CISO2CISO.COM & CYBER SECURITY GROUP

The Continuous Audit Metrics Catalog by Cloud Security Alliance CSA

1. Introduction

Are traditional IT security assurance tools outdated?

With DevOps and fast-paced technological evolutions, many cloud customers think that a third-party audit conducted once a year is no longer sufficient; they want their cloud service providers (CSPs) to offer continuous assurance of the ongoing effectiveness of their security processes and practices.

The blog post Continuous Auditing and Continuous Certification describes STAR (Security Trust Assurance and Risk) Continuous as “an innovative framework designed to provide compliance assurance to cloud customers on a monthly, daily, or even hourly basis.” [1]

STAR Continuous is based on the idea of “continuous auditing,” achieved by continuously measuring specific attributes of an information system and comparing the results with pre-established security objectives. The results of this continuous auditing process are then shared in real time with customers in a way that protects the cloud provider’s confidential operations. This process must be automated in order to scale in cloud environments.

Selecting and measuring meaningful security attributes of an information system presents a significant challenge. While traditional security auditing processes can rely on a large body of knowledge and well-established references such as ISO/IEC 27001, ISO/IEC 27017, or the CSA CCM, there is no such foundation available for continuous auditing of cloud services. The closest existing references to address this topic are ISO/IEC 27004:2016 and NIST SP 800-55 Rev. 1, but they focus mainly on traditional information systems and describe processes that often require human intervention. The work presented here is a first attempt to provide a foundation for continuous auditing of cloud services by defining a catalog of security metrics relevant to cloud computing, with measurement processes that can be largely automated.

This catalog is the product of the work conducted by industry experts in the CSA Continuous Audit Metrics Working Group, which was established in early 2020. Given the novelty of our approach, this catalog does not aim to be exhaustive and complete; instead, this release aims to gather feedback from the community and guide our ongoing work while broadening awareness of continuous assurance within the cloud community.

The proposed metrics were designed to be consistent with the newly released CSA Cloud Controls Matrix v4 controls (CCMv4). [2]

These metrics aim to support internal CSP governance, risk, and compliance (GRC) activities and provide a helpful baseline for service-level agreement transparency. Additionally, depending on the success of this work and the evolution of the STAR Continuous program, these metrics might be integrated within the STAR Program in the future, providing a foundation for continuous certification.
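To make the continuous-auditing process described in this introduction concrete, the following is an added illustration, not code from the CSA catalog or the STAR Continuous program: a tiny metric evaluator that takes automated measurements, compares them with a pre-established objective inside a time window, and produces a customer-facing view that carries only the compliance status, never the raw measurements or internal evidence. The metric identifiers, control references and sample values are all constructed placeholders, not entries of the real catalog or of CCMv4.

```python
"""Added illustration of a continuous-audit metric loop (not CSA code)."""
from __future__ import annotations

import operator
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Metric:
    """One entry of a hypothetical metrics catalog (assumed structure, not CSA's)."""
    metric_id: str                              # assumed identifier
    control_ref: str                            # placeholder CCMv4 control reference
    description: str
    objective: float                            # pre-established security objective
    comparator: Callable[[float, float], bool]  # comparator(measured, objective) -> met?
    window: timedelta                           # how much recent history counts


@dataclass(frozen=True)
class Sample:
    """A single automated measurement of an information-system attribute."""
    metric_id: str
    timestamp: datetime
    value: float
    evidence: str   # internal detail (host names, ticket ids); stays with the provider


@dataclass(frozen=True)
class AuditResult:
    metric_id: str
    control_ref: str
    evaluated_at: datetime
    measured: Optional[float]   # None when no sample fell inside the window
    objective: float
    status: str                 # "COMPLIANT", "NON_COMPLIANT" or "NO_DATA"


def measure(metric: Metric, samples: list[Sample], now: datetime) -> Optional[float]:
    """Aggregate (mean) the samples for this metric that fall inside its window."""
    recent = [
        s.value for s in samples
        if s.metric_id == metric.metric_id
        and timedelta(0) <= now - s.timestamp <= metric.window
    ]
    return statistics.mean(recent) if recent else None


def evaluate(metric: Metric, samples: list[Sample], now: datetime) -> AuditResult:
    """Compare the measured value with the objective; missing data is reported, not hidden."""
    measured = measure(metric, samples, now)
    if measured is None:
        status = "NO_DATA"
    elif metric.comparator(measured, metric.objective):
        status = "COMPLIANT"
    else:
        status = "NON_COMPLIANT"
    return AuditResult(metric.metric_id, metric.control_ref, now,
                       measured, metric.objective, status)


def customer_view(results: list[AuditResult]) -> list[dict]:
    """What is shared with customers: status per metric and control only."""
    return [
        {"metric_id": r.metric_id, "control_ref": r.control_ref,
         "evaluated_at": r.evaluated_at.isoformat(), "status": r.status}
        for r in results
    ]


# --- constructed catalog and measurements (illustrative values only) ---
CATALOG = [
    Metric("patch-coverage", "CCMv4-placeholder-TVM",
           "Share of hosts patched within the provider's internal deadline",
           0.95, operator.ge, timedelta(days=1)),
    Metric("admin-mfa", "CCMv4-placeholder-IAM",
           "Share of administrative accounts enforcing MFA",
           1.0, operator.ge, timedelta(days=1)),
]

NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    Sample("patch-coverage", NOW - timedelta(hours=2), 0.97, "scanner run A (constructed)"),
    Sample("patch-coverage", NOW - timedelta(hours=1), 0.95, "scanner run B (constructed)"),
    Sample("patch-coverage", NOW - timedelta(days=3), 0.80, "stale run, outside the window"),
    Sample("admin-mfa", NOW - timedelta(hours=1), 0.98, "IdP export (constructed)"),
]


def run_audit(catalog=CATALOG, samples=SAMPLES, now=NOW) -> list[AuditResult]:
    """Evaluate every catalog metric against the current samples."""
    return [evaluate(m, samples, now) for m in catalog]


if __name__ == "__main__":
    for row in customer_view(run_audit()):
        print(row)
```

The stale sample is deliberately excluded by the window so that an old good (or bad) reading cannot mask the current state, and a metric with no fresh data is surfaced as NO_DATA rather than silently passing; both are the kinds of edge cases a continuous-assurance feed has to make visible.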
