[BreachExchange] Why Certification Matters for Cloud Service Providers

[Inga Goddijn]

https://cloudtweaks.com/2017/10/certification-cloud-service-providers/

Certification for Cloud Service Providers

As of 2017, the concept of “*cloud*” has become more of a norm for
companies and organizations worldwide. Most now use cloud service providers
(CSPs) for some part of their business, and cloud has grown from simply
being an IT concern to a C-level concern. Debate continues over the
varieties of cloud available, such as on-premise, hybrid, public and
private, and it is an industry that according to Global Industry Analysts,
Inc., will reach over $127 billion by the end of the year.
Problems

Since so much data is now being stored on cloud servers, CSPs must be
vigilant and proactive to ensure their clients’ vital digital property is
never compromised, infected, or held for ransom. The potential for damage
extends well beyond simple data loss; companies can face litigation, fines,
and destruction of their reputation and brand if their cloud platform is
breached.

Cloud security is a joint responsibility: organizations bear some
obligation to protect their data, but so, too, do the CSPs themselves. As a
result, many CSPs realize that despite the substantial technology and human
expertise they have at their disposal, the threats are varied and
persistent. They must seek to stay one step ahead to continue serving as a
trusted technology and security advisor to their clients. This is when
certification can make a big difference.

While there are many compliance certifications that CSPs maintain, having
certified cloud security professionals on staff, and also having them as
third-party contractors, provides an opportunity for CSPs to bolster their
reputation and expertise. This is especially useful when customers have
reservations about cloud computing. Cloud security certification confers
credibility and helps reassure the customer of a CSP’s status as a trusted
technology and security advisor in the cloud.
The Power of the CCSP Designation

The CCSP (Certified Cloud Security Professional
<https://cloudtweaks.com/2015/11/cloud-security-insights-ccsp-pros/>)
designation was co-created by (ISC)² and Cloud Security Alliance, and is a
globally recognized credential representing the highest standard of cloud
security expertise. The certification attests to deep, up-to-date knowledge
and hands-on experience with cloud security architecture, design,
operations, and service orchestration.

To qualify, candidates must already possess a minimum of five years
cumulative, paid, full-time work experience in information technology, of
which three years must be in information security and one year in one or
more of the six domains of the CCSP Common Body of Knowledge (CBK).

Why should anyone pursue such a designation, and why should CSPs or their
clients care about it?

As highly trained experts, CCSPs work either within an organization or as
external contractors. Their role is to stay ahead of the trends, threats,
and other developments that the often-overtaxed members of an internal IT
team have little time to review. These include:

   - Assessing the viability and security of APIs
   - Detecting compromised credentials, poor password hygiene and
   insufficient authentication, including one-off activities like forgetting
   to de-activate the credentials of people who have left the project or
   company.
   - Incorporation of multifactor authentication
   - Assessing the CSP’s security around the identity platform
   - Evaluating the potential for a cloud application to be used as an
   attack launchpad
   - Scanning for vulnerabilities and bugs
   - Scanning for sabotage or people acting as weak links
   - Training and consulting on employee awareness against phishing and
   other forms of external attack
   - Training employees on the use of BYOD devices

CCSPs assist with software and patches, vulnerability testing, auditing and
training/awareness programs based on the most up-to-date knowledge. They
are also well-versed in discussing strategy, planning and crisis management
with people outside the IT department, specifically the executive.
The Need for Constantly Updated Risk Awareness and Mitigation

Attacks come from every type of connection point; not just cloud, but every
other type of technology that touches a company, such as SaaS services,
BYOD devices, even phishing emails. According to some experts, more than
400,000 new malware instances are recognized daily.

Cloud service providers must be able to protect themselves as well as their
customers, while simultaneously staying competitive, through innovation,
scalability, and reliability. Much like a physician who must stay healthy
while supporting the health of her patients, CSPs must be constantly on
guard for threats and must stay permanently up-to-date. They must use tools
and configurations that are very different from those that they give to
their customers, for example, the technologies and protocols specific to
hypervisor environments, which must remain isolated from their customers’
own structure.

CCSPs must also ensure their clients keep tabs on cloud security challenges
that happen on an individual level, for example, when employees either
choose or unwittingly start to use convenient commercial “DropBox-style”
cloud storage providers or even infected USB drives. When they use these
technologies, employees inevitably lead their companies into situations of
heightened vulnerability by circumventing established security protocols.
The Need to Constantly Deliver Proof of Security

Ultimately, cloud service providers must satisfy the customer’s concerns
around a range of issues. These include transparency regarding where the
data resides and how it is being protected; proof of a CSP’s ability to
protect that data; proof of experience and up-to-date capability, and a
guarantee of available resources and expertise.

CCSPs give cloud service providers the capacity to build, operate, and
demonstrate a security policy that can be proactive, and which is also able
to react with great speed, accuracy, and completeness.

The CCSP allows the cloud service provider to remain a trusted advisor and
a trusted repository of their customers’ vital data, prosperity and
reputation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171017/d0764f01/attachment.html>