I am preparing to start at a new company and I will need to handle Vendor assessment requirements like CAIQ and similar from customers.
Since all customer data is stored in AWS, can I use the AWS CAIQ as a reference to show that we meet the requirements ?
Is there anything I should be aware of that could be a pitfall ?
Where are more resources that can help me ?
Thanks !
It depends on the customer and their requirements. You can start out with the AWS CAIQ and AWS SOC reports and that would probably satisfy most of your customers' requirements. BUT It doesn't tell the customer about security practices inside of your company though. Hopefully, your new company has an internal security assessment that can be shared with customers with a signed NDA upon request.
Pitfalls? What can go wrong with Cloud security? I'm not a fan of paper assessments. I guess that is because I was always told not only to trust, but verify. What I use today are several Open Source tools to discover misconfigured assets, including an automated assessment of IAM roles. That is the ONLY way you can be sure you data is safe. Take the technical approach!
Thanks for your input. I was thinking along similar lines.
Some customers may ask you to discuss the architecture of what's been built using IaaS or PaaS components.
Good Point. I need to verify all the components of the architecture.