The Dutch CSA chapter has a plan to address the number one concern of organizations using cloud: “can we trust our provider?”.
The CSA (Cloud Security Alliance) has developed a number of tools to address that situation. Our plan is to test these tools in practice, and record the experiences for inclusion in a “best practices” paper.
The main CSA tools are combined in the so-called CSA GRC stack (which stands for Governance, Risk management, and Compliance).
The “Security guidance for critical areas of focus in cloud computing v3.0” is the underlying body of knowledge for the GRC stack. We typically refer to this document as the ‘CSA guidance’.
The first component of the GRC stack is the CSA Cloud Controls Matrix (CCM). These controls are largely based on the recommendations of the CSA guidance.
The CCM is called a matrix because it cross-references other assurance frameworks such as PCI-DSS (payment card industry) and HIPAA (healthcare).
The CCM can be used as a framework to give assurance to cloud customers. To make this process more efficient, CSA has introduced a number of additional tools. One of them is the CAIQ (Common Assessment Initiative Questionnaire, pronounced ‘cake’), a standardized list of questions for evaluating cloud providers. Each question in the CAIQ corresponds to exactly one control in the CCM.
Cloud consumers can take the CAIQ as a basis, select questions from it, add their own questions, and submit it to a number of cloud providers.
The smart move for a cloud provider is to pre-answer the CAIQ and publish the results. This is the ambition of STAR (Security Trust and Assurance Registry), which is also a CSA initiative. And it does not stop there: beyond this there are Cloud Audit and the Cloud Trust Protocol. These products are in development and aim to go further by automating parts of the assurance process.
STAR is planned to have multiple levels:
- Level 1 is Self-Assessment, based on a provider report following either the CAIQ or the CCM.
- Level 2 is Third-Party Assessment. The idea is to combine the requirements of the ISO/IEC 27001:2005 management systems standard with the CSA Cloud Controls Matrix (CCM) and an organization’s own internal requirements or specifications, and to assess how mature the organization’s systems are against that combined set.
- Level 3 is a Continuous-Monitoring-based certification. This is currently under development.
These three levels are collectively referred to as the Open Certification Framework (OCF).
Our ambition is to do a number of case studies on applying the CCM and CAIQ. These case studies would preferably cover at least one provider and one financial business (a bank or insurance firm). For providers, this could lead to an actual STAR entry with its associated benefits.
Some of the expectations are:
- The CCM will be a better fit for cloud services than other assurance frameworks.
- Assurance frameworks such as the CCM will lead to lower costs for consumers and providers, because audit costs will be lower.
Some of the research questions are:
- How well does the CCM cover assurance requirements, and what else do you need?
- How much work is it to fill in the CAIQ?
- How do you experience value in CCM/STAR/CAIQ?
We have now started to work with a number of IaaS providers who are interested in exploring better assurance. If you are interested, you can still join this initial group. Just contact us.