inContact is a member of the Cloud Security Alliance (CSA) because we recognize the importance and value of what CSA is doing in developing and promoting best practices in cloud security. One example of a great tool for both Cloud Providers and Users is the Cloud Controls Matrix, or CCM. The CCM provides a list of some 134 recommended controls, cross-referenced to other standards such as PCI, HIPAA, ISO, NIST and others, that a Cloud User should assess Cloud Providers against. I want to discuss the important role of three special areas: Governance, Standards and Transparency.
Governance refers to processes associated with, or responsible for, governing the security of the Cloud Provider. I cannot overstate the vital role that Governance plays in assessing a Cloud Provider. Governance includes policies, procedures and personnel. It’s not uncommon for companies to have governance bodies such as its Executive and Auditing staff. In a mature Cloud Provider, you should expect to find a dedicated and trained body whose mission is focused on security. The Trust Department at inContact fulfills that mission by focusing on the development, application of and adherence to policies and procedures that ensure the security of inContact and its customers' information and physical assets.
Adherence to recognized Standards is a second critical milepost in the analysis of a Cloud Provider. Standards such as ISO, NIST or PCI represent years of experience and analysis in developing the best practices most able to produce a secure environment. Understanding how Standards should be applied in Cloud environments can be challenging. inContact recognizes that its customers have to address the compliance and regulatory requirements of many industries. We address this by adhering to a body of core control requirements designed to meet the Standards required for handling PII, ePHI and PCI data types.
Finally, Transparency into the Cloud Provider's operation is essential to the Cloud Customer's assessment. Cloud Customers should be able to obtain assurance instruments that identify, explain and attest to the Cloud Provider's controls. Some of these assurance instruments will include material directly from the Cloud Provider, such as technical white papers, policy documentation, disaster recovery plans and security programs. The next type of assurance comes in the form of certifications to recognized standards, such as PCI Attestations, ISO certifications and third-party audited SOC reports.
My recommendation to Cloud Users and Providers is to pay attention to Governance, Standards and Transparency. You will find that the Cloud Security Alliance is a resource that will be of mutual benefit to both.