by Thomas Kenyon, Director, ISG
Earlier this month, ISG joined the Cloud Security Alliance (CSA) as a corporate member. Here’s a description of this organization:
“The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.”
According to many industry analysts and multiple cloud surveys, security is clients’ No. 1 concern when adopting cloud services. To help our clients, ISG has developed a cloud security assessment based on a toolkit available from the CSA called the “GRC Stack.”
According to the CSA, “Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data. Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of GRC requirements. The Cloud Security Alliance GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.”
We are excited to be able to combine the CSA’s best industry thinking around cloud security and GRC issues with our industry-leading assessment methodologies. Not only have we developed a unique mechanism to help our clients define what cloud GRC components are important to them, but we’ve done so using a standard language and scoring mechanism, captured in our priority tool, that is used to assess how well a cloud provider meets a client’s GRC needs.
Working with the CSA is a two-way street. Not only are we benefiting from CSA membership through access to the GRC Stack, we also are contributing to the CSA by providing unique intellectual property we have developed related to the CSA GRC Stack. Further, we are contributing the talents of the ISG cloud team, in part through my involvement as co-chair of the CSA’s Cloud Controls Matrix (CCM) subgroup. The CCM is specifically designed to:
“... provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The Cloud Controls Matrix provides a controls framework that gives detailed understanding of security concepts and principles … The foundations of the Cloud Security Alliance Cloud Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA and NIST, and will augment or provide internal control direction for SAS 70 attestations provided by cloud providers.”
ISG is pleased to be part of the CSA and to contribute actively to the work of that organization. Let us know how you think we may be of greatest service to you through our membership in this esteemed industry association.