The Shared Security Responsibility Model (SSRM) Documentation Review is a critical control that ensures organizations thoroughly review and validate the SSRM documentation for all the cloud services they use. This process helps identify any gaps or issues in the shared security responsibilities between the cloud service provider (CSP) and the cloud service customer (CSC). By engaging in this review, organizations can ensure a seamless integration of security controls and a clear understanding of their responsibilities.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which can be downloaded from the Cloud Security Alliance website. The CSA CCM is a comprehensive set of controls designed to help organizations assess the security risks associated with cloud computing and implement the necessary security measures to mitigate those risks.

Who should care?

• Information Security Managers responsible for ensuring the security of cloud services used by their organization
• Compliance Officers tasked with maintaining regulatory compliance in cloud environments
• Cloud Architects designing and implementing secure cloud solutions
• DevOps Engineers integrating security controls into cloud deployments

What is the risk?

Failing to review and validate SSRM documentation can lead to:

• Unclear security responsibilities between the CSP and CSC, resulting in security gaps
• Inadequate security controls, leaving the organization vulnerable to data breaches and cyber attacks
• Non-compliance with regulatory requirements, leading to potential fines and reputational damage

The STA-05 control helps mitigate these risks by ensuring a thorough review of the SSRM documentation, identifying any issues, and implementing the necessary security controls.

What's the care factor?

The care factor for STA-05 is high for organizations heavily reliant on cloud services to store and process sensitive data. A clear understanding of shared security responsibilities is essential to maintain the confidentiality, integrity, and availability of this data. However, for organizations with limited cloud usage or less sensitive data, the care factor may be lower, but still important to ensure a secure cloud environment.

When is it relevant?

The STA-05 control is relevant in the following situations:

• When an organization is considering adopting a new cloud service
• When there are updates to the SSRM documentation provided by the CSP
• During regular security assessments and audits of the organization's cloud environment

The control may be less relevant for organizations that have already conducted a thorough review of the SSRM documentation and have a well-established process for managing shared security responsibilities.

What are the trade-offs?

Implementing the STA-05 control requires time and effort from the organization's security team to review and validate the SSRM documentation. This may involve engaging with the CSP to clarify any issues or concerns, which can be time-consuming. Additionally, implementing the necessary security controls based on the SSRM review may require changes to existing processes and workflows, potentially impacting usability and user experience.

How to make it happen?

1. Obtain the latest version of the SSRM documentation from the CSP for each cloud service used by the organization.
2. Review the SSRM documentation to understand the shared security responsibilities between the CSP and CSC.
3. Identify any gaps or issues in the SSRM documentation and engage with the CSP to address these concerns.
4. Incorporate any necessary changes to the organization's security controls and implementation plans based on the SSRM review.
5. Share any CSC changes to the finalized SSRM documentation with the CSP as enhancement feedback.
6. Implement the finalized SSRM controls and test them to validate the proper operation of CSC security controls, including CSP integration where there are dependencies.
7. Conduct regular reviews of the SSRM documentation and update the organization's security controls as necessary.

What are some gotchas?

• Ensure that the organization has the necessary permissions and access to the latest SSRM documentation from the CSP. This may require establishing a non-disclosure agreement (NDA) with the CSP.
• Be aware of any specific security requirements or regulations applicable to the organization's industry, such as HIPAA for healthcare or PCI DSS for payment card processing, and ensure that the SSRM review addresses these requirements.
• When implementing security controls based on the SSRM review, ensure that the necessary permissions are configured correctly. For example, when using AWS, the ec2:StartInstances permission is required to start EC2 instances. Refer to the AWS documentation for more information on IAM permissions for EC2.

What are the alternatives?

While there are no direct alternatives to reviewing the SSRM documentation, organizations can consider the following complementary measures:

• Conducting regular security assessments and penetration testing of the cloud environment to identify any vulnerabilities or weaknesses.
• Implementing a robust incident response plan to promptly detect and respond to security incidents in the cloud.
• Leveraging automated security tools and services, such as AWS Security Hub or Azure Security Center, to continuously monitor the cloud environment for potential security threats.

Explore further

• CSA Cloud Controls Matrix (CCM) v4.0.10: Download
• AWS Shared Responsibility Model: Documentation
• Azure Shared Responsibility Model: Documentation
• Google Cloud Shared Responsibility Matrix: Documentation
• CIS Controls v8: Website
  • Control 18: Secure Software Configuration

‍