The world of Cloud security standards is not for the faint of heart. There is a vast intertwined jungle of overlapping standards, certification and compliance efforts that all relate to cloud. One of the leading organizations in the Cloud security world is the Cloud Security Alliance (CSA).
The CSA is now encouraging Cloud providers and users to embrace the Service Organization Control (SOC) version 2 report standard. In a video interview with Datamation, John Howie, the Chief Operating Officer of the CSA, detailed the myriad standards for clouds that might be applicable and what his organization sees as the way forward.
"If you look at proving the security of a service provider and not necessarily just a cloud provider, there is a patchwork of tools, systems and methodologies in existence today," Howie said. "We're looking to do something that works globally."
The CSA produces the Cloud Controls Matrix (CCM), which is a guiding document to help insure security of a cloud provider. The CCM can be mapped against the SOC v2 standard for service providers. "The SOC 2 report is essentially attesting to the controls in use in a service organization and whether or not they are operating as expected," Howie said.
The SOC 2 report is intended as a replacement for the SAS 70 reporting standard for service providers. The SAS 70 has been identified by multiple parties over the years as being deficient for cloud providers.
Howie explained that a SOC 2 report provides information on the health of cloud controls in use by a service provider. A SOC 2 report is generated over six months of service provider activity.
Point in Time Compliance
With multiple forms of compliance, there is a risk that organizations are only compliant at the point in time at which the compliance audit is completed. Howie argued that risk doesn't really apply with the SOC 2.
"With a SOC 2 report the controls have to be in operation continuously for a period of at least six months," Howie said. "So it's not as though a cloud provider could scramble to get everything healthy, bring in an auditor for a day and then have everything fall into a state of disrepair the next day."
As the SOC 2 report is produced annually, Howie sees it being highly unlikely that any cloud provider will let any control lapse.
CSA is now also working on a continuous monitoring piece for cloud controls. The monitoring could provide daily or weekly reporting on the health of a cloud provider environment.
The CSA itself is not a compliance organization for the cloud.
"We provide objective data to legislators and regulators about the state of the industry," Howie said. "We're not seeking to set policy."
Today there is no publicly posted seal on any given cloud providers service that identifies the cloud security posture of a provider. Howie explained that the emerging SOC 3 report is now being developed to solve that need.
"It's not yet known how this will work for cloud providers specifically," Howie said.
The CSA has not yet done the mapping for the the Cloud Controls Matrix to the SOC 3, though efforts to do so are currently underway.
The PCI-DSS, data security standard is used by merchants around the world as a compliance measure for online transaction security. PCI-DSS can also work for cloud providers.
"What we did when we created the Cloud Controls Matrix is we mapped the representative controls that we think a cloud provider should have, to a number of standards including PCI-DSS," Howie explained. "So you're able to take our controls and map them to other existing compliance obligations that you already have."
In general, the need to continuously evolve cloud controls is something that will not change.
There will always be something missing, because as technology advances, as people use the cloud in new way, there will always be gaps," Howie said. There will always be for us as an organization and our work will never be done."
Watch the video interview with John Howie, COO of the Cloud Security Alliance below: