Changing The Cloud Security Conversation
Leveraging Economies of Scale
John Howie, COO Cloud Security Alliance
Cloud providers benefit from economies of scale and have more resources at their disposal to invest in security and privacy of customer data. Due to the diverse nature of their customer base, cloud providers invest heavily in obtaining a variety of certifications and attestations that they can rely on to prove their solutions can meet their customers' compliance obligations. Although cloud consumers cannot outsource accountability, they can negotiate responsibility with providers.
These certifications and attestations, along with other transparency measures such as publication in the Cloud Security Alliance's (CSA) Security, Trust and Assurance Registry (STAR), can provide a window into the size and scale of the investments in security and privacy made by cloud providers. Questions that prospective consumers can ask cloud providers might include, "What certifications and attestations do you have?" The answer to this question alone, however, is not sufficient. Consumers also need to ask whether the certifications and attestations obtained cover the specific service they are interested in purchasing, and they can satisfy themselves that they do by examining the Statements of Applicability and the audit reports themselves. Consumers should also ask providers whether they have a SOC 2 report that includes the CSA's own Cloud Controls Matrix (CCM), which is recommended by the American Institute of Certified Public Accountants (AICPA).