Workshop on Multi-Party Recognition

Key Lessons & Next Steps: Workshop on Multi-Party Recognition Between Cloud Security Certifications

Date: 13 May 2019

Location: EY Amsterdam, Amsterdam

Third-party audits and certifications are considered a suitable way of providing assurance and trust regarding a cloud service provider’s approach to security and privacy. They are also a credible way to demonstrate compliance with standards and regulations. However, the number of national, international and sectoral standards, laws and regulations has grown drastically in the last few years, making compliance considerably more complex. This proliferation of requirements has directly increased the cost of compliance for Cloud Service Providers (CSPs), which in some cases is passed on to cloud customers as a higher service price.

Within the European Commission funded project EU-SEC, we have analysed this proliferation of cloud security standards and compliance schemes and observed that many security requirements and control objectives in different standards overlap to a large extent. As a consequence, the process by which CSPs adhere to multiple standards, laws and regulations is inefficient: a great deal of work is duplicated, which unduly increases cost and complexity.

The EU-SEC project has worked on addressing these issues by, for instance, identifying the common denominators between widely known standards (e.g., ISO27001/02/17/18, SOC2, CSA STAR Certification and Attestation, BSI C5, ANSSI SecNumCloud and other national or sectorial schemes) and presenting them under a well-defined and comprehensive framework, namely the EU-SEC’s “Multi-Party Recognition Framework”.

The main idea behind the Multi-Party Recognition Framework is not to create yet another cloud certification or auditing architecture. Instead, it provides a unified, systematic set of activities whose objective is to minimise the burden on a CSP of obtaining certification “Y” once it has already obtained certification “X”. More generally, the purpose of the framework is to streamline the compliance process within an organisation and reduce its burden.

EU-SEC’s Workshop on Multi-Party Recognition Between Cloud Security Certifications was held in Amsterdam on 13 May 2019. Thanks to the generous hospitality of EY, we were able to welcome participants at EY’s Amsterdam headquarters.

EU-SEC is creating a framework under which existing certification and assurance approaches can co-exist. Its goal is to improve the business value, effectiveness and efficiency of existing cloud security certification schemes. The aim of this workshop was to raise awareness of the project’s work on the Multi-Party Recognition Framework (MPRF), including the business drivers for adoption, and to promote commercial exploitation of the project’s innovative solution. The event was also an opportunity for the consortium to gather feedback from auditors, scheme owners and other potential users.

Business & Technical Drivers for MPRF

Daniele Catteddu from Cloud Security Alliance delivered a convincing argument for the benefits of implementing a multi-party recognition approach. Although cloud computing brings many benefits, there is still a level of concern regarding security and privacy. Third-party audits and certifications provide assurance and promote trust regarding a cloud service provider’s approach to security and privacy, but the number of existing national, international and sectoral standards, laws and regulations has resulted in confusion and complexity. The presentation set out the value proposition for cloud stakeholders, including Cloud Service Providers, auditors, consultants, scheme owners and cloud customers.

EY CertifyPoint: Activities, Structure & Governance

Bhavna Nakra from EY CertifyPoint gave an insight into EY CertifyPoint, an accredited, independent and impartial certification institute with experienced auditors all over the world, certifying some of the top international organisations.

EY CertifyPoint is already aligning its integrated auditing approach with the EU-SEC Framework.

Multi-Party Recognition between Cloud Security Certifications – how does it work?

The next session, delivered by Damir Savanović of Cloud Security Alliance, described the methodology and lifecycle of the framework in more detail, giving participants valuable background on how the scheme works and how stakeholders are expected to interact with the framework.

Valuable Feedback

“I think this is a big step towards managing compliance and providing a common framework to many large, complex and multi-site organizations.” Jatin Sehgal, Global Leader & Managing Partner at EY CertifyPoint

Following the presentations, there was a lively discussion among participants and EU-SEC project members and a general agreement that both auditors and auditees can benefit from adopting the MPRF. Many advantages were identified, including:

  • MPRF’s benefit is not only a reduction of effort, but also the added value of delivering a secure and high-quality product to auditees
  • Large multinational companies will clearly benefit from cost reduction. Implementing different controls is very expensive, especially country-specific ones such as BSI C5
  • MPRF can help CSPs understand the additional requirements they need to meet when extending their business into new countries
  • MPRF gives an integrated view of compliance across various disciplines
  • Increased customer trust, and hence improved business value as well as greater effectiveness and efficiency of existing cloud security frameworks
  • Reduced audit fatigue thanks to integrated assessments

Fully Validated Solution

Björn Fanta from Fabasoft and Cristóvão Cordeiro from SixSq explained how the MPRF has been validated in a 12-month pilot that applied an MPRF-based audit approach and served as a continuous improvement process. The pilot clearly demonstrated that a Cloud Service Provider can benefit from using the MPRF with as few as two certifications, and that there is significant potential for cost and effort reduction. In fact, Fabasoft estimated that by using the MPRF they could reduce the number of controls by 24 percent when applying for BSI C5.

What’s Next?

Participants made some interesting points regarding the standards and controls included in the MPRF, which the consortium will consider with a view to updating the processes and activities. Training and awareness materials are being developed to address the needs of the different target audiences, and potential users will have the opportunity to attend workshops and tutorials in Berlin in October 2019.