Versa Networks Application Confidence Score
Many organizations that use applications deployed in the cloud rely on applications hosted by public cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). Other organizations deploy the applications in their own private cloud environment.
For enterprises that access SaaS and IaaS applications over the internet, the applications are exposed to the public internet. This exposure creates a risk to the organization, because remote attackers can compromise the application or the cloud environment in which it is hosted, gain access to sensitive resources, and cause material damage and loss to the enterprise.
While organizations may gain significant advantages by adopting cloud applications, they face challenges in ensuring that the applications meet high security and compliance standards to minimize risk exposure. One of the security challenges for organizations is to assess the security and risk posture of the cloud applications and then to decide whether to allow or block access to the cloud applications.
Versa assesses cloud applications based on various factors and associates a confidence score for each of those applications. The confidence scoring incorporates weights for the various security controls to indicate the importance associated with each based on the organizational requirements. This article describes how Versa evaluates the security controls enforced for each cloud application and then assigns a confidence score based on the evaluation.
Versa Application Confidence Score
Security Controls for Cloud Applications
The Cloud Security Alliance (CSA), an organization that defines best practices to help ensure a secure cloud computing environment, has created benchmarks for the security controls implemented by cloud applications. The benchmarks require that cloud applications provide responses to the Consensus Assessments Initiative Questionnaire (CAIQ) and the Cloud Controls Matrix (CCM).
The Versa security research team starts with the security controls described in the CAIQ and CCM, and expands on them as deemed appropriate. The security controls are organized into the following categories:
- Audit and assurance
- Application and interface security
- Business continuity management and operational resilience
- Change control and configuration management
- Cryptography, encryption, and key management
- Data center security
- Data security and privacy lifecycle management
- Governance, risk, and compliance
- Human resources
- Identity and access management
- Interoperability and portability
- Infrastructure and virtualization security
- Logging and monitoring
- Security incident management, e-discovery, and cloud forensics
- Supply chain management, transparency, and accountability
- Threat and vulnerability management
- Universal endpoint management
Evaluating the Security Controls for Cloud Applications
The CSA defines over 200 security controls in a number of control categories. While assessing the security and risk posture of cloud applications, the Versa security team considers additional security controls. Applications may not implement all security controls. Additionally, measured against the implementation guidance and security best practices, an application's implementation of a given security control may be weak or strong. To simplify the evaluation process, Versa associates a score in the range of 0 through 100 with each security control. If the information about the security control is unknown or unavailable, a score of 0 is assigned. Otherwise, the Versa security research team analyzes the strength of the implementation of the security control and assigns a confidence score in the range of 1 through 100.
The Versa security research team gathers information regarding the security controls implemented by the supported cloud applications and, based on the data, assigns confidence scores for all the security controls. The Versa security research team regularly monitors the supported cloud applications for changes in the security controls and updates the confidence scores for them based on any new data.
Quantifying the Importance of Security Controls for Cloud Applications
When assessing the security and risk posture of cloud applications, several security controls must be considered. However, the importance of each security control varies, depending on the cloud application and the organization’s security and compliance requirements. For example, if an organization does not process any financial data, including credit card data, any security controls related to the payment card industry (PCI) do not apply to the organization’s security requirements. To quantify the relevance and importance of each security control towards the organization’s usage of a cloud application, Versa supports weighting, which is a value in the range of 0 through 100. A weighting value of 0 means the security control is not relevant or important, and a value of 100 means the security control is of the highest importance for the organization’s usage of the application.
Versa supports a predefined weighting for each security control of the supported cloud applications. This weighting is determined by researching and surveying the cloud applications and the typical enterprise usage of the applications. The Versa security research team regularly reviews and updates the predefined weighting for the security controls of the supported cloud applications.
An organization may need to override the predefined weighting provided by Versa. For this reason, you can customize the weighting for the security controls of the supported cloud applications in the Versa SSE software. A user-defined weighting takes precedence over the predefined weighting.
Computing the Versa Application Confidence Score
The Versa application confidence score is a weighted average of the confidence scores for all security controls for the application. The score is calculated as follows:

where:
- n is the number of security controls.
- W(k) is the predefined or user-defined weighting for the k-th security control.
- C(k) is the confidence score assigned to the k-th security control.
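The following Python example is added here to show how the scoring rules described in this article fit together; it is not Versa's code and does not use Versa's research data. It applies the three rules the article states: a control whose information is unknown or unavailable scores 0 (otherwise 1 through 100), a user-defined weighting overrides the predefined one, and the application score is the weighted average of the control scores. It assumes the weighted average is the standard one, sum(W(k) * C(k)) / sum(W(k)); the control names, scores, weights and the allow/block threshold are constructed placeholders, and the behaviour when every weight is 0 is also an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityControl:
    """One security control as evaluated for a single cloud application."""
    name: str
    category: str
    # Confidence assigned by research, 1..100; None means unknown/unavailable,
    # which the article says is scored as 0.
    confidence: Optional[int]
    # Predefined weighting, 0 (irrelevant) .. 100 (highest importance).
    predefined_weight: int


def effective_confidence(control: SecurityControl) -> int:
    """C(k): 0 when the control's information is unknown, else the 1..100 score."""
    if control.confidence is None:
        return 0
    if not 1 <= control.confidence <= 100:
        raise ValueError(f"{control.name}: confidence must be 1..100 when known")
    return control.confidence


def effective_weight(control: SecurityControl, user_weights: Dict[str, int]) -> int:
    """W(k): a user-defined weighting takes precedence over the predefined one."""
    weight = user_weights.get(control.name, control.predefined_weight)
    if not 0 <= weight <= 100:
        raise ValueError(f"{control.name}: weighting must be 0..100")
    return weight


def application_confidence_score(
    controls: List[SecurityControl], user_weights: Optional[Dict[str, int]] = None
) -> float:
    """Weighted average sum(W(k)*C(k)) / sum(W(k)) over all n controls.

    Assumption: if every weighting is 0 (no control is relevant), return 0.0
    rather than dividing by zero.
    """
    user_weights = user_weights or {}
    weighted_sum = 0
    total_weight = 0
    for control in controls:
        w = effective_weight(control, user_weights)
        weighted_sum += w * effective_confidence(control)
        total_weight += w
    if total_weight == 0:
        return 0.0
    return weighted_sum / total_weight


def access_decision(score: float, minimum_score: float) -> str:
    """Allow-or-block policy on the score; the threshold itself is a hypothetical
    organizational choice, not something the article prescribes."""
    return "allow" if score >= minimum_score else "block"


# Constructed sample evaluation of one hypothetical cloud application.
# Names are descriptive placeholders, not CCM control identifiers.
SAMPLE_CONTROLS = [
    SecurityControl("Multi-factor authentication", "Identity and access management", 90, 80),
    SecurityControl("Data encrypted at rest", "Cryptography, encryption, and key management", 70, 60),
    SecurityControl("Cardholder data isolation (PCI)", "Governance, risk, and compliance", 40, 50),
    SecurityControl("Audit log retention", "Logging and monitoring", None, 40),  # unknown -> 0
]

# An organization that processes no card data sets the PCI control's weighting
# to 0, as in the article's example; this overrides the predefined 50.
NO_CARD_DATA_WEIGHTS = {"Cardholder data isolation (PCI)": 0}


if __name__ == "__main__":
    default = application_confidence_score(SAMPLE_CONTROLS)
    custom = application_confidence_score(SAMPLE_CONTROLS, NO_CARD_DATA_WEIGHTS)
    print(f"predefined weighting: {default:.2f} -> {access_decision(default, 60)}")
    print(f"user-defined weighting: {custom:.2f} -> {access_decision(custom, 60)}")
```

With the predefined weighting the unknown logging control still counts against the application (weight 40, score 0), and the sample scores about 58.3; dropping the irrelevant PCI control to weight 0 raises it to about 63.3, which is why the ability to override the predefined weighting matters for an organization's own allow-or-block decision.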
