As more organizations consider cloud computing services, ranging from the use of Software as a Service (SaaS) applications to development environments staged on Platform as a Service (PaaS) models or fully customizable cloud-based Infrastructure as a Service (IaaS), security and compliance are top-of-mind. For prospective customers of cloud service providers (CSPs), assessing the adequacy of a CSP’s security and audit program is difficult. Most CSPs have some security and auditing controls in place, but many have been reluctant to share specific details. Additionally, there has been a noted lack of consistency in the range of controls in place, with no true notion of CSP best practices to adhere to.
The CSA CCM aligns with the 13 specific domains contained within the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing (.pdf) document. Areas of focus include security architecture, compliance and audit, incident response, encryption and key management, identity and access management, and virtualization. The controls within the CCM cloud security standards, while somewhat high level, encompass the 13 domains and represent a broad set of information security and compliance focus areas that most security professionals will recognize as best practices. Each control also includes a number of attributes that help guide practitioners looking to implement and evaluate them.
The first attribute is Cloud Service Delivery Model Applicability, which classifies the controls into categories of CSP delivery models (SaaS, PaaS and IaaS). Most controls are applicable in multiple CSP categories, but some are specific to one environment or another. The second attribute is Scope/Applicability. This classifies controls based on whether they apply to CSP organizations, tenants (CSP customers) or both. For example, CSPs need to undergo independent third-party audits of their controls, often resulting in a SAS 70 Type II audit report or other similar report. Tenants, however, are not responsible for this audit; they expect the CSP to manage it and provide the results as attestation of controls for all involved parties (CSP and tenants).
In addition to classification categories, the CSA team that develops and publishes the CCM has attempted to provide compliance mapping across numerous well-known regulatory and industry compliance frameworks. As many organizations need to meet compliance requirements, this mapping is provided to help organizations determine how existing controls would apply in cloud environments, and also understand what additional considerations may be necessary for existing compliance programs when migrating systems, applications and data into CSP environments. U.S. government organizations can benefit from mapping to NIST SP800-53 risk management guidance (.pdf) and FedRAMP specifications, while publicly traded companies can leverage the mapping to CoBIT for Sarbanes-Oxley compliance. Specific industry regulations such as the PCI DSS and HIPAA/HITECH are mapped for companies that handle payment card data or health care information. ISO 27001 and BITS Shared Assessments frameworks are included, as well as several others.
The CSA CCM fits into a larger CSA project, the CSA GRC stack, which also includes CloudAudit (a set of interfaces and namespaces for automating audit and assessment in cloud environments) and the Consensus Assessments Initiative Questionnaire, which is a common set of questions that prospective customers and auditors will want to ask cloud providers. These cloud security standards projects are all open and driven as community efforts, and additional involvement is welcome. By leveraging the CCM and other CSA GRC efforts, cloud customers, auditors and providers should be able to improve security and compliance efforts through more effective assessments, auditing and collaboration.
About the author:
Dave Shackleford is a founder and principal consultant with Voodoo Security and also a certified SANS instructor.
This was first published in January 2011