CSA Official Press Release
Cloud Security Alliance Releases Cloud Octagon Model to Facilitate Cloud Computing Risk Assessment
Innovative model challenges enterprises to investigate risk from perspective other than that of the cloud service provider
SEATTLE – June 24, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today released a new approach to overcoming the challenges involved in cloud computing environments—the Cloud Octagon Model. This model, which can be used in conjunction with CSA’s Cloud Controls Matrix (CCM) or Consensus Assessments Initiative Questionnaire (CAIQ), makes it easier for organizations to identify, represent, and assess risks in the context of their cloud implementation across multiple factors by introducing a logical approach to holistically dealing with security aspects involved in moving to the cloud.
The Cloud Octagon Model stems from an approach conceptualized and implemented by the Cloud Security Group within the Technology & Engineering department, Corporate Information Security Office (CISO), ABN AMRO Bank NV (Netherlands). It covers aspects such as procurement, IT governance, architecture, development and engineering, service providers, risk processes, data classification, and country. The model provides practical guidance and structure to all risk parties involved so that they can keep pace with rapid changes in privacy and data protection laws and regulations, and with changes in technology and its security implications. The model aims to:
- reduce risks associated with cloud computing;
- improve the effectiveness of the cloud risk team;
- improve manageability of the solution; and
- improve security.
“The sheer complexity arising from diversity in the number of cloud-based services, implementation approaches, and security makes cloud security extremely challenging, especially for large organizations, where security aspects such as legal, compliance, service level agreements and privacy are dealt with by separate internal departments,” said Jim de Haas, a security professional with ABN AMRO Bank NV’s Global Security Office and Board member of CSA’s Netherlands Chapter. “Adding to the challenge, large enterprises are in competition with smaller, more agile start-ups and security may take a backseat to time to market. We hope that this novel approach will provide a jumping off point for addressing the myriad issues that must be considered when moving to the cloud,” he explained.
The model can be supplementary to an organization’s existing risk assessment methodology in the event, for example, that it already has procedures and tools for cloud risk assessment or its regulator demands that the risk assessment methodology be supported by international standards. Using the Octagon Model in combination with CCM, for instance, challenges enterprises to investigate risk from a perspective other than that of their cloud service provider. Organizations are driven to examine the entire chain of service providers and their assurance levels, and by linking CCM controls to subjects covered by the Octagon Model—such as procurement or data classification—a detailed risk assessment picture will emerge.
Implementation of the Cloud Octagon Model at ABN AMRO is supported by a board game version that the bank created. The game raises awareness among 2nd-line experts about the required depth of a risk assessment and which areas require extra work in order to improve completeness and accuracy.
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.
For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.