Commissioned by Duo Security
1 Introduction / Executive Summary
The Coronavirus epidemic forced organizations to change the way that they do business. Retailers have had to accelerate their move online; manufacturers have had to deal with supply chain disruptions and reorganize their shop floors; and employees have had to work from home. This has led organizations to accelerate their digital transformation by up to 5 years in a matter of months. This rate of change has only been possible through the use of cloud services, but it has also created new challenges.
As the use of cloud services and cloud-based applications has increased, concerns over cybersecurity and compliance have grown. The expansion in the use of cloud services and applications has brought many benefits but also introduced new vulnerabilities. The objectives of cybersecurity are the same regardless of how IT services are delivered. These are confidentiality – prevent data breaches and unauthorised access; integrity – avoid data corruption; availability – ensure business continuity; and compliance – meet legal and regulatory obligations.
When using the cloud, these responsibilities for security and compliance are shared between the cloud tenant and the CSP (Cloud Service Provider). In today's hybrid IT environment, where some services are delivered through the cloud and some are delivered in other ways - on premises, at the edge and via hosting - this shared responsibility can cause confusion. This in turn can lead to security weaknesses and provide opportunities for cyber adversaries as well as lead to compliance failures.
The cloud tenant is responsible for ensuring that they meet their responsibilities. Cloud-based software companies such as Workday, Salesforce or Duo also fall into the cloud tenant category. As such, they need to provide assurance to their clients and third parties that the cloud services they provide are compliant.
(Duo helps protect organizations against breaches through its cloud-based Zero Trust Security Product Suite, which includes multi-factor authentication (MFA), device health check, insight dashboard, single sign-on (SSO), mobile and endpoint security as well as user and entity behavior analytics.)
However, the tenant has no direct control over how a cloud service is delivered, managed, and secured. This means that tenants need to take a governance-based approach to assuring that a cloud service meets their security and compliance needs. This depends upon setting clear and measurable objectives for the cloud service as well as verifying that these are met. Since it is not practical for CSPs to allow every tenant to individually audit the services that they use, this is where standards come in useful.
A standard provides the distilled wisdom of the best people in the industry as well as a template of best practices that can be used by regulators of a particular industry sector. It also provides a set of objectives against which performance can be independently measured. This makes standards the essential basis for assuring cloud services.
There is a wide range of standards and frameworks relating to the governance of risk and compliance as well as cybersecurity related to cloud services, and most CSPs offer many certifications. Whether certification to a standard is relevant depends upon the business objectives and the risk appetite of the organisation using the service. Within the EU, the German C5 standard is widely accepted as a good measure of how securely a cloud service is delivered. C5 is the convenient shorthand for the Cloud Computing Compliance Criteria Catalogue. This standard was introduced in 2016 to provide a set of baseline security requirements for cloud service providers, to enable customers to thoroughly vet vendors prior to purchase. It is planned to become the basis for the European Secure Cloud certification standard. This will enable European market players to rely on trusted cloud service providers.
This whitepaper provides a practical guide to help security stakeholders to understand how to assure their security and compliance with regulations when using cloud environments.