Latest news
Cloud provider assurance: Trust but verify
by Mike Small - Analyst at KuppingerCole - Thursday, 11 October 2012.
Manage risk through understanding needs
The first step to assuring trust is to understand what the business requirements are. Everything follows from these requirements:
There is no shortage of advice on how to manage risk to both cloud service providers, as well as cloud customers. The following list summarizes the most prominent frameworks and sources of advice:
Independent auditing and certification
The cloud customer may wish to audit the cloud provider to verify the service provided. However, it is not usually practical for the provider to allow every customer to perform their own audit. Auditing and certification of providers by a trusted third party is a way to satisfy this need. Therefore, it is important to understand what these certifications mean. Here are three examples:
SOC Reports - The auditing standard SSAE no. 16 (Statement on Standards for Attestation Engagements) is intended to satisfy the need for independent checking of service organizations. This is based on International Standard on Assurance Engagements no. 3402, Assurance Reports on Controls at a Service Organization.
Using these standards, an auditor can examine a service and produce a report. This report is based on the statement of the service that the organization claims to provide. Note: They are not an assessment against best practice. The auditor examines how the service is performed and the controls the organization has in place. The auditor is able to produce two types of reports (often referred to as SOC 1 and SOC 2 reports):
Type 1 report provides the auditor’s opinion on whether or not the description of the service is fair (does it exist) and whether or not the controls are appropriate.
Type 2 report is similar to a type 1 report but includes further information on whether or not the controls were actually working effectively.
An example of a cloud provider that offers such a report is Amazon Web Services.
The first step to assuring trust is to understand what the business requirements are. Everything follows from these requirements:
- Classify data and applications. Some applications are more critical than others and some kinds of data are more sensitive than others.
- Develop scenarios to understand the benefits and risks. Use these to determine the requirements for controls and the questions that need to be answered. This helps you to decide the appropriate response to the risks based on your enterprise’s risk appetite.
- Understand what the certification and accreditations offered by the cloud provider mean and actually cover and how these support your needs. Assurance frameworks can help with this.
- Finally, monitor the service provided using the agreed controls to assure that it is conforming to what was agreed.
There is no shortage of advice on how to manage risk to both cloud service providers, as well as cloud customers. The following list summarizes the most prominent frameworks and sources of advice:
- COBIT
- ISO/IEC 27001-27005
- AICPA/CICA Trust Services (SysTrust and WebTrust)
- Cloud Security Alliance Controls Matrix
- BITS Shared Assessment Program
- Jericho Forum Self-Assessment Scheme (SAS)
- CSA Shared Assessments
- ENISA Procure Secure
- German BSI Security Recommendations for Cloud Computing Providers.
- NIST Cloud Computing Synopsis and recommendations
Independent auditing and certification
The cloud customer may wish to audit the cloud provider to verify the service provided. However, it is not usually practical for the provider to allow every customer to perform their own audit. Auditing and certification of providers by a trusted third party is a way to satisfy this need. Therefore, it is important to understand what these certifications mean. Here are three examples:
SOC Reports - The auditing standard SSAE no. 16 (Statement on Standards for Attestation Engagements) is intended to satisfy the need for independent checking of service organizations. This is based on International Standard on Assurance Engagements no. 3402, Assurance Reports on Controls at a Service Organization.
Using these standards, an auditor can examine a service and produce a report. This report is based on the statement of the service that the organization claims to provide. Note: They are not an assessment against best practice. The auditor examines how the service is performed and the controls the organization has in place. The auditor is able to produce two types of reports (often referred to as SOC 1 and SOC 2 reports):
Type 1 report provides the auditor’s opinion on whether or not the description of the service is fair (does it exist) and whether or not the controls are appropriate.
Type 2 report is similar to a type 1 report but includes further information on whether or not the controls were actually working effectively.
An example of a cloud provider that offers such a report is Amazon Web Services.
Spotlight
Information security executives need to be strategic thinkers
Posted on 17 June 2013. | George Baker, the Director of Information Security at Exostar, talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, and more.
Large orgs in denial about own security breaches?
Posted on 14 June 2013. | Over two thirds (66%) of large organizations said they either had not experienced a security incident in the last 12-18 months or were unsure if they had.
Vulnerability scanning with PureCloud
Posted on 12 June 2013. | nCircle PureCloud is a cloud-based network security scanning product built upon the companies' vulnerability and risk management system IP360.
To hack back or not to hack back?
Posted on 12 June 2013. | If you think of cyberspace as a new resource for you and your organization, it makes sense to protect your part of it as best you can. But is it a good idea?
Reactions from the security community to the NSA spying scandal
Posted on 11 June 2013. | Read on for comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
