Assuring the Cloud. Hans Bootsma Deloitte Risk Services +31 (0)

Transcription

1 Assuring the Cloud Hans Bootsma Deloitte Risk Services +31 (0)

2 Need for Assurance in Cloud Computing Demand Fast go to market Support innovation Lower costs Access everywhere Increase efficiency Business driven Organization Challenges Rules and regulations Internal policies Integration Espionage Data leakage Data classification Concerns Compliance Sox / internal control Export Controls Privacy Continuity of the provider Reputation Where is my data? Security Confidentiality Availability Integrity Lock-In Assurance

3 Why is there a need for Assurance in Cloud Computing? GoGrid: We are not responsible for use or misuse of data by any third party, including, without limitation, providers of Third Party Products & Services AWS: We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet Rackspace: We do not promise that the Services will be uninterrupted, error free, or completely secure. You acknowledge that there are risks inherent in Internet connectivity that could result in the loss of your privacy, confidential information, and property Contract and SLA s not transparent and agreements hard to verify Existing standards provide some assurance but is this enough? ISO 2700x: no assurance for operating effectiveness ISAE3402/SAS70: not suitable for Cloud Computing, main focus on Internal Control over Financial Reporting Other standards have limited acceptance (e.g. Trust Services)

4 Developments in the area of Cloud assurance Cloud Security Alliance (CSA) becomes increasingly important. Key themes: Increase trust in Cloud providers is priority #1 Transparency and controls lead to trust Call for clear SLA s Create transparency in service levels (e.g. availability) Operating effectiveness of controls needs to be validated by third parties Move to continuous monitoring Location of data increasingly important, not only for EU American Institute of CPA s (AICPA) launched new standard: Service Organization Controls 2 Comparable to ISAE3402 but specifically aimed at Security Currently reports issued in the US (e.g. Microsoft)

5 Cloud Assurance: SOC 1, 2 & 3

6 SOC2 based on Trust Services principles Security: The system is protected against unauthorized access (both physical and logical). Availability: The system is available for operation and use as committed or agreed. Processing integrity: System processing is complete, accurate, timely, and authorized. Confidentiality: Information designated as confidential is protected as committed or agreed. Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity s privacy notice and with criteria set forth in Generally Accepted Privacy Principles GAPP issued by the AICPA and Canadian Institute of Chartered Accountants.

7 Infrastructure as a Service Platform as a Service Software as a Service How to apply SOC2 in Cloud Computing Security Security Physical Physical Logical (internal and external) Logical (incl. platform) Resource Resource provisioning/deprovisioning provisioning/deprovisioning Infra change management Infra/platform change Incident management management Availability Incident management Resource planning Availability Resiliency Resource planning BCP and Backup Resiliency Processing integrity BCP and Backup Environment configuration Processing integrity Data integrity Environment configuration SLA monitoring and usage Platform functionality reporting Confidentiality Data integrity SLA monitoring and usage Tenant due diligence reporting Deprovisioning of resources Confidentiality Privacy not applicable Tenant due diligence Comingling of data Data destruction Commitments Privacy Generally accepted privacy principles Security Physical Logical (incl. platform) Infra/application change management Incident management Availability Resource planning Resiliency BCP and Backup Processing integrity Application functionality and operation Data integrity SLA monitoring and usage reporting Confidentiality Tenant due diligence Comingling of data Data destruction Commitments Privacy Generally accepted privacy principles

8 New assurance: Continuous monitoring, more frequent reporting Normally, assurance reports cover a longer period of time. Report is issued once a year. Potentially telling an organisation that security measures have not been operating effectively over the last months. Increased demand for More frequent assurance reporting Increased demand for continuous insight in effectiveness of controls Identity management Data separation Availability... Concerns about the location of data is according to Gartner one of the main inhibitors for large scale adoption of cloud computing. In addition: Patriot Act and impact on datacenters in Europe Rules & regulations: US Export Regulation (ITAR, EAR, OFAC), Privacy National Banks (a.o. Dutch National Banks): circulaire on Cloud risk assessments Cyber security Espionage Lock-in and unstable economical environments Trust but verify US Companies have similar concerns. Today s allies can be tomorrow s enemy.

9 New assurance: data location Reactie van Minister van Justitie op Kamervragen over de impact van de Patriot Act op data opgeslagen bij Amerikaanse providers: Aan uw Kamer is toegezegd dat gegevens van de overheid binnen de grenzen van Nederland moeten worden opgeslagen, en dat de Rijksdienst van een gesloten Rijkscloud gebruik zal maken. Om te voorkomen, dat gegevens van de overheid (ook over burgers) in het kader van de Patriot Wet door de Verenigde Staten kunnen worden opgevraagd kan bij uitbesteding van rekencentra in het programma van eisen een eis worden opgenomen, dat het de leverancier nooit is toegestaan gegevens van de overheid (ook over Burgers) in het kader van de Patriot Wet aan de Verenigde Staten te leveren. Dit betekent feitelijk, dat bedrijven uit de Verenigde Staten bij dergelijke aanbestedingen en opdrachten worden uitgesloten. Patriot Act: Concern for many of our customers Not sure what the impact will be under the revised EU privacy rules: Revised EU regulation specifically states that no transfer outside the EU should occur without proper authorization from the EU Protection authorities, even if this is done because of a legal requirement or court order outside the EU. This will cause a lot of friction with legal requirements such as the Patriot act. I am sure in the next couple of months, there will be a lot of debate regarding the wording of the new EU Data protection regulation in this regard. DNB: Voor cloud computing dient hierbij expliciete aandacht besteed te worden aan de risico s die samenhangen met onder meer de integriteit, vertrouwelijkheid en beschikbaarheid van data. Tevens dient inzichtelijk te zijn op welke locatie de bedrijfsdata wordt bewerkt en opgeslagen 8

10

11 Assurance Move to the Cloud responsibly Agreed upon procedures ISAE3402/SOC2 Data location ISO 2700x Contract and SLA Basic service Application/data confidentiality

12 Hans Bootsma Deloitte Risk Services +31 (0)