On Demand Assurance

Background

As technologies and our reliance on them develop, both regulators and customers want greater assurance that cloud services meet their expectations and desired outcomes for security, reliability, and resiliency. Today, these assurances are most often developed and driven from a policy- and compliance-centric perspective, and many of the standards on which compliance relies were created for, and during, a time when point-in-time assessments were the only viable method of measuring these outcomes. Further, the popularity of point-in-time assessments has encouraged the ongoing development and use of standards and checklists that are slow to adapt and often become cluttered with controls that are no longer relevant to protecting evolving systems.

As customers and regulators grow more sophisticated, they want more data and metrics and are asking deeper questions, beyond the traditional "yes/no" answers. Point-in-time assessments are simply not designed to address the most relevant questions regarding the security, reliability, and resiliency needed to face the threats to the industry today and into the future.

Path Forward

On-Demand Assurance (ODA) is an alternative to point-in-time assessments. ODA envisions a model grounded in transparency, open standards, and the continuous availability of meaningful data. That data is accessible to cloud regulators, customers, and assessors, who can ask for the most relevant and timely information on the capabilities and posture of their cloud implementations. These stakeholders will be able to tailor the data they receive to answer the security questions they deem most relevant to their business and operations.

On-Demand Assurance places the customer at the center of assurance mechanisms: security assurance activities are driven from the core designs of the service, rather than being a separate process that responds to a customer or regulator request after the fact.

A shift to On-Demand Assurance will require support from cloud service providers, cloud customers, regulators, and assessors alike. There is an opportunity for cloud service providers to share their strong security practices, for regulators to get more thorough information, for customers to receive more timely information than a standard point-in-time assessment provides, and for assessors to provide deeper levels of assurance.

Moving to On-Demand Assurance is a fundamental departure from the way point-in-time assurance mechanisms have worked. Industry, working with other relevant partners including government agencies, must create an updated framework that communicates how On-Demand Assurance can be used to provide greater transparency to regulators and consumers alike.

Next Steps

The Center for Cybersecurity Policy and Law, along with our industry partners, is undertaking this initiative to help bring the vision and benefits of the ODA model to all stakeholders. Through comprehensive research into the state of point-in-time assessments and cloud technology today, we will produce a report that provides the level of insight, stakeholder coordination, and details necessary to support ongoing efforts to create the necessary frameworks and standards, education, and promotion and awareness for global adoption.