2020 is unquestionably the year of maturity for cloud storage solutions. Nearly a decade ago, the cloud was still a new idea used mainly by startups. While cloud services are still not perfect, you can build better security today in the cloud than you can on your own premises, which is significant. Enterprises are now using more cloud services, and as a result, I predict that we will see more development of hybrid cloud topologies and more investment in edge computing.
Yet enterprises still face unique challenges with their cloud providers today, and those issues are shaping trends and solutions.
When enterprises are looking for platforms to develop workloads (i.e. IaaS/PaaS), my recommendation is usually to choose one of the large providers. The reason? Because large is usually a sign of maturity and well-defined budgets.
With SaaS, however, it’s a different ball game. There’s a large variety in the market, not all providers are created equal, and there’s not always an advantage to size. Sometimes the cloud consumer needs to onboard a smaller provider because it has specific features that integrate with your application: perhaps it is a specific type of CRM, a specific type of IT service, or a unique database. Sometimes it is the smaller SaaS providers with these unique features that can bring you marketing value or a competitive advantage.
For this reason, the biggest challenge for organizations in 2020 is to understand how to evaluate their providers, and this is particularly relevant for SaaS. Organizations need to create an ongoing process for evaluating a provider, setting security requirements, understanding its maturity level and security and comparing it to other providers. They will need to make a decision, onboard the provider, connect it to the local identity management structure and monitoring services, and then be ready to offboard within a couple of months if the relationship doesn’t work. All of this needs to be done at a rapid pace. They will have to mature their point-in-time assessment as well as their continuous and ongoing assessment of this provider, because typical enterprises will host hundreds of SaaS providers.
Organizations often look for certification and assessment frameworks, like SOC2 or ISO27K, as proof of security. Yet it’s important to understand that certifications are often the minimal requirement, and a provider should be able to demonstrate security controls on top of the certification. This can be accomplished by checking its:
● Security policy
● Disaster recovery plan
● Incident response and change management policies
● Technical features
A good security policy, for example, will be transparent and will have equal responsibilities, because the provider will trust its ability to fulfill its obligations. A non-mature security policy is much more one-sided.
Another strategy is to examine the technical features of the cloud provider. Make sure that it’s integrated with your single sign-on, that it has good monitoring tools, and that it provides granular access controls to let you know what your administrators are doing. For example, a Microsoft feature called Lockbox encrypts all data with a specific key, and customer support cannot access data without admin approval. I like this because it controls access to information and gives the customer a crucial layer of trust.
The most significant change that is going on in cloud security is the move from point-in-time assessment and certification to a continuous monitoring certification. Until now, the way that we monitored cloud providers was usually through certifications and audits. But this is only correct for that point in time; the day after an audit could be completely different. Once a year or once in six months is not enough to engender trust between customer and provider.
For this reason, I believe that in the next couple of years, we will see more continuous monitoring methodologies, so that organizations will receive live feedback from their providers about their security posture. Thus, you can receive frequent updates about their patch level, their compliance status and software hardening process.
Ultimately, we need more cooperation between providers and consumers. We need to develop the tools, and Panorays is a good example of a tool that provides a continuous assessment of third parties. To achieve this, we need to have advanced technology to support continuous monitoring. So this is the challenge currently, but luckily, this continuous monitoring is being pushed by best practices and the EU cyber laws that emphasize continuous monitoring.
The Cloud Security Alliance has been talking about continuous monitoring for the past couple of years. This began with the CAIQ (Consensus Assessments Initiative Questionnaire) and the CCM (Cloud Controls Matrix), which are the biggest projects produced by cloud providers to evaluate providers. CAIQ is an RFP spreadsheet sent to all providers containing many questions that address different regulations. When they responded, we posted the answers on our website. Today there are over 400 providers publishing their CAIQ, and over time we introduced the and the STAR certification, meaning that you were certified for a point in time.
We are now pushing for step three, which is a continuous monitoring assessment, and this means that we evaluate a provider on a continuous basis. We introduced this as a framework, but we still don’t have the technology and the right standards to work with. We are expecting that startups like Panorays will launch tools to help us with continuous monitoring of cloud security. We hope to leverage the industry to position continuous monitoring as the only way to monitor your cloud provider in the future.
Moshe Ferber is chairman of the Israeli chapter of the Cloud Security Alliance.
Panorays is a licensed distributor of the CSA’s Consensus Assessment Initiative Questionnaire (CAIQ).