Should your company complete the Cloud Security Alliance CAIQ?

By Jean-Bernard van Zuylen

Most companies nowadays use the cloud to store their sensitive data and make it accessible anytime and from anywhere over the internet.

83% of enterprise workloads will be in The Cloud by 2020. 

—Louis Columbus, Forbes

However, as with any technology, cloud computing brings great advantages for its users but also real security challenges for service providers.

In recent years, there have been numerous cloud computing attacks:

  • account or service hijacking,
  • denial of service,
  • data loss, and
  • data breaches.

Millions of people like you and me have had their personal data stolen, leaving companies with the hard task of covering substantial financial losses and of proving once again to the whole world that they can guarantee their users’ security.

How we handle security at Proxyclick

Sure. It's nice to daydream about being a superhero every once in a while. But we're all just human.

So when I get asked how we handle security at Proxyclick, the best answer I could possibly give is "the best we can." But it's more complicated than that, of course. As a cloud-based visitor management system, our software handles visitor data across the globe.

And like other providers we must ensure that our infrastructure is secure and our users' data is fully protected. We take this very seriously.

A glimpse at how we handle security at Proxyclick

Among the external validations and certifications that keep us honest is the Cloud Security Alliance (CSA) CAI Questionnaire.

Note: Proxyclick's completed questionnaire is available upon request and under NDA. For more information contact support@proxyclick.com.

What is the CSA CAIQ?

Simply put, the Consensus Assessments Initiative Questionnaire (CAIQ) is a set of “yes or no” questions a cloud consumer and cloud auditor can ask of a cloud provider in order to determine the effectiveness of their security controls.

It helps cloud providers (like Proxyclick) assess their own security level, and it guides the assessment process a customer goes through when engaging with a cloud provider.

Designed by the Cloud Security Alliance (CSA) as part of its Governance, Risk Management, and Compliance (GRC) Stack, the CAIQ follows the organization’s mission of defining best practices and standards that create a more secure cloud computing environment for both providers and users.

Shared responsibility model of cloud computing

According to the CSA Guidance, cloud computing involves a shared responsibility model in which:

  • Cloud providers should clearly document their internal security controls and customer security features so the cloud user can make an informed decision. Providers should also properly design and implement those controls. 
  • Cloud users should, for any given cloud project, build a responsibilities matrix to document who is implementing which controls and how. This should also align with any necessary compliance standards. 

The Cloud Security Alliance provides two essential tools to help meet these two requirements:

  1. the CAIQ, and
  2. the Cloud Controls Matrix (CCM), which documents what security controls exist in IaaS, PaaS, and SaaS offerings while providing security control transparency around them. 

Both documents are especially useful for ensuring compliance requirements are met.

What does the CAIQ assess?

As previously mentioned, the CAIQ examines the security controls a cloud provider has in place at the time of assessment and determines whether they match industry standards.

The security controls assessment covers 16 domains:

  1. Application & Interface Security: assessing the security of application software that is running on or being developed in the cloud

  2. Audit Assurance and Compliance: ensuring the audit function is efficient and applied to cloud systems

  3. Business Continuity: reviewing the ability to continue operations in the event of an outage

  4. Change Control & Configuration: ensuring any changes in the cloud follow the same process as changes to internal systems

  5. Data Security and Information Lifecycle: assessing the means of identifying important data and the controls established to secure it in accordance with corporate policy

  6. Data Center Security: ensuring the effective implementation of physical controls

  7. Encryption and Key Management: analyzing data encryption implementation and ensuring scalable key management

  8. Governance and Risk Management: assessing the ability to govern and measure enterprise risk introduced by cloud computing

  9. Human Resources: analyzing factors such as background screening, employee agreements, employee roles/responsibilities, workforce training, and awareness, all of which can impact cloud data security

  10. Identity and Access Management: managing identities and leveraging directory services to provide access control

  11. Infrastructure and Virtualization Security: assessing core cloud infrastructure security, including networking, workload security, and hybrid cloud considerations

  12. Interoperability and Portability: reviewing the ability of cloud systems to interact and work with each other, which also determines how easily a user can move their applications and data between cloud systems

  13. Mobile Security: ensuring secure cloud computing on mobile devices

  14. Incident Management, E-Discovery, and Cloud Forensics: assessing incident detection, response, notification, and remediation procedures

  15. Supply Chain Management: reviewing security controls that mitigate and contain data security risks across the cloud supply chain

  16. Threat and Vulnerability Management: assessing threat and vulnerability mitigation and protection

Just a few questions away from security

Interested in reviewing the questionnaire for your own cloud systems? You can download the CAI Questionnaire here.

Remember, using tools such as the CAIQ to determine the security of a potential cloud service partner can help you make the right decision for your company’s future. 

Relying on a cloud infrastructure that is fully protected from known and emerging threats allows your business to leverage the best that cloud computing has to offer: the ability to operate at scale, reduce technology costs, and use agile systems that give you an undeniable competitive advantage.

How we can help

Last but not least, we believe that securing your premises and maintaining regulatory compliance using a strong cloud-based visitor management system is key to a secure infrastructure.

Our solution can help you meet your security and compliance objectives through several tasks:

  • maintaining high levels of security via integrations with global watchlists and facial recognition capabilities for verifying ID documentation
  • printing custom visitor badges with photos, QR codes for access, and detailed information for fast identification and authorization 
  • granting and restricting access on your premises with access control integrations
  • managing alerts and escalations discreetly so that business continues smoothly

...and much more.

If you'd like to see for yourself how much a difference the right visitor management solution can make, then start a free trial and we'll be with you every step of the way.
