IT Security Compliance for Cloud Service Providers


Access Management and Logging
kpmg.hu

Contents

Executive Summary
Introduction
Severe Consequences for Non-compliance
Market Survey on Compliance in the IT Service Provider Industry
Access Management and Logging in Compliance with ISO27001:2013
Access Management and Logging in Compliance with PCI-DSS v3.0
Access Management and Logging in Compliance with CSA-STAR
How the SSAE 16/ISAE 3402 Auditing Standards Relate to Access Management and Logging
Best Practices for Log Management
Best Practices for Privileged User Management
Summary
Appendix: Mapping of Standards

Executive Summary

Compliance with increasingly stringent regulations for organizations providing outsourced IT services, particularly in regard to data protection, is becoming more and more difficult. Reputation and client trust are fragile assets, and compliance with industry standards and legal regulations is essential to earn and maintain them. Cloud service providers (CSPs), therefore, consider compliance a magical term: on the one hand critical to their success, on the other hand imposing time-consuming burdens on the business.

A special area of compliance is IT security compliance, which is based on legal provisions and international standards. Geographic borders become blurred, however, in the provision of cloud services, making it impossible to regulate the sector solely on the basis of local regulations. This calls for international IT security standards such as PCI-DSS, ISO 27001, or SSAE 16/ISAE 3402 (formerly SAS 70). The largest CSPs, such as Amazon Web Services and Microsoft Azure amongst others, strengthen their customers' trust by meeting these standards.

The standards include a broad range of requirements, which call for a comprehensive approach to compliance. In each instance, CSPs need to understand and interpret the requirements from their own perspective, then enact a thorough implementation programme. This includes meeting certain requirements with specialized software. Privileged access management and centralized log management are areas in which software is typically used to meet compliance requirements; it can lead to significant cost reductions as well as an increased level of security.

The following summarizes the requirements of international IT standards specific to access monitoring and logging, as recommended for providers of outsourced IT services. We also introduce best practices which should be taken into consideration during related projects.

Introduction

Our ever-globalizing world makes it hard to track changes in information technology. Nowadays organizations often involve service providers to carry out certain IT functions. At the same time, it is only right to question whether a service provider can securely perform the contracted services. For service providers, it is equally important to convince their current and potential customers that the services provided comply with the relevant security standards. And how does one determine whether the organizations with which outsourcing companies are doing business (financial services firms, healthcare providers, utilities, educational and public sector institutions, to mention just a few) conduct their business securely from a data security perspective?

It would be inefficient for service providers and clients to define and monitor a set of IT security requirements for each and every contract. Referencing internationally recognized and accepted standards is a much more efficient solution, as both sides are familiar with them and, hopefully, interpret them similarly. Obtaining and maintaining a certification can be a one-time decision, a contractual obligation, or even a legal requirement. No matter the reason, implementing a complex IT security control system is necessary for compliance.

Severe Consequences for Non-compliance

Not only is obtaining certification significant, but the lack or loss of certification can be equally significant. At the very least, a company can be put at a competitive disadvantage, such as being disqualified from a request for proposal (RFP). Failure to comply with PCI-DSS, for example, may lead to severe financial penalties, up to a USD 500,000 fine. In addition, a significant penalty is incurred for each security incident, with the amount determined in part by the number of credit card numbers affected. A case between VISA and the footwear retailer Genesco, filed in relation to a PCI-DSS fine of USD 13 million after their security incident in 2010, is still being litigated. Failing an SSAE 16/ISAE 3402 audit relating to financial reporting at a service provider can lead to serious consequences and might affect the valuation of a company. The loss of ISO27001:2005 or CSA-STAR certification may be interpreted as a material breach of customer contracts, which could lead to liquidated damages.

It is not the purpose of this paper to describe each and every aspect of ISO27001:2013, PCI-DSS v3.0, the PCI Cloud Computing Guidelines, CSA-STAR, or standards not specific to IT security such as SSAE 16/ISAE 3402, but to go into depth about access management and log management. These two topics are, of course, related to other control elements not mentioned in this document (for example, governance/regulation and system development) and should be integrated into a comprehensive control system.

Market Survey on Compliance in the IT Service Provider Industry

BalaBit IT Security and KPMG in Hungary jointly conducted an international market survey entitled "Compliance in the IT Service Provider Sector". The research involved 120 IT directors of IT and cloud service providers and was conducted in February. The following gives a summary of the findings.

Findings

Figure 1 shows that approximately 60% of service providers spend more than 10% of their annual IT budget on investments related to IT security compliance. Moreover, almost one out of five (17% + 2%) spends more than 20% of their annual budget on compliance-related items, which is well above the industry average.

Figure 2 shows that more than two-thirds of those surveyed use compliance with standards primarily to ensure secure operations. This result is a positive development, as it indicates that most IT cloud service providers regard industry regulations as a framework for developing their companies' risk management practices. The vast majority of respondents use compliance for maintaining their reputation and acquiring more customers, which clearly shows that service providers see compliance as crucial to building trust.

[Figure 1: What percentage of the annual IT budget is spent on compliance investments? Categories: lower than 10% (43% of respondents), 10-20%, more than 20%]

[Figure 2: Motivation to meet compliance regulations. Categories: risk management (being more secure), 68%; regulatory compliance (maintain reputation); competitive (attract more customers); process improvement (increase productivity); cost efficiency (avoid penalty or other sanctions)]

Figure 3 shows that most IT service providers consider compliance with international standards (for example, ISO and PCI DSS) important. Naturally, the data protection regulations of the countries where a given service provider's data centres reside are also important. It is, however, important to note that legal regulations usually build upon the principles of some international standard.

It turns out that (privileged) user access control, as well as log management, are critical elements of service providers' compliance strategies, whereas basic technologies such as antivirus and firewall systems are much less important. For the majority of respondents (57%), monitoring internal and external access to cloud infrastructure is equally important. This can be explained by the fact that access monitoring systems provide strong evidence for service providers in disputes with their customers, and can settle differences of opinion quickly and cost-effectively.

[Figure 3: Most important regulations to comply with. Categories: ISO, local regulations, EU directives, PCI-DSS, SSAE 16/ISAE 3402 (former SAS 70), HIPAA, Safe Harbor (between EU and US), FISMA]

[Figure 4: Which control area comes to mind first when talking about compliance strategy? Categories: access control incl. privileged users' access; log management or SIEM; vulnerability assessment (55%); data encryption (45%); data retention (backups, archives); antivirus and firewall]

[Figure 5: Which privileged users' activity should be monitored as a first preference? Categories: my employees' activity (to show customers what we do in their IT system); customers' activity in my cloud; both are important (57%)]

It is clear from our research that most service providers employ generic user management as well as various levels of authorization and authentication systems. However, only 42% of respondents monitor and audit privileged users' activity. Without the right auditing tool, it is impossible to definitively determine who did what in a given network, which can lead to disputes over responsibility and costly investigations.

[Figure 6: Maturity level of Privileged User Management at companies. Categories: user management; authorization management; authentication management; provisioning, monitoring and audit]

Access Management and Logging in Compliance with ISO27001:2013

The ISO27001:2013 standard specifies the requirements of IT security management systems (ISMS for short). The standard sets out that implementations of such systems shall involve the detailed design of a process-focused security model, mandating continuous maintenance and supervision of the system as the essential requirement for an up-to-date, properly operating system. Such a security model, however, cannot be implemented without user and log management.

For cloud-based service providers, user and log management are of particular importance, as the same physical infrastructure can potentially serve multiple, or even competing, organizations. Service providers must provide an access control system that takes data protection issues, such as protection of personal information and trade secrets, into consideration, and implements procedural and technical controls. In addition, it is in the interest of both service providers and customers to have a system that logs all activity in a network with the necessary level of detail. In the event of an incident, should a service provider clearly prove it is innocent (meaning the incident was beyond its control or not due to negligence on its part), it can avoid responsibility for damages. Service providers need to log and analyze not only the activities of their employees, to prevent fraud and unauthorized access, but also the activities of their customers.

Access management provisions of ISO27001:2013 cover all architectural levels. These include A.9.2 (User access management) and A.9.4 (System and application access control). Development of control environments should always be based on risk analysis. In practice, it is worth establishing different control environments for users with privileged access or access to sensitive information, and for normal users. (This can be justified by cost-benefit analysis.)

Control environments need to particularly ensure the following points:
- only individuals with a job role specifically requiring access shall be granted privileged access;
- system and data shall only be accessible upon successful mandatory authentication;
- each and every action performed in the system shall be traceable to a specific person;
- activities performed in the system shall be able to be logged and traced;
- access shall only be granted upon authorization.

Section A.12.4 (Logging and monitoring) of the standard requires the detection of unauthorized information-processing actions. Audit logging shall ensure the following points:
- log messages are created and populated with all the necessary data;
- log messages are securely transmitted between log message sources and the central log collection facility;
- log files are kept for the expected duration in searchable form, and are deleted or archived afterwards;
- collected log messages are protected against accidental and intentional manipulation;
- only those individuals whose role specifically requires such access can access logs, since logs contain sensitive information;
- logs can be searched and analyzed (real-time and/or post-collection).

Should the above requirements appear trivial, it is important to stress that meeting all of them in heterogeneous IT environments is far from easy. Moreover, logging must be implemented not only at the hardware and operating system level, but at higher levels too, including the database and application levels. ISO27001:2013 dedicates a separate chapter to managing external service providers. Cloud service providers should be prepared for ISO27001:2013-certified customers to require them to demonstrate compliance with the security requirements.

Access Management and Logging in Compliance with PCI-DSS v3.0

Conforming to the Payment Card Industry Data Security Standard (PCI-DSS) 3.0 is mandatory for all organizations processing or handling bank and credit card data. Naturally, the standard includes access management and activity logging, as these are essential in meeting its goals, namely the protection of cardholder data and keeping potential damages to a minimum. To keep up with the times, the PCI Security Standards Council compiled its provisions regarding cloud-based services in its Cloud Computing Guidelines, which highlight access management and logging as separate areas, since the fundamental goal, the protection of cardholder data, cannot be ignored in the course of cloud-based services.

It is vital to emphasize that services provided by CSPs must meet PCI-DSS requirements where applicable. The standard clearly emphasizes that compliance must be ensured collectively by CSPs and their customers. Regardless of the cloud service model employed (for example IaaS, PaaS, SaaS), the responsibility of the service provider to develop and operate proper controls is unavoidable. The PCI Security Standards Council has demonstrated its support for implementing new technologies not only in the Cloud Computing Guidelines, but also in the latest version of PCI-DSS, which emphasizes requirements for certain new technologies.

Chapter 7 ("Restrict access to cardholder data by business need-to-know") and Chapter 8 ("Identify and authenticate access to system components") define specific requirements with regard to access protection. For systems that fall within the scope of the standard, properly planned and technically supported controls must be developed and maintained. This includes the following points:
- access to relevant systems and card data shall only be granted to individuals expressly authorized for such access, and access shall only be provided to the extent necessary (7.1*, 7.2*);
- managers/principals shall document approval of access requests (7.1*);
- access management shall be facilitated using automated processes (7.2*);
- unique user identifiers shall be used to support unambiguous identification, and the use of proper authentication methods shall be enforced (8.1*, 8.2*);
- user accounts provided for external parties shall be managed, monitored and controlled (8.1*);
- shared and generic user accounts shall not be used (8.5*).

Naturally, the standard complements access management, as a preventive control, with logging as a detective control (see Chapter 10, "Track and monitor all access to network resources and cardholder data"). The standard stipulates the following points:
- logging shall be enabled for all systems so as to cover the activities/events of all users (10.1*);
- logging shall include information about (10.2*):
  - all events of access to any card data;
  - all activities performed by privileged users;
  - access to logs;
  - unsuccessful login attempts;
  - changes in authentication and authorization;
  - starting, stopping, suspending and resuming logging;
  - creation and deletion of system objects.

Not only the events to record are discussed in detail in the standard, but also the minimal set of information such log messages shall contain (10.3*). The standard includes log protection measures as well:
- access to logs shall be restricted to protect the sensitive information contained therein (10.5*);
- logs shall be protected against accidental changes and intentional manipulation (10.5*);
- as a means of manipulation protection, log messages shall be submitted to a central server (10.5*);
- log integrity shall be monitored (10.5*);
- immediate (real-time) access to logs from the prior 3 months shall be ensured (10.7*);
- all logs shall be kept for at least 1 year (10.7*).

Log collection is not something done for its own sake; the purpose of collecting logs is to help discover whether data has been compromised and to minimize the impact of such incidents. Attaining these goals is not possible without continuous log analysis (10.6*). Of course, it is necessary to document policies relating to log management and to ensure affected parties are familiar with them (10.8*).
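An added example, not the paper's or any vendor's code, of the 10.5 and 10.7 points above: a hash-chained central log in which every entry commits to its predecessor, so a later edit or deletion is detected by integrity monitoring, together with a retention classifier that uses assumed windows of 90 days online and 365 days kept. The events are constructed.

```python
"""Tamper-evident central log store with PCI-DSS style retention tiers.
Added example for the 10.5/10.7 points in the text; not code from the paper
or from any log management product. Windows and sample events are assumptions."""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import List

ONLINE_DAYS = 90     # "immediate (real-time) access to logs from the prior 3 months"
RETAIN_DAYS = 365    # "all logs shall be kept for at least 1 year"
GENESIS = "0" * 64   # previous-hash value of the very first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of the canonical JSON record, bound to the previous entry's hash."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class ChainedLog:
    """Append-only list where each entry commits to its predecessor, so an edit,
    deletion or reordering anywhere breaks verification from that point on."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": h})
        return h

    def verify(self) -> int:
        """Index of the first entry failing the chain check, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def retention_plan(self, now: datetime) -> dict:
        """Group entry indexes by what the 10.7 windows require of them at `now`."""
        plan = {"online": [], "archive": [], "purge_eligible": []}
        for i, e in enumerate(self.entries):
            age = now - datetime.fromisoformat(e["record"]["time"])
            if age <= timedelta(days=ONLINE_DAYS):
                plan["online"].append(i)
            elif age <= timedelta(days=RETAIN_DAYS):
                plan["archive"].append(i)
            else:
                plan["purge_eligible"].append(i)
        return plan


def build_sample_log(now: datetime) -> ChainedLog:
    """Constructed 10.2-style events spanning the retention windows (not real data)."""
    log = ChainedLog()
    for days_ago, user, action in [(400, "root", "logging stopped: auditd"),
                                   (200, "dba01", "SELECT on cardholder_db"),
                                   (10, "ops02", "login failed (3rd attempt)"),
                                   (0, "ops02", "log access: /var/log/secure")]:
        t = (now - timedelta(days=days_ago)).isoformat()
        log.append({"time": t, "user": user, "action": action})
    return log


def demo() -> tuple:
    """Build the log, verify it, classify it, then detect an in-place edit."""
    now = datetime(2014, 6, 1, tzinfo=timezone.utc)
    log = build_sample_log(now)
    intact = log.verify()            # -1: chain verifies
    plan = log.retention_plan(now)
    # Simulate someone rewriting the second entry directly in storage
    log.entries[1]["record"]["user"] = "nobody"
    broken_at = log.verify()         # 1: the edited entry no longer matches
    return intact, plan, broken_at


if __name__ == "__main__":
    print(demo())
```

In a real deployment the chain head (or a periodic signature over it) would be kept outside the log host, since an attacker who can rewrite entries could also recompute the chain.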

Access Management and Logging in Compliance with CSA-STAR

Cloud-based services have become integral to modern business life. The mission of the Cloud Security Alliance (CSA), founded in 2008, is to promote the use of best practices for providing security assurance within cloud computing. The organization's efforts were quickly recognized by the community, and complying with the Cloud Security Alliance Security Trust & Assurance Registry (CSA-STAR) has become a goal for CSPs. Unlike other certifications, CSA-STAR relies on self-assessment and transparency, but this has not diminished its recognition or acceptance. STAR Certification/Attestation is a higher-level certification based on a third-party assessment of compliance. The STAR Continuous level is based on continuous monitoring and auditing.

Version 3.0 of the standard's Cloud Control Matrix (CCM) touches upon the question of access management and logging. With respect to access management, the standard's requirements include the following points:
- enforcement of the principle of least privilege, as well as that of segregation of duties, shall also be ensured with the support of technical/technology measures (IAM-02*, IAM-05*, IAM-08*);
- access privileges shall rely on managerial/principal authorization and shall be reviewed regularly (IAM-09*, IAM-10*);
- measures to restrict access to software source code and other intellectual property shall include the use of suitable technology (IAM-06*);
- access of external parties shall be managed in accordance with risk level, and compensating controls shall be employed when necessary (IAM-07*);
- user rights shall be revoked or modified in a timely manner (IAM-11*);
- user identification shall rely on suitable technologies (IAM-12*);
- access to special system components and system configuration ports shall be restricted (IAM-03*, IAM-13*).

In regard to logging, the CCM requires the development of a logging lifecycle that properly considers legal and other compliance requirements, so that in the event of suspicious activities and security incidents personal accountability can be ensured (IVS-01*). Logs shall be kept for the time set out in the standard (BCR-12*). The great diversity of cloud services makes the Consensus Assessments Initiative Questionnaire (CAIQ), to be completed as part of registering for CSA-STAR, very useful, since it serves as documentation of the controls in the applicant's organization.

How the SSAE 16/ISAE 3402 Auditing Standards Relate to Access Management and Logging

SSAE 16 and ISAE 3402 are not IT security standards, but qualification criteria to be used by independent auditors reporting on the control environments of service organizations. The purpose of the audit reports is to document the proper design and operational effectiveness of the controls employed. These standards entrust the development and operation of a suitable control environment to the relevant organizations rather than setting specific IT security requirements, as that is not the standards' intended goal. The regulations of the Public Company Accounting Oversight Board (PCAOB), on the other hand, define the set of controls a properly designed and implemented control environment shall include. Managers cannot ignore or skip a preliminary risk assessment when developing the control environment.

Experience shows that efficient rights management, as a preventive measure, and the recording and review of activity on systems, as a detective control, are part of a well-developed internal control environment, though the effect of the latter is less emphatic. Controls for access management must always support the following points:
- managing access of privileged users;
- well-documented managerial approvals granting access rights;
- associating access events with individuals (natural persons).

Organizations cannot ignore the protection of log messages over their entire life-cycle, thus ensuring that:
- logging is enabled at a sufficient logging level;
- logs are protected against inadvertent and intentional manipulation during transmission and storage;
- storage, archival and deletion of logs comply with internal regulations, standards and the prevailing law;
- only individuals with specific permission can access log messages during transmission and storage;
- logs are analyzed regularly.

The specific controls implemented may vary from organization to organization, though implementing these fundamental principles is necessary to develop adequate control environments.

Best Practices for Log Management

The following sections summarize aspects worth considering when implementing cost-effective log management systems.

Setting Goals and Identifying Stakeholders

Determining the scope of your log management needs is the most important step in getting the most out of the time and money invested in the project. It is crucial to set realistic goals about what types of logs can and should be collected, and what the desired result of gathering the data should be. The ROI of log management solutions can be increased by involving other departments, provided they can also obtain useful information using log management technology.

Identifying Log Sources

When determining the scope of log management, the sources of the data to collect should also be identified. It is necessary to investigate which tools/software include logging functionality. Logging is, unfortunately, turned off by default in many tools and software solutions, or may not fit the goals specified. Identifying logs irrelevant to the project's stated goals helps to avoid collecting and analyzing unnecessary data and, consequently, wasting resources.

Identifying Limits and Bottlenecks

A robust log management solution requires an infrastructure to handle the data being collected and transferred. During the planning process, it is useful to identify constraints such as network bandwidth and reliability, storage capacity, financial resources or even human resources. Not knowing these limits makes it impossible to reach a log management project's goals.

Assessing and Normalizing Log Formats

One of the greatest challenges in log management is to distinguish useful information from noise, i.e., to extract useful information from a huge amount of usually unstructured data available in various formats. Standard formats facilitate log collection and normalization. A few relevant formats are worth emphasizing:
- Syslog is the most widely adopted standard format for logs. There are two versions of the syslog protocol, RFC3164 and the later RFC5424. The latter supersedes the former with improvements.
- Simple Network Management Protocol (SNMP) is another commonly used format which is generally, but not exclusively, used by network devices to report on their status.
- Windows uses its own Event Log format. Applications running on Windows can also use this format.
- Many applications store log messages in database tables, with more or less structured data formats.
- A few new, primarily Java-specific logging technologies have also emerged recently (such as log4j).

Useful information contained in log messages can only be collected efficiently by converting messages into a common format. It is worth beginning normalization at the assessment phase of log management implementation projects.

Assessing Importance and Sensitivity of Log Messages

Upon determining the log messages to collect, it is important to determine the importance and sensitivity of each kind of log. Higher-priority log messages need to be processed faster, and often require immediate attention. Some log messages may contain sensitive or personal information like credit card numbers, social security numbers, or patient health information. Masking or redacting such information may become necessary in certain cases.

Accessing and Analyzing Logs

One of the biggest benefits of centralized log management is the ease of access management. Standards and legal regulations require that access to logs be restricted to authorized personnel. People should only be able to access logs when their job function specifically requires such access. To achieve the stated goals of the log management project, it is often necessary to derive information from an ocean of log data. Collection and archiving of logs without analysis offers only minimal added value and, moreover, numerous regulations require regular reviews of log data. ROI can be increased by analyzing data according to the needs not only of a narrow domain or department, but also of other departments.
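An added example, not code from the paper, BalaBit or KPMG, of the normalization and masking steps described above: it parses both RFC3164 and RFC5424 syslog lines into one record layout and masks Luhn-valid card numbers in the message text before the record is stored. The sample lines, the collector year assumed for RFC3164 timestamps and the masking rule are assumptions.

```python
"""Normalize RFC3164 and RFC5424 syslog lines into one record layout and mask
card numbers in the message text. Added example for the paper's sections on
log formats and sensitive data; not BalaBit or KPMG code. Sample lines are
constructed, and the RFC3164 year (the format carries none) is an assumption."""
import re
from datetime import datetime, timezone
from typing import List, Optional

# RFC3164: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG  (no year, no time zone)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
# RFC5424: <PRI>1 TIMESTAMP HOST APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$")

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# 13-19 digits, optionally separated by single spaces or hyphens
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check so that plain reference numbers and timestamps stay unmasked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace Luhn-valid card numbers, keeping only the last four digits."""
    def repl(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD.sub(repl, text)


def split_pri(pri: str):
    """PRI = facility * 8 + severity."""
    p = int(pri)
    return p // 8, SEVERITY[p % 8]


def normalize(line: str, year: int = 2014) -> Optional[dict]:
    """Return a common record for either syslog format, or None if unparsable."""
    m = RFC5424.match(line)
    if m:
        facility, severity = split_pri(m["pri"])
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        return {"format": "rfc5424",
                "time": ts.astimezone(timezone.utc).isoformat(),
                "host": m["host"], "app": m["app"],
                "pid": None if m["pid"] == "-" else m["pid"],
                "facility": facility, "severity": severity,
                "msg": mask_pans(m["msg"])}
    m = RFC3164.match(line)
    if m:
        facility, severity = split_pri(m["pri"])
        # RFC3164 timestamps lack year and zone: assume the collector's year, UTC
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"format": "rfc3164",
                "time": ts.replace(tzinfo=timezone.utc).isoformat(),
                "host": m["host"], "app": m["tag"], "pid": m["pid"],
                "facility": facility, "severity": severity,
                "msg": mask_pans(m["msg"])}
    return None


def normalize_all(lines: List[str]) -> List[dict]:
    """Normalize a batch, dropping lines in neither format (count them in practice)."""
    return [r for r in (normalize(l) for l in lines) if r is not None]


# Constructed sample input: one RFC3164 auth line, one RFC5424 payment-app
# line carrying a well-known test card number, and one line in neither format.
SAMPLE_LINES = [
    "<38>Feb 10 09:14:55 pos-gw1 sshd[2210]: Accepted publickey for admin from 10.1.2.3 port 52211",
    "<86>1 2014-02-10T09:15:01Z pay-app01 payapp 4321 TXN - refund for card "
    "4111 1111 1111 1111 ref 20140210091501",
    "not a syslog line",
]

if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_LINES):
        print(rec)
```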

Developing Retention Policies

The retention periods of log messages are influenced by several factors. Log messages specific to security are recommended to be stored for a longer period than those relevant to operations. Many legal regulations and standards set specific log retention requirements. Interpreting these requirements will specify how long a given type of data needs to be stored. Without proper planning, log storage can become an issue.

Logging Governance

Just as with other areas of an organization, logging needs to be regulated to ensure that functions and responsibilities are clear. Changes in regulations and standards, new systems and functions, as well as potential log sources, all require continuous review and updates to logging policies.

Best Practices for Privileged User Management

This section summarizes concepts recommended for consideration in the course of privileged user management. These concepts can be applied to all users if required from a risk management perspective.

Controlling Access

Access management needs to be developed based on formal policies and processes. When developing access control/management systems, legal regulations and standards should be taken into consideration, and it is often worth treating users with privileged access separately.

Granting Minimum Privileges Necessary

Each user, including privileged users, should only be granted the rights absolutely necessary to perform their duties. Even system administrators should only have access to those systems they absolutely need for business and operational reasons.

God Mode Only in Emergencies

Built-in administrator accounts of the various systems (like root, Administrator and System accounts) are not generally required for daily operation. Access to these accounts should be restricted, and use of these accounts should be strictly controlled.

Using Named Users

Use named user accounts properly for personal accountability. There needs to be careful assessment of accounts other than named users: when and why these accounts are in use, and how such options can be eliminated. Should technical reasons justify the use of shared user accounts, it is then important to investigate what solutions can help mitigate the associated risks.

Implementing a Central User Monitoring Solution

Log management systems are not always capable of recording events and activities performed by privileged users. This gap is filled by Privileged Activity Monitoring (PAM) solutions, providing detailed and traceable records of actions performed by privileged users. More advanced solutions operate transparently; therefore implementation of these systems does not interfere with daily business and operation.

Requiring Strong Authentication for Privileged Users

Employing sufficiently strong and secure identification for privileged user access is of key importance, since the user may have a significant impact on the operation of the system. Some PAM systems support authentication methods giving stronger security by default. Other systems, however, do not support this, and supplementary solutions become necessary.

Developing Real-time Protection Mechanisms

It is practical to determine whether privileged users have access to functions and/or data which are accessed only occasionally, yet pose a risk for the organization. If such a situation is discovered, protection measures should be taken. User activity monitoring systems which feature real-time alerts or can prevent execution of unwanted commands/actions provide much higher added value than retrospectively analyzing logs.

Summary

IT service providers, including cloud service providers, need to comply with numerous data protection regulations and standards in their daily operations. ISO27001:2013, PCI-DSS (Cloud Computing Guidelines), the Cloud Security Alliance Security Trust & Assurance Registry and SSAE 16/ISAE 3402 contain similar log and access management requirements. These include maintaining continuous security of customer data, the development of an effective and controlled user management system, increased monitoring of privileged users, and logging of activities performed in those systems. This requires tools and software to support these goals in complex and extensive IT systems. Proper support tools go further than just ensuring requirements are met: they provide evidence of compliance during audits, enhancing the security of service providers as well as increasing customer trust.

Appendix: Mapping of Standards

Requirement | Relevant sections of ISO27001:2013 | Relevant sections of PCI-DSS v3.0 | Relevant sections of CCM v3.0
Privileged user management | A | | IAM-02; IAM-05
Comply with authentication requirements | A.9.2.4; A | 8.2 | IAM-12
Regular access audit | A | | IAM-08; IAM-10
Restricting access | A | 7.2 | IAM-03; IAM-13
Restricting access to software source code | A | | IAM-06
Log access protection | A | | IVS-01
Protection of log files against manipulation and deletion | A | | IVS-01
Centralized log collection | A | | IVS-01
Log retention | A | | IVS-01; BCR-12


Contact

György Sallai, Director
E.: gyorgy.sallai@kpmg.hu

Sándor Biczók, Manager
E.: sandor.biczok@kpmg.hu

kpmg.hu

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International. KPMG Tanácsadó Kft. is a Hungarian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative.


More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information

HOW SECURE IS YOUR PAYMENT CARD DATA?

HOW SECURE IS YOUR PAYMENT CARD DATA? HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,

More information

The silver lining: Getting value and mitigating risk in cloud computing

The silver lining: Getting value and mitigating risk in cloud computing The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations

More information