The Cloud Security Alliance (CSA) has published a series of guidelines to help organizations with their security implementations. So I took a peek at their “Security as a Service” guidelines to see what they came up with.
Security as a Service refers to the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems. It typically includes services such as third-party audits of cloud services or assessments of on-premise systems via cloud-provided solutions based on industry standards.
The CSA Security as a Service guidelines ended up being more of a checklist of things to review when shopping for providers. Nothing dramatically new here, but worth sharing. Here are the guidelines:
Core Functionalities Needed
Governance – process by which policies are set and decision making is executed
Risk Management – process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions
Compliance – process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or from external laws, regulations, standards and agreements.
Technical Compliance Audits – automated auditing of configuration settings in devices, operating systems, databases and applications
Application Security Assessments – automated auditing of custom applications
Vulnerability Assessments – automated probing of network devices, computers and applications for known vulnerabilities and configuration issues
Penetration Testing – exploitation of vulnerabilities and configuration issues to gain access to an environment, network or computer, typically requiring manual assistance
Security / Risk Rating – assessment of the overall security / vulnerability of the systems being tested, e.g. based on the OWASP Risk Rating Methodology
Lack of continuous monitoring
Lack of correlation information
Lack of complete auditing
Failure to meet / prove adherence to regulatory / standards compliance
Insecure / vulnerable configurations
Insecure processes / processes not being followed
Physical security assessments
Standards are on different maturity levels in the various sections
Certification & Accreditation
Boundary definition for any assessments
Skills of tester(s) / assessors
Inconsistent ratings from different individuals / vendors
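As an added example (not from the CSA guidelines or this post), here is the OWASP Risk Rating Methodology mentioned under Security / Risk Rating written out as a reproducible calculation; a fixed scoring procedure like this is also one answer to the last concern above, inconsistent ratings from different individuals or vendors. The factor values in SAMPLE are constructed for illustration only.

```python
# Added example: OWASP Risk Rating Methodology as a reproducible calculation.
# Each factor is scored 0-9; the likelihood and impact groups are averaged and
# bucketed as LOW (<3), MEDIUM (3 to <6) or HIGH (>=6), then combined through
# the OWASP overall-severity matrix.
from statistics import mean

LIKELIHOOD_FACTORS = (  # threat agent factors, then vulnerability factors
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
IMPACT_FACTORS = (  # technical impact factors, then business impact factors
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability",
    "loss_of_accountability", "financial_damage", "reputation_damage",
    "non_compliance", "privacy_violation")

# Overall severity matrix: SEVERITY[impact_level][likelihood_level]
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}

def level(score):
    """Bucket a 0-9 average into the three OWASP levels."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def group_score(factors, names):
    """Average one factor group; reject missing or out-of-range values."""
    values = []
    for name in names:
        v = factors[name]  # KeyError: an unscored factor is a reporting gap
        if not 0 <= v <= 9:
            raise ValueError(f"{name} must be 0-9, got {v}")
        values.append(v)
    return mean(values)

def owasp_risk(factors):
    """Return likelihood, impact and overall severity for one finding."""
    likelihood = group_score(factors, LIKELIHOOD_FACTORS)
    impact = group_score(factors, IMPACT_FACTORS)
    return {"likelihood": likelihood, "likelihood_level": level(likelihood),
            "impact": impact, "impact_level": level(impact),
            "severity": SEVERITY[level(impact)][level(likelihood)]}

# Constructed sample scoring for one finding (illustrative values only).
SAMPLE = {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
          "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9,
          "intrusion_detection": 8, "loss_of_confidentiality": 7,
          "loss_of_integrity": 5, "loss_of_availability": 5,
          "loss_of_accountability": 7, "financial_damage": 7,
          "reputation_damage": 5, "non_compliance": 7, "privacy_violation": 7}
```

Calling owasp_risk(SAMPLE) gives likelihood 8.25 and impact 6.25, both HIGH, so the finding rates as Critical; two assessors using the same factor scores will always land on the same rating.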