Modernizing Assurance for Cloud and Beyond

Since we launched in 2009, organizations around the world have looked to the Cloud Security Alliance to see what we might be able to offer to assist them in addressing assurance issues with the cloud services they were beginning to use. Fast forward to 2023, this has grown into a critical aspect of what we do and we continue to ask ourselves if we are addressing the needs of the market. I wanted to take some time to share how we are thinking about this challenge, what we do today, and how this will likely evolve in the future. It seems that every week we get new requests from an industry, country, or other important stakeholders that will impact our roadmap, so it is important that we stay focused on what the common needs are. You might call the following paragraph our problem statement:

The pace of technological innovation and cloud's ability to be procured, provisioned and scaled on demand puts tremendous pressure on the security assurance and compliance functions within both cloud service providers and cloud customers. In short, we have a massive number of cloud services that an enterprise needs to assure have an acceptable level of security. Cloud providers need to prove that their security meets the requirements of millions of enterprises. The growth in regulatory requirements is a major issue for both enterprises and cloud providers. The core challenge is delivering the requisite assurance at a pace that satisfies the business. The need is for both stakeholders to reduce redundant assurance activities to enable agility and focus on raising the bar for security.

To address that problem statement, the industry needs standardized, universal approaches to cloud assurance that are recognized globally, can be customized for relevant risks easily, and are rapidly updated to address evolving assurance needs. At CSA our portfolio of capabilities is called STAR - the Security, Trust, Assurance & Risk Program.

Probably the most familiar component of STAR is our Cloud Controls Matrix (CCM). CCM is our framework of cloud-native control objectives and is used pervasively throughout the industry. I would certainly call it the standard. A tool derived from CCM is our Consensus Assessments Initiative Questionnaire (CAIQ), the most common way to assess CCM control objectives in cloud provider environments. Thanks to assistance from volunteers and partners around the world, we are able to deliver a high quality controls framework and questionnaire. Perhaps the biggest challenge we have with CCM is maintaining current mappings to other standards and regulations. It is currently a manual process requiring lots of expert volunteers, but critically important to help organizations from performing a lot of redundant work with various security requirements that are actually asking for the same thing.

I would say that our second most noted component of STAR is the online registry itself, which includes thousands of cloud provider entries. It includes STAR Level 1 Self-Assessment to provide cloud providers a starting point to document their compliance with our best practices. STAR Level 2 provides third party assessments, including ISO 27001-based STAR Certification, SOC 2-based STAR Attestation, and other regional assessment types. STAR Level 2 audits are conducted by our global network or third party assessors, which represent a “Who’s Who” of assurance firms.

A newer and critical component of STAR is our STAR Enabled Solutions. CCM is delivered as a spreadsheet. Professionals like the flexibility a spreadsheet provides, but the agility and scale requirements in my problem statement dictate that we enable greater automation. Continuous monitoring is also a necessity. STAR Enabled Solutions is about working with technology partners to include our standards inside of their products. It also means providing greater tooling, such as machine readable versions. NIST’s Open Security Compliance Automation Language (OSCAL) is likely an important part of the solution and we are working to deliver OSCAL versions of CCM. At the end of the day, CSA is going to depend upon partners to take our standards and deliver the timely automation we think the market needs.

Education is of course an important part of assurance. The STAR program includes the Certificate of Cloud Auditing Knowledge (CCAK, a partnership with ISACA) and STAR Auditor Training. I believe we likely need to greatly expand this education to provide hands-on labs as well as contextual education for different industries and compliance requirements.

A component of STAR we are not talking about yet but we have already started delivering on is something we are calling Extended Services. CSA has a capability to deliver STAR components to governments, industries, and other consortia to rapidly build out state-of-the-art, relevant cloud assurance for the unique needs of their constituents while allowing them to add a few unique requirements of their own. You might think of it as STAR + Delta = Country A or Industry B cloud assurance program. We are engaging in a lot of interesting conversations in this regard and I think it may well be the game changer we need to simplify cloud assurance at scale.

What else will the future bring? We have been having fun playing around with ChatGPT (we also have a serious research project with it), and I think AI/ML may in the future greatly help us accelerate the mappings we must do and harmonize global security requirements. I see blockchain as being an ideal ledger system for recording IT audit activities in a way that cannot be repudiated and will allow all sorts of new solutions to analyze and manage risk. There are any number of new technologies that we can apply STAR to. At the same time, I think there is a lot of intellectual work we need to perform, together with industry experts to make assurance frameworks better. I also see us aligning CCM with NIST’s next version Cybersecurity Framework and certain maturity models.

Call me weird, but cloud assurance is one of the most interesting and exciting areas we work on at CSA. I would love to hear what you would like to see.