Yesterday, I wrote the first part of “Is my data safe in the cloud?”, looking at the work we’d been doing with the Cloud Security Alliance STAR (Security, Trust & Assurance Registry) project – which is an industry-wide initiative to make it possible to compare security practices across cloud services.
One of the outputs of the project is a standardised list of questions about cloud security practices, designed to mirror the questions typically asked in an RFP document. Each cloud supplier is then asked to publish a self-assessment answering these standard questions.
Cloud security assessment questions
The standard sections in the self-assessment cover 100 different cloud service requirements:
- Compliance – 8 areas
- Data Governance – 8 areas
- Facility Security – 8 areas
- Human Resources Security – 3 areas
- Information Security – 34 areas
- Legal – 2 areas
- Operations Management – 4 areas
- Risk Management – 5 areas
- Release Management – 5 areas
- Resiliency – 8 areas
- Security Architecture – 15 areas
Sample cloud requirements
Each section contains a series of individual requirements, which together form a very comprehensive list. Here are some examples of the kind of requirements specified in the CSA requirements documents:
CO-03 Compliance - Third Party Audits
Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.
CO-06 Compliance - Intellectual Property
Policy, process and procedure shall be established and implemented to safeguard intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.
DG-04 Data Governance - Retention Policy
Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of disk or tape backups must be implemented at planned intervals.
DG-05 Data Governance - Secure Disposal
Policies and procedures shall be established and mechanisms implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
FS-02 Facility Security - User Access
Physical access to information assets and functions by users and support personnel shall be restricted.
HR-01 Human Resources Security - Background Screening
Pursuant to local laws, regulations, ethics and contractual constraints all employment candidates, contractors and third parties will be subject to background verification proportional to the data classification to be accessed, the business requirements and acceptable risk.
IS-15 Information Security - Segregation of Duties
Policies, process and procedures shall be implemented to enforce and assure proper segregation of duties. In those events where user-role conflict of interest constraint exists, technical controls shall be in place to mitigate any risks arising from unauthorized or unintentional modification or misuse of the organization's information assets.
Microsoft CSA STAR self-assessments
Self-assessments have been published on the Cloud Security Alliance’s website for three key Microsoft cloud services, driven by customers asking for information and assurances about the security practices and security controls that different cloud service providers use. This information helps you better understand whether those services meet or exceed your organisation’s compliance obligations and internal standards. The self-assessments for Office 365, Windows Azure, and Microsoft Dynamics CRM in the CSA’s STAR registry provide cloud customers with the visibility and transparency they are looking for, in a way that is based on standards (ISO 27001) and CSA best practices. The Microsoft Dynamics CRM document, for example, runs to 50 pages, with detailed responses for each of the 100 requirements. This means that for each of these services you can see the answer given for every one of the detailed requirements.
How can you use the Cloud assessment documents?
There are three main ways I see that these documents, and the programme, can help educational organisations in Australia:
- If you are going to use cloud services, the requirements make a great starting place for your own RFP documents, as it provides a set of key requirements based on existing international standards (such as ISO 27001).
- If you want to see how Microsoft’s cloud services provide security at a physical, organisational and strategic level, the documents provide clear answers for each requirement.
- Lastly, if you want to do an effective comparative risk assessment between on-premises and cloud services, you can use exactly the same requirements framework to assess your own data security (for a quick check, read the sample list of requirements above and self-evaluate your own datacentre and services against it).
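The third use above, scoring your own environment against the same control list and setting the result beside a provider’s published answers, is easy to do by hand for a handful of controls but tedious for all 100. The script below is an added example written for this post; it is not code from the CSA, the STAR registry or Microsoft. It uses only the seven control IDs quoted above as its requirement list (the real one has 100), and the on-premises and cloud answers in it are constructed for illustration, not taken from any published self-assessment. Two points it deliberately handles: a control with no answer is scored as not met rather than silently skipped, and a control marked N/A on either side is never reported as a gap.

```python
# Compare two control self-assessments (e.g. on-premises vs a cloud service)
# against a CSA-style requirements list. Added example, not the CSA's own tooling.

# Constructed subset of the CSA requirement list (control ID -> domain). The IDs
# and domain names are the ones quoted in the post; the real list has 100 entries.
CONTROLS = {
    "CO-03": "Compliance",
    "CO-06": "Compliance",
    "DG-04": "Data Governance",
    "DG-05": "Data Governance",
    "FS-02": "Facility Security",
    "HR-01": "Human Resources Security",
    "IS-15": "Information Security",
}

ANSWERS = {"yes", "no", "n/a"}


def normalise(raw):
    """Validate a self-assessment and fill in every control.

    Unknown control IDs and answers outside yes/no/n/a are rejected. A control
    that was simply not answered is recorded as 'unanswered': it is not a pass,
    but it is kept distinct from an explicit 'no' so reviewers can chase it up.
    """
    unknown = set(raw) - set(CONTROLS)
    if unknown:
        raise ValueError(f"unknown control IDs: {sorted(unknown)}")
    result = {}
    for cid in CONTROLS:
        answer = str(raw.get(cid, "unanswered")).strip().lower()
        if answer not in ANSWERS | {"unanswered"}:
            raise ValueError(f"{cid}: answer must be yes/no/n/a, got {answer!r}")
        result[cid] = answer
    return result


def domain_summary(raw):
    """Per-domain count of controls met vs applicable (n/a is excluded).

    Returns {domain: (met, applicable)}. Unanswered controls count as
    applicable but not met, so an incomplete assessment scores lower, not higher.
    """
    answers = normalise(raw)
    summary = {domain: [0, 0] for domain in dict.fromkeys(CONTROLS.values())}
    for cid, domain in CONTROLS.items():
        if answers[cid] == "n/a":
            continue
        summary[domain][1] += 1
        if answers[cid] == "yes":
            summary[domain][0] += 1
    return {domain: tuple(counts) for domain, counts in summary.items()}


def gaps(baseline, candidate):
    """Controls the candidate meets that the baseline does not.

    For the on-premises vs cloud comparison, gaps(on_prem, cloud) lists where
    the provider documents a control you lack, and gaps(cloud, on_prem) the
    reverse. An 'n/a' answer on either side is not reported as a gap.
    """
    b, c = normalise(baseline), normalise(candidate)
    return sorted(cid for cid in CONTROLS
                  if c[cid] == "yes" and b[cid] in ("no", "unanswered"))


def unanswered(raw):
    """Control IDs the assessment never addressed."""
    return sorted(cid for cid, a in normalise(raw).items() if a == "unanswered")


# Constructed sample: a self-evaluation of an on-premises datacentre beside
# made-up answers standing in for a provider's published self-assessment.
ON_PREM = {"CO-03": "yes", "CO-06": "yes", "DG-04": "no", "DG-05": "no",
           "FS-02": "yes", "HR-01": "n/a", "IS-15": "no"}
CLOUD = {"CO-03": "Yes", "CO-06": "yes", "DG-04": "yes", "DG-05": "yes",
         "FS-02": "yes", "HR-01": "yes"}  # IS-15 left unanswered on purpose

if __name__ == "__main__":
    for name, assessment in (("on-premises", ON_PREM), ("cloud", CLOUD)):
        print(f"{name}:")
        for domain, (met, applicable) in domain_summary(assessment).items():
            print(f"  {domain:<26} {met}/{applicable}")
        print(f"  unanswered: {unanswered(assessment) or 'none'}")
    print("cloud meets, on-premises does not:", gaps(ON_PREM, CLOUD))
    print("on-premises meets, cloud does not:", gaps(CLOUD, ON_PREM))
```

Replace the CONTROLS map with the full list from the CSA documents and the ON_PREM dictionary with your own honest answers, and the output is a per-domain view of where your datacentre stands relative to the provider, plus a list of questions neither side has answered yet.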