Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA's free and virtual Global AI Symposium, October 22-24, for cutting-edge insights on AI and cloud security. 

Assessment, Remediation, and Certification Framework for Anything as a Service (XaaS) Products

Home
Industry Insights
Assessment, Remediation, and Certification Framework for Anything as a Service (XaaS) Products

Blog Article Published: 07/19/2024

Written by the CSA Enterprise Authority to Operate (EATO) Working Group.


Introduction by Jim Reavis, CEO of the Cloud Security Alliance

I would say that a lesson learned from spending many years in the cybersecurity industry is that one-size-fits-all solutions are rarely the approach we need to take for achieving high standards for governance, risk, and compliance. At CSA, we are always seeking to improve our tools and willing to question the status quo. When the stakeholders that would become the EATO Working Group came to us with an idea to address the use case of highly regulated industries needing to measure assurance for small cloud providers, we were intrigued. Using the Cloud Controls Matrix (CCM) as the starting point, they have articulated very detailed controls for this use case.

I would like to thank the EATO WG for their excellent work to date and I also want to issue a call to action for the larger community to review the work they have done and provide your feedback on the framework and next steps in our roadmap, which may eventually result in an additional STAR assessment service. Small providers are an important systemic risk issue to address in our ecosystem. I look forward to monitoring the progress of this group and hearing from you.

-Jim


The Enterprise Authority to Operate (EATO) Controls Framework is an assessment, remediation, and certification framework that targets small and mid-sized Anything-as-a-Service (XaaS) providers. It also targets their entire underlying supply chain who want to offer their services to customers in highly regulated industries or for processing sensitive data.

The EATO Controls Framework is based on the following components:

  1. A controls set based on the CSA Cloud Controls Matrix (CCM) but augmented to apply more detail and more restrictive controls. These controls aim to satisfy regulatory requirements that highly regulated industry customers must abide by.
  2. A comprehensive audited assessment against the controls framework. Additional scrutiny is applied toward risks emanating from non-compliance with controls, with particular focus on information security and data protection. Business continuity, data retention, archiving, and vendor/service provider controls and risks are also covered.
  3. The audit requires detailed evidence to support concrete design and implementation of the controls. Documentation is actively reviewed and challenged and where necessary, on-site inspection is added to obtain adequate assurance.
  4. The audit also allows individual customers to monitor the operating effectiveness of the controls on an ongoing basis.
  5. The audit results in findings which require remediation by implementing design changes in the XaaS solutions. Solution providers are accompanied by competent consultancy during the design and implementation phase.
  6. Once findings have been remediated, the audit is repeated for these specific findings to assess successful and effective remediation.
  7. Only after verification of successful remediation of earlier findings, the EATO certification is issued.


What is the difference between the EATO Framework and existing industry assessment frameworks?

Currently available standard assessment frameworks such as ISO 27001 or SOC 2 are not specific enough to address the tight control standards which customers in highly regulated industries have to comply with. Depending on the assessment framework, the controls applied are too high level, not addressing regulatory requirements fully, and partially configurable. Auditing may be evidence-based rather than following a detailed design challenge and inspection approach. Effective remediation of findings with testable evidence may not be supported by specific consultancies nor be enforced.

As corporate customers in heavily regulated industries are typically large, global, and must abide by multiple tight regulations, these customers cannot rely on existing assessment framework certifications. Instead, they must perform individual heavyweight risk and cloud control assessments that lead to many significant findings and trigger complex remediation requirements. This results in redundant cost and effort-intensive assessments and remediation processes, both to the XaaS vendor and the several potential corporate customers.

Enterprise customers may find subscribing to the EATO Controls Framework useful for the following reasons:

  • Provides an industry-standard controls-based assessment and remediation framework for XaaS solutions that specifically caters to corporate customers in highly regulated industries.
  • Issues trusted certificates only after effective and audited remediation of findings.
  • Supplies a shared assessment and remediation framework via a subscription model:
    • Corporate customers subscribe to an annual volume of certifications.
    • For each new XaaS considered, and for existing XaaS to be re-validated, corporate customers reach out to the CSA EATO Certification Register. If a certification already exists, this is made available to the customer, including the full underlying audit report. If no certification exists yet, a complete assessment is triggered by the CSA EATO Certification Body, leveraging the existing auditing and consultancy partner framework CSA has certified.
  • Reduces efforts and costs for corporate customers via the subscription model, eliminating the need for individual comprehensive assessments and remediation.
  • Improves information security and risk postures by applying a trusted, remediated assessment that is conducted by independent information security specialists against a defined global standard. Assessors must be certified by CSA as an independent and trusted body.
  • Encourages information security by design for XaaS providers by:
    • Incentivizing XaaS providers to conduct one and only one assessment instead of many, at no extra cost for the provider.
    • Focusing remediation efforts against one combined set of findings instead of many disparate and potentially conflicting requirements.
    • Supporting the design and implementation of compliant solutions.


The controls framework

The framework augments the CCM controls to apply more detail and more restrictions. For example, controls on encryption, privileged access management, and cross-border hosting/processing/access have been tightened to achieve a much stricter information protection standard. Requirements have been added for:

  • Customer-specific keys vaulted in a Hardware Security Module for sensitive data.
  • Temporary PAM with strict segregation of duties of privileged roles.
  • Localisation requirements for cloud hosting and services.
  • Cross-border access control /prevention for privileged/support user roles and standard user roles.

On the other hand, some controls on various aspects of service operation and control have been merged.


Next steps

The next steps for the EATO Working Group are:

  • Provide the auditing and implementation guidelines.
  • Cross-reference the controls and auditing guidelines to major regulatory requirement frameworks.
  • Map the EATO framework to other standard assessment frameworks and outline gaps in these compared to the EATO framework.
  • Certify auditing and consulting partners during Q4 2024 and Q1 2025.
  • Begin the pilot with XaaS solution assessments in Q4 2024.
  • Offer subscriptions to corporate customers, starting in Q2 2025.

Download the EATO Controls Framework.

Cloud Controls MatrixCloud Security Services ManagementComplianceStandardsSTAR

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
The Cloud Identity, Access, and Permissions Summit
SECtember.ai Global
CCZT: Now with Zero Trust Strategy
Trending This Week
#1 NIST FIPS 203, 204, and 205 Finalized: An Important Step Towards a Quantum-Safe Future
#2 AI Safety vs. AI Security: Navigating the Commonality and Differences
#3 What is BLOB (Binary Large Object)? Can it be tokenized?
#4 Managing Cloud Misconfigurations Risks
#5 The Impact of Blockchain on Cloud Security
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
What is the NIS 2 Directive? A European Approach to Cybersecurity

Published: 08/30/2024

The State of Cyber Resiliency in Financial Services

Published: 08/29/2024

14 Essential Steps to a Secure Salesforce Environment

Published: 08/29/2024

What are Machine Credentials, And Why Are They Important to Secure in Your Organization?

Published: 08/27/2024