Ensuring Cloud Compliance Excellence with ISO Standards and CSA STAR
Published 09/14/2023
Originally published by MSECB.
Written by Varun Prasad.
Introduction
Almost two decades since the advent of public cloud services, cloud computing continues to be a foundational building block that drives enterprise digital transformations and accelerates the delivery of new features to users. According to Gartner estimates, cloud computing constitutes the largest share of IT spending and is growing proportionally. The study forecasts worldwide public cloud end-user spending to reach nearly $600 billion in 2023, a significant increase over the prior year.
Despite the numerous benefits of cloud services and the rapid migration to cloud platforms, the biggest concern and barrier to adoption is the set of security risks associated with this technology. A recent survey of US IT leaders at medium to large organizations noted that although 97% of their organizations are accelerating their cloud migration strategy, about 63% stated that cybersecurity threats associated with cloud computing are a serious obstacle in their way. Also, with a steady increase in the number of data breaches over the years and heightened public awareness of security and privacy-related risks, consumers are very particular about the security posture of the products and services they use. Customers, investors, and shareholders care about the security posture of the organizations they do business with and consider it when making purchasing decisions. Recent studies on digital trust have revealed that a majority of consumers want to know an organization’s data policies before buying its products or services and will consider switching brands if those data practices are unclear. Hence, business entities of all sizes across industry segments strive to demonstrate digital trust and showcase a strong security posture backed by a solid system of controls.
What organizations should consider
ISO/IEC 27001
While organizations have had a suite of compliance certification and attestation options to choose from, the ISO/IEC 27001 standard has been a popular choice for a long time now. According to ISO, this is the world’s best-known standard for information security management systems (ISMS). Conformity to this standard means that an organization or business has put in place a management system to manage risks related to the security of data owned or handled by the organization. Implementing an ISMS enables the organization to meet its defined information security objectives and other legal and regulatory obligations. The requirements of the standard cover a variety of pertinent areas, including leadership and organizational structure; security-aware culture; risk management and implementation of appropriate controls; periodic internal audits; and management review to promote continuous improvement.
Organizations' use of cloud computing platforms introduces a new set of unique risks that require special consideration when assessing risk and implementing the niche controls needed to mitigate them. User entities are looking for assurances around the cloud security practices of organizations to protect systems and data. Therefore, in addition to obtaining certification against a generic standard, organizations must look to comply with other applicable frameworks (or standards) to give stakeholders confidence that robust safeguards and control measures are in place to mitigate risks specific to the use of cloud computing, to help meet clients’ compliance requirements, and to add value.
ISO/IEC 27017
Organizations must look to get certified against the ISO/IEC 27017 standard to complement their existing ISO/IEC 27001 certification and provide stakeholders with assurance of their control posture around the use of cloud computing. The ISO/IEC 27017 standard has a wide range of applicability and addresses several areas that are of key concern to users, making it an attractive option for organizations to demonstrate a strong state of cloud security. This international standard provides guidelines supporting the implementation of information security controls for cloud service customers and cloud service providers; some guidelines apply to cloud service customers and others to cloud service providers. The selection of appropriate information security controls and the application of the implementation guidance provided will depend on a risk assessment and on any legal, contractual, regulatory, or other cloud-sector-specific information security requirements. It must be noted that these control sets for cloud computing are in addition to the base set of Annex A controls that are part of the ISO/IEC 27001 standard.
The ISO/IEC 27017 standard is very effective, mainly because it includes control requirements that address some of the top risks related to cloud security. It serves as a good benchmark for organizations, reflects a mature control environment, and enhances their trustworthiness. It can be leveraged both by organizations providing cloud-based products or services and by those consuming other cloud services for their business operations. The foundation of cloud security is the shared responsibility model, which delineates the responsibilities of the cloud service provider and the cloud customer for each domain. Various public cloud providers have published versions of the shared responsibility model; customers must recognize and identify their own responsibilities, which can vary based on the cloud provider and the services being used. This has been a gray area in which cloud customers have often misunderstood, or held serious misconceptions about, their responsibilities. Gartner estimates that by the end of 2023, 99% of cloud security failures will be due to customers’ faults. To help clarify any confusion, the ISO/IEC 27017 standard consists of several controls that require the cloud service provider to communicate its responsibilities for various key areas and to provide information about its security-related capabilities and functionalities. The cloud customer is expected to consider this information, integrate it into its policies, and formulate a process to manage security.
Insufficient identity and access management, misconfigurations, system vulnerabilities, and data loss are among the top cloud security threats. To address questions around these, ISO/IEC 27017 has specific control requirements around segregation in virtual computing environments, virtual machine hardening, and monitoring of cloud environments. These controls are essential in helping identify vulnerabilities and reduce the attack surface.
CSA STAR
Another solid and increasingly popular option for cloud service providers who are building broad trust programs is the CSA STAR certification, which is based on the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM) framework. The CSA STAR certification requires and builds on ISO/IEC 27001 certification. In addition to complying with the ISMS requirements of the standard and its supporting set of Annex A control objectives and controls, organizations also need to comply with a detailed set of 197 control specifications tailored to topics relevant to cloud environments. Several organizations already use the CCM to assess their cloud computing environments, and incorporating it into their ISMS certification process can help leverage synergies, improve efficiency, and demonstrate trust.
Conclusion
We are seeing the adoption of multi-cloud strategies accelerate at a rapid pace, leading to increased complexity of system architectures; simultaneously, data breaches involving data and applications in the cloud also continue to rise. This requires organizations to have a strong cybersecurity posture to manage risks appropriately—a bare minimum expectation of the market. Hence, complying with a broad and flexible standard like ISO/IEC 27017 or a comprehensive framework like CSA STAR helps organizations better manage threats and risks, enhance their reputation, and achieve better customer satisfaction and increased revenue.
About the Author
Varun Prasad is a senior manager with BDO’s Third Party Attestation practice, an MSECB auditor, and an IT audit and risk management professional with more than 14 years of progressive experience. He has managed and executed a variety of IT audit-based projects from end-to-end. Varun has provided various types of audits, advisory, and assurance services, such as SOC 1, SOC 2, gap assessment and examination, internal audit, compliance audits (NIST frameworks, etc.), risk assessments, financial external audit support, agreed-upon procedures, business continuity and disaster recovery planning, system security reviews, and privacy. He is a lead auditor for ISO/IEC 27001 and ISO 22301 and has led multiple ISMS audits for large multinational tech companies and SaaS providers. Varun has experience working with a wide range of industries, including technology, financial services, insurance and benefits, and manufacturing, with a strong focus on cloud services.