(W03M01) New CSA certification program for cloud service

CSA Certification Offers Simple, Cost Effective Way to Evaluate and Compare Cloud Providers


Technological developments, constricted budgets, and the need for flexible access have driven business demand for cloud computing, yet many organizations remain wary of cloud services because of security concerns. An Ernst & Young survey of C-level leaders in 52 countries found a shared concern over the accelerating rate at which companies move information to the cloud and the resulting erosion of physical boundaries and infrastructure. The widespread adoption of mobile devices only accelerates this trend: employees, customers, suppliers, and other stakeholders can now access data wherever and whenever they wish, intensifying concerns about security and privacy. (Ernst & Young 2011 Global Information Security Survey, "Into the cloud, out of the fog", 2011)

Companies are moving from traditional IT outsourcing contracts to cloud service providers, permanently altering their business model and IT functions and potentially reducing or even eliminating in-house IT operations. Security and quality must therefore be the highest concern, focused on the most important assets any company has: its customers and stakeholders.

In 2012 BSI, a leading certification body and business improvement solutions provider, teamed up with the Cloud Security Alliance (CSA), an independent not-for-profit coalition of industry leaders, associations, and information security experts. Together they identified serious gaps in the IT ecosystem that inhibit market adoption of secure and reliable cloud services: businesses had no simple, cost-effective way to evaluate and compare their providers' resilience, data protection capabilities, and service portability.

CSA and BSI recognized that no single program, regulation, or other compliance regime would meet the future demands of IT while also avoiding the risk of adding complexity to an already overloaded and costly compliance landscape. The rise of the cloud as a global computing utility, however, demands better harmonization of compliance concerns and business needs.

The Ernst & Young survey supported their findings: companies are trying to respond, but admit that the information security budget may not be applied effectively. Just over half indicated that their security function does not meet the organization's needs. Most admit a heavy reliance on trust when outsourcing IT services, whereas what they need is validation, verification, and certification. The vast majority are ready to mandate a "standard of care" and "due diligence": almost ninety percent favor external certification, and forty-five percent insist that it be based on an agreed, internationally accepted standard.

A self-declaration process was already available through the CSA Security, Trust and Assurance Registry (STAR), but it was evident that without a formal validation and verification process conforming to international standards, self-declaration would not meet the need for transparency and trust. There were also questions about whether the scope of self-declaration was fit for purpose, since it did not measure how well the processes were managed (their maturity).

BSI therefore developed a process that would be user friendly, allow third-party validation and verification, and provide a formal certification accepted internationally.

After many discussions with users, industry experts, and service providers, it was clear that any "new" standard would be overkill and would only add to the confusion created by the plethora of existing standards. A new standard would also have to build credibility over the long term, which would inhibit adoption.


ISO/IEC 27001: the Foundation for STAR Certification

Regarded as the gold standard since its publication in 2005, ISO/IEC 27001 is the most widely accepted internationally endorsed standard for information security in the world. In some countries, such as Japan, it has been mandated by the government, particularly for publicly traded companies, and over the years the requirement has cascaded down through the supply chain. Many other countries are following by requiring tighter controls over information security across a variety of industries, including their critical suppliers and extended business partners.

Companies also realize they must be leaner, asking more of each employee on smaller budgets. Moving to the cloud is partly a reaction to rising IT costs, since it provides more IT services for a smaller investment. Unfortunately it also brings increased risk, so companies are looking for a globally accepted standard and third-party verification that can serve as a screening process for suppliers, particularly cloud service providers.

ISO 27001 has a long history going back to 1995, when BS 7799 was introduced. It has been revised over the years to take account of the ever-changing compliance and regulatory landscape for information security.

Originally built on the Plan-Do-Check-Act (PDCA) model, ISO 27001 is consistent with, and easily integrated into, other management system standards and regulatory requirements. ISO/IEC 27001:2013 adopts the common high-level structure shared by all ISO management system standards (Annex SL), which further increases consistency across standards.

ISO 27001 has been called the umbrella standard because its strong management system foundation ensures that business systems and objectives are in place to drive process ownership and continual improvement.

As the standard says of Annex A, ISO/IEC 27001 "contains a comprehensive list of control objectives and controls that have been found to be commonly relevant in organizations. Users of this International Standard are directed to Annex A as a starting point for control selection to ensure that no important control options are overlooked." Additional controls may nevertheless be necessary for cloud service providers. Some Annex A controls can be excluded with clear evidential justification, and others can be replaced with compensating controls that meet or exceed the same requirement. For the cloud, controls such as those in the CSA Cloud Controls Matrix (CCM) can be added or, where justified, substituted.

Security standards that rely on self-assessment and checklists ultimately fail to engage the deeper concerns of CIOs and CISOs. ISO/IEC 27001 plus the CCM is certifiable by an accredited body and provides a formal management system to detect emerging vulnerabilities, define information security controls, and pre-empt security threats. It is risk-based, and its risk assessment identifies the controls needed to secure information. For this reason ISO/IEC 27001 was chosen as the foundation for STAR Certification, but it can also be combined with any other industry-specific standard or framework, either as a supplement or for specific needs such as government or healthcare contracts. The CCM can supply additional or compensating controls to build a unified, integrated system rather than reinforcing islands of information.

The CCM is designed to provide fundamental security principles to guide cloud vendors and to help prospective cloud customers assess the overall security risk of a cloud provider.

The auditor integrates the matrix into the assessment by cross-referencing each applicable CCM control to the associated ISO 27001 controls in the organization's Statement of Applicability (SoA). The output reflects the overall performance of the organization within the scope of certification.

Figure 1. Statement of Applicability (SoA)

To add value and increase transparency, CSA STAR Certification includes a maturity model that assesses how well the activities in each control area are managed. The resulting maturity score drives internal improvement within the organization but is not listed on the certificate.

Before the management capability around the controls can be assessed, however, an organization must demonstrate that all the controls are in place and operating effectively.

When an organization is audited, a Management Capability Score is assigned to each control area in the CCM. This indicates the capability of management in that area to ensure the control operates effectively.

Figure 2. CCM Control Areas

Management capability for each control area is scored on a scale of 1 to 15. The scores are divided into five categories, each describing the type of approach characteristic of that range of scores.

Figure 3. Maturity Rating

So that assessors can apply scores to control areas consistently, each auditor is provided with a grid that sets out what an organization must demonstrate to achieve each score.

Depending on the capability level achieved by the client, the audit report categorizes performance against the maturity model as:

  • No Award
  • A Bronze Award
  • A Silver Award
  • A Gold Award

ISO 27001 is a management system standard and by definition requires a systematic approach to managing an organization. An organization certified to ISO 27001 is therefore very unlikely to fall short of at least a Bronze Award.
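To make the SoA cross-referencing and capability-scoring steps above concrete, here is an added example in Python. It is not CSA's or BSI's tooling and is not from the original article. The Annex A and CCM control identifiers, the evidence flags and the 1-15 scores are constructed sample data; because the article gives the 1-15 scale but not the boundaries of its five categories, the example assumes five equal 3-point bands, and because the award thresholds are not published here, it stops at the band rather than naming an award.

```python
"""Added example (not CSA's or BSI's code): reconcile an ISO/IEC 27001 Statement
of Applicability (SoA) with CSA CCM control areas and record a management
capability band per area.  Control references, evidence flags and scores are
constructed sample data; the equal 3-point bands are an ASSUMPTION (the article
gives the 1-15 scale but not the category boundaries)."""
from dataclasses import dataclass, field


@dataclass
class SoaEntry:
    ref: str                      # ISO/IEC 27001 Annex A control, e.g. "A.9.2.1"
    applicable: bool              # selected for the certified scope?
    implemented: bool = False     # evidence shows the control is in place
    effective: bool = False       # evidence shows it (or its compensating control) operates effectively
    justification: str = ""       # mandatory when applicable is False
    ccm_refs: list = field(default_factory=list)  # CCM controls it maps to, e.g. "IAM-02"
    compensating: str = ""        # CCM control substituted for it, if any


def in_place(entry):
    """A control counts as operating when it is implemented (or explicitly
    compensated by a named CCM control) and evidenced as effective."""
    return entry.effective and (entry.implemented or bool(entry.compensating))


def validate_soa(entries):
    """Return findings as strings; an empty list means the SoA is consistent:
    every exclusion carries evidential justification and every applicable
    control is either implemented or compensated by a named CCM control."""
    findings = []
    for e in entries:
        if not e.applicable:
            if not e.justification.strip():
                findings.append(f"{e.ref}: excluded without evidential justification")
            continue
        if not e.implemented and not e.compensating:
            findings.append(f"{e.ref}: applicable but neither implemented nor compensated")
    return findings


def capability_band(score):
    """Map a 1-15 management capability score onto five bands (1 = lowest).
    ASSUMPTION: equal 3-point bands; the article does not publish the cut-offs."""
    if not 1 <= score <= 15:
        raise ValueError(f"score {score} is outside the 1-15 scale")
    return (score - 1) // 3 + 1


def ccm_area(ccm_ref):
    """CCM references read '<AREA>-<nn>'; the prefix names the control area."""
    return ccm_ref.split("-", 1)[0]


def assess_areas(entries, area_scores):
    """For each CCM control area touched by the SoA, return its capability band,
    or None when any mapped control is not yet in place and effective: the
    article requires all controls to operate effectively before management
    capability around them is assessed."""
    areas = {}
    for e in entries:
        if not e.applicable:
            continue
        refs = list(e.ccm_refs) + ([e.compensating] if e.compensating else [])
        for r in refs:
            areas.setdefault(ccm_area(r), []).append(e)
    result = {}
    for area, mapped in sorted(areas.items()):
        score = area_scores.get(area)
        if score is not None and all(in_place(e) for e in mapped):
            result[area] = capability_band(score)
        else:
            result[area] = None
    return result


# Constructed sample SoA; the control numbers are illustrative only.
SAMPLE_SOA = [
    SoaEntry("A.9.2.1", True, implemented=True, effective=True, ccm_refs=["IAM-02"]),
    SoaEntry("A.10.1.1", True, implemented=True, effective=False, ccm_refs=["EKM-02"]),
    SoaEntry("A.12.4.1", True, effective=True, compensating="IVS-01"),   # substituted, with justification in the SoA
    SoaEntry("A.11.2.7", False, justification="No customer data on removable media; hardware disposal handled by the IaaS provider"),
    SoaEntry("A.14.2.2", False),                                          # excluded with no justification: a finding
]
SAMPLE_SCORES = {"IAM": 11, "EKM": 7, "IVS": 14}   # constructed auditor scores per CCM area

if __name__ == "__main__":
    for f in validate_soa(SAMPLE_SOA):
        print("finding:", f)
    for area, band in assess_areas(SAMPLE_SOA, SAMPLE_SCORES).items():
        print(area, "band", band if band is not None else "not assessable (controls not yet effective)")
```

In the sample run, the encryption area (EKM) gets no band because its mapped control is implemented but not yet evidenced as effective, which is exactly the ordering the article imposes: controls first, management capability second.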

STAR Certification leverages a holistic information security management system (ISO/IEC 27001) that, when applied with good risk management discipline, can address all cloud-specific risks and relevant aspects of information security. Its benefits depend on proper scope and implementation, and it must be driven by the Service Level Agreement (SLA), which complements and forms part of the service agreement and is the means by which business strategic objectives and the desired business results are defined.

Clients care about the security of their sensitive information, and they care that cloud providers are certified. To provide the best level of security and service, however, the implementation of the management system is equally important: it must be fit for purpose. A certification whose scope is not fit for purpose is of little value for cloud services. STAR Certification is unique in examining scope relative to the service delivered, ensuring the most meaningful certification and providing evidence of third-party approval.

Summary

  • ISO 27001 requires the organization to evaluate customers' requirements and expectations, as well as contractual requirements, and to implement a system to achieve this.
  • ISO 27001 requires the organization to conduct a risk analysis that identifies the risks to meeting customers' expectations.
  • The CCM requires the organization to address specific issues that are critical to cloud security.
  • STAR Certification verifies proper implementation and effectiveness of the CCM controls, and that the scope is fit for purpose and SLA driven.
  • The maturity model assesses and scores how well the activities in each control area are managed, providing a clear route for continual improvement.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023