The worldwide public cloud services market is forecast to grow to 1 Trillion USD by 2024.
Some estimates say there are more than 20,000 SaaS providers globally. SaaS Software as a service (SaaS) will remain the largest market segment, forecast to grow to $141 billion by 2022.
Need More information on Cloud CSA STAR Compliance refer to our video.
Cloud Security Alliance has presented some of the following major cloud challenges.
Managing third-party risk is a crucial aspect of the overall risk management process and Zero Trust Security. Cloud providers are third parties that store or process valuable information. From a cybersecurity perspective, third-party risks often involve threats that exceed the scope of the organization’s risk management activities. Some organizations focus too narrowly on risks. For example, when hosting data in the cloud, most organizations ask the vendor for attestations or evidence of cybersecurity capability.
Connected devices and cyber-physical systems are becoming more prevalent in enterprise environments. As the cloud environment expands to encompass these technologies, the connected world depends on devices to manage, orchestrate, and provision data. By 2023, connected devices are forecast to reach 20 billion. This increase in volume is a growing challenge for service providers tasked with keeping their networks secure. It is also a challenge for enterprises and critical infrastructure entities to deploy and manage devices.
Insecure data flow from the edge to the cloud is a concern for data processing, especially in the age of Microservices & Containerization involving Dockers, Kubernetes, etc. This calls for increased use of DevSecOps.
Distributed denial-of-service (DDoS) botnet attack is another top IoT risk.
The Mirai botnet exploited a vulnerability in IoT devices to launch a DDoS attack against a critical Domain Name System (DNS) server. This disrupted the Internet’s biggest websites, including PayPal, Spotify, and Twitter.
According to the Open Web Application Security Project (OWASP), both aspects of security in this convergence are facing challenges from each other. The cloud web interface is listed as one of the attack surfaces of IoT. Some top security risk factors include service and data integration, which is linked to IoT device security.
At a high level, security responsibility maps to the degree of control any given actor has over the cloud architecture stack consists of:
Some SaaS providers believe that if they host their applications on platforms such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud, they are automatically compliant just because these platforms are. This may apply to other IaaS or PaaS providers. SaaS CSPs may also need to review the exact controls in SOC reports. They may also need to examine whether the relevant controls and criteria are covered in those SOC reports. SOC reports should not be just a checkbox for third-party (vendor) risk compliance.
This customer/platform shared responsibility model also extends to IT controls. Just as a responsibility to operate the IT environment is shared between AWS and its customers, so is the management, operation, and verification of IT controls. Cloud platforms can help relieve the customer's burden of operating controls by managing controls associated with the physical infrastructure deployed in their environment. These controls may previously have been managed by the customer. As SaaS is deployed differently in the cloud, SaaS providers can benefit from shifting management of certain IT controls to the platforms. This results in a (new) distributed control environment.
Governance issues also relate to regulatory compliance, security, privacy, and similar concerns impacting today’s organizations. Today’s data management and storage landscape, where data entropy and data sprawl are rampant, has far-reaching consequences for data security.
Many organizations store a significant amount of data in distributed and hybrid clouds and even unmanaged environments, increasing regulatory compliance challenges. Data inventory and data flow are often recommended. With increasing IoT devices and data lakes in the cloud, visibility, and control are lost, resulting in data sovereignty challenges. Disruptive technologies such as Blockchain (distributed ledger) have emerged as candidates for financial institutions to reform their businesses. Distributed ledger technology is expected to improve by simplifying back-office operations and lowering human intervention. However, security concerns around this advancing technology remain.
Privacy mandates such as the EU General Data Protection Regulation (GDPR) recommend data anonymization, which is another form of encryption. Without a proper data governance program, organizations may face challenges meeting these privacy compliance mandates. Data encryption is also mandated by the US Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
Data security and privacy are increasingly challenging in today’s cloud-based environments. Providing independent third-party assurance such as a System and Organization Controls (SOC) 2 report helps address these concerns and ensures cloud service providers (CSPs) stay ahead of the competition. This assurance also helps organizations mitigate data security and privacy risks.
There are several approaches for CSPs to provide assurance to their customers that would provide them with confidence in using the CSP’s services.
The Cloud Security Alliance (CSA), in collaboration with the American Institute of CPAs (AICPA), developed a third-party assessment program for CSPs called CSA Security Trust Assurance and Risk (STAR) Attestation. STAR is the industry’s most powerful program for cloud security assurance. STAR encompasses the key principles of transparency, rigorous auditing, and standards harmonization. The STAR program provides multiple benefits, including indications of best practices and validation of cloud offerings' security posture.
The SOC 2+ Framework allows SOC 2 to report on any additional controls over and above the trust services criteria controls for security, availability, confidentiality, processing integrity, and privacy. Taking advantage of this framework, STAR Attestation provides a framework for Certified Public Accountants performing independent assessments of CSPs using SOC 2 engagements with the Cloud Security Alliance’s Cloud Controls Matrix (CCM). Alternatively being a Certification Body Accedere can also provide the ISO/IEC 27001 Certification + CCM from CSA to achieve STAR Level 2 compliance.
The CCM now CCM 4, is the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices, and regulations. CCM provides organizations with the needed structure, detail, and clarity related to information security. Cloud computing. CCM is currently considered a de facto standard for cloud security assurance and compliance. CCM also covers some privacy controls mapped to GDPR.
The STAR Attestation is positioned as STAR Certification at Level 2 of the Open Certification Framework. STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. STAR Attestation is based on type I or SOC 2 compliance attestations supplemented by the criteria in the CCM. Accedere is listed with Cloud Security Alliance as Auditor
In February 2016, the Bundesamt fur Sicherheit Institute (BSI), or the German Federal Office for Information Security, established the Cloud Computing Compliance Controls Catalog (C5) certification after noting the rise in cloud computing in Germany. With the C5, BSI redefined the bar for CSPs when dealing with German data. The establishment of the C5 has increased the demands on CSPs by combining existing security standards including ISO 27001 Certification and requiring increased transparency in the data processing. C5 controls can be applied globally.
C5 is intended primarily for professional CSPs, their auditors, and customers of the CSPs. The catalog is divided into 17 thematic sections (e.g., organization of information security, physical security). C5 makes use of recognized security standards, such as ISO 27001 Certification, the Cloud Controls Matrix of the Cloud Security Alliance, and, BSI publications, and it uses these requirements wherever appropriate.
A SOC 2 compliance report proves that a CSP complies with the catalog requirements and that the statements made about transparency are correct. This report is based on the internationally recognized attestation system of the International Standard for Assurance Engagements (ISAE) 3000, which is used by public auditors. When auditing the annual financial statements, the auditors are already on site, and auditing according to C5 can be performed without much additional effort.