Cloud Security Frameworks and Standards

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
>> Wow, there are a lot of different facets to cloud security. How do we know that our organization is really creating a comprehensive, layered approach that addresses the risks that are relevant to our data and the regulations that our companies are subject to? Well, that's where cloud security frameworks and standards come in.

In this lesson, we're going to explain the common frameworks and standards for cloud security, talk about the business case that really should drive what framework or what standard your organization is trying to meet, and then compare and contrast some of the major security frameworks.

There are really three that I think are most important to talk about in the context of this certification. The first one is ISO. ISO stands for the International Organization for Standardization and, with the International Electrotechnical Commission, ISO/IEC. The 27000 series are really the most important technical standards produced by ISO, and the cloud standards are the 27017 series. These standards are really the guidelines for provisioning cloud services and how to protect customer information and privacy. Now, these ISO standards are not laws, but they reflect the EU regulations and are required in some countries as an industry standard. They are quite lengthy and quite granular, and it can be costly to implement the ISO standard. But it does have a strong reputation internationally because it is an international standard and meets many of the requirements that countries have to operate there.

FedRAMP: this is the US federal set of standards regarding cloud products and services. It leverages the NIST standards, from the National Institute of Standards and Technology, which releases publications on the best practices for protecting data in non-classified government systems. FedRAMP really is the standard that organizations need to hit in order for US government entities to participate in, usually licensing, their cloud services. FedRAMP is very expensive and very time-, cost-, and labor-intensive to meet. That's why it's really only appropriate for organizations that are going to be vendors to the government.

Then there's CSA STAR. This is from the Cloud Security Alliance, and STAR is really an acronym for Security, Trust, Assurance, and Risk. This is an audit framework provided by the Cloud Security Alliance that is freely available to organizations. It doesn't cost anything to be audited against the standard. We're going to go into more of the levels of maturity that are associated with the CSA STAR standard in future modules. But one of the good things about it is that any organization that is even contemplating whether they want to go to the cloud should really leverage this as a great resource to look at how their controls stack up against this standard. It's built on the existing controls that exist in some of the other standards, such as ISO as well as the AICPA's standard referred to as SSAE 18. It really covers most of the cloud best practices. It is fairly easy to implement and encourages continual auditing. This is an organization that's publicly available and can be updated fairly frequently. One of the other advantages is that once you've undergone a third-party assessment with the CSA STAR program, you can publicly register that attestation on their website. Your vendors and other organizations can investigate and look at your third-party report and see how you stack up against the CSA STAR standard.

Quiz question: which framework would be best for multinational corporations operating cloud environments in different geographic regions? The ISO standard, the Cloud Security Alliance standard, or FedRAMP? If you said ISO, you're correct. It has "international" in the title, and it is well regarded and recognized as being one of the highest-caliber international standards for cloud security best practices.

In summary, we talked about the common security frameworks and standards that organizations can leverage to ensure that they are meeting their compliance and security obligations in the cloud. We've talked about the use cases: really, ISO is excellent for international organizations. FedRAMP, for any company that's really going to be a vendor servicing the US government, is a good option. Then CSA STAR is really for organizations that don't necessarily have the most sensitive data or don't have the budget to really implement or audit against some of these more expensive standards. That's a great place to start; it covers most of the best practices and sets an organization up if they want to meet future standards, such as ISO or some of the SSAE 16 or 18 standards. CSA STAR really sets organizations up well if they want to have other third-party audits against standards in the future. Standards help us meet the rules of the road. I'll see you in the next lesson.