Assessing Cloud Vendor Security? Here are the acronyms you need to know
Security is obviously a top-of-mind concern for any business that wants to migrate data and processes to the cloud—especially when it comes to talent management, which requires protecting employees' sensitive personal data. But what's less clear is what to actually look for when evaluating vendors and assessing their security practices. It's even more complicated when you encounter the many acronyms associated with security standards and certifications.
Here's a quick overview of certifications that talent management cloud services providers should already have or be working to earn, what they mean and why they matter.
Published by ISO, an independent, nongovernmental international organisation, ISO/IEC 27001:2013 is a standard that “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation."
In short, it's a set of rules and controls intended to guide the way a company manages information security. While ISO/IEC 27001:2013 began as a standard for companies in Europe, it is now embraced by businesses globally. Many companies now require cloud vendors to be ISO certified—and maintain that certification—throughout the life of a service contract.
Keep in mind that being “ISO certified" and “ISO compliant" are different things. ISO certification shows that a company either meets all the requirements of ISO/IEC 27001:2013, or a specific subset of controls, and the status of those controls has been reviewed by an independent auditor. Certification is an ongoing process; auditors check requirements annually and look for improvement. Be sure to ask cloud services providers for an SOA (Statement of Applicability), a document showing which controls were in scope when the vendor was audited.
“ISO compliant" means a company claims to follow the requirements of the ISO standard, but they have never been officially certified. This is acceptable practice. However, businesses should take time to review the provider's security measures, especially if the provider will be handling sensitive data.
Many cloud vendors are in the process of adding the ISO/IEC 27018:2014 code of practice to their ISO/IEC 27001 certification. A newer standard, ISO/IEC 27018:2014 “establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment."
Like ISO/IEC 27001:2013, ISO/IEC 27018:2014 will probably become a specific requirement outlined in many cloud service provider contracts in the future.
SSAE 16 SOC 1 and SOC 2
The Statement on Standards for Attestation Engagements No. 16 (SSAE 16), also known as SOC 1, (SOC is “Service Organisation Control") was finalised by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in 2010. SSAE 16 describes service provider defined controls and is intended to help companies better understand the processes and procedures in place which helps build trust and confidence in the cloud providers service delivery process.
SOC 2, based on AICPA Trust Services Principles and Criteria, outlines very specific controls for security and privacy amongst others, and is another compliance standard more companies are adding to service contracts for cloud providers.
To demonstrate they are compliant with SSAE 16 and AICPA Trust Services Principles and Criteria, companies must present SOC 1 and/or SOC 2 reports. Request a cloud vendor to specifically present a “SOC 1, Type II” and/or “SOC 2, Type II" report, which confirms that controls have been tested. (Type I is simply a description of how a company runs controls.) Pay special attention to who audited the report; larger firms are generally more thorough with these types of audits. It’s important to read the report carefully to evaluate any control failures or exceptions the auditors may have noted.
ISAE 3402 Type II
This is the European version of SSAE 16 SOC 1, Type II. Cloud vendors don't typically need to have both attestations, but if they do it's a positive.
The Federal Risk and Authorisation Management Program, or FedRAMP, “is a U.S. government-wide program based on the National Institute of Standards and Technology (NIST ) Special Publication 800-53 Revision 4 that provides a standard approach to security assessment, authorisation, and continuous monitoring for cloud products and services."
The FedRAMP certification process is arduous, and it can take years for a vendor to achieve the “Authority to Operate" (ATO). So, if a cloud services provider is FedRAMP certified, it means their security practices and controls met a very high bar.
To see which cloud providers are FedRAMP certified, see this list on the program's website.
An emerging standard, the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) is “specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider." The matrix (available for download here) is a control framework designed by the CSA; controls are mapped to other leading security standards, such as those described above.
Cloud services providers are not required to use this framework. But if they do, or are working to adopt it, it suggests they have a very strong commitment to security. Ask cloud services providers if they have completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ) or check the CSA STAR Registry to see if they have submitted.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that companies who process, store or transmit credit card information maintain a secure environment. In order to become certified, cloud providers who fall into this category must implement and maintain the standard. More on PCI can be found at https://www.pcisecuritystandards.org.
The security requirements a cloud vendor should meet to protect a customer's data depends largely on the type of information they will be asked to handle. The more sensitive the data, the more important adherence to industry standards becomes. Regardless, all cloud services providers should be able to demonstrate to their customers exactly what they are doing to ensure security.