KuppingerCole Report
By Mike Small

Assuring Cloud Security and Compliance

Digital transformation is changing the way that organizations do business through the use of cloud services and cloud-based applications. The Coronavirus epidemic has accelerated this process. The use of the cloud has provided many benefits but has also led to security and compliance challenges. This whitepaper is intended to provide a practical guide to help security stakeholders assure their security and their compliance with regulations when using cloud environments.

Commissioned by Duo Security

1 Introduction / Executive Summary

The Coronavirus epidemic forced organizations to change the way that they do business. Retailers have had to accelerate their move online; manufacture ...

2 Highlights

  • The Coronavirus epidemic has accelerated the change in the way most organizations do business. This has provided many benefits but has also led to ...

3 Security and Compliance Challenges

For many organizations the Coronavirus has meant adapt or die - the workforce is no longer on premises and digital transformation has become the imper ...

4 Zero Trust and the Cloud

Users, devices, and application workloads are now everywhere. Based on the principle "never trust, always verify," Zero Trust is designed to protect m ...

5 Standards and Frameworks

Standards and frameworks provide templates of requirements and best practices. They provide the distilled wisdom and experience of the best people in ...

Figure 1 illustrates some of these regulations with a focus on Europe. These are mapped onto the framework described above into four quadrants. The to ...

5.1 Major European Laws and Regulations

Figure 1 covers EU laws and regulations that are most relevant to the organizational use of cloud services -- these are mainly related to the privacy ...

5.2 Worldwide Governance Frameworks

There are several governance frameworks related to the use and delivery of IT services. These apply both to organizations using cloud services as well ...

5.3 Worldwide Cloud Security Standards

These standards provide detailed advice in the area of cyber security and data privacy to cloud service providers as well to organizations using cloud ...

5.4 European Cloud Technical Standards

BSI C5 The BSI Cloud Computing Compliance Criteria Catalogue (C5) defines a baseline security level for cloud computing. It is used by cloud servic ...

5.5 Certification and Attestation

Some standards such as ISO/IEC 27001 are normative, that is to say that compliance with the standard can be certified by an external auditor. However, ...

6 Security Versus Compliance

Cloud security standards such as C5 help organizations to assure that the service they are using is secure, but this does not mean that it is complian ...

Many business obligations relate to the privacy of personal data. While security controls help to prevent unauthorized access to personal data, privac ...

7 Shared Responsibility

The responsibilities for security and compliance when using cloud services are shared between the CSP and the tenant and this depends upon the service ...

8 Recommendations

The responsibilities for security and compliance are shared between the CSP and the cloud tenant. The tenant must ensure that the controls for which i ...

©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.