The Cloud Security Alliance (CSA) maintains the so-called Cloud Controls Matrix (CCM), a list of controls that can be used to get assurance on the quality of a cloud provider. (See the earlier blog post for more details and background on the CCM.) The CCM is part of a larger suite of CSA best practices, one of which is the CAIQ (Common Assessment Initiative Questionnaire). The CAIQ lists a number of questions per control, which a provider can answer with yes or no.
In practice we see these tools used in a number of ways in the provider assurance process.
- CCM and CAIQ list a significant amount of cloud specific controls that are not found in other frameworks such as ISO 27001. Some companies use these as input to their own control frameworks.
- Use the CAIQ as a first level filter. Providers are asked to provide a response with only yes/no answers. After passing that test, the provider can be asked to provide more specific demonstration on controls that matter most to the consumer. It is neither necessary nor efficient to ask the provider to demonstrate evidence on all controls.
- The CCM and CAIQ can be used as input for a ranking activity, where multiple offers are scored on their security assurance.
- Providers can use the CAIQ to demonstrate the breadth of their controls, and as a ‘standard response to an RFP’. Examples of these (such as Microsoft Office 365) can be found in the STAR registry (https://cloudsecurityalliance.org/star/). Although answering the CAIQ will take some effort, anecdotal evidence suggests that a provider who is already progressing with an assurance initiative will need only a few hours to draft a first version of their CAIQ.
- Providers can use the CCM and CAIQ without publicly disclosing all their control evidence. Full evidence will then only be given to customers that have signed a non-disclosure agreement.
- Providers can refer to the controls that their upstream providers have implemented. For example, an application provider could refer to Microsoft’s Azure CAIQ. In practice however, this still leaves a few questions open.
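The first-level filter and the ranking activity from the list above can be made concrete with a small script. The example below is added here and is not code from the original post or from the CSA; the control identifiers, their weights, the set of must-have controls and the three provider responses are all constructed assumptions, not the real CCM or any provider's STAR entry. It also shows the extra free-text column that providers tend to add to their yes/no answers, and treats a control that a provider left unanswered as a "no" rather than silently skipping it.

```python
"""Added example: first-level filter and weighted ranking over CAIQ-style
yes/no responses. Control ids, weights and provider data are constructed."""
from dataclasses import dataclass, field

# Consumer-assigned weight per control (assumption: ids only resemble CCM domains).
CONTROL_WEIGHTS = {
    "IAM-01": 3,  # identity and access management
    "EKM-01": 3,  # encryption and key management
    "DSI-01": 2,  # data security and information lifecycle
    "IVS-01": 2,  # infrastructure and virtualization security
    "BCR-01": 1,  # business continuity and resilience
}

# Controls the consumer treats as must-have in the first-level filter (assumption).
REQUIRED = {"IAM-01", "EKM-01"}

# Controls important enough to ask for evidence on after the filter (assumption).
EVIDENCE_WEIGHT_THRESHOLD = 2


@dataclass
class CaiqResponse:
    """One provider's answers: control id -> 'yes'/'no', plus the optional
    detail column most providers add alongside the bare yes/no."""
    provider: str
    answers: dict
    notes: dict = field(default_factory=dict)


def is_yes(resp, control):
    """A missing or malformed answer counts as 'no'; case is ignored."""
    return resp.answers.get(control, "no").strip().lower() == "yes"


def first_level_filter(resp):
    """Required controls answered 'no' (or unanswered). Empty list means pass."""
    return sorted(c for c in REQUIRED if not is_yes(resp, c))


def weighted_score(resp):
    """Weighted share of controls answered 'yes', as a percentage 0..100."""
    total = sum(CONTROL_WEIGHTS.values())
    achieved = sum(w for c, w in CONTROL_WEIGHTS.items() if is_yes(resp, c))
    return round(100.0 * achieved / total, 1)


def rank_providers(responses):
    """Drop providers failing the filter, then rank by score (ties by name)."""
    passed = [r for r in responses if not first_level_filter(r)]
    return sorted(passed, key=lambda r: (-weighted_score(r), r.provider))


def follow_up_controls(resp):
    """Controls a passing provider should be asked to evidence: the heavily
    weighted ones they claim to meet. Asking for evidence on every control
    is neither necessary nor efficient."""
    return sorted(c for c, w in CONTROL_WEIGHTS.items()
                  if w >= EVIDENCE_WEIGHT_THRESHOLD and is_yes(resp, c))


# Constructed sample responses (not real providers).
SAMPLE = [
    CaiqResponse("ProviderA",
                 {"IAM-01": "yes", "EKM-01": "yes", "DSI-01": "yes",
                  "IVS-01": "yes", "BCR-01": "no"},
                 {"BCR-01": "DR site planned for next year"}),
    CaiqResponse("ProviderB",
                 {"IAM-01": "yes", "EKM-01": "no", "DSI-01": "yes",
                  "IVS-01": "yes", "BCR-01": "yes"}),
    # Mixed-case answers and one control left unanswered.
    CaiqResponse("ProviderC",
                 {"IAM-01": "Yes", "EKM-01": "YES", "IVS-01": "yes",
                  "BCR-01": "yes"}),
]

if __name__ == "__main__":
    for r in SAMPLE:
        failed = first_level_filter(r)
        status = "FAIL on " + ", ".join(failed) if failed else "pass"
        print(f"{r.provider}: filter {status}, score {weighted_score(r)}")
    print("ranking:", [r.provider for r in rank_providers(SAMPLE)])
    for r in rank_providers(SAMPLE):
        print(f"{r.provider}: request evidence for {follow_up_controls(r)}")
```

Running it ranks ProviderA above ProviderC and excludes ProviderB, which answered "no" on a must-have control regardless of its otherwise good coverage. The weights and the required set are where the consumer's own risk appetite and the data classification of the service enter; the yes/no answers alone do not carry that information.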
Providers are warming up to the idea of using the CCM. For them, it standardizes responses, so they can be reused, which can save work.
Cloud consumers see the advantage of standardizing control sets. It allows for easier comparison across potential providers, as well as having potential in creating control visibility in the supply chain.
Shortcomings and pitfalls
The CAIQ as currently developed only allows for yes/no answers. There is no provision for extra information, nor is there guidance on how the provider should qualify their answers (i.e. this is how we do this, this is the extent to which we do this). In practice, most providers do add another column to their response in order to provide more detail.
There is only minimal experience in efficiently handling assurance obligations over a supply chain of providers, such as a SaaS provider working on top of a PaaS provider working on top of an IaaS provider.
Cloud consumers like to add their own questions to the CAIQ. They are of course capable of doing it, but the answers will not be reflected in the STAR registration.
What should you do?
Most companies are procuring cloud services these days. Generally speaking, most of these are SaaS and just a few are IaaS or PaaS. Managing these contracts and relations is somewhat outside the scope of this article, but the essentials are to have a clear owner of the contract for every cloud service, even if it is a free service, and some indication of the data classification. From a risk management perspective, it would then be good to have a filled-in CAIQ for every provider.
For more education on the various risks and control areas in the CCM, you can consider Cloud Security CCSK training.
As this is ongoing research, please send me comments and notes on this article.