Cloud and mobile services have not only disrupted traditional business models but have also created challenges for securing data and meeting particular compliance requirements. Since their introduction into corporate IT environments, these services have shifted the traditional enterprise perimeter: devices and users now operate beyond the corporate firewall, making it difficult for IT to secure corporate data and comply with regulatory frameworks such as PCI DSS, SOX, and GDPR.
The Statement on Standards for Attestation Engagements (SSAE) 18, which came into effect in May 2017, addresses this fundamental shift in modern business operating models. The standard introduced a few key changes that organizations need to take into account for System and Organization Controls (SOC) engagements. Among them, SSAE 18 requires service organizations to implement a formal third-party vendor management program and a documented annual risk assessment process.
Organizations that actively use external cloud services and mobile devices must take these requirements into account, paying particular attention to the third-party vendor management program. SSAE 18 also governs SOC 2 engagements, whose reports evaluate controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. How, then, have cloud and mobile affected an organization's ability to comply with SSAE 18, and what measures need to be put in place to ensure compliance?
1 – The Perimeter has Shifted
Before cloud and mobile were part of everyday enterprise IT, organizations ran all their services on-site behind a firewall, and every device sat inside that perimeter under the direct control of IT. This deployment model allowed IT to enforce policies and dictate what actions users could perform on the network and on their devices. Cloud and mobile have fractured that operating model. Users now use their own devices to access sensitive business data, and that data is no longer stored exclusively on-site. As a result, the perimeter is no longer defined by the four walls of the data center and the firewall; it has moved to the user and the device.
2 – IT No Longer Controls Every Device
As mentioned, before the proliferation of mobile devices IT managed every device. Today, users access corporate data from their personal phones, tablets, and computers, often over insecure networks that IT neither controls nor monitors. This common practice puts sensitive business data at risk, and organizations need to actively implement measures to protect themselves and to comply with the requirements defined in SSAE 18.
3 – Data is Everywhere
When organizations operated their own infrastructure, all services ran on-premises and the data was managed under the direct control of IT. With cloud and mobile now part of the corporate IT landscape, this is no longer the case. Sensitive information is stored on users' mobile devices and on servers operated by independent cloud providers. The new requirements in SSAE 18 take this business risk into account: organizations must implement a formal third-party vendor management program covering those providers in order to comply.
4 – Complexity has Increased
The introduction of cloud and mobile has not only increased productivity but has also added complexity to managing IT resources. Hybrid infrastructures, where services run both on-premises and in the cloud, are challenging to maintain. Of particular concern is the rise of shadow IT: users can subscribe to cloud services without IT's knowledge or supervision, so data ends up with providers that have never been assessed. Enforcing the necessary access controls and managing user accounts consistently across multiple systems is a further challenge.
Consider Implementing Zero Trust
The Zero Trust Extended Ecosystem (ZTX) from Forrester Research is a useful framework for addressing the challenges faced by organizations operating in a cloud-first, mobile world. ZTX states that data should always be encrypted, whether in transit or at rest. It also identifies the devices, people, networks, and workloads that can access and modify that data, and treats all of them as untrusted by default, regardless of whether they sit inside or outside the old network perimeter.
Implementing Zero Trust requires authenticating every user, device, and workload before granting access, and enforcing strict, least-privilege access control on each request. ZTX also calls for continuous monitoring of the environment to identify and remediate security threats proactively, and recommends automation and orchestration to deal with the complexity that cloud and mobile environments introduce.
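The following is an added example, not code from the original article or from Forrester, of what a per-request Zero Trust access decision looks like in practice. It treats the user, the device, the transport, and the target workload as untrusted until each is verified, denies by default, never grants anything on the basis of the source network, and records every decision for monitoring. The request fields, the entitlement table, and the classification rules are assumptions chosen for illustration.

```python
"""Added example of a default-deny Zero Trust access policy (not from the page
or from Forrester's ZTX material). Each request is evaluated on its own merits:
identity, device, transport encryption, data classification and entitlement are
all checked, and the source network is logged but never used to grant access."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AccessRequest:
    """Attributes a policy enforcement point would gather for one request (assumed fields)."""
    user: Optional[str]            # authenticated identity, None if anonymous
    mfa_verified: bool             # second factor completed in this session
    device_id: Optional[str]       # None if the device could not be identified
    device_managed: bool           # enrolled in MDM and passing compliance checks
    device_encrypted: bool         # storage on the endpoint is encrypted at rest
    tls: bool                      # request arrived over an encrypted transport
    source_network: str            # "corporate", "home", "public" ... (logged only)
    workload: str                  # target service, e.g. "crm"
    data_classification: str       # "public", "internal" or "confidential"


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)   # empty when allowed


# Hypothetical least-privilege entitlements: user -> workloads they may reach.
ALLOWED_WORKLOADS: Dict[str, Set[str]] = {
    "alice": {"crm", "wiki"},
    "bob": {"wiki"},
}

# Every decision, allowed or denied, is appended here so it can be monitored.
AUDIT_LOG: List[dict] = []


def evaluate(req: AccessRequest) -> Decision:
    reasons: List[str] = []

    # People: no implicit identity; anonymous requests are denied outright.
    if not req.user:
        reasons.append("unauthenticated")

    # Devices: unknown or unmanaged devices are untrusted wherever they connect from.
    if not req.device_id or not req.device_managed:
        reasons.append("device not managed")

    # Data: encrypted in transit always; stronger requirements for confidential data.
    if not req.tls:
        reasons.append("transport not encrypted")
    if req.data_classification == "confidential":
        if not req.mfa_verified:
            reasons.append("mfa required for confidential data")
        if not req.device_encrypted:
            reasons.append("device storage not encrypted")

    # Workloads: explicit allow-list per user; anything not listed is denied.
    if req.user and req.workload not in ALLOWED_WORKLOADS.get(req.user, set()):
        reasons.append(f"{req.user} not entitled to {req.workload}")

    # Networks: deliberately not consulted for the decision. Being on the
    # corporate LAN earns nothing; it is recorded only for the audit trail.
    decision = Decision(allowed=not reasons, reasons=reasons)
    AUDIT_LOG.append({
        "user": req.user, "device": req.device_id, "network": req.source_network,
        "workload": req.workload, "allowed": decision.allowed, "reasons": list(reasons),
    })
    return decision


def demo() -> List[Decision]:
    """Constructed sample requests (not real traffic) that exercise the policy."""
    requests = [
        # Compliant user and device on a public network: allowed.
        AccessRequest("alice", True, "dev-1", True, True, True, "public", "crm", "confidential"),
        # Same user, unidentified device, but on the corporate network: still denied.
        AccessRequest("alice", True, None, False, False, True, "corporate", "wiki", "internal"),
        # Entitled user, managed device, but target workload not in the allow-list.
        AccessRequest("bob", True, "dev-2", True, True, True, "home", "crm", "internal"),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for entry, decision in zip(AUDIT_LOG, demo()):
        print("ALLOW" if decision.allowed else "DENY ", entry["user"], "->", entry["workload"], decision.reasons)
```

The point of the second sample request is the one the paragraph makes in prose: a request from the corporate network with an unidentified, unmanaged device is denied exactly as it would be from a coffee shop, because network location is never a trust signal. The audit log gives the continuous-monitoring pillar something to consume; in a real deployment it would be shipped to a SIEM rather than kept in a list.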
By implementing the recommendations of the Zero Trust Extended Ecosystem alongside a formal third-party vendor management program and an annual risk assessment process, organizations put themselves in a strong position to meet the requirements of SSAE 18.
Ensure You Take These Factors into Account for SSAE 18 Compliance
There is no disputing that cloud and mobile have disrupted traditional IT operating models. The ability to consume services both on-premises and in the cloud, from any device and any location, has increased productivity but has also created a challenge for traditional IT security. The hard perimeter that once protected every corporate IT asset has fractured and has effectively moved to the edge, with the user and the device now forming the first line of defense. The fact that IT no longer controls these devices, and that storing data with third-party cloud services has become the norm, adds a further layer of complexity to protecting confidential information. SSAE 18 addresses this shift by requiring organizations to implement a formal third-party vendor management program and an annual risk assessment process. When completing an SSAE 18 SOC engagement, organizations must take these changes into account and ensure they account for every device and every cloud service they use.