SOC 2 Type 2 for Cloud Security
Growing Cloud Adoption
The worldwide public cloud services market is forecast to grow 17% in 2020 to total $266.4 billion, up from $227.8 billion in 2019.
According to some estimates there are about 20,000 SaaS providers globally. SaaS Software as a service (SaaS) will remain the largest market segment, which is forecast to grow to $116 billion next year due to the scalability of subscription-based software. The second-largest market segment is cloud system infrastructure services, or infrastructure as a service (IaaS), which will reach $50 billion in 2020. IaaS is forecast to grow 24% year over year, which is the highest growth rate across all market segments. This growth is attributed to the demands of modern applications and workloads, which require infrastructure that traditional data centers cannot meet. (according to Gartner, Inc.)
Cloud Security Challenges
Cloud Security Alliance has presented some of the following major cloud challenges.
Cloud Vendors as Third-Party Risks
Managing third-party risk is an important aspect in the overall risk management process. Cloud providers are third parties that store or process valuable information. “From a cybersecurity perspective, third party risks frequently involve a set of threats that may exceed the scope of the organization’s risk management activities. Some organizations focus too narrowly on risks. For example, when hosting data in the cloud, most organizations ask the vendor for attestations or some evidence of cybersecurity capability.
IoT and Cloud
Connected devices and cyber-physical systems are becoming more prevalent in enterprise environments. As the cloud environment expands to encompass these technologies, the connected world depends on devices to manage, orchestrate and provision data. By 2023, the number of connected devices is forecast to reach 20 billion. This increase in volume is a growing challenge for service providers tasked with trying to keep their networks secure and for enterprises and critical infrastructure entities deploying and managing devices.
Insecure data flow from the edge to the cloud is a concern of the Internet of Things (IoT) model of data processing. Data processing can be done either at the edge or at the cloud. Edge computing provides a way to allow applications and services to gather or process data to the local computing devices, away from centralized nodes, enabling analytics and knowledge generation to the logical extremes of the network. Although edge computing enhances instantaneous response and subsequent decision-making (e.g., use of machine learning [ML] to make autonomous decisions), it also results in a distributed, unsafe and uncontrollable disarray of data, which can become critical when taking into account the amount and the sensitivity of data that are transmitted. Limited processing and storage capabilities of some endpoints may restrict security features such as authentication, encryption and integrity protection mechanisms, jeopardizing both access control and the confidentiality or integrity of data transmitted to the cloud. Even when security features are enabled, faulty implementation can have a great impact on the security of the entire model.
Distributed denial-of-service (DDoS) botnet attack is another top IoT risk.
The Mirai botnet exploited a vulnerability in IoT devices to launch a DDoS attack against a critical Domain Name System (DNS) server that disrupted a number of the Internet’s biggest websites, including PayPal, Spotify, and Twitter.
According to the Open Web Application Security Project (OWASP), both aspects of security in this convergence are facing challenges from each other. Cloud web interface is listed as one of the attack surfaces of IoT, while some top security risk factors include service and data integration, which is linked to the security of IoT devices.
Security Responsibilities in the Cloud
At a high level, security responsibility maps to the degree of control any given actor has over the The cloud architecture stack consists of:
- Software as a Service (SaaS)—The CSP is responsible for nearly all security, because the cloud user can only access and manage their use of the application and cannot alter how the application works. For example, a SaaS provider is responsible for perimeter security, logging/monitoring/auditing, and application security, while the consumer may only be able to manage authorization and entitlements.
- Platform as a Service (PaaS)—The CSP is responsible for the security of the platform, while the consumer is responsible for everything they implement on the platform, including how they configure any offered security features. The responsibilities are, thus, more evenly split. For example, when using a Database as a Service, the provider manages fundamental security, patching, and core configuration, while the cloud user is responsible for everything else, including which security features of the database to use to manage accounts or even authentication methods.
- Infrastructure as a Service (IaaS): Just like PaaS, the provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the client. For example, the IaaS provider will likely monitor their perimeter for attacks, but the consumer is fully responsible for how they define and implement their virtual network security, based on the tools available on the service.
Shared Responsibility Model
Some SaaS providers believe that if they are hosting their application on platforms such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud and they are automatically compliant just because these platforms may be. This may be applicable to other IaaS or PaaS providers. SaaS CSPs may also need to review the exact controls in the SOC reports and examine whether the relevant controls and criteria are covered in those SOC reports. The availability of a SOC report should not be just a checkbox for third-party (vendor) risk compliance.
This customer/platform shared responsibility model also extends to IT controls. Just as the responsibility to operate the IT environment is shared between AWS and its customers, so is the management, operation, and verification of IT controls. Cloud platforms can help relieve the customer burden of operating controls by managing those controls associated with the physical infrastructure deployed in their environment that may previously have been managed by the customer. As every SaaS is deployed differently in the cloud, SaaS providers can take advantage of shifting management of certain IT controls to the platforms, which results in a (new) distributed control environment.
Data Governance in the Cloud
Governance issues also relate to regulatory compliance, security, privacy and similar concerns impacting today’s organizations. Today’s data management and storage landscape, where data entropy and data sprawl are rampant, has far-reaching consequences for data security.
Many organizations are storing a significant amount of data in distributed and hybrid cloud and even unmanaged environments, increasing challenges for regulatory compliance. A data inventory and data flow are often recommended. With increasing IoT devices and data lakes in the cloud, visibility and control are invariably lost, resulting in data sovereignty challenges. Disruptive technologies such as Blockchain (distributed ledger) have emerged as candidates for financial institutions to reform their businesses. The speed and cost of doing business using distributed ledger technology are expected to improve by simplifying back-office operations and lowering the need for human intervention. However, a number of security concerns around this new technology remain.
Data Encryption or Anonymization
Privacy mandates such as the EU General Data Protection Regulation (GDPR) recommend data anonymization, which can be another form of encryption. Without a proper data governance program, organizations may face challenges in meeting these privacy compliance mandates. Data encryption is also mandated for the US Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
Data security and privacy are increasingly challenging in today’s cloud-based environments. Providing independent third-party assurance such as a System and Organization Controls (SOC) 2 report helps address these concerns and helps cloud service providers (CSPs) stay ahead of the competition. This assurance also helps organizations mitigate data security and privacy risk.
Cloud Assurance for CSPs
There are several approaches for CSPs to provide assurance to their customers that would provide them with confidence in using the CSP’s services.
Cloud STAR Certification Roadmap
The Cloud Security Alliance (CSA), in collaboration with the American Institute of CPAs (AICPA), developed a third-party assessment program of CSPs called the CSA Security Trust Assurance and Risk (STAR) Attestation. The STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, and harmonization of standards. The STAR program provides multiple benefits, including indications of best practices and validation of the security posture of cloud offerings.
SOC 2 for Cloud CSA STAR Attestation
The SOC 2+ Framework allows a SOC 2 to report on any additional controls over and above the trust services criteria controls for security, availability, confidentiality, processing integrity and privacy. Taking advantage of this framework, STAR Attestation provides a framework for Certified Public Accountants performing independent assessments of CSPs using SOC 2 engagements with the CSA’s Cloud Controls Matrix (CCM).
Cloud Controls Matrix (CCM)
The CCM is the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to cloud computing. CCM is currently considered a de facto standard for cloud security assurance and compliance.
Level 2 CSA STAR Attestation
The STAR Attestation is positioned as STAR Certification at Level 2 of the Open Certification Framework and STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider STAR Attestation is based on type I or types II SOC attestations supplemented by the criteria in the CCM.
C5 Cloud Controls
In February 2016, the Bundesamt fur Sicherheit Institute (BSI) or the German Federal Office for Information Security, established the Cloud Computing Compliance Controls Catalog (C5) certification after it noted the rise in cloud computing in Germany. With the C5, the BSI redefined the bar that CSPs should meet when dealing with German data. The establishment of the C5 elevated the demands on CSPs by combining the existing security standards (including international certifications such as ISO 27001) and requiring increased transparency in the data processing. C5 controls can be applied globally.
C5 is intended primarily for professional CSPs, their auditors, and customers of the CSPs. The catalog is divided into 17 thematic sections (e.g., organization of information security, physical security). C5 makes use of recognized security standards, such as ISO 27001, the Cloud Controls Matrix of the Cloud Security Alliance and BSI publications, and it uses these requirements wherever appropriate.
A SOC 2 report proves that a CSP complies with the requirements of the catalogue and that the statements made on transparency are correct. This report is based on the internationally recognized attestation system of the International Standard for Assurance Engagements (ISAE) 3000, which is used by public auditors. When auditing the annual financial statements, the auditors are already on site, and auditing according to C5 can be performed without much additional effort.
SOC 2 Type 2 for Cloud Benefits:
- SOC 2 Type 2 can cover the entire year and the effectiveness of the controls in place.
- It is a Third-Party Period- of-Time assessment and so has Accountability.
- Most other assurance programs or audits are only, at a point in time.
- Since it is a period assessment, it is more like a continuous compliance with low risk and high reliability. It also provides assurance on operative effectiveness of controls.
- Comprehensive Framework for AICPA, Cloud Security Alliance and C5.
- Provides a high reliability SOC 2 Seal by AICPA.