three choices about risk: “you either mitigate it, you transfer it, or you accept and ignore it”.
But the cloud has fundamentally changed this dynamic, and thus the trade-offs one must consider. “When you are running in the cloud and you are shifting your data and applications to a cloud provider, you have no visibility over risk within their infrastructure”, Howie observed. “You can’t cite controls or a defense-in-depth approach, because the cloud provider does that. So there is this fear that the cloud is not a secure option because you can’t see it, you can’t touch it, you can’t inspect it, and you can’t control it. At the end of the day, the role of the information security professional is changing, because you now have to judge a cloud provider based on audit evidence that is provided.”
Tools like the CSA’s Cloud Controls Matrix, Howie continued, can be used by infosec professionals to judge their requirements against any provider they may be considering. “It’s a way of improving transparency on how the services are run, operated and maintained”, he said. “And it’s through that transparency that [cloud vendors] will win customers’ trust”.
Howie broke down the CSA’s Open Certification Framework – meant to continually assess a cloud provider’s security – into three levels. The first level, he said, is STAR itself, which is a “self-attestation” of each registered provider’s documented security controls and capabilities.
The second level includes independently audited assessments on what the vendor claims. The third level comprises continuous monitoring of each provider’s controls for use by its clients.
The problem with relying on audits alone, Howie noted, is that they are point-in-time assessments that occur only periodically. “This will not be sufficient for some sophisticated customers; they will want to have more information”, he said.
Security professionals can use the CSA’s resources to aid their decision-making when choosing a cloud vendor. Assuming you are comparing multiple vendors with respect to similar offerings, Howie said, STAR data can answer many of the questions each organization will need to ask.
He admitted that not all organizations – especially large enterprises and those facing numerous regulatory requirements – will have all of their questions answered by downloading the documentation from CSA’s STAR. “But most should be”, he added. “You may have to go to the cloud provider and do a bit more research in these cases”.