CSA Official Press Release
Cloud Security Alliance Releases the Continuous Audit Metrics Catalog
Paper is first to establish a foundation for continuous auditing of cloud services by defining a catalog of relevant security metrics and measurement processes that can be largely automated
SEATTLE – Oct. 20, 2021 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released the Continuous Audit Metrics Catalog. Drafted by the CSA Continuous Audit Metrics Working Group, the document is the first to set forth a foundation for the continuous auditing of cloud services by defining a catalog of 34 security metrics relevant to cloud computing with measurement processes that can be largely automated.
The proposed metrics were designed to be consistent with the recently released Cloud Controls Matrix (CCMv4) and support internal cloud service provider governance, risk, and compliance (GRC) activities, while providing a helpful baseline for service-level agreement transparency. The initial release of the Continuous Audit Metrics Catalog is the first step in the eventual creation of a larger set of metrics associated with CCM controls. In this sense, the Metrics Catalog is a living document, and CSA encourages experts within the community to contribute to its expansion.
While traditional security auditing processes rely on a large body of knowledge and well-established references such as CSA CCMv4, ISO/IEC 27001, and ISO/IEC 27017, no such foundation is available for continuous auditing of cloud services. The closest existing references are ISO/IEC 27004:2016 and NIST SP 800-55 Rev. 1; however, they focus on traditional information systems and describe processes that often require human intervention.
“With DevOps and fast-paced technological evolutions, many enterprises are finding that annual third-party audits are no longer sufficient. Instead, they want cloud service providers to give continuous assurance of the ongoing effectiveness regarding security processes and practices. The lack of well-established references or even a body of knowledge, however, makes selecting and measuring an information system’s security attributes in any meaningful way extremely challenging,” said Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance. “This document provides a starting point for the continuous auditing of cloud services.”
The longer-term vision is for the metrics to be integrated within CSA’s STAR (Security, Trust, Assurance, and Risk) Continuous program and to provide a foundation for continuous certification. STAR Continuous is “an innovative framework designed to provide compliance assurance to cloud customers on a monthly, daily, or even hourly basis” and is based on the idea of continuous auditing, achieved by continuously measuring specific attributes of an information system and comparing the results with pre-established security objectives. The results of this continuous auditing process are then shared in real time with customers in a way that protects the cloud provider’s confidential operations; however, the process must be automated in order to scale in cloud environments.
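The measure-compare-share loop described above, as an added example that is not part of the press release and not one of the catalog's own metrics: it measures one assumed security attribute (the fraction of critical findings patched within a 7-day SLA) from constructed evidence, compares it with an assumed objective, and emits a customer-facing summary that carries only the metric value and verdict, not the provider's internal host names or per-finding detail. The record format, metric name, SLA and target are all illustrative assumptions.

```python
from __future__ import annotations
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Added example: an illustrative continuous-audit metric, not a CSA-defined one.

@dataclass(frozen=True)
class PatchRecord:
    host: str                       # provider-internal identifier; never leaves the provider
    severity: str                   # e.g. "critical", "high"
    published: datetime             # when the vendor advisory was published
    remediated: Optional[datetime]  # None means the finding is still open

# Constructed evidence, as a provider's vulnerability tracker might export it.
NOW = datetime(2021, 10, 20)
SAMPLE_EVIDENCE = [
    PatchRecord("web-01", "critical", datetime(2021, 10, 1), datetime(2021, 10, 5)),    # 4 days: within SLA
    PatchRecord("web-02", "critical", datetime(2021, 10, 1), datetime(2021, 10, 12)),   # 11 days: late
    PatchRecord("db-01", "critical", datetime(2021, 10, 1), None),                      # open 19 days: overdue
    PatchRecord("db-02", "critical", datetime(2021, 10, 10), datetime(2021, 10, 14)),   # 4 days: within SLA
    PatchRecord("db-03", "critical", datetime(2021, 10, 15), None),                     # open 5 days: not yet due
    PatchRecord("cache-01", "high", datetime(2021, 10, 1), None),                       # out of scope for this metric
]

# Assumed pre-established security objective (illustrative, not from the catalog).
OBJECTIVE = {"metric": "critical_patch_within_sla", "sla_days": 7, "target": 0.95}


def measure_patch_timeliness(records: Iterable[PatchRecord], sla_days: int,
                             now: datetime = NOW) -> Optional[float]:
    """Fraction of critical findings remediated within the SLA.

    A finding counts only once it is 'due': either it has been remediated, or it has
    been open longer than the SLA. Findings still inside their SLA window are excluded
    so the metric does not swing early. Returns None when nothing is due yet.
    """
    sla = timedelta(days=sla_days)
    due = [r for r in records
           if r.severity == "critical"
           and (r.remediated is not None or now - r.published > sla)]
    if not due:
        return None
    on_time = sum(1 for r in due
                  if r.remediated is not None and r.remediated - r.published <= sla)
    return on_time / len(due)


def evaluate(value: Optional[float], target: float) -> str:
    """Compare the measured value with the objective."""
    if value is None:
        return "no-data"
    return "pass" if value >= target else "fail"


def customer_summary(records: Iterable[PatchRecord], objective: dict,
                     now: datetime = NOW) -> dict:
    """The shareable result: metric value and verdict only; no host names, no per-finding detail."""
    value = measure_patch_timeliness(records, objective["sla_days"], now)
    return {
        "metric": objective["metric"],
        "measured_at": now.isoformat(),
        "value": value,
        "target": objective["target"],
        "status": evaluate(value, objective["target"]),
    }


if __name__ == "__main__":
    # Run this on a schedule (hourly, daily) to get the continuous-audit signal.
    print(json.dumps(customer_summary(SAMPLE_EVIDENCE, OBJECTIVE), indent=2))
```

On the sample evidence four critical findings are due, two of them remediated in time, so the metric reads 0.5 against a 0.95 target and the summary reports "fail" without naming the hosts involved. The "not yet due" rule is the design choice worth noting: counting an open finding as a failure before its SLA has elapsed would make the metric oscillate every time a new advisory is published.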
The CSA Continuous Audit Metrics Working Group aims to define a catalog of security attributes and their corresponding metrics, derived from the CSA Cloud Controls Matrix (CCM), which can be used as a reference for auditors, cloud service providers, cloud customers, and security solution vendors that wish to engage in continuous audit-based self-assessments or certifications. Those interested in participating in future research and initiatives involving the group are invited to join.
Download the Continuous Audit Metrics Catalog now.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.
For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.