How to Perform Cloud Security Assessments in a Hybrid World
In general, compliance frameworks such as CCM 3.0 provide a “control matrix” in the form of a checklist, or spreadsheet, for security evaluation. They identify required security controls, such as “vulnerability management,” in an abstract fashion. They also provide tools to help assessors gauge one cloud security provider's (CSP's) features against the abstract controls. But what if you’re not evaluating a single CSP, but multiple CSPs in a supply chain? Conceptually, you could end up having to fill out control matrices for multiple CSPs and then stuff all that information into a unified control matrix for the entire system.
In my post for the RSA blog, I provide some recommendations on “How to Perform Cloud Security Assessment Across Supply Chains in a Hybrid World.”