IaaS - Infrastructure as a Service. The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
PaaS - Platform as a Service. The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider.
SaaS - Software as a Service. The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure.
The Cloud Security Alliance (CSA) is an open, volunteer-based industry consortium. It provides a suite of four integrated and mutually reinforcing initiatives (the “Stack Packs”), designed to support cloud consumers and cloud providers in capturing value from the cloud as well as supporting compliance and control within the cloud:
• Cloud Controls Matrix (CCM)
• Consensus Assessments Initiative (CAI)
• Cloud Audit
• Cloud Trust Protocol (CTP)
The Security, Trust and Assurance Registry (STAR) is a CSA initiative: an online clearinghouse where cloud providers can submit documentation detailing their security controls for review by potential customers, indexed by CAIQ reference. The registry has 22 participating providers, including Amazon Web Services and Microsoft Azure. For more details, visit the CSA site.
Note: All the above self-explanatory figures are taken from the Cloud Security Alliance (CSA).
The CSA STAR packages offer only a Self-Assessment for compliance, which provides:
• High risk, low reliability
• Requires a high degree of trust in the person making the attestation
• Lack of accountability; leads to cutting corners because no one is looking
Whereas a Third Party Point-in-Time (SOC 2 Type I) assessment provides:
• Medium risk and reliability
• Provides minimal, if any, assurance, and still requires trust
• Lack of accountability; leads to cutting corners when no one is looking
The most reasonable assurance is a Third Party Period-of-Time (SOC 2 Type II) assessment, which provides:
• Low risk, high reliability: “Trust, but verify”
• Provides reasonable assurance
• Accountability exists: when corners are cut, there is a high likelihood of being caught
The Cloud Security Alliance (CSA) recommends the AICPA’s SOC 2 reporting for Cloud environments.
The SOC 2 attestation standard allows for the inclusion of other standards as “Additional Subject Matter”, such as Cloud STAR, PCI DSS, ISO 27001, NIST, etc. CPA firms can partner with QSAs and ISO registrars to conduct testing together, eliminating testing redundancy.
SOC 2 and “Additional Subject Matter” engagements can be undertaken jointly with your existing vendors. At the end of the engagement, organizations receive a SOC 2 report that covers a period of time AND separate reports covering the other standards, i.e. a PCI-DSS Report on Compliance (ROC) and/or an ISO 27001 certificate.
In a nutshell, use the SOC 2 Type II report as the assurance wrapper for any or all of the following:
• Joint audit work serves as the basis for the multiple reports that you receive
• Solid detail and great standards for your compliance needs
• Inclusion of cloud standards like the CSA CCM
• Little to no risk; very high reliability provided by period-of-time testing
• Specific reports to satisfy everybody
For the Cloud, new security issues and controls exist. Security in the Cloud is the biggest fear among CIOs/CISOs. Besides, research has indicated that about 60-70% of threats are from insiders, not outsiders. Having a SOC 2 can give your organization a competitive edge. A process-driven, well-defined SOC 2 can reduce the insider threat in your organization. Knowing how much extra value and assurance a SOC 2 can deliver, many clients find that it makes sense to take steps to ensure a more successful outcome, including hiring experts who are skilled in helping companies be more thorough and thoughtful in how they approach their audits. A SOC 2 report:
• Helps in building trust
• Differentiates the service organization from its peers
• Provides management insight into the effectiveness of controls and possible areas for improvement
• Provides independent assurance by a CPA
• Allows the service organization to meet regulatory/contractual requirements
• Provides a level of comfort over the control consciousness of the service organization and its services
• Carries more weight than a self-assessment
• Can include the Cloud Controls Matrix (CCM) or any other cloud or compliance requirements
The AICPA’s SSAE 18 defines the standards used by a service auditor to assess the internal controls of a service organization. The control objectives and activities vary based on the specific scope of the client’s operations. The Scope of Work (SOW) is based on:
• Trust Services Principles (TSP 100), Criteria and Illustrations, and Generally Accepted Privacy Principles (GAPP)
• The relationship between the service organization and the user organizations to help determine the controls that should be included in the engagement
• Reviewing the Service Level Agreements (SLA) or End User Licensing Agreements (EULA)
• Current data and privacy management
• Regulatory requirements
• Any other specific requirements
Some of Your Advantages
• Managed risks of the Cloud
• Managed security for outsourced services
• Joint audit work serves as the basis for the multiple reports that you receive, with solid detail and great standards for your compliance needs
• Inclusion of specific data security and privacy compliance regulations such as HIPAA, PCI-DSS, GLBA
• International acceptance
• Reduced cost of overall compliance
Why Us?
We provide an end-to-end process for SOC reporting engagements. With data moving into the Cloud and the increased use of Big Data, cloud security and privacy concerns are on the rise. We conduct integrated cybersecurity engagements together with privacy engagements. The AICPA has developed a SOC reporting framework for privacy, which can help organizations ascertain their level of privacy maturity. More stringent regulations like HIPAA and the EU GDPR, and the enforcement of these privacy requirements, are causing nightmares for organizations.
Some of the advantages of working with us are: