CCAK

  • 1.  How a cloud compliance program differs from a traditional compliance program

    CSA Instructor
    Posted Sep 02, 2021 04:37:00 AM
    This sounds like an interesting question to throw in the group.
    I have my opinions, but I'd rather hear yours first.

    How does a cloud compliance program differ from a traditional compliance program?
    Is it structurally different?
    Is it about different threat models and controls?
    Is it about higher volumes, automation, and attention to 3rd parties? 

    Curious.....

    ------------------------------
    Peter HJ van Eijk
    CCSK & CCAK trainer
    https://www.clubcloudcomputing.com/
    ------------------------------


  • 2.  RE: How a cloud compliance program differs from a traditional compliance program

    Posted Sep 10, 2021 10:55:00 AM
    Hmm... This is a good question, and something I too am curious about.
    I'd like to hear what some of the CCAK lead developers, who worked on the compliance chapters, have to say. @John Guckian or @David Frei, do you have any thoughts?

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------



  • 3.  RE: How a cloud compliance program differs from a traditional compliance program

    CSA Instructor
    Posted Sep 07, 2022 07:02:00 AM
    Sounds like it was silent for a while. What about a new attempt at answering this?
    I see two points to start with.
    1. A cloud compliance program must be vastly more scalable than a traditional program: many more cloud solutions, and a much higher frequency of change and review.
    2. As IT assets get deployed more automatically, attention should shift from manual to more automated controls (compliance as code).

    Your thoughts?

    ------------------------------
    Peter HJ van Eijk
    CCSK & CCAK trainer
    https://www.clubcloudcomputing.com/
    ------------------------------



  • 4.  RE: How a cloud compliance program differs from a traditional compliance program

    Posted Oct 26, 2022 09:17:00 AM
    How the Cloud and Cyber alter traditional GRC models are two of my favorite subjects. This is part of just about every presentation I give these days. I am in the midst of writing an article, which will most likely evolve into a paper.

    I agree in principle with everything in the thread. My current thinking is that the big 4 differences to traditional GRC for the Cloud are below. Would love to know your thoughts.

    1. Increased reliance on non-technical controls, especially third-party attestations.
    2. Response to control failure is heavily reliant on third parties (e.g., Incident Response).
    3. Traditional tools (e.g., Risk Register, RACI diagrams) must be modified to incorporate 3rd parties and recognize an increased use of compensating controls.
    4. Traditional enforcement mechanisms must be replaced with a greater reliance on Contracts and SLAs.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    ------------------------------