Cloud computing risks and the controls that weather the storm
Service providers can win customer trust with coveted certifications
Do you have a client who needs information on a trusted cloud provider? As companies expand their presence in the cloud, additional risk considerations beyond protecting the perimeter continue to emerge. Explore cloud computing deployment models and the role of SOC 2 and SOC 2+ reports in providing assurance over cloud controls.
The journey to the cloud—from perimeter to mobile and more
For many businesses, cloud computing represents the new normal. As companies expand their presence in the cloud, additional risk considerations beyond protecting the perimeter continue to emerge.
If the perimeter was intact, the crown jewels remained safe
- Perimeter-based security
- Crown jewels were protected by the organization’s strong perimeter
Users and crown jewels…became mobile
- Increasingly porous perimeters
- Security embraced remote and mobile users
- Focus shifted to compliance
- Private networks still dominated
Organizations are leveraging cloud technologies for additional capabilities
- More complex threat landscape
- User-based security
- Security by design
- Security as a business enabler
- Increased support for bring your own device (BYOD)
Cloud service providers and the growing need for assurance
For cloud service providers, security, controls, compliance, and transparency are rapidly becoming baseline expectations of users, especially enterprise customers.
Safeguarding trust with SOC 2 reports
Cloud service providers typically make a System and Organization Controls (SOC) 2 report available to their customers to build trust and provide assurance over the controls that intersect with the applicable Trust Services Criteria categories (security, availability, processing integrity, confidentiality, and privacy). These reports are often a cornerstone of conducting business and can provide a competitive advantage.
What is the Cloud Security Alliance (CSA)?
Over time, cloud service providers may incorporate additional cloud-specific frameworks, such as the CSA Cloud Controls Matrix (CCM), in their SOC 2 reports. The CSA is the world's leading organization dedicated to defining and raising awareness of leading practices to help ensure a secure cloud computing environment.
CSA’s objective is to:
- Promote “best practices for providing security assurance within Cloud Computing.”
- Inform consumers and providers on security issues.
- Play a role in addressing and implementing viable solutions for security challenges.
- Increase in size and relevance as interest in implementing cloud solutions proliferates.
What is the Cloud Controls Matrix (CCM)?
The CCM is the controls framework behind the CSA's global STAR Registry; being listed on that registry provides potential customers with transparency and creates a competitive advantage.
- The CSA CCM V4 provides a controls framework that gives a detailed understanding of security concepts and principles aligned with the CSA guidance in 17 domains.
- The CSA CCM framework is broken down by control groups, controls specification, and consensus assessment questions to assist in determining cloud-related controls.
- It can be obtained directly from the CloudSecurityAlliance.org website.
The industry's most powerful cloud security assurance program is the STAR Registry, a publicly accessible registry that documents the security and privacy controls provided by popular cloud services. There are two levels of assurance for companies that submit to the STAR Registry:
Level 1: At this level, organizations submit one or both of the security and General Data Protection Regulation (GDPR) self-assessments, using the CCM to assess and document their own cloud security controls; no independent auditor is involved.
Level 2: At this level, an independent third party attests to or certifies the organization's CCM controls, building on existing industry certifications and standards (such as a SOC 2 examination or an ISO/IEC 27001 certification) so that they become specific to the cloud, which gives companies greater flexibility to grow and innovate.
SOC 2+ is a way to demonstrate, in a single examination, that the more precise cloud-specific requirements of the CCM are fulfilled in addition to the Trust Services Criteria (TSC): the auditor tests the CCM controls alongside the TSC and reports on both.

How can we help?
Deloitte is a leading provider of SOC services, issuing 800+ SOC reports in the United States annually. Representative clients range from emerging companies embarking on their first SOC report to Fortune 100 companies with many SOC reports. We are also at the forefront of issuing SOC 2+ reports and have experience working with cloud frameworks, including CSA CCM. We have an extensive team of professionals specializing in internal controls, cloud, third-party assurance, cybersecurity, and information systems.