Those of you who have analyzed ISO/IEC 27017 (or are even certified on it) have seen that it is a standard which, based on the control repository of ISO/IEC 27002, adds further controls specific to cloud computing.
Besides, it has the peculiarity that the added controls take into consideration the customer and provider roles, in order to give guidance to one or both of them on how to implement each control.
Anyway, we would like to analyze control 14.1.1, Security requirements analysis and specification. In this control, the standard assigns different functions to the two roles mentioned above:
- On the one hand, the customer should specify security requirements and, later, analyze and assess whether her requirements are correctly implemented in the service.
- On the other hand, the provider should supply information about the controls it has implemented, to help the customer perform the mentioned analysis of alignment between requirements and controls.
All of this is obvious and truly coherent, but, like any standard, it sets the what, not the how: how can this request for and delivery of information be articulated while avoiding the disclosure of sensitive information that could itself end up causing a security breach?
Nevertheless, this is the scenario that all customers and service providers face today:
- Each customer defines her own security requirements, specific to her needs.
- The provider answers each of these requests individually and specifically.
- Customers assess each answer from their (potential) providers one by one.
- (At best) each customer repeats this process every year for a relevant sample of providers.
Can the reader imagine a customer that has to go through this process with more than 25 providers? What if she has more than 50? Or even more than 100? Conversely, can the reader imagine a provider that has more than 25 customers? What if it has more than 50? Or around a thousand?
How can this process be implemented in a way that allows sending relevant information without revealing sensitive security information, and that is cost-efficient?
For LEET Security this is one of the features (if not "the" feature) of security rating. Because of the transparency provided on the security controls implemented in a service and, given that the criteria are objective and publicly available, providers only have to undergo a single assessment process to rate the security of their services, making the whole process really efficient (following the principle "make once, use multiple times").
Additionally, the new version of the rating guide will include an exhaustive mapping to the controls of ISO/IEC 27002 and ISO/IEC 27017. If you cannot wait until the release of the new version, do not hesitate to send us an email asking for it at info at leetsecurity.com.
You can follow us on twitter.com/leet_security