This is a weekly post where we address questions of interest to the Application Information Security Community. To that end, we’d love to hear your questions! Please Tweet us with the hashtag #ThinkAppSec or leave us a comment below and we’ll pick one or two questions from that list.
How to assess the security of a cloud service provider
This is a question that I hear a lot. And it’s been asked since the early days of ASP (Application Service Providers). While it’s a simple question, the answer is fairly complex. Below we outline some of the high-level points organizations should consider when looking at their CSP’s application security profile.
How do I know my Cloud Service Provider’s (CSP) Applications are secure?
1. Know What You Mean by “Secure”
The most important step a company can take is to define what they mean by “secure.” If you don’t know what you’re aiming for, it’s going to be hard to know if you’ve hit the target. A rule of thumb that I’ve found useful in my consulting past is to review the security requirements for the application or service that was being used in-house and ensuring that the same requirements are applied to that app or service in the cloud. In other words, if your organization required that sensitive data be stored encrypted when it was on-prem, that data should probably be encrypted in the cloud – and arguably there could be even more reason to have it encrypted at the cloud provider.
When defining application security requirements for the cloud, don’t forget physical and personnel protections and restrictions. Your data center may have 24/7 camera surveillance, 3 layers of back-up energy supply and biometric authentication for entry – what does the cloud provider have? Hiring practices vary by company. Do you require a full background check of employees in the data center? If so, do you need that same level of personnel assessment from your CSP for the people managing your application?
Another point to consider is geographic location. Countries have different approaches to data privacy and access. When your application or service is housed in your data centers, you control where the data resides. A CSP may have optimized operations all over the globe. If you have organizational restrictions on countries where your data is stored, you’ll want to make sure the CSP can keep your data in the right geo-location.
2. Understand Audit Options
Some organizations feel comfortable if their CSP can provide any kind of assurance report, like a PCI DSS RoC (Payment Card Industry Data Security Standard Report on Compliance), ISO/IEC 27001 certification, or a SSAE 16 SOC2 (was SAS 70 Type II) report. While these reports are useful, they often don’t tell the whole risk story for a CSP or the application you are using in their Cloud.
Another approach is to include a “right to audit” clause in the contract with the CSP which enables you, as the customer, to perform some kind of audit tasks. What those tasks are will depend on what is defined in the contract. Some customers go so far as to require quarterly on-site visits for physical assessment and regular vulnerability scans and penetration tests of the CSP’s cloud/application. While this approach is comprehensive, getting that level of audit capability isn’t easy and many CSPs won’t agree to those audit terms. Not to mention that you, as the customer, probably have to pay the CSP more for the audit access, and have to allocate resources to perform the audits, review the findings and work with the CSP to ensure that critical issues are remediated.
3. Consider CSA STAR (Cloud Security Alliance Security Trust & Assurance Registry)
Once you know your requirements and have any required assurance reports – rather than going to a full audit of the CSP yourself, your organization could check out the CSP’s in the CSA STAR.
“The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.”
There are three layers to the CSA STAR Open Certification Framework:
- STAR Entry – Self Assessment: Publication of the results of a due diligence self-assessment based on CSA Consensus Assessment Initiative (CAI) Questionnaire and/or Cloud Control Matrix (CCM).
- STAR Certification / Attestation: Publication of available results of a third party assessment based on CCM and ISO27001 or AICPA SOC2.
- STAR Continuous: Publication of results of security properties monitoring, based on Cloud Trust Protocol (CTP).
Both the CAI and the CCM cover much more than application security and can be used by an organization to assess the CSP’s overall security stance as well as to nail down specifics about what they’re doing to provide security and protection for their applications and the data stored or used by those apps. Current STAR Certification means that a provider has been assessed against CCM v1.4 and ISO/IEC 27001:2005. In March 2014 providers can be assessed against either CCM v1.4 or CCM v3.
The first control domain of the CCM focuses on Application and Interface Security and provides control specifications for that domain including application security and data integrity. But many of the other domains touch on application security – the CCM has these identified in the Architectural Reference column so organizations can find the domains and control specifications quickly.
Organizations can review the level that a provider has completed (self-assessment, certification, continuous) in the Registry as a precursor to selecting a provider and to get some answers about what they’re already doing for application security. The CCM and STAR Registry may not answer every question you have about a CSP’s application security, but it is a great place to start. And a good way to get your thinking going about what else you want to know from the vendor, map your requirements to what is in the CAI or the CCM to see where there are gaps and ask the vendor about those during the assessment or contract negotiation process.
Clearly, there are many more steps involved in doing a complete assessment of a CSP’s application security. But hopefully the points above will serve as a good starting point to get your thinking organized and strategy for assessment created.
What are you doing to assess and monitor your CSP’s application security? What has worked for you? And what hasn’t? Please let us know in the comments below.
Other Application Security Questions Answered
As a CISO, how can I control my organization’s testing methodologies, change management and deployment processes, without compromising on quality and project timelines?
How Can I Secure Apps in the Cloud?
Submit your questions via Twitter using #ThinkAppSec