Many enterprises are still wrapping their heads around the cloud and are figuring out how to ensure adequately managed security for their cloud service providers.
Some industries have invested in resources to help each other manage the security of their cloud provider, which has enabled many vendors to emerge in this space. These new resources have been unique to the industry and have enabled enterprises to work together to manage their cloud providers.
This tip explores the concept of shared cloud security assessments and how enterprises can utilize them.
Shared cloud security assessments
Few security teams have sufficient resources to address all of the items that need their attention, and the rapid increase in cloud computing usage strains enterprise security resources further. Many of the basics of cloud security are built on the shared security models for outsourced providers and vendors that have evolved as enterprise information security programs have matured.
Many programs have questionnaires that they have refined over the years and that are custom to their requirements and environments. They have at times also used these questionnaires for internal systems, and have mapped them to their own compliance requirements.
There are several industry groups, such as Shared Assessments and the Cloud Security Alliance, that are trying to improve how these questionnaires are used to ultimately enable risk to be managed by enterprises.
One group is the Higher Education Information Security Council's Shared Cloud Security Assessments working group where higher education comes together, led by Baylor University CISO Jon Allen, to focus on improving questionnaires and shared assessments with the information security community (Editor's note: the author currently works for Internet2 on cloud security for higher education and is a staff contributor to the Shared Cloud Security Assessments working group).
With this working group built on top of the Internet2 Cloud Services program, there has been a focus on advancing cloud adoption in higher education. The working group developed a questionnaire, titled the Higher Education Cloud Vendor Assessment Tool, built from the existing resources of several campuses and the developed consensus in the community. The working group is improving awareness of these resources through conference presentations and outreach, and is also moving toward engaging the community in other beneficial ways -- readers can find a recent conference presentation on the topic here.
How enterprises can utilize cloud security questionnaires
There are many benefits for enterprises that work together to manage risk, as a common approach makes assessment easier for both the enterprises and the service providers (SPs) being assessed.
There was a presentation at the 2017 RSA Conference that was titled "Cloud Security Assessments: You're Doing It Wrong!" where a panel of SPs went over the difficulties they have had with customers using different questionnaires. Each questionnaire had different wording and covered different security controls, which required the SP to devote resources to answer each unique questionnaire.
Enterprises can adopt an industry standard questionnaire to reduce the resources required of an SP: the SP can accurately complete the questionnaire once and share the completed version with each customer, rather than expending resources on every customer's unique questionnaire.
When the questionnaire is shared, the SP demonstrates to potential customers that it is dedicated to making it easy for a customer to assess the security of its service, and this security transparency further gains its customers' trust. This could also make it easier for an SP to ensure that its sales staff are sharing the appropriate information with a potential customer, and for a customer to know that the questionnaire was completed by the appropriate resource.
Enterprises that don't have an existing questionnaire also benefit from a shared cloud security questionnaire, because they can easily adapt it to their local processes. By including the questionnaire in procurement, intake forms, risk management and resource request processes, an enterprise can ensure that every SP it uses is assessed.
Likewise, the use of a shared questionnaire would mean that the enterprise wouldn't need to individually maintain the questionnaire over time; as security controls and threats change, the shared work would be leveraged. Furthermore, enterprises in the same industry have many of the same requirements, and the use of a shared questionnaire would enable them to demonstrate that reasonable security controls are in place. This would also help senior management understand and compare security to similar organizations.
There are many existing service providers in this space that facilitate vendor, third-party or cloud security assessments. Depending on how much an enterprise wants to pay, these vendors can collect data, assess risk and monitor the SP on the enterprise's behalf. However, the enterprise will still need to oversee and manage the process, including maintaining the relationship and the contract, to ensure that risk is being properly managed.
In general, only a select number of information security teams have sufficient resources to adequately address information security risk across their entire enterprise. This means that resources must be prioritized to focus on the highest risk; however, any place where an enterprise can save resources is always welcomed.
The use of a shared resource could enable an enterprise to focus on the risks and aspects that are unique to their enterprise, whether it's a security checklist for hardening a system or an assessment of a service provider.