Article

Cloud security compliance is critical but complex. Cisco has a solution

Cisco’s Cloud Controls Framework streamlines a challenging array of security and privacy certifications.

Data privacy is so important today that many organizations — including Cisco and the U.N. — have declared it a fundamental human right. But meeting an accelerating number of industry and national security standards in the multi-cloud era is a complex challenge.  

That’s why Cisco created the Cloud Controls Framework (CCF). Originally an internal guideline for the company’s engineering, developer, and other teams to simplify and accelerate the essential but sometimes onerous task of meeting security certification requirements, Cisco is now making it available to all organizations.  

Prasant Vadlamudi is Cisco’s senior director for cloud compliance and a key creator of the Cloud Controls Framework. He shared his thoughts on the importance of data privacy and how CCF can help build and maintain a secure internet overall, while lending competitive advantage to those who adopt it.  

Thank you, Prasant! Perhaps we could begin with a few quick thoughts on the current climate for security, privacy, and compliance. What is driving increased attention in this space?  

Let’s first take a step back and look at how the industry in general has evolved. Two decades ago, most technology service providers would offer their services as on-premises devices. At Cisco, for example, we’d manufacture our products, write the code and deploy it on hardware that would get installed on the customer end. So, all of the confidential customers’ data was managed through that hardware, which was physically sitting on their premises.  

Cloud complicated all that, didn’t it? 

Yes, the concept of cloud subscription and cloud service providers have completely changed the way services are offered to customers. At Cisco, we are not only providing hardware expertise to customers, we’re also offering our services on the cloud. What this means is that customer’s data is stored, processed, and transmitted through a cloud. And across the board, globally, customers are increasingly asking service providers like Cisco to demonstrate our commitment towards security, privacy and availability. And we take that responsibility very seriously.  

How has certifying that data privacy become more complicated? 

Today, there are many different certifications to worry about. Not only in the various industries and sectors within the U.S., but around the world there are country-specific certifications and regulations. And with increased awareness, certifications and standards are not only a check-the-box requirement. Today, they are key sales drivers. Without them organizations are losing competitive advantage across countries and industries. Because from a consumer standpoint, these requirements are seen to truly protect their data.  

The Cloud Controls Framework began life as an internal Cisco tool. What is the strategy behind it? 

It comes down to having a strategic approach towards meeting the certifications in an efficient and scalable manner. There are so many different certifications, each with their own acronyms; it’s like an alphabet soup of certifications. These certifications require a lot of audit activities from engineering, developer, operations, and other teams. And that’s an arduous task inducing compliance strain on all of these teams. That is why at Cisco, we have created this in-house foundational framework called the Cloud Controls Framework, or CCF. 

How has the Cloud Controls Framework cut through all that mind-numbing complexity? 

We looked at all the various certifications and security regimes around the world. For Cisco, there are in excess of 3,000 different requirements. But when we started looking into these compliance and certification regimes in detail, we found a lot of commonality. At their core, they overlap across multiple certification domains. A few examples are identity and access management, encryption management, key management, change management, configuration, and security monitoring. These are examples where we needed to be audited on a periodic basis by separate third-party auditors. But the controls themselves span the same set of domains and families. So, we looked at this commonality across these various domains, and boiled them down into a set of about 200 security-controlled requirements. And that became a single certification framework, that we implemented across various engineering and product teams. We found we could achieve multiple certifications from this one set of implementations. 

Does the CCF help individual teams avoid getting bogged down in certifications that are not relevant to them? 

Yes, for example, part of the goal is to split the controls up and implement the right controls with the right teams. Engineering teams should be responsible for controls that they are responsible for and enterprise corporate teams should own their respective ones. This also helps each team to focus on their area of expertise. It creates a shared responsibility matrix, so each team does not feel they have to do everything. We don’t hire engineers to go through audits throughout the year. We hire engineers to build better products and better features. The shared responsibility matrix helps split controls, and in a way, free up some engineering time. 

What led Cisco to make this framework publicly available to other organizations? 

Building a trust story is also a competitive advantage today. If you do not demonstrate that you are doing the right thing in terms of security and privacy, you will hit roadblocks in the sales process. And much of that trust story comes from having the right set of certifications and the security artifacts that go along with those certifications. But teams have to do all that in parallel with improving security, developing better features, products, and functionalities – with limited resources and bandwidth.  

With the CCF working well inside Cisco, it was important for us to acknowledge that the industry is facing these same challenges. So, as a leader in the technology industry, we have publicly released the CCF so that everyone can use it and learn from it. We also want to contribute to broader security in the global risk-management community.  

Data privacy has been deemed a fundamental human right by Cisco, the U.N., and other organizations. How does the Cloud Controls Framework support Cisco’s core purpose of powering an inclusive future for everyone? 

In the past, compliance and certifications may have been seen as a necessary evil, if you will. But over time, many of the standardization bodies, which set up the certification requirements, have matured. So, it’s important for all organizations to understand the benefits of meeting these certifications, what they are asking for, and how to convert them into a set of controls and requirements. By achieving the certification, it will improve their own security baseline and contribute to building a more secure cloud.  

The awareness and demand from customers have also increased significantly. They no longer just trust that their data will be secured. They want it verified. So, it’s not just the right thing to do, it’s the smart thing to do. Our goal is to help organizations improve their security posture overall. So that compliance isn’t just an afterthought or a burden to engineering, but a standard in the development lifecycle. And that’s exactly what the CCF allows us to do.  

###

Related content: