Vetting a cloud service provider for security, compliance, and contract requirements is a big job and one many of us are tasked with quite often. I am looking for your suggestions, based on your experience, for the most concise yet effective methods for doing so.
My approach is to use the most commonly accepted standards to spot potential gaps in cloud provider security postures, their controls, audits, or data protection practices. I ask them to provide either answers to open-ended questions covering ISO 27001 control objectives or streamline the effort with a completed CSA CAIQ.
Have you found other ways to simplify this effort while still effectively managing risk?
The open-ended questions include prompts like:
Adam
I've found a lot of information can be discovered with an in-person visit to the data center, first to discuss business needs and a tour after to get a sense of the operations. After that we'll go off of third-party certifications.
They should already be registered with the CSA and have a publicly available CAIQ for download. I'm not going to waste my time and send questionnaires to a data center because any data center worth their salt will have these documents on stand-by with a signed NDA.
Others may disagree, but essentially the current model of sending questionnaires and hoping for honest answers is a broken third-party risk management system. Unfortunately, it's the current game we have to play for supposed "due diligence" and it stinks. What's the fix here?
@tmekelburg1 An independent CSPM based on the NIST SP800-53 controls, not from the CSP's own in-house capabilities, but through a known third party based on their Shared Responsibility Model.
This is one option; as the auditors have been stating to me several times, do not (not) depend on the CSP's own CSPM controls or reports. They must be independent, including the creation of the required reports.
Regards
Caute_Cautim
@Caute_cautim Are you saying the cloud customer would have real-time, read-only access to their CSP's CSPM platform to see if they are in compliance at that specific time rather than getting their annual SOC2 reports? I'm not opposed to this and it seems like this would be the future of third-party risk management. Wide adoption would be an issue here.
Or are you saying viewing the CSPM on an annual basis from a trusted third-party? Kind of like how it is now when requesting SOC2 reports from CSPs.
@EIAKPKP452 I've also done a full stop when SaaS providers can't produce any kind of third-party certification of compliance in the datacenter they use for their application.
@tmekelburg1, I agree and also stop the process if no third-party audit documentation is available. I have not had any problems getting those documents from a hosting provider or large SaaS provider. Where things seem to get more manual is with the smaller service providers, like a third-party analytics consulting company with a hosted platform. I have defaulted to the CAIQ and third-party audit reports, but I was wondering if others had come up with a simplified way to approach them. I think I may have been too broad with the CSP label.
Adam
Hi @EIAKPKP452, yes, this is exactly what the auditors are stating - do not depend on the in-house CSPM capabilities. It is not sufficient from an auditor's perspective. It looks great from the CSP themselves, and they often throw up the SOC2 Report as well, but this is just a point-in-time evaluation.
However, this does not help the client, whose auditors need an independent report of compliance.
From my experience, you have to ensure you take into account the CSP's Shared Responsibility Model, and ensure your independent auditor has secure access to the environment where your services are hosted. Often there are many suppliers willing to do this, such as Palo Alto, Check Point etc., at cost. One issue is ensuring you get best value, and the more frequent the evaluations, the more you will be charged.
Regards
Caute_Cautim
@tmekelburg1 To your first point no.
To your second point, if your auditors accept the SOC 2 report, which often has to be requested directly from the CSP - however, often auditors, in accordance with their strict code of compliance, will simply not accept the SOC 2 report as a point-in-time report. Refer to the ISACA CISA qualification/certification or https://www.theiia.org/en/standards/what-are-the-standards/mandatory-guidance/code-of-ethics/.
Financial Institutions auditors want an independent review of the current controls within the CSP's environment - they want an independent report of verification.
Other organisations want a rolling report, depending on the criticality of the assets held within the CSP's environment and also their respective risk appetite.
If there has been a major change in business direction, the organisation may wish to request an additional review after the changes have occurred, to pick up any issues before they become major ones.
I have seen some vendors now offering Application Security Posture Management (ASPM) above and beyond the normal CSPM review.
Regards
Caute_Cautim
@Caute_cautim wrote: @tmekelburg1 To your first point no.
To your second point, if your auditors accept the SOC 2 report, which often has to be requested directly from the CSP - however, often auditors, in accordance with their strict code of compliance, will simply not accept the SOC 2 report as a point-in-time report. Refer to the ISACA CISA qualification/certification or https://www.theiia.org/en/standards/what-are-the-standards/mandatory-guidance/code-of-ethics/.
SME here so you're currently talking to the IT "Auditor" 😁. Don't get me wrong, we have in-house Compliance and QA functions but if I mentioned anything related to ISACA their heads would turn slightly sideways.
@EIAKPKP452 I'm aware of GRC platforms that will automate what we're currently talking about, e.g., auto-send the questionnaires out to the vendors via email, collect the information, compile fancy reports with charts, and assign risk scores, but they are very pricey. So besides automating what we're currently doing, I'm not sure there is any real innovation going on here, or at least not to the point of rapid adoption across the industry with smaller SaaS providers. The CSPM sounds nice but, as a customer, if I can't request a rapid report (same day) or see the current compliance posture in a secure dashboard, it really doesn't help me out. And we're not the size of @Caute_cautim's organization, where if I take my business elsewhere it would have an impact on the vendors we choose not to do business with because of bad security practices.