Using CSA STAR to Improve Cloud Governance and Compliance
By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance
The more complex systems become, the less secure they are, even as security technologies improve. There are many reasons for this, but they all trace back to the problem of complexity. Why? Because we give most of our attention to technology, while the regulations and standards we must satisfy keep multiplying and are managed in separate silos. As a result, we become fragmented and overly complex.
In this blog, I’ll be discussing ways to address this problem by leveraging frameworks and systems that map to multiple certifications and industry standards. In particular, I’ll be discussing how the CSA STAR program fits in with other certification schemes and how you can leverage it to help reduce complexity.
“The adversary works in the world of the stack, and that complexity is where they thrive.”
~ Ron Ross, Senior Scientist and Fellow at NIST
Indicators of Complex Systems
Complex systems create more security risk because they:
- Have more independent processes, interfaces and interactions.
- Expose a larger attack surface, since each additional interface and interaction is another place where a weakness can appear.
- Are harder to monitor and have visibility into, which creates untested, and unaudited portions.
- Are harder to develop and implement securely.
- Are harder for employees and stakeholders to understand and be trained in.
Cloud service providers are forced to comply with a plethora of standards, frameworks and regulations. This causes complexity and compliance fatigue, along with increased risk and resource allocation issues. Many of the controls across these frameworks are similar and overlap, but because each framework states its own requirements, many organizations manage them in silos. This causes confusion, as the interpretation of each requirement becomes a matter of debate.
Business benefits of integrating your security systems
An integrated security system helps alleviate some of the challenges listed above by enabling organizations to align their processes and procedures into one complete framework that can help to deliver their objectives effectively and efficiently.
The system integrates all components of a governance, risk and compliance program into one coherent system linking boundaries between processes and creating seamless connections between its requirements and internal controls.
By using a single system for the ongoing management of risks and compliance, greater visibility into regulatory, legal, and information security obligations can be achieved. It also makes it easier to identify overlapping requirements, which enables controls to be better designed and implemented. Ultimately, this all results in better assurance being provided to the organization.
CSA best practices play an important guidance role in the creation of such a system and support setting the objectives, monitoring the performance and ensuring that metrics align your operations with top management's strategic thinking.
Why integrated security systems?
- Improve consistency within the organization
- Avoid duplication and gain cost savings
- Clarify allocation of responsibility
- Focus the organization onto business goals
- Absorb informal systems into formal systems
- Optimize staff training and development
Using CSA STAR to integrate your security systems
Since it maps to multiple standards and regulations, the CSA STAR Program can be leveraged as an organization’s integrated security system.
The STAR Program is based on three pillars that allow this integration:
- Technical standard and best practices
- A Certification framework
- A public repository and database
Each of the STAR pillars offers organizations tools to establish and maintain an effective and efficient cloud security and privacy governance and compliance posture.
The STAR Program is facilitated by the Cloud Control Matrix (CCM). The CCM has 16 domains and 133 controls (Figure 2). The domains cover a range of areas, from application, data center, and mobile security through to security incident, supply chain and threat management. The 133 individual controls within those domains are mapped to over 40 different frameworks and regulatory requirements.
Because the CCM maps to multiple standards and regulations, it supports the strategic direction of the organization by weaving all the main functions together as one fabric that covers the business, not only increasing security but making the business more resilient as well.
How STAR can facilitate an integrated security system in your organization
Below is an illustration of how common requirements of multiple systems standards/specifications can be integrated into one common system.
By using the ISO approach shown above of addressing the High-Level Structure (HLS) you will be able to:
- Map the context of the organization; identifying all the inputs and outputs as well as interested parties (both internal and external).
- Fully understand the context of the organization and introduce planning activities that will address the risks and opportunities of the business that can interfere with the expected output of the business and build the mitigation strategy into the day-to-day planning and operational process.
- Ensure that sufficient and appropriate resources are available. Appropriateness is often determined through competency analysis.
- Harden operational functions by deploying the functions developed during the planning process.
- Evaluate performance and effectiveness at consistent planned intervals. Internal audits and management reviews are key methods of reviewing the performance of the security system and tools for its continual improvement.
- Use the results to continuously improve the organization and its processes.
By integrating multiple frameworks into one holistic framework, you can understand both the gaps in your internal control system and the areas of overlap, and therefore avoid unmitigated risks on the one hand and duplication of effort on the other. The latter is achieved by focusing only on covering the gaps in the processes and controls, while treating the areas of intersection between the CCM and any other security framework used in the internal control system as already addressed.
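The gap-and-overlap analysis described above comes down to set operations over a control mapping: which framework requirements have no implemented control behind them (gaps), which implemented controls satisfy requirements in several frameworks at once (overlaps worth evidencing once), and which unimplemented control would close the most open requirements. The following is an added example, not code from CSA or the STAR program; the control IDs, the framework requirement IDs and the list of implemented controls are all constructed for illustration and are not the real CCM mapping.

```python
"""Gap-and-overlap analysis over a constructed control mapping.

Constructed example: the CCM-style control IDs, the requirement IDs and the
set of implemented controls below are made up for illustration and do not
reproduce the real Cloud Controls Matrix or any published mapping.
"""
from collections import defaultdict

# Constructed mapping: internal control -> {framework: requirements it satisfies}.
CONTROL_MAP = {
    "AIS-01": {"ISO27001": {"A.14.2.1"}, "NIST": {"SA-8"}},
    "AIS-02": {"ISO27001": {"A.14.2.8"}, "NIST": {"SA-11"}, "PCI": {"6.3.2"}},
    "DSI-01": {"ISO27001": {"A.8.2.1"}, "PCI": {"9.6.1"}},
    "IAM-02": {"ISO27001": {"A.9.2.1"}, "NIST": {"AC-2"}, "PCI": {"8.1.1"}},
    "SEF-02": {"NIST": {"IR-4"}, "PCI": {"12.10.1"}},
    "STA-05": {"ISO27001": {"A.15.1.1"}, "NIST": {"SA-9"}},
}

# Constructed: the full requirement list of each framework in scope.
FRAMEWORK_REQUIREMENTS = {
    "ISO27001": {"A.14.2.1", "A.14.2.8", "A.8.2.1", "A.9.2.1", "A.15.1.1", "A.12.4.1"},
    "NIST": {"SA-8", "SA-11", "AC-2", "IR-4", "SA-9", "AU-6"},
    "PCI": {"6.3.2", "9.6.1", "8.1.1", "12.10.1", "10.6.1"},
}

# Constructed: controls the organisation has implemented and can evidence.
IMPLEMENTED = {"AIS-01", "AIS-02", "IAM-02", "SEF-02", "STA-05"}


def requirements_covered(implemented=IMPLEMENTED, control_map=CONTROL_MAP):
    """Return framework -> requirement -> set of implemented controls behind it."""
    covered = defaultdict(lambda: defaultdict(set))
    for control in implemented:
        for framework, reqs in control_map.get(control, {}).items():
            for req in reqs:
                covered[framework][req].add(control)
    return covered


def gaps(framework, implemented=IMPLEMENTED, control_map=CONTROL_MAP,
         frameworks=FRAMEWORK_REQUIREMENTS):
    """Requirements of `framework` that no implemented control satisfies."""
    covered = requirements_covered(implemented, control_map)
    return sorted(frameworks[framework] - set(covered[framework]))


def coverage(framework, implemented=IMPLEMENTED, control_map=CONTROL_MAP,
             frameworks=FRAMEWORK_REQUIREMENTS):
    """Fraction of `framework` requirements backed by at least one control."""
    total = len(frameworks[framework])
    open_reqs = len(gaps(framework, implemented, control_map, frameworks))
    return (total - open_reqs) / total


def shared_controls(implemented=IMPLEMENTED, control_map=CONTROL_MAP, minimum=2):
    """Implemented controls mapped to at least `minimum` frameworks.

    These are the overlap areas: evidence them once and reuse the evidence
    in every audit instead of re-testing the same control per framework.
    """
    return {control: sorted(control_map[control])
            for control in sorted(implemented)
            if len(control_map.get(control, {})) >= minimum}


def best_next_controls(implemented=IMPLEMENTED, control_map=CONTROL_MAP,
                       frameworks=FRAMEWORK_REQUIREMENTS):
    """Unimplemented controls ranked by how many open requirements they close."""
    open_reqs = {fw: set(gaps(fw, implemented, control_map, frameworks))
                 for fw in frameworks}
    ranked = []
    for control, fw_map in control_map.items():
        if control in implemented:
            continue
        closes = sum(len(reqs & open_reqs.get(fw, set()))
                     for fw, reqs in fw_map.items())
        if closes:
            ranked.append((control, closes))
    # Most gaps closed first; ties broken by control ID for stable output.
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for fw in FRAMEWORK_REQUIREMENTS:
        print(f"{fw}: coverage {coverage(fw):.0%}, gaps {gaps(fw)}")
    print("controls shared by 3+ frameworks:", shared_controls(minimum=3))
    print("next controls to implement:", best_next_controls())
```

With the constructed data, the unimplemented DSI-01 control closes two open requirements (one ISO 27001, one PCI) at once, which is exactly the kind of prioritisation a single integrated mapping makes visible and a set of per-framework spreadsheets hides.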
Things to consider prior to kicking off your project plan
- Perform a gap analysis of your cloud security using the CSA CAIQ
- Set clear objectives for integration and expected ROI
- Determine the extent to which integration should occur (scope)
- Consider the cultural landscape within your company
- Analyze the need for training based on the levels of competence necessary
  - Evaluate your training needs to get started
  - Re-evaluate based on the gaps you’ve identified
  - This will help embed the knowledge
- Keep in mind legal and other regulatory requirements along with internal requirements
What do you need to do next?
- Set up a project team to manage the implementation
- Communicate the project across the whole organization
- Create an implementation plan and monitor progress
- Take a fresh look at your total business
- Highlight the changes as opportunities for improvement
- Make changes to your documentation to reflect the new structure (as necessary)
- Implement the new requirements on leadership, risk and context of the organization
- Review the effectiveness of your current control set
- Carry out an impact assessment
- Start measuring ROI
Do Things Differently through Visibility – Insight – Action
Experience teaches that the more successful businesses embed best practices holistically across the entire organization, not just in one specific area. Products and services today must meet a diverse spectrum of certification and compliance requirements.
Developing a consistent framework of repeatable processes and procedures allows the organization to comply, grow, and protect the operation.
Instituting a company-wide strategy breaks down long-established silos separating departments and divisions, and, for many organizations, can represent a significant change to corporate culture.