Self-Certification for IT Compliance in a Cloud Environment

By Rick Dakin, CEO and Chief Security Strategist, Coalfire

Bookmark and Share

For many years organizations have adopted in-house risk management and self-certification programs for IT compliance.  While cost-effective, it may no longer be adequate as enterprise applications and data migrate to a cloud environment.

Two recent examples of where self-certification is no longer acceptable are:

  1. GSA requirements for independent third-party assessment for participation in the FedRAMP cloud migration program, and
  2. European Commission (advisory body, Working Party) determination that self-certified Safe Harbor introduces too much risk in a cloud environment.

Neither of these programs directly impact the majority of Coalfire clients, but the trends established in these adjacent industries and regulatory regimes will ultimately impact banking, healthcare, card processing and state privacy programs throughout the U.S.  Essentially, each of these two programs have identified the known deficiencies for self-certification:

  • Independence –  stakeholders in every program want to rely on the information provided by any organization.  Increasingly, this level of trust can only be established through rigorous third-party testing and validation of industry-accepted controls.
  • Current Skills –  migration to mobile and cloud technologies introduces new risks and concerns by the users of those systems.  Unfortunately, the controls used to protect data on static workstations in no longer adequate to protect mobile data or services delivered from shared environments in the cloud.  New security and audit skills are required to deliver the assurance that both data owners and users require.
  • Industry Certification or Acceptance -  the implementation of industry-accepted standards has been under way for several years.  However, the trust that key stakeholders require establishes a need for higher levels of transparency.  In many cases, an independent attestation is required to meet regulatory or industry acceptance.

A recent ruling from an independent European advisory body on EU Safe Harbor (WP 196) came to the following conclusion:

"…[I]n the view of the Working Party, sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment," the document stated. "The Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that he has a Safe Harbor certification. On the contrary, the company exporting data should obtain evidence that the Safe Harbor self-certifications exists and request evidence demonstrating that their principles are complied with."

Click here to access the full report.

The General Services Administration (GSA) was even more clear.  As the federal government  comes to grips with a pressing budget shortfall, the need to adopt more economical IT models is forcing a “Cloud First” initiative.  However, the sensitivity of much of the data has caused the GSA to require that all systems migrated to the cloud must first be tested and validated to NIST security standards prior to deployment in the FedRAMP cloud migration program.  

We as citizens expect our government agencies, and those that are entrusted with our personal and private data, to protect that data in a transparent and accountable manner.  Accordingly, the Third-Party Assessor Organizations (3PAO) that perform the independent assessments must not only test and validate applications upon initial deployment, they must deploy a continuous monitoring program to ensure that compliance to rigorous security standards is maintained.  

All of us can learn from these new developments.  Migration to the cloud is inevitable.  We have to lower IT costs and become more nimble in serving a wider range of clients and citizens.  However, the pressure to protect sensitive data in a shared hosting and network delivery model to increasingly mobile users requires a higher level of IT and security governance.  To fully address the need for independence, new cloud skills and greater transparency, every organization should carefully consider the level of third-party validation integrated into every mission-critical program.