Cloud 101CircleEventsBlog

Assessment, Remediation, and Certification Framework for Anything as a Service (XaaS) Products

Published 07/19/2024

Assessment, Remediation, and Certification Framework for Anything as a Service (XaaS) Products

Written by the CSA Enterprise Authority to Operate (EATO) Working Group.


Introduction by Jim Reavis, CEO of the Cloud Security Alliance

I would say that a lesson learned from spending many years in the cybersecurity industry is that one-size-fits-all solutions are rarely the approach we need to take for achieving high standards for governance, risk, and compliance. At CSA, we are always seeking to improve our tools and willing to question the status quo. When the stakeholders that would become the EATO Working Group came to us with an idea to address the use case of highly regulated industries needing to measure assurance for small cloud providers, we were intrigued. Using the Cloud Controls Matrix (CCM) as the starting point, they have articulated very detailed controls for this use case.

I would like to thank the EATO WG for their excellent work to date and I also want to issue a call to action for the larger community to review the work they have done and provide your feedback on the framework and next steps in our roadmap, which may eventually result in an additional STAR assessment service. Small providers are an important systemic risk issue to address in our ecosystem. I look forward to monitoring the progress of this group and hearing from you.

-Jim


The Enterprise Authority to Operate (EATO) Controls Framework is an assessment, remediation, and certification framework that targets small and mid-sized Anything-as-a-Service (XaaS) providers. It also targets their entire underlying supply chain who want to offer their services to customers in highly regulated industries or for processing sensitive data.

The EATO Controls Framework is based on the following components:

  1. A controls set based on the CSA Cloud Controls Matrix (CCM) but augmented to apply more detail and more restrictive controls. These controls aim to satisfy regulatory requirements that highly regulated industry customers must abide by.
  2. A comprehensive audited assessment against the controls framework. Additional scrutiny is applied toward risks emanating from non-compliance with controls, with particular focus on information security and data protection. Business continuity, data retention, archiving, and vendor/service provider controls and risks are also covered.
  3. The audit requires detailed evidence to support concrete design and implementation of the controls. Documentation is actively reviewed and challenged and where necessary, on-site inspection is added to obtain adequate assurance.
  4. The audit also allows individual customers to monitor the operating effectiveness of the controls on an ongoing basis.
  5. The audit results in findings which require remediation by implementing design changes in the XaaS solutions. Solution providers are accompanied by competent consultancy during the design and implementation phase.
  6. Once findings have been remediated, the audit is repeated for these specific findings to assess successful and effective remediation.
  7. Only after verification of successful remediation of earlier findings, the EATO certification is issued.


What is the difference between the EATO Framework and existing industry assessment frameworks?

Currently available standard assessment frameworks such as ISO 27001 or SOC 2 are not specific enough to address the tight control standards which customers in highly regulated industries have to comply with. Depending on the assessment framework, the controls applied are too high level, not addressing regulatory requirements fully, and partially configurable. Auditing may be evidence-based rather than following a detailed design challenge and inspection approach. Effective remediation of findings with testable evidence may not be supported by specific consultancies nor be enforced.

As corporate customers in heavily regulated industries are typically large, global, and must abide by multiple tight regulations, these customers cannot rely on existing assessment framework certifications. Instead, they must perform individual heavyweight risk and cloud control assessments that lead to many significant findings and trigger complex remediation requirements. This results in redundant cost and effort-intensive assessments and remediation processes, both to the XaaS vendor and the several potential corporate customers.

Enterprise customers may find subscribing to the EATO Controls Framework useful for the following reasons:

  • Provides an industry-standard controls-based assessment and remediation framework for XaaS solutions that specifically caters to corporate customers in highly regulated industries.
  • Issues trusted certificates only after effective and audited remediation of findings.
  • Supplies a shared assessment and remediation framework via a subscription model:
    • Corporate customers subscribe to an annual volume of certifications.
    • For each new XaaS considered, and for existing XaaS to be re-validated, corporate customers reach out to the CSA EATO Certification Register. If a certification already exists, this is made available to the customer, including the full underlying audit report. If no certification exists yet, a complete assessment is triggered by the CSA EATO Certification Body, leveraging the existing auditing and consultancy partner framework CSA has certified.
  • Reduces efforts and costs for corporate customers via the subscription model, eliminating the need for individual comprehensive assessments and remediation.
  • Improves information security and risk postures by applying a trusted, remediated assessment that is conducted by independent information security specialists against a defined global standard. Assessors must be certified by CSA as an independent and trusted body.
  • Encourages information security by design for XaaS providers by:
    • Incentivizing XaaS providers to conduct one and only one assessment instead of many, at no extra cost for the provider.
    • Focusing remediation efforts against one combined set of findings instead of many disparate and potentially conflicting requirements.
    • Supporting the design and implementation of compliant solutions.


The controls framework

The framework augments the CCM controls to apply more detail and more restrictions. For example, controls on encryption, privileged access management, and cross-border hosting/processing/access have been tightened to achieve a much stricter information protection standard. Requirements have been added for:

  • Customer-specific keys vaulted in a Hardware Security Module for sensitive data.
  • Temporary PAM with strict segregation of duties of privileged roles.
  • Localisation requirements for cloud hosting and services.
  • Cross-border access control /prevention for privileged/support user roles and standard user roles.

On the other hand, some controls on various aspects of service operation and control have been merged.


Next steps

The next steps for the EATO Working Group are:

  • Provide the auditing and implementation guidelines.
  • Cross-reference the controls and auditing guidelines to major regulatory requirement frameworks.
  • Map the EATO framework to other standard assessment frameworks and outline gaps in these compared to the EATO framework.
  • Certify auditing and consulting partners during Q4 2024 and Q1 2025.
  • Begin the pilot with XaaS solution assessments in Q4 2024.
  • Offer subscriptions to corporate customers, starting in Q2 2025.

Download the EATO Controls Framework.

Share this content on your favorite social network today!