CCM, CAIQ and STAR

Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
In this video, we're going to take a step away from the slideshows and examine the Cloud security matrix, the CAIQ, and the STAR registry. In the first module, we talked about downloading some materials from Cloud Security Alliance. I hope you did that. But if you didn't, some of the materials we're looking at in this particular video are also posted there. I ask that you go back to cloudsecurityalliance.org, take a look at the assurance, and we're going to be looking at the different STAR tools.

First thing is going to be the CCM, the Cloud Controls Matrix. As you can see, the purpose of this is to map the variety of different standards with different regulations, frameworks, and controls that you want to have in place for your cloud security. If you haven't done it already, go ahead and download the CCM. It's going to require you to provide some information about yourself. Then you're going to get an Excel sheet. Once you've downloaded the CCM, go ahead, give it an open, and let's take a look at it.

I'm going to go through the different columns first. We're certainly not going to look at each and every row in the CCM. As you can see at a quick glance, I think last year it was up to 130 different controls that it discusses. It looks like it's growing. New versions of this are coming out on a regular basis. Now we can see we have almost 135 different controls that get examined in the CCM. I've mentioned that this is one of the tools when we're talking about vendor assessments, looking at risk, doing gap analysis, really understanding what your Cloud provider is giving you, and then what are the other things that you need to put in to fill that gap to mitigate the different risks that are outstanding. The CCM and the other utilities that we're going to be looking at in this video are not fancy software in their own right, but they have a lot of real powerful information that can make your life much easier when making these decisions.

First, we have the control domain that's going to describe a variety of different general domains of control. In the Cloud, you want a unique ID according to this CCM. In the CCSK, you're not going to need to understand each and every facet of the CCM, and you're definitely going to want to have a copy of the CCM out and ready when you're taking the exam. But it's very important that you also understand the purpose and the intention and the use of the CCM because there's a lot of questions around that.

Moving to column C, here's a description. What is the thing, the control that we're talking about? This very first one: application and programming interfaces shall be designed, developed, deployed, and tested in accordance with leading industry standards, such as OWASP for web applications, and adhere to applicable legal, statutory, or regulatory compliance obligations. That's the content. That's the standard. That's what you need to be doing.

Continuing along, we can see there's architectural relevance columns. Is this something that's applicable at the physical layer, the network, compute, storage, app layer, the data layer? Is this control something to be considered for corporate governance? What is the cloud service delivery model that this particular control provides to us? These are the big three we've spoken about several times: SaaS, PaaS, IaaS. In the supplier-consumer relationship, who does the majority of the burden fall upon to realize this control? Service provider or the tenant consumer?

Then we have a whole lot of other columns. These are different specifications and standards and regulations that exist out there. In future videos I'm going to touch on many of these. You don't need to know what each and every one of these is for the CCSK exam. However, in your day-to-day practice in your life, there are going to be certain standards that are very applicable to the company you're working at, the industry that it resides in. It will be helpful to give this again because you may find that some of these standards are very applicable to your day to day. For example, COPPA, the Children's Online Privacy Protection Act, is very common to pretty much anybody who is providing a means for users to register with their service. If the user is 13 years or younger, they should not be allowed to sign up on your service. Go through, check them out. You can see there are a lot.

This is a very valuable utility. When you're evaluating the gaps, you're looking at a cloud provider, and you want to see the cross relationships between the different standards, you want to see what they map to and the commonality between the different standards as well as the underlying cloud controls, and it's just going to make things a lot simpler. Instead of having to be an expert in each and every standard yourself, you're going to be able to evaluate something like this. Evaluate the Cloud provider, cross-reference what are the controls in place with the Cloud provider and how does that relate to compliance with the variety of different standards that the CCM outlines here? Once again, you're not going to be required to know all these different standards in the CCSK exam. We will be glossing over some of these standards in future videos in this lesson. But the biggest point that you're going to want to understand is, what is the purpose of the CCM? Why would you want to use it? What is the value it brings? I personally find this a very helpful tool, and go ahead and explore it for a little bit just so you understand the different domains, control domains, and take some samples of different control specifications that you find.

Now I'm going to hop back to cloudsecurityalliance.org, and we're going to proceed to take a look at an additional STAR tool called the CAIQ. This is the Consensus Assessment Initiative Questionnaire. Just like the CCM, you're going to need to fill out a little form, download the video. If you haven't done so, pause this video for a second, and then come back. I'm going to shoot over to the CAIQ right now, my own copy that I've downloaded and have open.

Well, let's take a look at this. The first few columns have a tri correlation with the CCM. We have the application domain and we also have the control ID. There's a direct mapping between the control IDs defined in the CAIQ and those defined over in the CCM. If I shoot over to that, and you just give me a second. Here's AS-01. We come back to the CAIQ, AS-01 there. Then there's the control specification; this also lines up directly with the CCM. Here's the control set specification text. You can see the relationship there.

Now where the CAIQ comes into value is the assessment questionnaire. You remember the difference between assessments and audits: assessments are more just stated, not actually proven in fact. This sequence of questions allows you, when you're doing the evaluation, or allows the Cloud provider themselves, when they're doing an introspective evaluation and assessment of their compliance with these different points; these questions help them understand the breakdown. To get this control specification met, what are some of the things we need to ask ourselves, and based on those answers, we're going to get a better gauge on the specifics of how well we are meeting this particular control specification. As a Cloud customer, you can use the CAIQ and have a conversation with your Cloud provider, and it'll help you and walk you through asking the right questions. If you're on the Cloud provider side, you can proactively address questions and use the CAIQ as a basis to examine these things. Go through these different questions based on your answers in the different control IDs that you are able to realize and enforce internally. You can then come back, look at the CCM and say, okay, we check the box on this particular control, so if somebody asks us about a specific one of these regulations and certifications, we can also, with a good amount of confidence, say that these particular points on the regulation, we're adhering to those as well. Hopefully you realize the value of the CAIQ both for cloud providers and cloud consumers.

This continues to move on and have line items that line up directly with the CCM itself. I do recommend you make sure that you're always downloading the latest update of the CAIQ. It does get revised. You can see here this is the change log for the most recent revision. I'm actually looking at one updated as of April 14th, 2020. At the time you're watching this, you may be looking at even a newer revision of this. A lot of time and effort is spent improving the questions to get that alignment between the security control and assessing how well the Cloud provider is fulfilling that security control with their own internal procedures.

Jumping back to cloudsecurityalliance.org, we can also see that there is a light version of the CAIQ: some simpler questionnaires not addressing each and every item. Take a look at that from your practical day-to-day use perspective. But it's not something that's going to be covered on the CCSK exam.

Finishing off this video, what I'd like to go through is the STAR registry. The STAR registry brings some value to you in that you don't have to use this CAIQ to assess each and every individual cloud provider. The STAR registry actually provides the different Cloud providers themselves with the opportunity to perform these assessments on themselves, walk through the CAIQ, answer the different questions, and then upload their results to a centralized repository. You as a cloud consumer can then search for the cloud provider, and examine the evaluations and assessments that they may have submitted to the STAR registry. This prevents you from having to go through that whole assessment process with the Cloud provider. I encourage you to use the STAR registry as you're looking at and evaluating different Cloud providers. For purposes of the CCSK exam, there's not a ton of focus on the actual STAR registry. Certainly, they don't get into the individual cloud providers that are in that registry.

One thing to note though, is there's a few different tiers that the providers themselves can fall upon once they submit. There's this self-assessment, meaning the provider, they assess themselves and they answer the questionnaire themselves. But then there's also some certified cloud providers as well, where an external party has come in and actually done an audit, and then submitted their audit results. You can see a little bit on the "select a submission path": you can be Cloud certified, the Level 1 here where you're just saying, "Here's what I do." Level 2 is where you're actually making attestations, legally binding assertions that this is indeed what I do, a little bit above and beyond an assessment. Then you can, of course, hire a third party to come in and make additional attestations on your behalf, and they themselves are saying, "We've gone through an audit and we've really made sure that this cloud provider is adhering to these different controls."

On that note, we have gotten deep enough into the STAR registry to teach you everything you're going to need to know relative to the CCSK exam. We've also talked about the Cloud Controls Matrix, and then we reviewed the CAIQ itself, and that wraps it up for this video as well. I look forward to seeing you in future videos.