ISO 27001 Certification or SOC 2 Compliance For CSA STAR

Growing Cloud Adoption

The worldwide public cloud services market is forecast to grow to USD 1 trillion by 2024.

According to some estimates, there are more than 20,000 SaaS providers globally. Software as a Service (SaaS) will remain the largest market segment and is forecast to grow to $141 billion by 2022.


Cloud Security Challenges

The Cloud Security Alliance has identified the following major cloud security challenges.


Cloud Vendors as Third-Party Risks

Managing third-party risk is an important aspect of the overall risk management process and of Zero Trust security. Cloud providers are third parties that store or process valuable information. From a cybersecurity perspective, third-party risks frequently involve a set of threats that exceeds the scope of the organization's own risk management activities, and some organizations focus too narrowly on those risks. For example, when hosting data in the cloud, most organizations ask the vendor for attestations or some other evidence of cybersecurity capability, and stop there.


IoT and Cloud

Connected devices and cyber-physical systems are becoming more prevalent in enterprise environments. As the cloud environment expands to encompass these technologies, the connected world depends on devices to manage, orchestrate, and provision data. By 2023, the number of connected devices is forecast to reach 20 billion. This increase in volume is a growing challenge for service providers tasked with trying to keep their networks secure and for enterprises and critical infrastructure entities deploying and managing devices.


Insecure data flow from the edge to the cloud is a concern for data processing, especially in the age of microservices and containerization built on Docker, Kubernetes, and similar technologies. This calls for increasing use of DevSecOps.

Distributed denial-of-service (DDoS) botnet attacks are another top IoT risk. The Mirai botnet exploited a vulnerability in IoT devices to launch a DDoS attack against a critical Domain Name System (DNS) provider, disrupting a number of the Internet's biggest websites, including PayPal, Spotify, and Twitter.

According to the Open Web Application Security Project (OWASP), IoT security and cloud security each create challenges for the other in this convergence. The cloud web interface is listed as one of the attack surfaces of IoT, while top cloud security risk factors include service and data integration, which is in turn linked to the security of IoT devices.

Security Responsibilities in the Cloud

At a high level, security responsibility maps to the degree of control any given actor has over the cloud architecture stack, which consists of:

  • Software as a Service (SaaS): The CSP is responsible for nearly all security because the cloud user can only access and manage their use of the application and cannot alter how the application works. For example, a SaaS provider is responsible for perimeter security, logging/monitoring/auditing, and application security, while the consumer may only be able to manage authorization and entitlements.
  • Platform as a Service (PaaS): The CSP is responsible for the security of the platform, while the consumer is responsible for everything they implement on the platform, including how they configure any offered security features. The responsibilities are thus more evenly split. For example, when using a Database as a Service, the provider manages fundamental security, patching, and core configuration, while the cloud user is responsible for everything else, including which security features of the database to use to manage accounts or even authentication methods.
  • Infrastructure as a Service (IaaS): Just like PaaS, the provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the client. For example, the IaaS provider will likely monitor their perimeter for attacks, but the consumer is fully responsible for how they define and implement their virtual network security, based on the tools available on the service.

Shared Responsibility Model

Some SaaS providers believe that, if they host their application on platforms such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud, they are automatically compliant just because those platforms may be. The same misconception applies to applications hosted on other IaaS or PaaS providers. SaaS CSPs need to review the exact controls in the platform's SOC reports and examine whether the controls and criteria relevant to their own service are actually covered there. The mere availability of a SOC report should not be treated as a checkbox for third-party (vendor) risk compliance.

This customer/platform shared responsibility model also extends to IT controls. Just as the responsibility to operate the IT environment is shared between a platform such as AWS and its customers, so is the management, operation, and verification of IT controls. Cloud platforms can relieve the customer of the burden of operating controls by managing those associated with the physical infrastructure deployed in their environment, controls that may previously have been managed by the customer. As every SaaS is deployed differently in the cloud, SaaS providers can take advantage of shifting management of certain IT controls to the platform, which results in a new, distributed control environment.


Data Governance in the Cloud

Governance issues also relate to regulatory compliance, security, privacy, and similar concerns impacting today’s organizations. Today’s data management and storage landscape, where data entropy and data sprawl are rampant, has far-reaching consequences for data security.

Many organizations are storing a significant amount of data in distributed and hybrid cloud environments, and even in unmanaged environments, increasing the challenges for regulatory compliance. A data inventory and data-flow mapping are often recommended. With increasing numbers of IoT devices and data lakes in the cloud, visibility and control are invariably lost, resulting in data sovereignty challenges. Disruptive technologies such as blockchain (distributed ledger) have emerged as candidates for financial institutions to reform their businesses. The speed and cost of doing business using distributed ledger technology are expected to improve by simplifying back-office operations and lowering the need for human intervention. However, a number of security concerns around this new technology remain.

Data Encryption or Anonymization

Privacy mandates such as the EU General Data Protection Regulation (GDPR) recommend data anonymization, which can be regarded as another form of data protection alongside encryption. Without a proper data governance program, organizations may face challenges in meeting these privacy compliance mandates. Data encryption is also mandated by the US Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

Data security and privacy are increasingly challenging in today’s cloud-based environments. Providing independent third-party assurance such as a System and Organization Controls (SOC) 2 report helps address these concerns and helps cloud service providers (CSPs) stay ahead of the competition. This assurance also helps organizations mitigate data security and privacy risk.

Cloud Assurance for CSPs

There are several approaches by which CSPs can provide assurance to their customers and give them confidence in using the CSP's services.

CSA STAR Certification Roadmap

The Cloud Security Alliance (CSA), in collaboration with the American Institute of CPAs (AICPA), developed a third-party assessment program for CSPs called the CSA Security, Trust, Assurance and Risk (STAR) Attestation. STAR is the industry's most powerful program for security assurance in the cloud. It encompasses the key principles of transparency, rigorous auditing, and harmonization of standards, and provides multiple benefits, including indications of best practices and validation of the security posture of cloud offerings.


Cloud CSA STAR Level 2 Attestation/Certification

The SOC 2+ framework allows a SOC 2 report to cover additional controls over and above the Trust Services Criteria for security, availability, confidentiality, processing integrity, and privacy. Taking advantage of this framework, STAR Attestation provides a structure for Certified Public Accountants to perform independent assessments of CSPs using SOC 2 engagements combined with the Cloud Security Alliance's Cloud Controls Matrix (CCM). Alternatively, as a Certification Body, Accedere can also provide ISO/IEC 27001 Certification plus the CSA CCM to achieve STAR Level 2 compliance.


Cloud Controls Matrix (CCM)

The CCM, now at version 4 (CCM v4), is the only meta-framework of cloud-specific security controls mapped to leading standards, best practices, and regulations. CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to cloud computing. CCM is currently considered a de facto standard for cloud security assurance and compliance. CCM also covers some privacy controls that are mapped to GDPR.

Level 2 CSA STAR Compliance

STAR Attestation is positioned alongside STAR Certification at Level 2 of the Open Certification Framework. STAR Certification is a rigorous, independent third-party assessment of the security of a cloud service provider, while STAR Attestation is based on SOC 2 Type I or Type II compliance attestations supplemented by the criteria in the CCM. Accedere is listed with the Cloud Security Alliance as an auditor.

C5 Cloud Controls

In February 2016, the Bundesamt für Sicherheit in der Informationstechnik (BSI), the German Federal Office for Information Security, established the Cloud Computing Compliance Controls Catalog (C5) after noting the rise in cloud computing in Germany. With C5, the BSI redefined the bar that CSPs should meet when handling German data. C5 elevated the demands on CSPs by combining existing security standards, including ISO 27001 Certification, and requiring increased transparency in data processing. C5 controls can be applied globally.


C5 is intended primarily for professional CSPs, their auditors, and the CSPs' customers. The catalog is divided into 17 thematic sections (e.g., organization of information security, physical security). C5 draws on recognized security standards such as ISO 27001 Certification, the Cloud Security Alliance's Cloud Controls Matrix, and BSI publications, and reuses their requirements wherever appropriate.

A SOC 2 compliance report demonstrates that a CSP complies with the requirements of the catalog and that the statements it makes on transparency are correct. This report is based on the internationally recognized attestation standard International Standard on Assurance Engagements (ISAE) 3000, which is used by public auditors. When auditing the annual financial statements, the auditors are already on site, so auditing according to C5 can be performed without much additional effort.

CSA STAR for Cloud: Benefits

  • Based on ISO 27001 Certification or SOC 2 Compliance and Attestation, together with the CCM.
  • It is a third-party audit carrying the CSA logo and the ISO/IEC or SOC 2 (AICPA) logo, which provides assurance to your customers.
  • The most recognized assurance for cloud security.
  • Covers the CSA maturity model.
  • A comprehensive framework covering AICPA, CSA, and C5 requirements.
  • A SOC 2 Type 2 with CSA STAR can only be provided by a CPA firm or a Certification Body (for ISO/IEC 27001) that is listed with the Cloud Security Alliance. Accedere is listed as both.