Security as a Service

The Cloud Security Alliance (CSA) has published a series of guidelines to help organizations in the area of security implementations. So I took a peek at their “Security as a Service” guidelines to see what they came up with.

Security as a Service refers to the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems. It typically includes services such as third-party audits of cloud services or assessments of on-premise systems via cloud-provided solutions based on industry standards.

The CSA Security as a Service guidelines ended up being more of a checklist of things to review when shopping for providers. Nothing dramatically new here, but worth sharing. Here are the guidelines:

Core Functionalities Needed

Governance — process by which policies are set and decision making is executed

Risk Management — process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions

Compliance — process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.

Technical Compliance Audits – automated auditing of configuration settings in devices, operating systems, databases, and applications.

Application Security Assessments – automated auditing of custom applications

Vulnerability Assessments – automated probing of network devices, computers and applications for known vulnerabilities and configuration issues

Penetration Testing – exploitation of vulnerabilities and configuration issues to gain access to an environment, network or computer, typically requiring manual assistance

Security / risk rating – assessment of the overall security / vulnerability of the systems being tested, e.g. based on the OWASP Risk Rating Methodology

Threats Addressed

Inaccurate inventory

Lack of continuous monitoring

Lack of correlation information

Lack of complete auditing

Failure to meet/prove adherence to Regulatory/Standards Compliance

Insecure / vulnerable configurations

Insecure architectures

Insecure processes / processes not being followed

Optional Features

SI/EM Integration

Physical security assessments


Standards are on different maturity levels in the various sections

Certification & Accreditation

Boundary definition for any assessments

Skills of tester(s) / assessors


Inconsistent ratings from different individuals / vendors