Welcome! Yea, though a scurvy pirate or two has occasioned to dare set foot within our establishment, they were swiftly dealt with and ne’ery a one have been eyed since. Aaargh …’tis no safer place to bury yer treasure. Thar treasure chests are sturdy and their locks sure. We afford ye yer own shovel for buryin’ and the watchmen step lively to thwart the ne’er-do-wells. Would ye care for a copy of our SSAE-16? Did I mention that we’re PCI compliant?

Outsourcing Security to the Cloud

shutterstock_82522894.jpg

Recent popular sentiment seems to suggest that organizations should move from a “check box” driven compliance model to one that is risk-based.

In near the very next breath, the benefits of leveraging cloud-based infrastructure to address availability and resourcing concerns are posited.

But if organizational compliance was ever truly as simple as completing a checkbox alone, then the assessment process supporting it was certainly flawed.

Further, though cloud solutions can indeed address availability and resource concerns, the unspoken dream of outsourcing security responsibilities in whole to third-party providers who have themselves completed their own “checkboxes” should seem counterintuitive.

It is true that organizations benefit greatly from applying sound risk management principles. However, most risk management frameworks integrate best practice security control use and supporting processes into their very foundation.

For example, consider the National Institute of Standards and Technology’s (NIST) special publication 800-30, "Risk Management Guide for Information Technology Systems."  Therein security requirements are advised to be considered as based on the criteria defined in sources such as the Federal Information Processing Standards Publications to which NIST special publications (SP) such as 800-53, Security and Privacy Controls for Federal Information Systems.

Risk Management is Not an Island 

Truthfully, risk management cannot be viewed as entirely independent of or as a replacement for the best practice security control frameworks which most compliance assessments consider. They are inter-related.

The Payment Card Industry (PCI) Data Security Standards (DSS) can easily be mapped to ISO 27001 and NIST SP800-53, the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM) includes mappings to various industry standards and frameworks; and NIST SP800-146, Cloud Computing Synopsis and Recommendations recommends the use of SP800-53.

Organizations should be encouraged to develop their risk management functions. It should readily be understood, however, that doing so does not supplant security control requirements, operational strategies, or the need to periodically review them.

Further, neither security nor compliance concerns can be wholly outsourced to third-parties. While a third-party provider’s own compliance reflects well on the sense of duty with which they manage and monitor their infrastructure, it does not establish an inherited compliance for their customers.

Rather it supports the probability that their customers should be able to more easily demonstrate their own compliance in the event that the provider offers sufficient transparency and support. Without this customers and their assessors lack sufficient insight into established controls and processes and how they may or may not extend to customer environments.

As such, the CCM establishes reasonable process for customer review of cloud service provider controls and capabilities while including consideration of whether or not the provider supports third-party reviews in alignment with both PCI DSS and NIST 800-53 among other standards and frameworks. Similarly again, the PCI Security Standards Council’s (SSC) recently issued "Information Supplement: PCI DSS Cloud Computing Guidelines" advises that,

Clients should discuss their needs with the provider to determine how the CSP can provide assurance that required controls are in place … Use of a PCI DSS compliant CSP does not result in PCI DSS compliance for the clients ...The client therefore must work with the CSP to ensure that evidence is provided to verify that PCI DSS controls are maintained on an ongoing basis -- an Attestation of Compliance (AOC) reflects a single point in time only; compliance requires ongoing monitoring and validation that controls are in place and working effectively”.

Expecting different is akin to burying treasure and expecting that the resulting natural camouflage mitigates the risk of pirates ever finding it without incurring the expense of better controls or the required effort to periodically ensure that your valued “booty” is still there and protected according to expectations.

Image courtesy of Fer Gregory (Shutterstock)

Editor's Note: When Peter isn't busy feeding his parrot, he writes thoughtful articles about risk management. To read more: The 5 Stages of Security Control Procurement: Getting to Acceptance