How to Perform Cloud Security Assessments in a Hybrid World

Cloud risk standards such as FedRAMP and the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM) 3.0 may make it seem like you've got your security requirements under control, but it's not obvious how to use them for more than one CSP at a time.
The challenge is huge. We've seen many breaches that start with third-party supplier vulnerabilities, such as weak credentials or poor access management. Important applications in large enterprises tend to comprise, depend on, or interact with multiple enterprise IT systems, business units, and outsourced public cloud service providers (CSPs). I call this the "real world hybrid IT supply chain." As I wrote in "Cloud Security: The Essential Question," you need to understand who is in control of each part of a use case, because that entity is where your risk lies.

In general, compliance frameworks such as CCM 3.0 provide a "control matrix" in the form of a checklist, or spreadsheet, for security evaluation. They identify required security controls, such as "vulnerability management," in an abstract fashion. They also provide tools to help assessors gauge one cloud service provider's (CSP's) features against the abstract controls. But what if you're not evaluating a single CSP, but multiple CSPs in a supply chain? Conceptually, you could end up having to fill out control matrices for multiple CSPs and then have to consolidate all that information into a unified control matrix for the entire system.
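As an added illustration of that consolidation step (example code written for this page, not part of the original post or of any CSA/FedRAMP tooling), the snippet below merges per-party control matrices into one matrix for the whole use case. The control names and the three parties are constructed stand-ins, not real CCM control IDs; a control passes only if every party responsible for it passes, and a control that no party claims is flagged as a gap, i.e. nobody is in control of it.

```python
from dataclasses import dataclass

# Constructed abstract controls standing in for rows of a CCM/FedRAMP checklist.
CONTROLS = ["vulnerability-management", "access-management",
            "credential-policy", "supplier-review"]


@dataclass
class PartyAssessment:
    """One filled-out control matrix for one party in the hybrid supply chain.

    controls maps a control name to "pass", "fail" or "n/a"; "n/a" means this
    party does not control that area (someone else in the chain must).
    """
    name: str
    controls: dict


def unify(assessments, controls=CONTROLS):
    """Merge per-party matrices into a unified matrix for the whole system."""
    unified = {}
    for ctl in controls:
        responsible = [a.name for a in assessments
                       if a.controls.get(ctl, "n/a") != "n/a"]
        failing = [a.name for a in assessments if a.controls.get(ctl) == "fail"]
        if not responsible:
            status = "gap"      # nobody in the chain claims this control
        elif failing:
            status = "fail"     # weakest link: any responsible party failing fails it
        else:
            status = "pass"
        unified[ctl] = {"status": status, "responsible": responsible,
                        "failing": failing}
    return unified


def open_findings(unified):
    """Controls that need attention, with the party (if any) that owns the risk."""
    return {ctl: row for ctl, row in unified.items()
            if row["status"] in ("fail", "gap")}


# Constructed sample: enterprise IT plus a SaaS and an IaaS provider in one use case.
SAMPLE = [
    PartyAssessment("enterprise-it", {"vulnerability-management": "pass",
                                      "access-management": "pass"}),
    PartyAssessment("saas-csp", {"vulnerability-management": "pass",
                                 "access-management": "fail",
                                 "credential-policy": "pass"}),
    PartyAssessment("iaas-csp", {"vulnerability-management": "pass"}),
]

if __name__ == "__main__":
    for ctl, row in open_findings(unify(SAMPLE)).items():
        print(ctl, row["status"], "failing:", row["failing"])
```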

In my post for the RSA blog, I provide some recommendations on “How to Perform Cloud Security Assessment Across Supply Chains in a Hybrid World.”
