This blog post addresses the issues described in “Common Issues with Going Global: Part 1” and provides guidance to support service roadmap and go-to-market planning. In this guide, we’ll explore practical strategies and recommendations tailored for cloud providers aiming to expand into the global cloud security market. Our focus is on effective management and compliance with the multifaceted global laws and regulations.
Join us as we explore actionable solutions to the intricate challenges faced when expanding into global cloud security.
How to Approach Global Cloud Compliance Standards
In addressing the complexities of global cloud compliance, it’s crucial to have a clear starting point and a strategic approach. This section of our guide breaks down the key areas of focus for cloud providers looking to navigate the global market.
Build Momentum with FedRAMP
Rip off the band-aid and do FedRAMP first! If you initially forego this step, you’ll find yourself dedicating substantial time to gap analyses, risk assessments, and crosswalks. Eventually, you’ll likely realize that adopting FedRAMP as the benchmark for your entire environment is more efficient and cost-effective.
Many international standards, like Canada’s Protected B, are already aligning with FedRAMP requirements. Conversely, frameworks like Australia’s IRAP and Singapore’s OSPAR share fewer controls in common with FedRAMP. It’s only a matter of time before most or all of the global standards revise their requirements to match FedRAMP.
Existing business deals, pipeline, compliance and renewal risks, and similar factors should all factor into the decision of which global authorization to obtain next. However, we’ve seen providers achieve great success by taking the FedRAMP plunge and tackling it early on.
Be Consistent and Efficient
While there are many differences among the frameworks, you can save time by standardizing certain processes and adjusting as needed to meet the specific requirements.
For example, IRAP in Australia, SecNumCloud in France, and CSA STAR all have a requirement to maintain a register of 3rd party services. As you depend more and more on systems and services from external providers, you can build a process to collect the information you need to maintain in a register. This should be part of your overall Supply Chain Risk Management program, but tailored as needed to meet each specific framework.
For example, CSA STAR broadly mandates an inventory of all supply chain relationships. In contrast, IRAP demands detailed information for each outsourced cloud service, such as name, purpose, data classification, and point of contact. Additionally, SecNumCloud requires explicit details on the contribution of third parties to the service and the processing of personal data. It also necessitates considering subcontracting at various levels.
The best approach is to combine all related requirements and have each service meet the highest, most stringent version of them (which is likely FedRAMP). Ultimately, if the process is repeatable and well-managed, it enables efficient security compliance across multiple geographical regions. This approach also helps in standardizing expectations for meeting diverse compliance requirements.
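As an added example (not code from the original post), the following Python models a third-party service register that encodes the field sets the text attributes to CSA STAR, IRAP and SecNumCloud, validates every entry against the combined, most stringent set, and recurses into subcontractors to cover multi-level subcontracting. The field names, the sample vendors and their contact addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Register fields each framework asks for, as summarized in the text above.
# Field names are this example's own choice, not any framework's wording.
REQUIRED_FIELDS = {
    "CSA STAR":    {"name"},
    "IRAP":        {"name", "purpose", "data_classification", "point_of_contact"},
    "SecNumCloud": {"name", "contribution", "processes_personal_data"},
}
# The combined set: every entry must satisfy the most stringent requirement.
COMBINED_FIELDS = set().union(*REQUIRED_FIELDS.values())

@dataclass
class ThirdPartyService:
    name: str
    purpose: Optional[str] = None
    data_classification: Optional[str] = None
    point_of_contact: Optional[str] = None
    contribution: Optional[str] = None           # what the third party contributes
    processes_personal_data: Optional[bool] = None
    subcontractors: list = field(default_factory=list)  # nested entries

def missing_fields(entry, required=COMBINED_FIELDS, path=""):
    """Return [(path, field)] for every unset required field, recursing into
    subcontractors so that subcontracting at any level is checked as well."""
    label = path + entry.name
    gaps = [(label, f) for f in sorted(required) if getattr(entry, f) is None]
    for sub in entry.subcontractors:
        gaps += missing_fields(sub, required, label + " > ")
    return gaps

def register_status(register):
    """Map each framework to whether the whole register satisfies its fields."""
    return {fw: not any(missing_fields(e, fields) for e in register)
            for fw, fields in REQUIRED_FIELDS.items()}

# Constructed sample register (fictitious vendors, .invalid addresses).
SAMPLE_REGISTER = [
    ThirdPartyService("Example Object Storage", purpose="backup storage",
        data_classification="Protected B", point_of_contact="vendor-sec@example.invalid",
        contribution="stores encrypted backups", processes_personal_data=False,
        subcontractors=[ThirdPartyService("Example Colo Facility", purpose="hosting",
            data_classification="Protected B", point_of_contact="noc@example.invalid",
            contribution="physical hosting")]),
    ThirdPartyService("Example Ticketing SaaS", purpose="support tickets"),
]

if __name__ == "__main__":
    for where, f in missing_fields(SAMPLE_REGISTER[0]) + missing_fields(SAMPLE_REGISTER[1]):
        print(f"{where}: missing {f}")
    print(register_status(SAMPLE_REGISTER))
```

Running it shows the register already satisfies CSA STAR but fails IRAP and SecNumCloud, with the SecNumCloud gap sitting one level down in the subcontractor entry.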
Other domains that often overlap across frameworks include:
- Account management and reviews
- Asset inventory
- Vulnerability management
- 3rd party contracts/agreements
- Service agreements between CSPs and tenant customers
- Crypto key management and protection
- Malicious code protection
- Incident response and reporting out to relevant authorities
- All the NIST SP 800-53 families
How to Take Action
Instead of investing significant time and resources in comparing and analyzing various frameworks and metrics, a different approach may be more beneficial. Prioritizing easier certifications first can pave the way for making progress on more challenging frameworks.
Build a Compliance Roadmap
Consider your roadmap: it might be advantageous to start with CSA STAR Level 1, which is essentially a security self-assessment reviewed annually. Another option is the NHS in the UK, which lacks a formal audit/certification process and relies on self-assessments, whitepapers, and similar documents for evidence.
Others that require more effort but aren’t as exhaustive as FedRAMP include IRAP in Australia, which is risk-based and accepts alternative implementations, and ENS in Spain, where the provider defines the system boundary. Shifting time from analysis to authorization for some of the simpler certifications can have you on the road to continuous monitoring in no time.
Develop a Custom Control Set
By developing its own control set and integrating relevant industry and global compliance requirements, a cloud service provider can:
- Simplify the adoption process and enable different groups to concentrate on controls within their areas of expertise;
- Adapt to changing requirements and incorporate new technologies and processes without significant disruption; and
- Provide a larger view of control responsibility or inheritance across services, entities, and customers, with the aim of bringing business, IT, and cybersecurity teams together to work towards a common goal.
Further, there are a number of reasons why cloud service providers might choose to build their own control set with custom requirements that are not tied to the NIST framework. The main one is the ability to tailor the framework to their specific needs and requirements.
This can be particularly helpful if the provider serves a niche market or operates in a specific industry that has unique compliance requirements. Custom frameworks offer increased flexibility and agility, because they are not confined by the standards and guidelines of NIST or other industry-standard frameworks. This can allow the provider to adapt more quickly to changing industry and compliance requirements.
Maintaining control over the framework proves beneficial for providers with strong internal compliance expertise. It also suits those aiming to set high standards in ethical and responsible operations.
Finally, building a custom framework can also be a way for a provider to differentiate itself from competitors. By creating a unique set of compliance standards and requirements, the provider can set itself apart and potentially appeal to customers looking for a more specialized or differentiated service.
Let Automation Do the Hard Work
Addressing the issue of over-reliance on automation and tool dependence involves adopting a balanced approach. This means finding a healthy blend of automation and human judgment in decision-making.
Specifically, you should be:
- Identifying the most appropriate tasks for automation;
- Establishing backup processes;
- Training employees on manual processes; and
- Regularly reviewing and updating automation strategies.
While custom automation solutions require more upfront investment, they do offer significant benefits in terms of efficiency, functionality, integration, and flexibility. This makes them a worthwhile consideration for organizations that have specific needs and requirements.
Invest in Professional Guidance
Investing in professional services or consulting support can aid organizations in effectively integrating new tools with their existing systems and processes. This ensures they derive maximum value from these integrations.
OSCAL (NIST’s Open Security Controls Assessment Language) is a set of standardized, machine-readable data models for managing and exchanging information about security controls, their implementation, and assessment results. Its schemas and tooling are designed to be adaptable and flexible, so organizations can extend them to meet their unique needs and requirements. With OSCAL, organizations can more easily assess their cybersecurity posture, identify areas for improvement, and share this information with assessors and customers in a standardized and interoperable way.
Overall, adopting a measured approach and implementing a system of checks and balances is beneficial. It helps maintain control over compliance processes and ensures the achievement of optimal results.
Develop a Clear and Definitive Policy
Defining the scope of policies and procedures and anticipating all of the situations in which they might apply can be a challenging task. Doing so requires a thorough understanding of the organization’s operations and the potential risks and challenges it may face.
That’s why it’s helpful to take a proactive and continuous approach, involving stakeholders in the policy development process. Specifically:
- Engage employees and external experts;
- Establish clear processes for identifying and addressing gaps in coverage or ambiguities in policy language; and
- Regularly review and update policies to ensure they reflect the organization’s needs and goals.
When policies need to cover a wide range of global requirements, it’s easy for them to become a disjointed patchwork. You need to ensure that policies apply only to the services subject to them, and provide clarity on the requirements and who is responsible for meeting them.
As you adopt new frameworks, additional requirements should be added to the policy with a standardized and consistent approach. Consider adopting a standardized policy template that includes scope, purpose, definitions, and responsibilities.
Also, make sure you communicate the policies so all employees are aware of them and understand their responsibilities. Provide any necessary training and regularly monitor compliance with the policies to ensure that they are being followed.
Gain More Expert Guidance from 38North
Going global can be a complex and challenging process for businesses of all sizes. However, it can also be a rewarding and lucrative opportunity. Companies must be well-prepared and willing to invest the time and resources needed to succeed in the global cloud security market.
38North Security serves a worldwide client base. Our Senior Advisors have decades of experience solving cloud security, compliance, and business challenges at a global scale. As a global company, we’ve guided clients through a myriad of obstacles, helping them successfully navigate the complex world of international compliance.
Contact us today to book a conversation with one of our experts to see how 38North can help you achieve your business goals.