KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
KuppingerCole Webinar recording
KuppingerCole Webinar recording
And welcome to this webinar on negotiating cloud standards and advice jungle. So some of you may know me. I have been with KuppingerCole now since 2009, and one of my main areas of research has been related to cloud security. And one of the very important areas of cloud security is to understand what standards exist and what these standards can offer you. So carpenter coal is an Analyst company, and we focus primarily on the area of information security and cyber security.
And we offer a number of different services, including research for both vendors and for users of products, we offer advisory services and a number of events. And indeed there is an information security event being held at the end of November in UR, and more details of that can be found on the conical website. And of course there is the famous European identity and cloud conference, which is held every year in the month of may in the city of Munich in BIA.
So if, if, if you want more details on those, then please go on, look at Coco website. And indeed we are hoping that at EIC in Munich, we will give a workshop on this various subject because it is indeed more than can be covered in depth in 45 minutes to an hour.
Now this, this webinar qualifies for continuing education credits and you can see here what the learning objectives of that are. And in order to convince us that you were actually paying attention while all this webinar was taking place, there will be a short quiz that you need to take if you want to qualify for these CPEs. So what this webinar is going to cover is why are standards important? What standards exist, what areas they are, how you can actually negotiate your way through that jungle. And then summary with time, we hope for some questions and answers.
So first of all, let's look why it is that standards matter while standards are really important. And, and if you go back and standards were, are something that's been around for some time in the middle, middle ages, then in order to make sure that people who bought jewelry were not being cheated about the quality of the gold, then a number of countries set up gold standards. And in the UK, there was the Gilda gold Smith, and it led to hallmarking of gold, which was proof of its purity.
In, in, in Germany, in Bavaria, there have been for many years standards about the content of pier to make sure that beer was up to, up to scratch that it was in fact the quality was correct. And one of the, one of the turning points in, in standards came during the 19th century with in, in the, in, in great Britain, the setting of standards for nuts and bolts.
And this, this was an amazing thing because until then every individual manufacturer made nuts and bolts to their own specification. And so you couldn't interchange things. And indeed this standard set by Samuel or Whitworth in order to define the specific characteristics of nuts and bolt meant that there was competition for people to produce these and the UK government in the 19th century saved a massive amount of money as a result of the ensuing competition. So standards are really important.
And if we look at what makes up a cloud service, then you can see that a cloud service consists of a number of different things, all of which have to interoperate and have to be managed. And all of those things, the interim operation is dependent upon interfaces. And hence those interfaces need to have some kind of standardization. Otherwise you become locked in.
Now, of course, the cloud depends upon a whole host of standards like TCP I P and HTTP, for example, but there are a lot more subtleties if you will, that need to be controlled, particularly in the area of securities.
And so standards are what make, make it possible for you to choose one cloud and to make it work with another cloud for you to know that your standard, your, your, your cloud is in right achieving a particular security standard and for different levels, if you will, for example, for infrastructure as a service to work with, with your internal applications and your internal databases. So standards make many components work together in, in a way which is repeatable and which allows substitution of components from different suppliers.
The second thing that standards support is, is indeed the many processes that are involved in, in the cloud. And so you can see that these processes are divided between the different roles in the cloud. So a user is simply using the service and that may well simply be using HTTP, but they also have to manage the service. And that requires a common way of managing things. And so you ideally there should be a set of standards for managing services. And then the question of how you can be sure that the service that you are buying is the service that is being delivered to you.
So there is a question of service assurance. Increasingly clouds are being provided through brokers, brokers who will take a service or multiple services from cloud providers and will bring them together to provide a particular solution. So there are now a number of specialized application providers who are basing their solution on cloud services that come from big time providers like Amazon and IBM and so forth.
And so these brokers are in interested in, in, in cloud standards that allow them to orchestrate components from different, from different providers and for them to do this in a way where they can, they can, if you will resell the service and, and charge their own extra for it. In particular, one of the, one of the interesting areas is that many of these cloud brokers are prepared to accept higher standards for security or higher standards for availability than the basic cloud providers themselves would deliver.
Then the cloud providers themselves need sets of standards and those standards maybe related to how they pro provision the services for how they manage the infrastructure and for the management of secularity. So there are, these processes also need to be supported by standards. So the reason why standards are terribly important to the cloud is that they also represent the best experience and the best knowledge of all the experts in the industry.
And having said that is interesting that there was a survey that was conducted by ina the European network and information security agency of service level agreements across the EU public sector. One of the questions they asked in that survey was what governments, frameworks, and security standards do you use internally. And interestingly, they, they found that many of those, many of those local government users of it were requiring internally the use of ISO 27,001 of it and other standards.
Then they asked the question well, for your it service providers, which standards do you require them to adhere to? And it turned out that only 22% of the respondents required the external it providers to perform to those same standards. So there is a gap between what is perceived as the risk of internal services and the risk of external services is my belief that organizations using the cloud should definitely require and prefer cloud providers that conform to the standards that the organization itself works with.
So the problem is that there is a jungle of these standards, you know, everything that, that is a hot topic. Everybody wants to get a share. And so the standards defining organizations have, have in fact joined in to do with this. And so standards come from basically what are standards defining organizations? And many of these are international standards organizations. Some of them are industry bodies and some, some standards really arise and become a factor of standard because irrespective of anything else, it's, the people are just using them.
So let's look at some of the, the standards that, that, that they exist. First of all, there are what are known as frameworks. And these are overarching groups of, of best practice, if you will, around certain areas. So COVID is maybe around dominance of it. It is around the service level management and I sell 27,000 series, relate to issues relating to information security. And all of those standards are important.
Then, as I was saying that nearly every standards defining organization feels they need to do something. And so there are at least 35 cloud standards initiatives.
I, I did a, a survey, not a very exhaustive one and found over 42 standards that called find what specifically related to the cloud. And that's in addition to industry specific regulations and standards that are also applicable to certain kinds of organization, certain kinds of businesses in cloud services.
Then I, I, I think there is another set of best practices, documents, and so forth that are really advisory resources rather than being specifically standard saying, everybody's agreed that this is the way that it should be done, and this is the best thing, but those advisory resources are actually useful, but they need to be able understood as being advisory sources. And some of those also set standards itself, for example, missed the national Institute for standards and technology in the us sets definitively set standards for use by the us government.
But it also has a number of white papers and so forth that are advisory. And finally, there are independent assessment standards standards around how you can actually get an Indi independent assurance of the, the service that's provided by a particular provider. And this ranges from a statement on standards for attestation engagements, number 16, which is from the us, that's about service organization, control reports, and a set of if you will standards to do with, with security and availability, which is the trust services, principles, and criteria. We talked about the ISO 27,000.
There's also a series of clubs. If you will, of industry peers who have ways which allow one, one member of that industry group to make an assessment of a particular service or product, and for that assessment to be shared around other groups. So then if you look at the kinds of standards, what you have is you have standards that vary from those to do with terminology and requirements, which is, and terminology is actually quite important because it's very difficult to, to know that you are buying something.
If in fact, what the vendor is telling you that you are getting is different from what you believe that word that they're saying means there's a set of standards around management and security. And those may be to do with principles and processes as well as technicalities at much deeper level. There are standards to do with management APIs. And finally there are standards to do with the interoperability between clouds.
And so you can see some of the names that were on the previous slides that have appear at different points in this though, for example, is particularly concerned with requirements and management. The ISO is specifically about security. The APIs tend to come from the data manage management task force and the storage network industry association, as well as Oasis. And the interoperability between twelves are areas that are really being worked on by the tenant management forum, the international telegraphic union, the IE and the I P TF.
So it's in Europe, there's been a recognition of the fight that there is this problem with so many standards. And so last December last September, the EU produced a, a press release saying that they were going to take some actions on cutting through this standard jungle and the European telecommunication standards Institute, which has been nominated to coordinate a standard roadmap.
And indeed, I am a member of an advisor board for the service project, which meets regularly to discuss areas around the standards that should be being promoted and adopted within Europe in order to ensure that Europe becomes a cloud friendly place and a place where cloud providers are encouraged to, to set up shop and to deliver their services. And the organizations in Europe can safely use cloud services whilst remaining in compliance with all the various regulations. So how do you find your way through all this jungle of standards and advice?
And so what I'm going to do is to take you on a short journey, which hopefully is going to help you to, to, to take, take you through with this. So what I have done is I've gone through all of these standards that I can find, and I've produced a comprehensive list of, of standards that relate to the cloud. And I've classified these as being of different types. So there are standards which are something which you can measurably adhere to.
And there are things that I call advice, which are things that if you will give you advice as to what you might be looking for, as opposed to necessarily being something where there is a clear, measurable control that you can actually implement. Then I looked at these documents to see what status they have. And like I said earlier on, there are international standards that may have been through some kind of approval, but one end right through to defecto standards, which nobody ever, ever approved at a technical level.
But in fact have come into common use and the standards are, many of them are in fact, simply dreams. They are work in progress. And it's really important to understand that that is a work in progress. And obviously had something that you can can, can, can, can work with, but nevertheless, you need to be aware that that's happening. And so from that, I classifying the standards in terms of the action that I would advise you to take. And these actions can be varied from that.
You should use that standard internally, and you should require that standard from your CSP that you could consider using that standard. And you could prefer CSPs it's that sense adhered in that standard. And then these things that it's good to be aware of, but you shouldn't necessarily be worrying too much about actually applying the remote.
So when, how do you actually make those choices? And I think it's really important with everything to do with it. Do you have to go back to understanding what the business subjects can start, you know, standards like the level of service and everything else are something which help you to support the business. And unless you understand the business objective, then there isn't really any, any point in, in, in just going for a particular standard, you need to understand the business objective, and then you need to also understand the standards and advice that exist to support these objectives.
And finally, you then from those standards can choose out the ones that are actually relevant and which you should be using and which you should require the CSP to conform to. So I can give you my advice, but only you using your knowledge of your business and your business requirements, your industry, and the regulations you have to adhere to where you know, which really matter to you. So if we go through some of the, the areas, then here, here are the frameworks, and I'm suggesting you choose which frameworks you feel comfortable with as a business.
And you select from those frameworks, the things that are relevant to you because these frameworks are actually very comprehensive. And the principle frameworks that you probably know about are the Osaka five.
And I, so these management, but you may not be aware of the fact that the tele management forum has a considerably detailed set of standards to do with procuring and using cloud services. And so if you're a member of the tele management forum or you are, you're interested, then you can go and look at these, these papers.
And so on, you may have to buy. And finally in ISA has actually produced a thing called the cloud compute and information assurance framework, which ina tends to produce these things specifically for use by European government and local government. But nevertheless, the information insurance framework is a very useful standard for you to look at in, in Europe.
Then the next sort of process that's involved in organizations using the cloud is to do some kind of a risk assessment about whether or not they are ready for the cloud, whether or not the cloud service that they, whether or not the application that they are thinking of moving to the cloud is suitable for the cloud and whether or not the cloud provider is capable of delivering what is, what is helpful. So the things that can help you with this is the cloud security Alliance published for free, a very detailed questionnaire, which many cloud providers have in fact already answered.
And the answers can be found on the CSA style website, or you can use to, to specifically ask a cloud service provider, there is a standard on how you can conduct a risk assessment. This is ISO 27,005. It doesn't just apply to the cloud. It applies to everything. And so it's useful if you want to have a normalized way of doing a risk assessment.
And interestingly Osaka have a very specific cloud or program, which is a very detailed program, which allows internal or external auditors to go through and make an assessment of your readiness for the cloud and the appropriateness of particular cloud service provider. In addition to that, there is if you will, a set of prebate counselors, which you can look at and can say that, and a very useful one is the innocent document called the cloud computing risk assessment.
Now, in, in fact, that was published a few years ago and it's currently going through an update, but again, it's a very comprehensive document. It's free it's from the innocent website. And it goes through and identifies somewhere in the order of 47 areas of risk and prioritizes those areas, according to their impact, as well as their probability.
And there are a number of other kinds of checklists that you can get from the American tele tele telecommunications industry standards, body shared assessments, which is another financial services grouping of organizations, where they have a specific set of questionnaires to do with cloud risk. And the Jerry code forum also published some such assess schemes. Now having done your risk assessment, you may want to set up a particular set of security controls. And so here are some existing things, some existing standards, which can give you some very useful inbox.
So the cloud security Alliance produce a cloud controlled matrix. It's in September, there was a version three, this was released, which now has a number of extra controls related to things like mobile computing, as well as managing supplier relationships.
I saw 27,001 and two have just recently been updated. And in the UK, the 2013 version was released at the beginning of October and is now available. And that has been updated in a number of ways, which I'll talk about, but it includes so much considerations to do with the cloud, the BSI, which is the German state information security agency has a document which can cover security recommendations for cloud computing providers. And this is shown in terms of a number of different areas and different kinds of use of the cloud.
And that gives you a set of controls that you can be asking a cloud provider to support thought then related to this and things for you to consider and prefer that the CSA cloud controls matrix is also supported by a kind of white paper, which is security characters for critical areas of focusing cloud computing. The also produced is this cloud computing information assurance framework that I mentioned earlier on and N have produced a special publication, 801 46, which is cloud computing synopsis and recommendations.
And this is specifically targeted on us agencies, where there is now a cloud first preference. So those are sets of controls for controlling security in the cloud from a number of different sources. So if we go back to ISO 27,000 or more two, this is just giving you an idea of what is new in that particular standard.
Now, the standard has been changed in a number of ways, one of which is to do with, with just reorganizing the, the headings, but what area that's been introduced in particular is area 15, which is controls to do with supplier relationships. And these are specifically related to security.
And so you can see that there is a need for a policy for agreements to contain appropriate areas related to security, and the important issue to do with the supply chain, which is important if you are buying a, a cloud service through a broker or from a cloud service provider that is in fact sourcing some of the components of its service through third parties. And then another new thing is the cloud controls matrix version three, which also has a number of controls, which are mapped in, in a way. And I'm thinking, I think the number's wrong.
I think it's 148 now, but there are five new control domains to do with mobile security supply chain, transparency and accountability. That's important understanding who is accountable for particular things and eventual that isn't being able to see what it is, the issues around interoperability and portability.
Again, can you actually take your stuff out from the cloud and moving to another provider? And then a very important area related to security is encrypt and how you manage keys. And it's usually the key management. That is one of the areas. So there's a whole new set of controls from, from the CSA around those areas.
And so, again, to be aware, there are some things that are coming and indeed the ISO 27,000 series is expanding at an enormous rate. I mean, they're well up to nearly 27,050, but some specific ones that are related to the cloud are there is a proposed standard 27,017, which is under development on security controls specifically for cloud computing. And then 27,018 is covering issues around data protection and priv in cloud computing, and then a detailed standard 27,036 on supplier relationships.
So those are areas that you need to be aware of, and there will be standards in the next upcoming years related to, to that. Now there is the question of interoperability, and this is the, the, the ability for you from a single point to interoperate with multiple clouds for, for your, your services to be removed from one cloud provider, moved to another. And there's a set of standards here that your resident, there is this new standard, which has come from a standard that was brought forward by this storage networking association, which is related to the data management interface.
The CDM I, this allows you to find and retrieve data from cloud services. There is what I was referring to at the beginning, the need to manage multiple services through a common interface at the moment, most of the cloud providers provide their own personal interface for managing things and tell you how good it is. But the D TNF is, has produced a standard called cloud infrastructure management interface. And the open group forum has created a cloud computing interface, the OCS, which is in fact adopted by open stack, an open stack supported by a number of cloud service providers.
So that gives you some assurance to do with being able to have a common interface for making those things. There is a lot of work going on developing standards. And some of these are in, in fact, in a very early stage, might the IEE cloud portability and interation standards, but, and also Oasis is working on what they call toss pathology and orchestration specification and camp cloud application management platform. These are work in progress rather than actual standards that you could use. Now.
Now confidentiality is not a particularly new thing, but there are some things that you should remember that since most of the connection to the cloud is through HTTP, then it really is important to use secure software and transport layer security that if you are going to do encryption, then you are going to have to have a way of managing keys. And that's a whole, a whole nightmare in itself, but there is at least a standard to do with this, which is the key management interoperability protocol came up.
And when your data is finally erased from the cloud, then how do you know that the cloud service provider is in fact really erasing it? And when you move your stuff or when you close your VM down or when they destroy or remove their discs, how can you be sure that your data doesn't go with them? And there is in fact, missed special publication guidelines for media sanitation.
So this is something that you should be requiring of cloud service providers as a way of assuring yourself, that your data doesn't grow legs and walk away when the discs are destroyed by the cloud service provider, there's also a set of fundamental standards, and we mustn't forget all these fundamental standards, and I'm not going to go into them because this is a very selected list because there are a very large number of good standards that are very relevant to the cloud. And many of these have been produced by the American.
Then if we look at the area to do with privacy of personal information, we need to be aware of the fact, first of all, there is the need that if you are using cloud service provider, then in general, you most European countries, you, the organization is the data controller for that information that you put in the cloud and you are responsible for it. And you have to take due diligence in order to make sure that it is processed correctly, even though the processing is being done by a third party. And one of the ways of doing that is to have a set of contracts.
And there is a model contract for the transfer of personal data specifically out of outside of the EU. But you, as the data control are responsible for ensuring that there is a contract, which specifies the, the, the, the way it's processed. And you also have to understand the us EU safe Harbor program and what this means and what you can rely on from it. So that is a, if you will, a self attestation standard that us companies can say that they can form to it. And what you need to consider is what is happening with the EU reform of the data protection rules.
And this is a whole new story in itself that in, in effect, the previous set of rules were done as a directive, which individual countries could turn into the law in the wrong way. This has been transformed in, in new system to a regulation, which everybody has to adopt. The old rules were related to freedom of movement for data in order to promote free trade. The regulations have been written in a completely different way as a human, right? And there has been a lot of contention. A lot of argument, a lot of amendments have been put forward and recently the committee voted to proceed.
But then I heard that, that in fact, there's been a decision to delay, but you need to be aware of what's happening because when this comes out, it will have an impact. And there is also a very detailed document from N special publication, 853, which is to do with security and privacy controls for federal information systems and organizations. And that's a very detailed document that you should look at and understand and decide what of it is relevant to you. So identity and access management is also a, a critical area.
And there are a number of standards which are related to this and to pick out some of the specific ones. Certainly we, we are all interested in things like open idea or, but one of the key things for organizations is in fact, that of SAML, because Sam security assertion market language is the fundamental control that allows you to do federated identity, which means that you don't have to manage your identities in, in, in each cloud provider. If you use several. And Sam is a very mature standard, it was first agreed in something like November, 2002.
And so, you know, this is something that most, most vendors should conform to. There are lots of products that, that support, and don't forget the standards around certificates and so forth that come from the X 5 0 9 standards.
Now, although SAML is very good for authentication and course grained authorization, you can get fine grained authorization through executable.
And if you want, if, if, if you can't use Sam, then there is at least a standard would allow you to do interchange of provisioning information through SP L and there, there is also an it, I ETF sounded, which is sort of, if you will becoming a competitor to S SPM L, which is a SC system for cross day domain identity management, as regards service level management, there is a good document from ina, which is called procure secure, which gives very detailed guidelines for understanding how to specify a service level agreement, what things you should be measuring, what controls you should be expecting from, from, from, from the provider.
And so this is something that is definitely worth meeting. Definitely most reading, definitely worth taking into account as regards the continuity of service. There is in fact, again, a IO standard, which you can look for, which gives considerable detail as to how to manage business continuity in general. And there are a number of other things which you could consider and prefer. And once again, the TM forum has a very detailed set of handbooks and application notes for managing service levels in the cloud.
Now, interestingly, you might say, well, why is that? Well, what's, tele-management forum got to do with it.
Well, if you think about how telecommunication services are delivered, then many times you buy a telecommunication service from an entity that doesn't actually deliver that service. And so the people that deliver telecommunication services have had to think hard and long about how they deal with that situation. So it's kind of a, a cloud of the cloud. And so they have some very helpful and useful advice for those, for those areas.
Now, finally, there is the question of auditing an assurance. And so there's a number of standards that are very important to do with this. And so these include, for example, there is the American Institute of certified accountants, public accountants that have this thing called trust services, principles, and criteria, which some of you may have may have known in the past as web trust. The point about that is that it is a standard that many of the cloud service providers claim to be adhering to.
And you need to go and understand what that means, because there are actually five different areas of potential compliance to do with security, availability, privacy, confidentiality, and integrity. And if you read the reports, you will find it often. There is only one of those areas that's covered, which might be fine if that's the area that you are concerned about.
And these standards, SSAE 16 statement on standards for attestation engagements, number 16, and the equivalent European international standard for that is a standard for how third party auditors will write audits on the service controls that they find in services. And these are, this is how you usually get a report on the trust services, principles, and criteria. So many of the, of the, the service providers, the cloud service providers will say, we've got a, an SOC report on security.
And so you need to understand what kind of report that is, whether it's a, so one, a SOC two or a SOC three, what type of report it is because there's two different types, a type one, and a type two. And what of the various survey principles and criteria, it covers the ISO 27,001 certification.
The, the 2013 version is pretty new. And I don't know of anybody that's any CSP that's certified to that yet.
I, they may, some, most of them are certified to the old version. Again, it's important that you understand what that certification means because the certification always refers to a particular targeted evaluation. What the service, what, what components have in fact been being reviewed and certified. And finally there is the ice, a cloud audit program that we've already mentioned. There are also some things that you really need to be aware of.
And so the CSA star registry, I was in two mind as to whether to put it as use of require at the moment, the CSA star registry is really a, an ability for cloud service providers to self certify against the CSA criteria. And so it's very useful, but it's still only self certification.
Now, the CSA have a vision, which they produced as being this open certification framework. And they are in active discussion with various organizations for a way to introduce a, an independent certification for cloud service providers against the, basically the controls in the CCM. So that's something that you need to look at, and it's quite a useful area.
Now, the DTMF is also working on this area to do with this called the clouded data Federation and audit, audit working group, but that's still work in progress. So in summary, what we've done is we've pointed out that there is a jungle of standards, and what you need to do is to choose use and require this providers that meet what you need. And so this is really understand what these standards are. And I hope I've given you some understanding of those, although not an in depth description of what they cover, work out, what matters to your business based on your business objectives.
And then from that use the relevant standards and require CSPs to conform to these standards. So that is effectively what my advice will bring. And indeed, we will be running a workshop on this to give you a much deeper and in-depth view of this At European identity conference EIC in Munich in may in 2014. So now if you have any questions, I will be very happy to take those questions.
Now, if however, you, you, you you've got questions. You can actually put them to me by asking questions, using the, the little control screen that is on your desktop at the moment. I can't see any questions coming in that way. So I'll wait for a few moments.
So it, it seems that that I must have answered all your questions because there are no questions coming, coming up in which case I'll say, thank you very much to everyone in the audience for your attendance. I hope that you have found today useful. If you want to claim your continuing pro professional engineering and professional education credits, then you will have to answer the, the, the little quiz that will be sent to you after the webinar.
Otherwise, I would encourage you to attend the information and risk management event at the end of November in Frankfurt, or to come and get more details on this in a trend, the workshop that we will find, we will be running in Munich at the EIC conference in Munich in may. So thank you very much, everyone. And good afternoon to you.
