Millions of people like you and me have had their personal data stolen, leaving companies with the hard task of covering substantial financial losses and of proving once again to the whole world that they can guarantee their users’ security.
How we handle security at Proxyclick
Sure. It's nice to daydream about being a superhero every once in a while. But we're all just human.
According to the CSA Guidance, cloud computing involves a shared responsibility model in which:
Cloud providers should clearly document their internal security controls and customer security features so the cloud user can make an informed decision. Providers should also properly design and implement those controls.
Cloud users should, for any given cloud project, build a responsibilities matrix to document who is implementing which controls and how. This should also align with any necessary compliance standards.
The Cloud Security Alliance provides two essential tools to help meet these two requirements:
the CAIQ, and
the Cloud Controls Matrix (CCM), which documents what security controls exist in IaaS, PaaS, and SaaS offerings while providing security control transparency around them.
Both documents are especially useful for ensuring compliance requirements are met.
What does the CAIQ assess?
As previously mentioned, the CAIQ analyzes the security controls a cloud provider has at that moment and determines if they match industry standards.
The security controls assessment covers 16 domains:
Application & Interface Security: assessing the security of application software that is running on or being developed in the cloud
Audit Assurance and Compliance: ensuring the audit function is efficient and applied to cloud systems
Business Continuity: reviewing the ability to continue operations in the event of an outage
Change Control & Configuration: ensuring any changes in the cloud follow the same process as internal systems
Data Security and Information Lifecycle: assessing the means of identifying important data and the controls established to secure it in accordance with corporate policy
Data Center Security: ensuring the effective implementation of physical controls
Encryption and Key Management: analyzing data encryption implementation and ensuring scalable key management
Governance and Risk Management: assessing the ability to govern and measure enterprise risk introduced by cloud computing
Human Resources: analyzing factors such as background screening, employee agreements, employee roles/responsibilities, workforce training, and awareness, which can impact cloud data security
Identity and Access Management: managing identities and leveraging directory services to provide access control
Infrastructure and Virtualization Security: assessing core cloud infrastructure security, including networking, workload security, and hybrid cloud considerations
Interoperability and Portability: reviewing the ability of cloud systems to interact and work with each other, which also impacts the ability of a user to move their applications and data between their cloud systems
Mobile Security: ensuring secure cloud computing on mobile devices
Incident Management, E-Discovery, and Cloud Forensics: assessing incident detection, response, notification, and remediation procedures
Supply Chain Management: reviewing security controls that mitigate and contain data security risks across the cloud supply chain
Threat and Vulnerability Management: assessing threat and vulnerability mitigation and protection
Just a few questions away from security
Interested in reviewing the questionnaire for your own cloud systems? You can download the CAI Questionnaire here.
Remember, using tools such as the CAIQ to determine the security of a potential cloud service partner can help you make the right decision for your company’s future.
Relying on a cloud infrastructure that is fully protected from known and emerging threats allows your business to leverage the best that cloud computing has to offer: namely, the ability to operate at scale, reduce technology costs, and use agile systems that give you an undeniable competitive advantage.