SOC 2 Compliance For CSA STAR

Growing Cloud Adoption

The worldwide public cloud services market is forecast to grow to 1 Trillion USD by 2024.

Some estimates say there are more than 20,000 SaaS providers globally. Software as a service (SaaS) will remain the largest market segment, forecast to grow to $141 billion by 2022.

Need more information on cloud CSA STAR compliance? Refer to our video.

CSA STAR with SOC 2 Attestation

Cloud Security Challenges

The Cloud Security Alliance has identified the following major cloud security challenges:

  • Insecure Software Development
  • Misconfiguration and Inadequate Change Control
  • Insufficient Identity, Credential, Access and Key Management
  • Lack of Cloud Security Architecture and Strategy
  • Unsecured Third-Party Resources
  • Insecure Interfaces and Application Programming Interfaces
  • Accidental Cloud Data Disclosure
  • System Vulnerabilities
  • Misconfiguration and Exploitation of Serverless and Container Workloads
  • Cloud Storage Data Exfiltration
  • Organized Crime, Hackers & APT

Cloud Vendors as Third-Party Risks

Managing third-party risk is a crucial aspect of the overall risk management process and of Zero Trust Security. Cloud providers are third parties that store or process valuable information. From a cybersecurity perspective, third-party risks often involve threats that exceed the scope of the organization's own risk management activities. Some organizations focus too narrowly on risks. For example, when hosting data in the cloud, most organizations ask the vendor for attestations or other evidence of cybersecurity capability.

IoT and Cloud

Connected devices and cyber-physical systems are becoming more prevalent in enterprise environments. As the cloud environment expands to encompass these technologies, the connected world depends on devices to manage, orchestrate, and provision data. By 2023, connected devices are forecast to reach 20 billion. This increase in volume is a growing challenge for service providers tasked with keeping their networks secure. It is also a challenge for enterprises and critical infrastructure entities to deploy and manage devices.

Insecure data flow from the edge to the cloud is a concern for data processing, especially in the age of microservices and containerization involving Docker, Kubernetes, etc. This calls for increased use of DevSecOps.

Distributed denial-of-service (DDoS) botnet attacks are another top IoT risk.

The Mirai botnet exploited a vulnerability in IoT devices to launch a DDoS attack against a critical Domain Name System (DNS) server. This disrupted the Internet’s biggest websites, including PayPal, Spotify, and Twitter.

According to the Open Web Application Security Project (OWASP), each side of this IoT and cloud convergence poses security challenges for the other. The cloud web interface is listed as one of the attack surfaces of IoT. Some of the top security risk factors include service and data integration, which is linked to IoT device security.

Security Responsibilities in the Cloud

At a high level, security responsibility maps to the degree of control a given actor has over the cloud architecture stack, which consists of:

  • Software as a Service (SaaS): The CSP is responsible for nearly all security because the cloud user can only access and manage their use of the application and cannot alter how the application works. For example, a SaaS provider provides perimeter security, logging/monitoring/auditing, and application security, whereas the consumer may only manage authorizations and entitlements.
  • Platform as a Service (PaaS): The CSP is responsible for the security of the platform, while the consumer is accountable for everything they implement on the platform, including how they configure any security features offered by the platform. Responsibilities are therefore more evenly split. For example, when using a Database as a Service, the provider manages fundamental security, patching, and core configuration. The cloud user is responsible for everything else, including which database security features to use to manage accounts or authentication methods.
  • Infrastructure as a Service (IaaS): Just like PaaS, the provider is responsible for foundational security, while the cloud user is accountable for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the client. For example, the IaaS provider will likely monitor their perimeter for attacks. However, the consumer is fully responsible for how they define and implement their virtual network security, using the tools the service makes available.

Shared Responsibility Model

Some SaaS providers believe that if they host their applications on platforms such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud, they are automatically compliant just because these platforms are. The same belief may apply to other IaaS or PaaS providers. SaaS CSPs need to review the exact controls covered in the platform's SOC reports and examine whether the controls and criteria relevant to their own service are covered there. SOC reports should not be just a checkbox for third-party (vendor) risk compliance.

This customer/platform shared responsibility model also extends to IT controls. Just as the responsibility to operate the IT environment is shared between AWS and its customers, so is the management, operation, and verification of IT controls. Cloud platforms can help relieve the customer's burden of operating controls by managing the controls associated with the physical infrastructure deployed in their environment, controls that may previously have been managed by the customer. As SaaS is deployed differently in the cloud, SaaS providers can benefit from shifting management of certain IT controls to the platforms. This results in a new, distributed control environment.

Data Governance in the Cloud

Governance issues also relate to regulatory compliance, security, privacy, and similar concerns impacting today’s organizations. Today’s data management and storage landscape, where data entropy and data sprawl are rampant, has far-reaching consequences for data security.

Many organizations store a significant amount of data in distributed and hybrid clouds and even in unmanaged environments, increasing regulatory compliance challenges. Maintaining a data inventory and data flow mapping is often recommended. With increasing numbers of IoT devices and data lakes in the cloud, visibility and control are lost, resulting in data sovereignty challenges. Disruptive technologies such as Blockchain (distributed ledger) have emerged as candidates for financial institutions to reform their businesses. Distributed ledger technology is expected to bring improvements by simplifying back-office operations and lowering human intervention. However, security concerns around this advancing technology remain.

Data Encryption or Anonymization

Privacy mandates such as the EU General Data Protection Regulation (GDPR) recommend data anonymization, which is another form of encryption. Without a proper data governance program, organizations may face challenges meeting these privacy compliance mandates. Data encryption is also mandated by the US Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

Data security and privacy are increasingly challenging in today’s cloud-based environments. Providing independent third-party assurance such as a System and Organization Controls (SOC) 2 report helps address these concerns and ensures cloud service providers (CSPs) stay ahead of the competition. This assurance also helps organizations mitigate data security and privacy risks.

Cloud Assurance for CSPs

There are several approaches by which CSPs can provide assurance to their customers and thereby give them confidence in using the CSP's services.

CSA Star Certification Roadmap

The Cloud Security Alliance (CSA), in collaboration with the American Institute of CPAs (AICPA), developed a third-party assessment program for CSPs called CSA Security, Trust, Assurance and Risk (STAR) Attestation. STAR is the industry's most powerful program for cloud security assurance. STAR encompasses the key principles of transparency, rigorous auditing, and standards harmonization. The STAR program provides multiple benefits, including indications of best practices and validation of the security posture of cloud offerings.

Cloud CSA STAR Level 2 Attestation/Certification

The SOC 2+ framework allows a SOC 2 report to cover additional controls over and above the Trust Services Criteria controls for security, availability, confidentiality, processing integrity, and privacy. Taking advantage of this framework, STAR Attestation provides a framework for Certified Public Accountants performing independent assessments of CSPs using SOC 2 engagements together with the Cloud Security Alliance's Cloud Controls Matrix (CCM). Alternatively, as a Certification Body, Accedere can also provide ISO/IEC 27001 Certification plus the CSA CCM to achieve STAR Level 2 compliance.

Cloud Controls Matrix (CCM)

The CCM, now at version 4 (CCM v4), is the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices, and regulations. CCM provides organizations with the needed structure, detail, and clarity related to information security in cloud computing. CCM is currently considered a de facto standard for cloud security assurance and compliance. CCM also covers some privacy controls mapped to GDPR.

Level 2 CSA STAR Compliance

STAR Attestation is positioned alongside STAR Certification at Level 2 of the Open Certification Framework. STAR Certification is a rigorous, independent third-party assessment of the security of a cloud service provider. STAR Attestation is based on SOC 2 Type I or Type II attestations supplemented by the criteria in the CCM. Accedere is listed with the Cloud Security Alliance as an auditor.

C5 Cloud Controls

In February 2016, the Bundesamt für Sicherheit in der Informationstechnik (BSI), the German Federal Office for Information Security, established the Cloud Computing Compliance Controls Catalog (C5) certification after noting the rise in cloud computing in Germany. With the C5, BSI redefined the bar for CSPs when dealing with German data. The establishment of the C5 has increased the demands on CSPs by combining existing security standards, including ISO 27001 Certification, and requiring increased transparency in data processing. C5 controls can be applied globally.

C5 is intended primarily for professional CSPs, their auditors, and the customers of those CSPs. The catalog is divided into 17 thematic sections (e.g., organization of information security, physical security). C5 makes use of recognized security standards, such as ISO 27001 Certification, the Cloud Controls Matrix of the Cloud Security Alliance, and BSI publications, and it reuses their requirements wherever appropriate.

A SOC 2 compliance report proves that a CSP complies with the catalog requirements and that the statements made about transparency are correct. This report is based on the internationally recognized attestation standard International Standard on Assurance Engagements (ISAE) 3000, which is used by public auditors. When auditing the annual financial statements, the auditors are already on site, so auditing according to C5 can be performed without much additional effort.

CSA STAR for Cloud: Benefits

  • Based on an ISO 27001 Certification or a SOC 2 Compliance and Attestation, along with the CCM.
  • It is a third-party audit carrying the CSA logo and the ISO/IEC or SOC 2 (AICPA) logo, which provides assurance to your customers.
  • The most recognized assurance for cloud security.
  • Covers the CSA maturity model.
  • Comprehensive framework covering AICPA, the Cloud Security Alliance, and C5.
  • A SOC 2 Type 2 with CSA STAR can only be provided by a CPA firm or a Certification Body (for ISO/IEC 27001) that is listed with the Cloud Security Alliance. Accedere is listed as both.