Continuous Auditing Based Certification
Concerns about security, privacy and regulatory requirements hinder cloud adoption, especially for customers working with highly sensitive data. Third-party certification and attestation play a key part in a cloud assurance program, but they do not go far enough. Traditional point-in-time auditing does not fully allay these fears, amongst other things because of the lapse of time between audits and the lack of automation.
The EU-SEC project’s solution is to adopt a Continuous Auditing based Certification for cloud services.
What is it?
By using technology to monitor and flag noncompliant activity on an ongoing basis, continuous auditing enhances traditional certification. The idea is to run the audit as an ongoing process in order to overcome the limitations of any ‘point in time’ assessment and, consequently, to provide a more precise insight into the security and privacy posture of an organisation.
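To make the difference between the two audit models concrete, here is an added example (not EU-SEC project code) that evaluates a stream of control evidence both continuously and at fixed audit dates. The control names, the requirement predicates, the evidence records and the 180-day audit interval are all constructed for illustration; the point it shows is how long a failing control stays undetected under each model, and that a control which fails and is repaired between two audits is never seen by a point-in-time audit at all.

```python
"""Continuous vs point-in-time auditing over a stream of control evidence.
Added illustration, not EU-SEC project code; all controls, predicates,
evidence records and the audit interval are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Certification requirements as predicates over the observed value
# (constructed; a real scheme would map these to a control catalogue).
REQUIREMENTS = {
    "storage.encryption_at_rest": lambda v: v is True,
    "iam.mfa_enforced": lambda v: v is True,
    "logging.retention_days": lambda v: isinstance(v, int) and v >= 90,
}


@dataclass(frozen=True)
class Evidence:
    observed_at: datetime
    control: str
    value: object


@dataclass(frozen=True)
class Finding:
    control: str
    noncompliant_since: datetime  # when the failing state began
    detected_at: datetime         # when the audit noticed it

    @property
    def undetected_for(self) -> timedelta:
        return self.detected_at - self.noncompliant_since


def is_compliant(ev: Evidence) -> bool:
    """Evaluate one evidence record; unknown controls fail closed."""
    check = REQUIREMENTS.get(ev.control)
    return bool(check(ev.value)) if check else False


def _by_control(stream):
    """Group evidence per control, oldest observation first."""
    grouped = {}
    for ev in sorted(stream, key=lambda e: e.observed_at):
        grouped.setdefault(ev.control, []).append(ev)
    return grouped


def continuous_audit(stream):
    """Every record is evaluated as it arrives, so a control that starts
    failing is flagged at the first failing observation (zero latency)."""
    findings = []
    for control, history in _by_control(stream).items():
        failing = False
        for ev in history:
            ok = is_compliant(ev)
            if not ok and not failing:
                findings.append(Finding(control, ev.observed_at, ev.observed_at))
            failing = not ok
    return findings


def point_in_time_audit(stream, audit_dates):
    """Only the state visible on each audit date is examined. A failure that
    begins between audits is reported at the next audit; one that begins and
    is repaired between audits is never seen at all."""
    findings, reported = [], set()
    grouped = _by_control(stream)
    for audit_at in audit_dates:
        for control, history in grouped.items():
            seen = [ev for ev in history if ev.observed_at <= audit_at]
            if not seen or is_compliant(seen[-1]):
                continue
            since = seen[-1].observed_at  # walk back to start of failing run
            for ev in reversed(seen):
                if is_compliant(ev):
                    break
                since = ev.observed_at
            if (control, since) not in reported:
                reported.add((control, since))
                findings.append(Finding(control, since, audit_at))
    return findings


def D(s):
    return datetime.fromisoformat(s)


# Constructed evidence stream: MFA enforcement is switched off in February and
# restored in May; log retention drops below 90 days in April and stays there.
SAMPLE_STREAM = [
    Evidence(D("2024-01-01"), "storage.encryption_at_rest", True),
    Evidence(D("2024-01-01"), "iam.mfa_enforced", True),
    Evidence(D("2024-01-01"), "logging.retention_days", 365),
    Evidence(D("2024-02-15"), "iam.mfa_enforced", False),
    Evidence(D("2024-03-01"), "iam.mfa_enforced", False),
    Evidence(D("2024-04-10"), "logging.retention_days", 30),
    Evidence(D("2024-05-20"), "iam.mfa_enforced", True),
]
# Two point-in-time audits 180 days apart (assumed interval).
SAMPLE_AUDITS = [D("2024-01-01"), D("2024-01-01") + timedelta(days=180)]

if __name__ == "__main__":
    for name, found in (("continuous", continuous_audit(SAMPLE_STREAM)),
                        ("point-in-time", point_in_time_audit(SAMPLE_STREAM, SAMPLE_AUDITS))):
        print(name)
        for f in found:
            print(f"  {f.control}: since {f.noncompliant_since.date()}, detected "
                  f"{f.detected_at.date()}, undetected {f.undetected_for.days} days")
```

Run on the constructed stream, the continuous audit flags both failures the day they appear, while the point-in-time audit reports the retention failure only at the June audit (80 days late) and never sees the MFA lapse, because it had been fixed by the time the auditor looked.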
Why is it necessary?
- Point-in-time approaches to security certification do not provide the high assurance and transparency required by cloud stakeholders with high risk profiles
- Currently, security audits are usually performed at intervals of 6 or 12 months, leaving a window of risk where no audit is performed
- Cloud service customers have no up-to-date view of whether the requirements established by the certification goals are being fulfilled

- Continuous Location Validation of Cloud Service Components
- A Process Model to Support Continuous Certification of Cloud Services
- Towards Continuous Security Certification of SaaS Applications Using Web Application Testing Techniques
- Evaluating the Performance of Continuous Test-based Cloud Service Certification