The continuous cloud controls evaluation model

Jul 10, 2014 | 4 mins
Cloud Computing, Cloud Security, Compliance

With increasing complexity of cloud architectures (hybrid, multi-vendor, cloud of clouds), a continuous security model has to be embedded into the DNA of security


Cloud computing has many benefits, such as drastically decreased costs and wide availability of storage for organizations. The ability to fully outsource all IT functions is an attractive business model for companies who can choose to focus their talent and their resources on growing the company rather than growing their IT infrastructure.


With the growing adoption of cloud services and the increasing complexity of cloud architectures (hybrid, multi-vendor, cloud of clouds), it is imperative to understand and solve the biggest security concerns. Once you evaluate the cloud service providers (CSPs) and give business leaders approval to pursue those cloud services, the security oversight is only half done. A process still needs to be established to assess the compliance of these providers on an ongoing basis.

Before we talk about the reassessment criteria, there are certain assumptions that I’m going to make:

  • The company has already approved a particular cloud service provider (SaaS, IaaS, etc.)
  • The security team that is going to review and approve these cloud service providers is a small team
  • At the end of evaluation, there is a risk score computed, highlighting the risk impact with each cloud service provider

The question at the core of the matter is, why do we need to reassess the cloud service providers once the security team has provided a green signal and a contract is signed to use the cloud service provider? The C3 (continuous cloud controls) approach will reduce the exposure of your company’s and your customers’ data and help drive the remediation of high and medium risks, if any, to an acceptable level.

With this approach, the platforms that process highly sensitive data in a multi-tenant environment and the systems that integrate with your company’s HR or finance systems will remain compliant and continue to meet your company’s security policies and standards. Here, I’m going to take you through the frequency for doing those reassessments and the criteria we need for an ongoing evaluation of the providers that host our most sensitive data.

Reassessment frequency

My recommendation is to define a reassessment frequency that determines when each approved cloud service provider is evaluated again. This is critical for prioritizing your review effort: rank the cloud service providers by data classification, severity (P1 or P2), and risk impact (H, M, L), and then reassess them in that order.

If you are a small company, you probably use only a few cloud service providers, which might not be an issue. Most medium to large companies use anywhere from 100 to 500 different cloud service providers. Hence, it is very important to define the reassessment frequency based on risk, data type, etc.

Typically, my recommendation would be to reassess a high-risk cloud service provider every 2 years, a medium-risk provider every 3 years, and a low-risk provider every 4 years.

Reassessment criteria

When the reassessment frequency is met, the next step is to perform the reassessment itself. You will want to set the expectations with this cloud service provider (SaaS, PaaS, or IaaS) about your reassessment process so that the project team cooperates and assists the security team with this review.


It is beneficial to have at least a high-level overview of what has changed since the last review. To make that easier, ask these questions before you perform a full-blown review:

  • Is the functionality or service offering of the reviewed application still the same, or have there been any new offerings from this CSP?
  • Has the data sensitivity of the application in question been bumped to a higher sensitivity? (e.g. public to confidential)
  • Has there been a known security incident or breach for the CSP that caused potential compromise of customer records or company data?
  • Are there new additional systems that introduce any regulatory laws or compliance requirements to adhere to?
  • Has the architecture (system/network/data center) been changed/redesigned to a different data center, or have additional components been added since last approval/review?
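To make the cadence and the trigger questions above concrete, here is an added Python example (not from the article) that computes each provider's next reassessment date from its risk level, flags any change trigger that warrants an earlier review, and orders the due providers by data classification, severity, and risk. The ordinal scales and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass, fields
from datetime import date

# Reassessment cadence from the article: high risk every 2 years, medium 3, low 4
INTERVAL_YEARS = {"H": 2, "M": 3, "L": 4}
# Ordinal scales for prioritization (assumed here; the article only names the factors)
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
SEVERITY_RANK = {"P2": 0, "P1": 1}
RISK_RANK = {"L": 0, "M": 1, "H": 2}

@dataclass
class Provider:
    name: str
    risk: str             # H / M / L risk impact from the last assessment
    classification: str   # classification of the data the CSP hosts
    severity: str         # P1 or P2
    last_review: date
    # One boolean per pre-review question; True means the answer warrants an early review
    offering_changed: bool = False
    sensitivity_raised: bool = False
    incident_reported: bool = False
    new_regulation: bool = False
    architecture_changed: bool = False

def next_due(p: Provider) -> date:
    # Anniversary of the last review; a Feb 29 review date falls back to Feb 28
    try:
        return p.last_review.replace(year=p.last_review.year + INTERVAL_YEARS[p.risk])
    except ValueError:
        return p.last_review.replace(year=p.last_review.year + INTERVAL_YEARS[p.risk], day=28)

def triggers(p: Provider) -> list:
    # Every boolean field is a change trigger; any True one justifies an early review
    return [f.name for f in fields(p) if f.type is bool and getattr(p, f.name)]

def needs_reassessment(p: Provider, today: date) -> bool:
    return today >= next_due(p) or bool(triggers(p))

def reassessment_queue(providers, today: date) -> list:
    # Providers due for review, ordered by data classification, severity, then risk
    due = [p for p in providers if needs_reassessment(p, today)]
    return sorted(due, reverse=True, key=lambda p: (
        CLASSIFICATION_RANK[p.classification], SEVERITY_RANK[p.severity], RISK_RANK[p.risk]))

# Constructed sample inventory (fictional providers, not from the article)
SAMPLE = [
    Provider("hr-saas", "H", "confidential", "P2", date(2012, 3, 1)),
    Provider("billing-paas", "M", "restricted", "P1", date(2013, 1, 15), incident_reported=True),
    Provider("marketing-cdn", "L", "public", "P2", date(2011, 7, 10)),
]
```

Run against a date such as 2014-07-10, the queue lists the breached billing provider first and the overdue HR provider second, while the low-risk CDN is skipped until its 4-year anniversary.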

Enterprises trust the cloud provider with the most important asset they have: the data. At the same time, it is almost impossible to gain complete visibility into the cloud provider’s network and monitor its stack closely enough to track everything it did and confirm that it met all of your standards, policies, and legal requirements. With the enormous influx of new cloud service providers, I see light at the end of the tunnel and am very optimistic about the visibility, governance, and responsibility that these cloud service providers will bear in the near future.

Sai Ramanan is a 12-year information security veteran focusing on startup security, implementing security strategy and initiatives. Currently employed at Quora, he leads Quora's security programs, including bug bounty and phishing programs and other initiatives. Recently, Sai was also selected as a judge of the 2015 Info Security's Global Excellence Awards.

Previously, he worked for Cisco, SVB Financial Group, Deloitte & Touche, and McAfee, and has vast experience in security strategy, global information security policies, penetration testing, standards and procedures, risk assessments, and regulatory compliance frameworks such as HIPAA, PCI, FedRAMP, GLBA, SOX, etc.


The opinions expressed in this blog are those of Sai Ramanan and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
