WEBVTT

00:00:00.340 --> 00:00:04.860
Let's go through the details of specific attestation and

00:00:04.860 --> 00:00:07.860
certification capabilities that are in the cloud.

00:00:08.740 --> 00:00:12.810
One way that you could verify that the cloud service provider has the

00:00:12.810 --> 00:00:16.840
capabilities that you need from a security perspective is to use what's

00:00:16.840 --> 00:00:19.220
called the Cloud Security Alliance's Security,

00:00:19.220 --> 00:00:22.090
Trust, Assurance, and Risk Registry.

00:00:22.100 --> 00:00:27.380
This provides a way to evaluate cloud service providers where a given provider

00:00:27.380 --> 00:00:31.040
will have assessments and certifications that provide differing levels of

00:00:31.040 --> 00:00:34.240
assurance about the cloud controls that they maintain.

00:00:34.250 --> 00:00:38.810
The first level is called CSA STAR Level 1.

00:00:38.970 --> 00:00:41.790
This is where the cloud service provider has provided a CAIQ,

00:00:41.790 --> 00:00:44.590
or a Consensus Assessment Initiative Questionnaire,

00:00:44.600 --> 00:00:48.430
to achieve a self‑assessment at a point in time.

00:00:48.440 --> 00:00:52.330
They could also be focusing particularly on the GDPR standard,

00:00:52.330 --> 00:00:54.910
again, from a self‑assessment perspective.

00:00:54.910 --> 00:00:56.940
What's contained in this?

00:00:56.950 --> 00:00:59.650
Well, the self‑assessments are voluntary,

00:00:59.650 --> 00:01:00.150
free,

00:01:00.150 --> 00:01:04.150
and an open platform for any cloud provider to participate by

00:01:04.150 --> 00:01:07.390
submitting their own compliance to industry‑standard security

00:01:07.390 --> 00:01:12.080
practices based upon their IaaS, PaaS, or SaaS provisioning.

00:01:12.090 --> 00:01:13.170
In doing so,

00:01:13.180 --> 00:01:15.800
they address some of the most urgent and important security

00:01:15.800 --> 00:01:19.990
questions that buyers of cloud services need to have.

00:01:20.000 --> 00:01:20.300
Now,

00:01:20.300 --> 00:01:24.390
the CAIQ that we mentioned earlier provides industry‑accepted ways to

00:01:24.390 --> 00:01:27.780
document what security controls exist in their IaaS,

00:01:27.780 --> 00:01:29.850
PaaS, or SaaS offerings.

00:01:30.040 --> 00:01:34.370
The questionnaire provides a set of 295 questions a cloud

00:01:34.370 --> 00:01:37.970
consumer and cloud auditor may ask a cloud provider,

00:01:37.970 --> 00:01:42.960
and providers may opt to submit a completed CAIQ inside of the STAR registry.

00:01:43.040 --> 00:01:43.430
Now,

00:01:43.440 --> 00:01:47.110
the Cloud Controls Matrix upon which the CAIQ is actually based

00:01:47.110 --> 00:01:51.170
provides a control framework that details understanding of security

00:01:51.170 --> 00:01:56.470
concepts and principles aligned with the CSA's guidance featuring 17

00:01:56.480 --> 00:02:03.480
large‑scale domains and having 197 detailed controls that are child

00:02:03.480 --> 00:02:05.600
objects of those domains.

00:02:05.610 --> 00:02:09.840
When you look at the Cloud Controls Matrix version 4,

00:02:09.850 --> 00:02:14.310
the left‑hand column of this best use of an Excel spreadsheet

00:02:14.310 --> 00:02:18.010
I've seen would be the enumeration of controls.

00:02:18.010 --> 00:02:19.870
As you go across the rows,

00:02:19.870 --> 00:02:24.390
what you come in contact with are the actual frameworks

00:02:24.390 --> 00:02:26.780
that are matrixed to the controls.

00:02:26.790 --> 00:02:30.360
Here's an example of what a cloud service provider

00:02:30.370 --> 00:02:32.840
could have based off of STAR Level 1.

00:02:32.840 --> 00:02:37.430
You see that they have their Consensus Assessment Initiative Questionnaire,

00:02:37.440 --> 00:02:39.590
which you could download.

00:02:39.590 --> 00:02:45.550
If you do STAR Level 1 and you add the Trusted Cloud Provider trust mark,

00:02:45.550 --> 00:02:50.450
this demonstrates a commitment to organizational security by that organization

00:02:50.450 --> 00:02:55.080
volunteering regularly for Cloud Security Alliance and having at least one

00:02:55.080 --> 00:02:59.160
staff member who has earned their CCSK certification.

00:03:00.340 --> 00:03:07.590
STAR Level 2 would include a third‑party attestation, or certification, or both.

00:03:07.590 --> 00:03:09.090
With the certification,

00:03:09.090 --> 00:03:12.530
we're focusing on the third‑party assessment that's

00:03:12.530 --> 00:03:16.670
tied to ISO 27001 as its standard.

00:03:16.680 --> 00:03:20.350
This independent assessment by an accredited Cloud Security Alliance

00:03:20.350 --> 00:03:24.480
certified body will assign a management capability score to each of the

00:03:24.480 --> 00:03:27.190
Cloud Control Security domains that are there,

00:03:27.200 --> 00:03:30.120
along with an optimal level of maturity.

00:03:30.130 --> 00:03:35.390
This helps to evaluate the effectiveness of a cloud service

00:03:35.390 --> 00:03:38.240
provider's information security management system.

00:03:38.240 --> 00:03:41.410
With the CSA STAR certification foundation,

00:03:41.410 --> 00:03:46.490
this is going to be based upon the conformity assessment requirements

00:03:46.500 --> 00:03:50.160
of ISO for bodies providing audit and certification,

00:03:50.240 --> 00:03:53.700
for requirements for bodies providing audit and certification

00:03:53.700 --> 00:03:55.980
of information security management systems,

00:03:55.990 --> 00:03:59.820
and for guidelines for auditing management systems.

00:03:59.830 --> 00:04:02.250
These three types of certifications.

00:04:02.250 --> 00:04:07.000
An attestation is going to be an independent third‑party

00:04:07.000 --> 00:04:10.320
assessment of a cloud service provider's security.

00:04:10.320 --> 00:04:13.190
This will be based upon what we previously described,

00:04:13.190 --> 00:04:17.930
the SOC 2 type 1 or type 2, the type 1 being the design,

00:04:17.940 --> 00:04:21.130
the type 2 being the operational effectiveness of that design,

00:04:21.140 --> 00:04:24.710
which could include testing of the controls.

00:04:24.720 --> 00:04:27.900
So this is what it would look like if you had a CSA

00:04:27.900 --> 00:04:32.240
STAR Level 2 cloud service provider.

00:04:32.250 --> 00:04:35.170
Not only would they have their CAIQ filled out,

00:04:35.180 --> 00:04:38.300
but they would have an attestation or a certification,

00:04:38.300 --> 00:04:41.310
or in the case of Dropbox, they actually have both.

00:04:41.320 --> 00:04:43.980
Let's take a closer look at each of these.

00:04:43.990 --> 00:04:46.360
So this is downloaded from Dropbox.

00:04:46.370 --> 00:04:48.550
You see that the attestation,

00:04:48.560 --> 00:04:52.800
even though it's carrying out a service organization control audit,

00:04:52.800 --> 00:04:58.760
it's actually going to use the framing that's based upon the ISO standards.

00:04:58.840 --> 00:05:02.790
The Cloud Control certification that's given is

00:05:02.790 --> 00:05:06.630
precisely related to the ISO standards.

00:05:06.710 --> 00:05:09.720
This is also downloaded from Dropbox.

00:05:09.730 --> 00:05:14.950
Both their attestation and the certification are what we're able to see publicly.
