KuppingerCole Report
By Mike Small

Assuring Cloud Security and Compliance

Digital transformation is changing the way that organizations do business through the use of cloud services and cloud-based applications. The Coronavirus epidemic has accelerated this process. The use of the cloud has provided many benefits but has also led to security and compliance challenges. This whitepaper is intended to provide a practical guide to help security stakeholders to assure their security and compliance with regulations when using cloud environments.

Commissioned by Duo Security

1 Introduction / Executive Summary

The Coronavirus epidemic forced organizations to change the way that they do business. Retailers have had to accelerate their move online; manufacturers have had to deal with supply chain disruptions and reorganize their shop floors, and employees have had to work from home. This has led organizations to accelerate their digital transformation by up to 5 years in a matter of months. This rate of change has only been possible through the use of cloud services, but it has also created new challenges.

As the use of cloud services and cloud-based applications has increased, concerns over cybersecurity and compliance have grown. The expansion in the use of cloud services and applications has brought many benefits but has also introduced new vulnerabilities. The objectives of cybersecurity are the same however IT services are delivered. These are confidentiality -- prevent data breaches and unauthorised access; integrity -- avoid data corruption; availability -- ensure business continuity; and compliance -- meet legal and regulatory obligations.

When using the cloud, these responsibilities for security and compliance are shared between the cloud tenant and the CSP (Cloud Service Provider). In today's hybrid IT environment, where some services are delivered through the cloud and some are delivered in other ways - on premises, at the edge and via hosting - this shared responsibility can cause confusion. This in turn can lead to security weaknesses and provide opportunities for cyber adversaries as well as lead to compliance failures.

The cloud tenant is responsible for ensuring that they meet their responsibilities. Cloud-based software companies such as Workday, Salesforce or Duo also fall into the cloud tenant category. As such, they need to provide assurance to their clients and third parties that the cloud services which they provide are compliant.

(Duo helps protect organizations against breaches through its cloud-based Zero Trust Security Product Suite, which includes multi-factor authentication (MFA), device health check, insight dashboard, single sign-on (SSO), mobile and endpoint security as well as user and entity behavior analytics.)

However, the tenant has no direct control over how a cloud service is delivered, managed, and secured. This means that tenants need to take a governance-based approach to assuring that a cloud service meets their security and compliance needs. This depends upon setting clear and measurable objectives for the cloud service as well as verifying that these are met. Since it is not practical for CSPs to allow every tenant to individually audit the services that they use, this is where standards come in useful.

A standard provides the distilled wisdom of the best people in the industry as well as a template of best practices that can be used by regulators of a particular industry sector. It also provides a set of objectives against which performance can be independently measured. This makes standards the essential basis for assuring cloud services.

There is a wide range of standards and frameworks relating to the governance of risk and compliance as well as cyber security related to cloud services, and most CSPs offer many certifications. Whether certification to a standard is relevant depends upon the business objectives and the risk appetite of the organisation using the service. Within the EU, the German C5 standard is widely accepted as a good measure of how securely a cloud service is delivered. C5 is the convenient shorthand for the Cloud Computing Compliance Criteria Catalogue. This standard was introduced in 2016 to provide a set of baseline security requirements for cloud service providers, to enable customers to thoroughly vet vendors prior to purchase. It is planned to become the basis for the European Secure Cloud certification standard. This will enable the European market players to rely on trusted cloud service providers.

This whitepaper provides a practical guide to help security stakeholders to understand how to assure their security and compliance with regulations when using cloud environments.

2 Highlights

  • The Coronavirus epidemic has accelerated the change in the way most organizations do business. This has provided many benefits but has also led to ...

3 Security and Compliance Challenges

For many organizations the Coronavirus has meant adapt or die - the workforce is no longer on premises and digital transformation has become the imper ...

4 Zero Trust and the Cloud

Users, devices, and application workloads are now everywhere. Based on the principle "never trust, always verify," Zero Trust is designed to protect m ...

5 Standards and Frameworks

Standards and frameworks provide templates of requirements and best practices. They provide the distilled wisdom and experience of the best people in ...

Figure 1 illustrates some of these regulations with a focus on Europe. These are mapped onto the framework described above into four quadrants. The to ...

5.1 Major European Laws and Regulations

Figure 1 covers EU laws and regulations that are most relevant to the organizational use of cloud services -- these are mainly related to the privacy ...

5.2 Worldwide Governance Frameworks

There are several governance frameworks related to the use and delivery of IT services. These apply both to organizations using cloud services as well ...

5.3 Worldwide Cloud Security Standards

These standards provide detailed advice in the area of cyber security and data privacy to cloud service providers as well to organizations using cloud ...

5.4 European Cloud Technical Standards

BSI C5: The BSI Cloud Computing Compliance Criteria Catalogue (C5) defines a baseline security level for cloud computing. It is used by cloud servic ...

5.5 Certification and Attestation

Some standards such as ISO/IEC 27001 are normative, that is to say that compliance with the standard can be certified by an external auditor. However, ...

6 Security Versus Compliance

Cloud security standards such as C5 help organizations to assure that the service they are using is secure, but this does not mean that it is complian ...

Many business obligations relate to the privacy of personal data. While security controls help to prevent unauthorized access to personal data, privac ...

7 Shared Responsibility

The responsibilities for security and compliance when using cloud services are shared between the CSP and the tenant and this depends upon the service ...

8 Recommendations

The responsibilities for security and compliance are shared between the CSP and the cloud tenant. The tenant must ensure that the controls for which i ...

©2021 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.