KuppingerCole Report
Advisory Note
By Mike Small

How to Assure Cloud Services

This report is one of a series of documents around the use of cloud services. It identifies how standards, as well as independent certifications and attestations, can be used to assure the security and compliance of cloud services.

1 Executive Summary

This report is one of a series of documents around the use of cloud services. It identifies how standards, as well as independent certifications and ...


2 Highlights

This report provides guidance on how standards, as well as independent certifications and attestations, can be used to assure the security and complian ...


3 Cloud Assurance as a part of IT Governance

KuppingerCole recommends taking a good governance approach to all IT services and this approach is fundamental to securely embracing the cloud service ...

The governance process starts from business objectives and defines a policy for the IT services to deliver on those objectives. These lead to the pro ...

For IaaS services the CSP has no control over how the service is being used by the customer and is only responsible for securing the infrastructure us ...


4 Assuring Cloud Services

This chapter describes some of the important standards and certifications and how they can be used to assure cloud services.

As previously described ...


4.1 Take a risk based approach

Not all risks are equal – you need to prioritize which risks are important and ensure the appropriate level of assurance based on this.

Kuppinger ...


4.2 Understand the Levels of Assurance

Understand the different levels of assurance available and require what is appropriate for your individual circumstances.

There are several ways in ...

  • CSP Assertion – the CSP describes the steps they take. This information may form part of the service description or be published, for example, a ...

4.3 Defining the measures

Define what must be measured to provide assurance during the procurement process.

One challenge for customers is to define the parameters that shoul ...


4.4 Use Frameworks and Standards to Help

Use the information provided by frameworks and standards to help.

There is no shortage of advice on how to manage risk, aimed at both cloud service provi ...


5 Cloud Assurance Frameworks, Advice and Certification

This section provides an outline of the most important frameworks, certifications and advice.

Cloud customers should adopt the best practices, relev ...


5.1 Summary against risks

The following figure summarizes the information provided by various sources of assurance against the previously identified risks.

Explanation of SOC 2 Entries – A = Availability, C = Confidentiality, I = Integrity, P = Privacy, S = Security.


5.2 IT Control Objectives for Cloud Computing

COBIT 5 provides a framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.

COBIT 5, ...


5.3 Use a Cloud Access Security Broker

Cloud Access Security Brokers (CASBs) provide a tool that helps to enforce policies around the use of cloud services.

Employees and associates can use their personal cloud service ...


5.4 Contract / SLA

The contract and SLA provide important information on the commitments by the CSP around the cloud service provided.

Most cloud services have a stand ...


5.5 ISO/IEC 27001:2013

ISO/IEC 27001:2013 is a well-established standard that specifies the requirements for an information security management system (ISMS); the accompanying code of practice for its controls is ISO/IEC 27002. It is supplemented by ISO/I ...


5.6 ISO/IEC 27017:2015

This standard provides guidelines for the information security controls applicable to the provision and use of cloud services.

It provides additiona ...


5.7 ISO/IEC 27018:2014

This standard provides control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in ...


5.8 Service Organization Control Reports (SOC)

SOC reports to SSAE 16 (superseded by SSAE 18 in 2017) / ISAE 3402 provide independent attestations on a service provided by an organization, including cloud services.

In 2009, ...


5.9 CSA STAR Registry

The Cloud Security Alliance STAR (CSA STAR) is a program for security assurance of cloud services.

The Cloud Security Alliance is a member-driven ...


5.10 BSI Cloud Computing Compliance Controls Catalogue (C5)

The German Federal Office for Information Security (BSI) Cloud Computing Compliance Controls Catalogue (referred to as “C5”) is intended to be an aid for the ...


5.11 Other Important Standards

Cloud services are built using a technical architecture that may include standard protocols and interfaces. Certification to the relevant standards c ...


5.12 Codes of Conduct

Codes of Conduct can help organizations choose between suppliers. There are two recently announced codes for cloud service providers.

On February 1 ...


5.13 Other Certifications

There are many local certifications that may be relevant to the use of the cloud service. Some of these are listed here:

EU/EEA specific conformanc ...


6 Recommendations

The cloud service customer must ensure that the controls for which it is responsible are implemented. However, since the delivery of the cloud serv ...


6.1 Implement Assurance through Governance

Good governance and organizational structures are the foundation upon which assurance is built.

There are several existing frameworks for the best ...


6.2 Use Standards and Independent Certifications to Assure Cloud Services

The overall responsibility for security and compliance is shared between the customer and the CSP. The cloud customer must ensure that the controls f ...


Copyright

©2019 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts, founded in 2004, is a global analyst company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com.
