securing the cloud: developing a new approach to managing third party risks

Posted on 29-Nov-2014


DESCRIPTION

Raj Samani presents at the CIO Event. For more information Click here http://bit.ly/oR262i

TRANSCRIPT

Page 1: Securing the Cloud: Developing a new approach to managing third party risks

Securing the cloud: Developing a new approach to managing third party risks

Raj Samani, EMEA Strategy Advisor, Cloud Security Alliance

Page 2

• Cloud Service Providers (CSPs) need an efficient and scalable approach to assure customers

• End user organisations need an efficient approach to address the risks such services represent

• Data subjects must feel confident that their data controllers are securing their data

IT'S NOT ABOUT SECURITY

We Need a Fundamental Change in Our Approach to Fully Maximise the Benefits of Cloud Computing

Page 3

*Based on subjective responses from industry

Who?

• Cloud Service Providers

• Physical Access

• VPN access

• Extranet partners

• Traditional Outsourcers

How?

• Review of ISMS (Information Security Management System)

• Technical Assessment

Annual Cost for Assurance

What About the Other 11 Months?

Estimate the Assurance Costs Against 1000 Third Parties

TOTAL: 1000

ESTIMATE: 5 DAYS

$1000+

$1M

25 YEARS

Page 4

The Challenge in Addressing Risks When Working With Third Parties

• Third party access on the up

• Acronym soup

• Contractual challenges

• Leverage existing investments

• Resource constraints

• Best endeavours

Page 5

The Common Assurance Maturity Model (CAMM) is a global, collaborative effort made up of security professionals working across industry in an effort to meet the security challenges of the 21st century.

Page 6

CAMM—NEW BUSINESS ASSURANCE BAROMETER

BUSINESS ASSURANCE

Provides a genuine Unique Selling Proposition to organisations that have higher levels of information risk maturity.

Measures maturity against defined control areas, with particular focus on key controls.

CAMM is built on existing standards, so there is no need for massive re-investment.

Risk management maturity is open for stakeholders to view, using appropriate language and detail.

A business benefit that creates consumer trust that is both meaningful and understandable.

Page 7

• Simple to understand—customers do not need professional certifications to understand the difference between a level 2 and level 3.

• Analogous to other rating systems—Already used in tourism, banking, and other sectors.

• Develops (a level of) trust with one small icon—Cloud providers can develop trust with a simple scorecard.

Scorecard illustration: Company A, Services A through F (Service A, Service B, Service C, Service D, Service E, Service F), each shown with its own rating icon.

Page 8

1. Simpler comparison—Allows the CIO to perform a simpler comparison between internal vs external provision, not only relying on cost comparisons.

2. Cost comparison—Once risk appetite is defined, allows the CIO to compare the cost of different residual risk scenarios.

3. Apples for Apples—Judges services on a set of applicable criteria through use of applicable modules.

Decision diagram: the options compared are Internally Provisioned, Company A Service A, and Company B Service C, each carrying a cost (£x, £y, £z), leading to a DECISION.

Page 9

Risk Appetite: Business sets the level of risk they are willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules.

Maturity: Level of risk management maturity is communicated to business partners (and possible partners).

Leverage existing expenditure and remove the need for duplicate verification (note: may remove audit requirement altogether).

Evidence of compliance may be uploaded to a central repository that can be used by numerous customers.

Diagram participants (numbered steps 1 to 4 in the original): Third Party Requesting Access, Cloud Provider, Internal Hosting Provider, Third Party Assurance Centre.

Page 10

www.common-assurance.com

Twitter @Raj_Samani

Twitter @Commonassurance

End User Organisations

Security Associations

Cloud Providers

Consultancies

Independent consultants

Over 40 Organisations Already Involved, Including…

• PCI

• ISACA

• CSA

• ENISA

• BITS

• ISF