The cloud has been — and continues to be — a challenge area for many security teams. It’s a continual struggle…
to validate and onboard new providers, particularly given the rapid pace at which business and technology teams adopt and incorporate new cloud services.
Fortunately, free resources from the Cloud Security Alliance (CSA) continue to provide value when it comes to securing those services. Let’s take a closer look at those resources and how they can be applied to help shore up enterprise cloud security, as well as how recent updates to these documents ensure they stay current.
CSA Security Guidance
The “flagship” CSA document continues to be CSA Security Guidance. Now in its fourth major version, the guidance is a distillation of input from CSA members and lessons learned from experts working on other CSA initiatives, such as the CSA Governance, Risk Management and Compliance Stack. This document is organized by cloud domain — i.e., with each section outlining key goals and objectives aligned by topic. It contains governance-level guidance, as well as technical guidance on implementation, so unless the CEO and CFO of your organization have considerable technical knowledge, many of those domains — other than the first few — will be most appropriate for a director-level audience, i.e. those directly responsible for the technical aspects of cloud adoption, including risk assessment and audit.
The completeness of this document — and the level to which it is targeted — makes it a great starting point for professionals who want to learn more about cloud security considerations or who wish to dive deep on a particular topic area. That said, the length and detail of the document — the 4.0 version of the document is 152 pages — make it a little unwieldy to use directly as source material for evaluating a service provider. This is where the supporting documents come in — specifically, the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ).
Overview of the CSA CAIQ
Service providers and cloud customers have one big challenge area in common: the security questionnaire. Enterprise customers obviously seek to ensure service providers adhere to a minimum baseline of security controls. The most common approach to do that? A questionnaire. But, for most organizations, there’s not just one provider in the mix. There may be dozens — even hundreds or thousands, in some cases — meaning that obtaining completed questionnaires from every provider is a difficult, time-consuming logistical exercise.
Now, consider it from a provider’s point of view: Each customer it takes on might have its own unique questionnaire to complete, including questions that require input from multiple teams to run to ground. If a provider has hundreds or thousands of customers, imagine the volume of work required to address these.
The Consensus Assessments Initiative Questionnaire was designed to help with this. The CAIQ consists of a set of questions, presented in spreadsheet form, that a company can ask its vendors before signing up for a cloud service. The questions are categorized by control domain and then mapped to major compliance and regulatory standards, like COBIT, HIPAA, PCI DSS and FedRAMP (Federal Risk and Authorization Management Program), along with many others. These questions can be technical in nature — for example, question MOS-11.1 is “Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive enforceable through technology controls for all mobile devices?” — or related to overarching business processes — question STA-05.3, for example, is “Does legal counsel review all third-party agreements?“
A company can use the information collected from the CAIQ for a number of different purposes, each of which can save it time. First, an organization can build a request for proposal and verify that the answers the vendor gives during the RFP review interview are valid.
Organizations can also use the CSA CAIQ themselves as a mechanism for collecting the data that they’re interested in from their service providers. From a service provider point of view, a consistent artifact from its customer base can help it streamline the collection of answers — and assist greatly with ensuring they stay current and accurate.
Basics of the CSA Cloud Controls Matrix
Going deeper still, organizations can use the CSA Cloud Controls Matrix to build a detailed list of requirements and controls they want their cloud service provider to implement. The CCM complements the CAIQ because it uses the same control area and control ID categorizations, enabling cloud customers to quickly move back and forth between the documents and build a customized set of controls and validating questions for their prospective providers.
Each control is mapped to where it is architecturally relevant and what service model — SaaS, PaaS or IaaS — it applies to, as well as other standards and frameworks that align with it. For example, a control such as STA-04 — “The provider shall perform annual internal assessments of conformance to, and effectiveness of, its policies, procedures and supporting measures and metrics” — applies to all architectural areas and service models and aligns to PCI DSS v3.2 control 12.1.1 and COBIT 5 MEA (Monitor, Evaluate and Assess) 01 and 02, among others.
One of the most useful aspects of the CSA Cloud Controls Matrix is the control harmonization. The fact that it is mapped to so many other industry standards and controls frameworks can help enable compliance efforts, streamline alignment between internal policy mandates and desired security measures from service providers, and organize areas for evaluation and vetting in subsequent analysis by the potential customer. The fact that the mapping is so exhaustive means that, regardless of what industry sector an organization is in, the list is relevant. For example, the CCM covers HIPAA/HITECH; ISO/IEC 27001-2013; NIST SP800-53 R3; PCI DSS 3.2; generally accepted privacy principles, or GAPP, (August 2009); and Jericho Forum requirements.
Why you should use both
When used together, the CSA CAIQ and CSA CCM represent a solid starting point for an organization to determine which controls it needs from its cloud provider. The documents also provide a way to normalize an RFP for those controls, as well as to normalize information requests from service providers. Both documents, but especially the CCM, provide detailed mapping to major compliance initiatives, enabling companies that must comply with certain requirements to quickly determine which controls are non-negotiable when contracting with a provider. Once a list of controls has been built using the CCM as a guide, the company can use the controls assertion questions in the CAIQ to validate that the provider has those controls in place.
Overall, the CSA’s CCM and CAIQ help provide a solid foundation for assessing the cloud provider risk models and controls, making them well worth a read — not only for reference, but also as an active part of an enterprise security program’s cloud tool set.