So, as I said, thank you once again. Thank you very much for having me. This has been a kind of last-minute replacement: Michael league lean up, who was managing the European region for CSA, was supposed to be with you, but I am here with you instead.

Now, before we get into the topic of the presentation, just a quick note on Cloud Security Alliance, which is a not-for-profit organization that was founded in 2009. Personally, I have been with CSA for almost nine years; it will be nine years in September, so basically I grew professionally a lot within CSA. What CSA does is essentially research through working groups that anyone can join. The only requirement is really having the knowledge, the capabilities and the will to share your free time in order to contribute to the community.

Besides doing a lot of research on a number of different topics, especially in cloud computing, where we have over 20 working groups, but also IoT, artificial intelligence and blockchain, we have national chapters. We have a number of strategic partnerships with governments and with other research institutions, and we have an extremely active role in the standards organization communities through liaison category A with ISO SC 27 and SC 38. Something very important for everyone to know is that whatever CSA does is free.

So any result of our research, our tools, they are free of charge. If you want to browse through our website and check some of the material we have made available for the community, please go ahead. Now, going into the very topic of the presentation today, which is going to be governance, cloud governance and risk assessment.
Let's start a bit with the foundation. As I guess many of you know, in a typical simplified hierarchy we see the governance, which is really the set of policies, rules and controls that any organization has in place in order to properly manage the business.

The governance really represents the way in which an organization is run. It dictates the style of an organization; it dictates, for instance, the propensity or aversion of that organization to risk. Within the governance structure we find enterprise risk management, which is the function that really looks after the overall risk of your organization.

And as a subset of that we find information risk management, for which information security is the essential tool: the program, the set of controls, the practices that any organization puts in place in order to be able to properly manage information risk.
Now, with that said, cloud computing, as I mentioned earlier, brings a lot of changes in the space of governance, and this is for a number of different reasons. First and foremost, because typically the organization loses direct access to resources.

As many have said several times, including myself, you don't have your server under your desk anymore. You need to rely on a third party that is providing this pool of resources to you, which means that the way in which you are governing IT, the infrastructure, platforms and services, has changed quite radically.

So no more direct control and direct governance, but more of an indirect control and an indirect form of governance. The other big area where cloud computing certainly brings changes compared to an on-prem infrastructure is the idea of the shared responsibility model, which links together with the idea of indirect governance.

Because, as you all know, cloud computing brings in front of us a rather complex supply chain, with a number of parties involved, each one of them with a role within this chain of production.

And what is important to understand is who does what, which is a standard question for anyone who does governance: understanding who is doing what, and why things are done in a certain way. That is fundamental to really have a clear view on the location of those responsibilities, in order to avoid surprises later on. One other important aspect to take into consideration is visibility.

This is something that cloud might create some problems with: the lack of direct access to information sometimes brings a lack of visibility into some of the operations that the cloud service provider does.

Again, for that risk to be mitigated, we need a lot of effort in order to bring additional transparency into the cloud supply chain, which requires the contribution and the collaboration of the cloud service provider.
Again, here is another key point: the extreme importance of the collaboration between the parties. The cloud service provider is not simply an outsourcer; it is an organization you need to partner with in order to put in place an effective approach to cloud security. When we look at tools for cloud governance, I can think essentially of three main ones that any organization should look after: contracts are the first one, supplier assessment is the second, and then compliance reporting.

Now, contracts are possibly the single most important piece that you need to look after, because if something is not in the contract, it doesn't exist.

Your relationship with your cloud service provider is regulated by the terms of the contract. So if there are some risks that are not mitigated by any clause in the contract, then you need to find a different way to mitigate those: you need to apply additional compensating controls. The second point is, as I said, supplier assessment.

The informed decision that you make at the point of selection of the cloud service provider is fundamental. That is why you need to make, in advance, a thorough evaluation of the cloud service provider.

What that means is that you need to collect a number of pieces of information, be they white papers or certifications or self-certifications, whatever is available to you, in order for your IT office, your procurement officer, to make that informed decision that is going to bring you to the selection of the right service provider. And then, clearly, compliance reporting.

So the certifications that the cloud service provider might have, which can be certifications and attestations of various shapes and forms.
We are going to touch upon the topic later on for a second, but that would tell you a lot about two things: the credibility of the cloud service provider and its level of maturity. Just to quickly recap on the trade-off considerations between cloud and non-cloud IT services: clearly, with cloud, you have much less physical control over the asset. We said that, and I guess at this point, after almost 15 years of cloud, that is a concept that should be clear to anyone.

The second point, which I alluded to before, is that you need to manage those risks that the provider is accepting. If something is not in the contract, we said, it doesn't exist.

So you need to be able to compensate for those controls.

There will be situations where the cloud service provider might be willing to accept some risks that, depending on the risk appetite of your organization, you don't want to. At that point you've really got only two options. Option number one: you walk away and you try to find a different cloud service provider. Option two: you become aware of those limitations, you become aware of the risks that the cloud service provider is accepting, and then you have an off-the-cloud strategy to mitigate those risks. There are plenty of examples and ways in which you can do that.

One of which, for instance, is to leverage the APIs that the cloud service provider, especially a self-service provider, might offer in order for you to plug in the additional security services that you need to mitigate those open risks. On the other side, clearly you rely much more on SLAs and contracts. SLAs are a key factor to take into consideration and a key point of attention for any organization that is doing cloud business, because SLAs essentially are the way in which you can measure the performance of the cloud service provider.

Unfortunately, though, the problem is that in many cases cloud SLAs are not a mature area. You can find some very basic SLAs here and there, but very often, especially those related to security, they are not as mature as they should be. So you need to make an effort to do an additional investigation, first of all understanding what your internal SLAs are, and then comparing those with the ones that are offered by the cloud service provider.
The other key point there is the reliance on assessment rather than testing, which means that very often, given the nature of the shared infrastructure of cloud services, you don't have the right to audit. So you cannot perform a first-party audit; you need to rely on third-party audits, which are, again, an option, and you should leverage that.

Just a quick summary there of a cloud risk management strategy and the tools that you can use. We mentioned that you need to look a lot at documentation.

You need to request documentation if you can do that; otherwise, you need to rely on the documents that are made publicly available on the cloud service provider's website. You need to review their security program and carefully review the legal, regulatory, industry and contractual obligations: the ones you have, and the ones that the cloud service provider is able to satisfy.

Then evaluate the service based on the context and the information that is involved. If you are, for instance, doing business with a cloud service provider that is providing several different services to you, do not make the assumption that the level of security of all the services is going to be the same. You need to make an evaluation on a per-service basis, not on a per-cloud-service-provider basis.

You need to have metrics and evaluate the risk impact of each application, as opposed to having an evaluation of the cloud service provider in general. And then, finally, you also want to have a careful understanding of the stability and financial position of the cloud service provider. One key concept that I would like to touch upon is also the one of compliance inheritance, which can be a good friend but also a substantial risk.
Compliance inheritance, as the term says, basically means that you might be building on a compliant infrastructure. So let's say your AWS is ISO 27001 certified: you can inherit that portion of the compliance from the infrastructure base, but it doesn't mean that you are compliant up to the top. So if you have a SaaS application, the SaaS application is not necessarily compliant, unless you take care of the compliance from the infrastructure upward.

This is a common mistake that many companies make, and something that should certainly be a good point of attention. Something again in the space of certification that I would like to bring your attention to is the idea of paying careful attention to the scope of the certification. Many, especially the most relevant certifications, so the CSA STAR certification, the SOC 2, ISO 27001 supported by ISO 27017, might have an issue with scoping.

So you need to be careful that, when you're buying a service, you verify that the scope of the certification of that service actually covers the service that you are buying. In terms of key questions, something that I would like to leave you with: you need to ask yourself, essentially, how does the service provider enable my security strategy?

Is it possible to do that?

Does it allow a level of flexibility to me, or does it not? Depending on the answer to this question, you will then need to take your additional security measures. And going back to the issue of the shared responsibility model, ask yourself: what do I do, and what is the cloud provider doing for me? Focus a lot on what you have to do. Do not assume that the cloud service provider will always be doing things for you.

Here there is a good list that I would like to leave you with of security capabilities that you should be looking at in any cloud service provider, both on the IaaS and PaaS side, and then on the SaaS side. Some of them include API and admin logging, which is fundamental to get the right visibility, and elasticity and scaling.
As I mentioned earlier, an API for all the security features, in order to be able to plug in additional security tools. What is very important is having multiple accounts per customer, to allow the right segregation between users, and then having regional and location controls.

Similarly, in the SaaS space, I would like to bring your attention to the idea of strong internal controls to limit unneeded access to customer data, which is going to be fundamental for compliance. Finally, here is a list of CSA tools that can help you with the governance and risk assessment of the cloud: the Cloud Controls Matrix, the Consensus Assessments Initiative Questionnaire and the STAR program. There are links attached to it.

If you have any questions, I would be more than happy to answer those, but I guess my time is up. So I'll give the mic back. Thank you very much.