Ask any security practitioner and they’ll say securing cloud environments is challenging for a number of reasons, of which three particularly stand out: First, because of the increased complexity they add to environments. Second, because of their reliance on service providers without direct visibility into day-to-day security operations. Third, due to adoption dynamics that favor rapid and sometimes unplanned incorporation.
It shouldn’t be surprising then that cloud security frameworks are gaining traction in the security community. For customers, they can form part of a strategy to help secure cloud use. For providers, they can serve as a primary instrument to communicate security practices and countermeasures. Cloud security frameworks can also help with validation of security and preengagement vetting.
Regardless of what side of the cloud security fence you are on — either customer or end user — cloud security frameworks can provide value. With that in mind, let’s take a look at what cloud security frameworks are, why they’re useful and how to incorporate them into an enterprise security strategy.
What is a cloud security framework?
There are numerous security frameworks available, including those for governance (COBIT), architecture (SABSA), management standards (ISO/IEC 27001) and NIST’s Cybersecurity Framework. Just as these frameworks can apply broadly to technology, they are also applicable to the cloud. In addition to these general frameworks, there are multiple specialized ones that could be relevant depending on use case and context; for example, consider HITRUST’s Common Security Framework in a healthcare context.
Companies and vendors can use cloud-specific security frameworks for validation and certification efforts. These include the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM), FedRAMP and ISO/IEC 27017:2015. There are more cloud security frameworks available, but these three are particularly useful because they are frequently used and well known, specific to both cloud and security, have a supporting certification program or registry, and are equally useful to cloud service providers (CSPs) and customers.
Cloud security frameworks provide information to the broader industry about security measures that are applicable to cloud environments. Like any security framework, these include a set of controls with specific guidance about controls (including intent and rigor), control management, validation and other information related to securing a cloud use case.
How are cloud security frameworks useful?
Having a framework’s set of controls and practices in place is beneficial to CSPs and cloud customers. It gives both a frame of reference within which to discuss security practices and specific measures. As we all know, there is a near-infinite array of possible countermeasures that an organization might employ to keep their environment secured. Having an agreed-upon list of generally accepted controls helps CSPs decide how to invest their time and budget, and it gives customers guidance on what they should look for as standard security mechanisms in evaluating a CSP.
Frameworks can also serve as a baseline for evaluation. They provide a useful benchmark cloud customers can use to evaluate providers or compare security practices between providers. They can also enable service providers to demonstrate their security practices, either to assist with preengagement vetting or as part of their sales narrative. The more specific and prescriptive the controls laid out in the framework are, the more conducive they are to serving in this evaluation capacity.
If used strategically, frameworks reduce work for the customer and CSP. They reduce work for the customer in that these controls can form the basis for an evaluation checklist or set of evaluation criteria as described above, which in turn limits the need for an organization to develop such a list. They can reduce work for the CSP by reducing the number of disparate, one-off evaluation questionnaires customers ask providers to respond to. Even when that doesn’t happen, frameworks can still streamline the work involved in customer vetting by enabling providers to organize responses, prepare narratives and gather evidence against a known set of criteria instead of individually for each customer that they might encounter.
How to choose a cloud security framework
Adopting and using a cloud security framework is a relatively straightforward process, but it does vary a bit depending on whether you are a customer or CSP.
For customers, selecting one will depend largely on the company’s broader program and business context. For example, a U.S. federal government agency or contractor will almost certainly want to investigate FedRAMP first. FedRAMP was designed to offer a set of validation criteria based on standard security measures and to streamline the onboarding of CSPs for government use. A large multinational organization with a security program already built on ISO/IEC 27001 that incorporates controls from ISO/IEC 27002 may find ISO/IEC 27017 is a better fit because the controls will be more familiar, and it will align directly with the existing security program.
CSPs should employ a set of frameworks, both cloud and security ones, that are known and accepted within the markets they service. As mentioned, one of the reasons to consider these particular frameworks is their supporting assurance programs. In the case of FedRAMP, a CSP can become a FedRAMP authorized service provider. For the ISO/IEC standard, CSPs can certify to that as they can with any ISO management system standards. CSA has its Consensus Assessment Initiative Questionnaire, built on CCM, and its STAR registry, which certifies validation of adherence. The framework CSPs should favor is the one that is likely to get the most traction and be most recognized among customers.
Regardless of which is chosen, cloud security frameworks can help with cloud security efforts. Between providing a lingua franca for discussion of specific controls to providing a benchmark for evaluation and certification to creating a backbone for organization of internal security efforts, learning about the options available is time well spent.