1 Cloud Computing BENEFITS & RISKS Cloudy with a Chance of Risk
2 Presenters Ad Information Technology Matisse Long, CPA Jerry Jones, CPA, CISA, CISM, CGEIT, CRISC
3 Agenda
- What is cloud computing?
- What are cloud computing benefits?
- What are considerations for selecting cloud service providers?
- What are cloud computing risks?
- What are practical concerns for cloud compliance?
- What are cloud security considerations?
- What is cloud service provider compliance reporting: SSAE16 (SOC 1) / SOC 2 / SOC 3?
4 Cloud Computing Intro to Cloud Based Services
5 Cloud Based Services What are Cloud based services and offerings?
6 Cloud Services Marketing: Microsoft's "To The Cloud" TV campaign
7 Microsoft To The Cloud
8 Cloud Services Survey: Do you know what the Cloud is?
Survey sponsored by Citrix, August 2012:
- One-third of Americans believe the Cloud is weather related, not tech.
- Only 16% responded correctly that the cloud is a computer network used to store, access and share data from an Internet-connected device.
- One in five have lied, pretending they know what the cloud is in conversation.
- 65% have used online banking; 20% use file sharing services.
Source: Network World
9 Cloud Based Service Basics
- Cloud services are consumer and business products, services and solutions delivered and consumed over the Internet.
- Cloud computing is on-demand delivery of IT resources as a service via the Internet with pay-as-you-go pricing.
- Cloud computing services vary from renting hardware to utilizing Cloud application programming interfaces (APIs).
- Companies can rapidly deploy applications where the underlying technology components can expand and contract with the natural ebb and flow of the business life cycle.
- Cloud computing incorporates virtualization, on-demand deployment, Internet delivery of services, and open source software, and allows applications to be dynamically deployed onto the most suitable infrastructure at run time.
10 Electric Utility Businesses in the 1800s had to produce their own electricity. The shoe factory had to focus on making shoes and generating electricity. Engineering improvements made electricity transmission easier. Electric utilities started producing the electricity once produced internally; electricity became cheaper. The shoe factory could focus on the core business of making shoes. Electric utilities made it disadvantageous to produce electricity internally.
11 Utility Computing
- Utility computing is the packaging of computing resources, such as computation, storage and services, as a metered service.
- Foundation of on-demand, software as a service and cloud computing.
- Attributes include virtualization, time sharing, multiple servers and distributed computing.
- Utility computing is not a new concept: IBM and other mainframe providers offered time sharing in the 1970s and 1980s.
- Cloud computing service providers are organized to deliver cost effective computing power.
- Like electric utilities, cloud computing allows the business to focus on the core business and not infrastructure and maintenance.
12 Utility Computing and Virtualization
- Virtualization: creating a virtual version of a device or resource such as a server, storage device, network or operating system.
- To access multiple operating systems on one machine, the old standby was to dual boot or multi boot a hard drive, which required a partitioned hard drive.
- Virtualization has roots in the mainframe environment, where mainframe resources were logically divided into libraries or volumes.
- Virtualization introduced new features including snapshots (a point in time image); the machine can be reverted on demand back to that state.
- A physical server or workstation can be virtualized to migrate the server to the cloud.
- Desktop virtualization has helped some companies migrate to thin clients, where processing is done at the server instead of the client / desktop.
13 Utility Computing and Virtualization
- Virtualization provides a hypervisor that lets virtual systems run independently of the underlying physical resources. The virtual machines do not care where they are physically located.
- Advantages can include reduction in heat, reduction in hardware, faster redeployment, easier backups, better testing, hardware independence, easier disaster recovery, single purpose servers, extended life and easier cloud migration.
14 Utility Computing and Virtualization
- Virtualization can result in lower costs since resources can be more closely matched with requirements.
- Virtual servers can allow for hardware consolidation onto more powerful servers.
- Servers can be moved in real time between data centers.
15 Utility Computing and Virtualization: VirtualBox (www.virtualbox.org), free open source software sponsored by Oracle
16 Cloud Computing Cloud Computing
17 Cloud Computing Services
18 Cloud Computing Definition: What is Cloud computing?
National Institute of Standards and Technology (NIST): Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Five Essential Characteristics of Cloud Computing:
1. On-demand service
2. Broad network access
3. Resource pooling
4. Rapid elasticity or expansion
5. Measured service
19 Cloud Computing Definition: Three service models of Cloud Computing
1. Software, i.e. SaaS (Software as a Service)
2. Platform, i.e. PaaS (Platform as a Service)
3. Infrastructure, i.e. IaaS (Infrastructure as a Service)
20 Cloud Service Model Examples
- SaaS (Software as a Service): software solutions that an end user can just use. Examples: Microsoft Office 365, Google Gmail and Cisco WebEx.
- PaaS (Platform as a Service): a cloud based development platform used in building applications for the cloud. Examples: Microsoft Azure, VMware Cloud Foundry and Force.com (salesforce).
- IaaS (Infrastructure as a Service): hardware and software platforms, provided at scale, that provide or extend the infrastructure needs of an organization. Examples: Rackspace and Amazon.
21 Cloud Service Model Examples SaaS Example Office 365
22 Cloud Service Model Examples SaaS Example QuickBooks Online
23 Cloud Service Model Examples: SaaS Example DropBox
Considerations:
- Who controls the encryption key and algorithm
- Must enable two factor authentication
- Central administrative panel
24 Cloud Service Model Examples PaaS Windows Azure
25 Cloud Service Model Examples PaaS SalesForce.com
26 Cloud Service Model Examples IaaS Example Rackspace Cloud with Hardware Based Firewall
28 Cloud Service Model Examples SaaS / IaaS Example Host Gator
29 Cloud Service Model Examples SaaS (Software as a Service) PaaS (Platform as a Service) IaaS (Infrastructure as a Service) Source: Oracle
30 Other as a Service Models
o Backup as a Service (BaaS): VM snapshot storage, backups, etc.
o Communication as a Service (CaaS): VOIP, video conferencing, etc.
o Desktop as a Service (DaaS): access desktops remotely.
o Hadoop as a Service (HaaS): Java based framework for processing and analyzing large amounts of data.
o Identity as a Service (IDaaS): single sign-on for the cloud.
o Load Balancing as a Service (LBaaS): directs traffic to balance load.
o Monitoring as a Service (MaaS): hosted monitoring and notifications.
o Disaster Recovery as a Service (DRaaS): cloud based DR.
o Storage as a Service (SaaS): data storage as the primary service.
o Security as a Service (SECaaS): security services like antivirus.
o Etc.
31 Cloud Computing Definition Four deployment models of Cloud Computing 1. Private 2. Community 3. Public 4. Hybrid
32 Private, Public and Hybrid Deployment
Deployment Goal: provide easy, scalable access to computing resources and IT services.
Deployment Revisited:
1. A public cloud sells services to anyone on the Internet, with all users leveraging a common and scalable implementation.
2. A private cloud has a similar implementation, but it is typically secured in an organization's data center, or managed by a hosting organization in a private and secure manner.
3. A "hybrid" cloud has some of the desired solution existing securely in the private cloud data center and some of it existing in the public cloud.
Public Cloud Deployment Benefits:
1. Easy and inexpensive setup because hardware, application and bandwidth costs are covered by the provider.
2. Scalability to meet needs.
3. No wasted resources because you pay for what you use.
33 Cloud Computing Cloud Benefits
34 Cloud Benefits
- Reduced costs due to operational efficiencies, and more rapid deployment of new business services.
- Cost allocation flexibility for customers wanting to move CapEx into OpEx.
- Elastic nature of the infrastructure to rapidly allocate and deallocate massively scalable resources to business services on a demand basis.
- Flexibility to choose multiple vendors that provide reliable and scalable business services, development environments, and infrastructure that can be leveraged out of the box and billed on a metered basis with no long term contracts.
- Decoupling and separation of the business service from the infrastructure needed to run it (virtualization).
35 Cloud Benefits Cloud service providers can provide data centers around the world which facilitates easy expansion. If the customer adds a location in Australia, a closer data center can improve performance by lowering latency and provide a better experience for customers at minimal cost.
36 Cloud Benefits: Cloud Economic Considerations
- Opportunity costs: Gartner estimates that 80% of IT budgets are spent on maintenance; cloud can allow these resources to be focused on the core business.
- CapEx versus OpEx: capital expenses have to be paid regardless of use; cloud can allow operating expenses to be tied directly to use / need.
- Total cost of ownership: costs of salaries, licenses, electricity, etc. can be hard to budget; cloud can allow for better budgeting and calculation of total cost.
- Core business focus: companies are typically not data center providers; cloud can allow companies to focus on their core business.
- Division of labor: specialized labor may be more productive.
37 Cloud Benefits: Amazon Web Services (AWS)
AWS allows customers to deliver content, reduce CapEx and OpEx costs, and obtain large amounts of capacity in a short time. Hundreds or thousands of servers can be deployed in minutes.
38 Cloud Service Model Benefits
- Standardized IT-based capability: Cloud services are based on a level of standardization for technology components. The underlying logic is that a significant amount of IT client demand has more similarities than differences, and this is key to economies of scale for many common technology requirements (processing power, storage, core applications, development platforms, etc.).
- Consumption billing: Most cloud service models charge by actual use of the resources in CPU hours, gigabits (Gbs) consumed, gigabits per second (Gbps) transferred, accounts, etc., rather than only by number of servers, tickets, or authorized users. The pay-for-play economics, often with shorter contract durations, can be very attractive to clients.
- Scalable: Scalability and resilience are key design components of cloud services. More of the delivery cost risk is on the service provider, but clients have more flexibility (within reasonable commercial limits) for increasing and decreasing demand while continuing to pay only for what is used (along with provider margins and some delivery cost spread across all clients).
- Web-based accessibility and flexibility: Many cloud services use a standard Web browser to control demand and implement services without any unusual software add-ons or specific OS requirements. Clients can provision and manage services without significant involvement by the provider.
Source: Forrester Cloud Service Offerings
39 Cloud Service Model Benefits
- Ease of operations: you can control all your data with one service provider rather than multiple vendors.
- Cost effective: applications are subscription-based, so you pay for only the features needed. There are no upfront license fees, so the initial costs are lower. Since the provider will manage the infrastructure, it decreases your reliance on an already over-extended IT department (i.e., drives a lower TCO). Cloud solutions move to an Operational Expense model (OpEx) rather than a Capital Expense model (CapEx).
- Fast to market: a SaaS deployment should be completed in weeks rather than the months or longer a traditional software deployment takes.
- Less risk with a simpler model: no software to download, no software license to negotiate and no IT infrastructure to worry about. It's flexible, has a lower cost and, overall, is a lower risk for any organization.
- Automatic updates: the service provider takes responsibility for adding new releases and feature enhancements to the system, often over a period of time so you can accept them when you are ready. No longer will your IT staff worry about individual users on different versions or the next "upgrade" cycle.
40 Cloud Computing Evaluating Cloud Service Providers
41 IT General Controls
Security:
- Security policy / user awareness / training
- Administration / provisioning
- Identification / authentication
- Configuration / settings
- Privileged users
- Physical access
- Monitoring
Change Management:
- SDLC / Change Control
- Security impact
- Data migration / interfaces
- TEST / DEV / QC / PROD
Operations:
- Backup data
- Monitoring
- Environmental controls
42 Cloud Service Compliance
Determine compliance requirements and evaluate adherence:
- SOC 1 (SSAE16), SOC 2 and SOC 3
- HIPAA (new updated guidance in 2013)
- Payment Card Industry (PCI) Data Security Standard (DSS)
- Gramm-Leach-Bliley (GLB)
- Sarbanes-Oxley (SOX)
- Federal Information Security Management Act (FISMA) / NIST guidelines
- Federal Risk and Authorization Management Program (FedRAMP)
- Federal Information Processing Standard (FIPS) Publication
- International Organization for Standardization (ISO) certification
- Cloud Security Alliance (CSA)
- Motion Picture Association of America (MPAA)
43 Cloud Informational Websites
https://cloudsecurityalliance.org/ provides education and research along with controls and mapping. It provides information on cloud computing services and creates a dialog between cloud computing service vendors, consumers and developers to foster further understanding and adoption of cloud based solutions.
44 Cloud Obstacles and Opportunities
Obstacle: Opportunity
1. Availability of Service: Use Multiple Cloud Providers to provide Business Continuity; Use Elasticity to Defend Against DDoS attacks
2. Data Lock-In: Standardize APIs; Make compatible software available to enable Surge Computing
3. Data Confidentiality and Auditability: Deploy Encryption, VLANs, and Firewalls; Accommodate National Laws via Geographical Data Storage
4. Data Transfer Bottlenecks: FedExing Disks; Data Backup/Archival; Lower WAN Router Costs; Higher Bandwidth LAN Switches
5. Performance Unpredictability: Improved Virtual Machine Support; Flash Memory; Gang Scheduling VMs for HPC apps
6. Scalable Storage: Invent Scalable Store
7. Bugs in Large-Scale Distributed Systems: Invent Debugger that relies on Distributed VMs
8. Scaling Quickly: Invent Auto-Scaler that relies on Machine Learning; Snapshots to encourage Cloud Computing Conservationism
9. Reputation Fate Sharing: Offer reputation-guarding services like those for
10. Software Licensing: Pay-for-use licenses; Bulk use sales
Source: UC Berkeley, Above the Clouds
45 Cloud Misconceptions
- Cloud is just virtualization
- Cloud is just cost savings
- Private cloud is on premise
- Private cloud is just infrastructure
- Private cloud will always be private
- Cloud is not safe
- Cloud comparison shopping is easy
- Proprietary software will dominate the cloud
- Cloud data centers are killing the environment
46 Cloud Computing Cloud Risks
47 Cloud Risks
- Privileged user access: ask the providers to supply specific information on the hiring and oversight of privileged administrators, and the control over their access, because outsourced services usually bypass the physical, logical and personnel security controls which are exerted over in-house programs.
- Regulatory compliance: providers who refuse to undergo this scrutiny are signaling that subscribers can only use them for the most trivial functions, as subscribers are ultimately responsible for the security and integrity of their own data even when it is held by a service provider.
- Data location and ownership: ask the providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of the subscribers.
- Data segregation: subscribers' data should be segregated from the data of other customers, as the Cloud is typically a shared environment. The service providers should offer data encryption as an option, together with evidence that the corresponding encryption schemes were designed and properly tested by experienced specialists, as encryption accidents can make data totally unusable.
48 Cloud Risks (Continued)
- Recovery: ask the providers if they have implemented and tested disaster recovery procedures (DRP) which give them the ability to do a complete restoration and, most importantly, how long it will take to execute the DRP.
- Investigative support: get a contractual commitment from your service provider to support specific forms of investigation of inappropriate or illegal activity that happened to your services, along with evidence that the vendor has already successfully supported such activities. This is important because Cloud services are especially difficult to investigate: logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers.
- Long-term viability: ask the providers how you would get your data back and if it would be in a format that you could import into a replacement application, as they might go broke or get acquired and even swallowed up by a larger company, such that your company data may not remain available after such an event.
49 Cloud Risks (Continued)
- End User Bypassing Policy and Procedure: determine if Cloud computing is considered in company policy and procedure. An employee cannot use a company credit card to order a Cloud service for a department without following an approval and risk assessment process.
- Document and data retention / disposal should be specifically considered.
- Does the selected Cloud service follow internal company best practices and standards?
50 Cloud Risks (Continued)
NSA Domestic Spying: classified surveillance program. Has the NSA undermined encryption models via hidden back doors, forcing providers to hand over keys or data, cracking encryption methods, etc.?
Cloud Security Alliance (CSA) Guidance:
- Data should be encrypted before leaving the end user's organizational control.
- Encryption should be implemented for data at rest, in transit and in use.
- Encryption keys should be retained by the end user organization and not the cloud service provider.
- Select a cloud service provider that adheres to the CSA's best practices.
51 Cloud Computing Cloud Practical Concerns
52 Cloud Practical Concerns
Liability
- What recourse actions (e.g., financial compensation, early exit of contracts, etc.) can we agree on in the event of a security incident or failure to meet the SLA? Under what conditions?
Intellectual property
- Can we stipulate in the SLA that all my data (or applications), including all replicated and redundant copies, are owned by me?
- Ensure that your service agreement does not lead you to relinquish any IP rights.
- What would be the recourse if the information was hosted on the vendor's server located in a different country where the IP laws are not as strict, and/or the vendor's servers/infrastructure are confiscated by legal authorities for any reason whatsoever?
- Scrutinize the language in the terms-of-service that governs the ownership of and rights to information that you place in the cloud.
End of service support
- Specify what the cloud vendor will deliver at the end of the service period. Will data be packaged and delivered back to me? If so, in what format? How soon will I have all my data back?
- Will any remaining copies of data be erased completely from your network? If so, how soon will it happen?
- Specify any fees that may be incurred at the end of the service.
Source: Forrester Cloud Computing Checklist
53 Cloud Practical Concerns (Continued)
Data Protection
- Data Segregation: How do you separate my data from other customers'?
- Data-at-rest protection: Where do you store my data? Encryption and data integrity. Access control and authentication. Documentation for auditors.
- Data-in-motion protection: How do you get data from me to you? How do you transfer data from one place to another?
- Data leak prevention capabilities (if applicable).
- Can any third party (your service providers) access my data, and how?
- Can you ensure all my data is erased at the end of service?
Vulnerability Management
- Show evidence of your vulnerability management program.
- How often do you scan for vulnerabilities on your network and applications?
- Can I conduct an external vulnerability assessment on your network, and how?
- What's your vulnerability remediation process?
54 Cloud Practical Concerns (Continued)
Identity Management
- Can you integrate directly with my directories, and how? Review the architecture of the integration; ensure it doesn't create a security risk for my own infrastructure.
- If you keep your own user accounts: How do you secure user IDs and access credentials? How do you handle user churn (e.g., provision and de-provision accounts)?
- Can you support SSO (single sign on), and which standards?
- Can you support federation, and which standards?
Physical and personnel security
- Restricted and monitored access to critical assets 24x7.
- If dedicated infrastructure is desired, ensure it is isolated, and ask: how often do you scan for vulnerabilities on your network and applications?
- Background checks for all relevant personnel? How extensive?
- Do you document employee access to customer data?
- Have you gone through a SSAE16 / SOC 1 / SOC 2 / SOC 3, Type I or Type II? Can you share the audit result?
55 Cloud Practical Concerns (Continued)
Availability
- How many nines do you guarantee in the SLA?
- What availability measures do you employ to guard against threats and errors? Do you use multiple ISPs? Do you have DDoS protection, and how?
- How do you secure user IDs and access credentials?
- Provide availability historical data.
- What is your downtime plan (e.g., service upgrade, patch, etc.)?
- What is your peak load, and do you have enough capacity for such a load?
Application Security
- Do you follow OWASP guidelines for application development?
- Do you have a rigorous testing and acceptance procedure for outsourced and packaged application code? What about third-party apps (components) you use in your services?
- What application security measures (if any) do you use in your production environment (e.g., application-level firewall, database auditing)?
56 Cloud Practical Concerns (Continued)
Incident Response
- What is your procedure for handling a data breach?
- Can notification occur within a specified time period? In what format do notifications go out, and what info do they contain?
- Ensure that the vendor's incident response procedures do not violate our own incident response requirements.
Privacy
- Ensure that critical data (e.g., payment card number) is properly masked and only authorized individuals have access to the entirety of the data.
- Show me how you protect digital identities and credentials and use them in cloud applications.
- What data do you collect about me (logs, etc.)? How is it stored? How is the data used? How long will it be stored?
- What are the conditions under which third parties, including government agencies, might have access to my data?
- Can you guarantee that third-party access to shared logs and resources won't reveal critical information about my organization?
57 Cloud Practical Concerns (Continued)
Business continuity and disaster recovery
- Do you have any DR and BC planning documents, and can we review them? Ensure the procedures are at least as robust as our own.
- Can we do a BC audit?
- Where are your recovery data centers located?
- What service-level guarantee can you offer under DR conditions?
Logs and audit trails
- Can you accommodate time forensic investigation (e.g., e-discovery)? Can we agree on provisions in the SLA for investigation? What would we have access to? How?
- How long do you keep logs and audit trails? Can you keep them as long as we desire?
- Can we have dedicated storage of logs and audit trails, and how?
- Show evidence of tamper-proofing for logs and audit trails.
Specific compliance requirements
- Are your data centers under local compliance requirements? If so, which ones? Do the local compliance requirements violate our own?
- Do you have a SSAE16 / SOC 1 / SOC 2 / SOC 3 report (if applicable)?
- Are you ISO compliant (if desired)?
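As an added illustration (not part of the original slides) of what "tamper-proofing for logs and audit trails" can mean in practice: an audit trail sealed as an HMAC hash chain, where the verification key stays with the customer organization in the spirit of the CSA key-retention guidance earlier in the deck. The field names, key values and sample entries are all constructed for this example.

```python
"""Tamper-evident audit trail built as an HMAC hash chain (example code).

Each entry's tag covers the previous tag, the entry's position and its
canonical content, so editing, deleting or reordering any record breaks
every tag from that point on.  The HMAC key is held by the customer, not
the provider.  Standard library only; records and keys are constructed.
"""
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

Entry = Dict[str, Any]
GENESIS_TAG = b"\x00" * 32  # stands in for the "previous tag" of the first entry


def _tag(key: bytes, prev_tag: bytes, seq: int, record: Dict[str, Any]) -> bytes:
    """HMAC-SHA256 over (previous tag || sequence number || canonical JSON record)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + seq.to_bytes(8, "big") + canonical, hashlib.sha256).digest()


def append_entry(log: List[Entry], key: bytes, record: Dict[str, Any]) -> Entry:
    """Seal `record` onto the end of `log` and return the new entry."""
    prev_tag = bytes.fromhex(log[-1]["tag"]) if log else GENESIS_TAG
    seq = len(log)
    entry = {"seq": seq, "record": record, "tag": _tag(key, prev_tag, seq, record).hex()}
    log.append(entry)
    return entry


def verify_chain(log: List[Entry], key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None when the chain is intact, else the index of the first bad entry.

    `expected_head` is the hex tag of the newest entry, retained out of band by
    the customer.  Without it, entries silently dropped from the *end* of the
    log go unnoticed, because every remaining tag still verifies.
    """
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        try:
            stored = bytes.fromhex(entry["tag"])
            computed = _tag(key, prev_tag, i, entry["record"])
        except (KeyError, TypeError, ValueError):
            return i  # a malformed entry counts as tampering
        if not hmac.compare_digest(stored, computed):
            return i
        prev_tag = computed
    if expected_head is not None:
        head = log[-1]["tag"] if log else GENESIS_TAG.hex()
        if not hmac.compare_digest(head, expected_head):
            return len(log)  # chain verifies but is shorter than the retained head
    return None


# Constructed sample records of the kind a provider writes for one tenant.
SAMPLE_RECORDS = [
    {"ts": "2013-06-01T08:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2013-06-01T08:05:12Z", "user": "alice", "action": "download", "object": "payroll-2013Q1.xlsx"},
    {"ts": "2013-06-01T09:30:00Z", "user": "svc-admin", "action": "grant_role", "target": "bob", "role": "tenant-admin"},
    {"ts": "2013-06-01T09:31:44Z", "user": "bob", "action": "export", "object": "customer-list.csv"},
]


def demo(key: bytes = b"constructed-customer-held-hmac-key") -> Dict[str, Optional[int]]:
    """Build a chain, then report which tampering scenarios are detected and where."""
    log: List[Entry] = []
    for rec in SAMPLE_RECORDS:
        append_entry(log, key, rec)
    head = log[-1]["tag"]
    results: Dict[str, Optional[int]] = {"intact": verify_chain(log, key, head)}

    # 1. Edit a record in place (rewrite who was granted tenant-admin).
    edited = copy.deepcopy(log)
    edited[2]["record"]["target"] = "alice"
    results["edited_entry_2"] = verify_chain(edited, key, head)

    # 2. Delete a record from the middle; the following entry no longer chains.
    deleted = copy.deepcopy(log)
    del deleted[1]
    results["deleted_entry_1"] = verify_chain(deleted, key, head)

    # 3. Drop the newest record; only the retained head tag exposes this.
    truncated = copy.deepcopy(log[:-1])
    results["truncated_no_head"] = verify_chain(truncated, key)
    results["truncated_with_head"] = verify_chain(truncated, key, head)

    # 4. Re-seal the same records under a key the customer never issued.
    resealed: List[Entry] = []
    for rec in SAMPLE_RECORDS:
        append_entry(resealed, b"provider-chosen-key", rec)
    results["resealed_wrong_key"] = verify_chain(resealed, key, head)
    return results


if __name__ == "__main__":
    for scenario, first_bad in demo().items():
        status = "intact" if first_bad is None else f"first bad entry: {first_bad}"
        print(f"{scenario:22s} -> {status}")
```

The truncation case is the caveat worth taking to a provider conversation: a hash chain alone cannot reveal that the newest records were dropped unless the customer keeps the latest tag (or a periodic digest) outside the provider's control.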
58 Cloud Computing Cloud Security Considerations
59 Cloud Security Breach Examples
- Iran nuclear facility hit with malware that plays AC/DC
- Facebook users face new spam campaign providing malware / Trojan; photo tag notifications originate from Faceboook.com
- Yahoo, Twitter and LinkedIn passwords leaked
- Flame toolkit / Stuxnet worm that attacked Iran centrifuges
- Wikileaks unveils The Syria Files - its biggest data leak yet
- Dropbox possible security breach is to blame for a recent wave of spam
- Vegas casino employee takes high-roller info via
60 Cloud Security Risk Mitigation Checklist
- Operations: process and checklists; enforcing accountability and reporting like in accounting.
- Anti-malware: covering workstations and servers; up to date and centrally monitored.
- Proactive patch management: evaluate and apply critical items timely; include all levels, including firmware.
- Unauthorized / unnecessary programs and services: resource intensive; both machine and human capital wasted.
- Proactive monitoring: event monitoring, assessment, documentation, escalation, resolution.
- Privileged users: domain, enterprise and local admins; all systems considered, including infrastructure and databases; least privilege concept.
61 Cloud Security Risk Mitigation Checklist
- Authentication / Data Transmission: two-factor (e.g. token) is preferred; complex passwords, hashed and salted. Encrypted transmission of data: HTTPS, SSL / TLS.
- Security Hardening and Standardization: checklist for setting up production servers, periodic monitoring for changes. Consistency minimizes risk and streamlines troubleshooting.
- Change Management: changes to production are authorized, documented and tested. Standards and corrections will remain in effect.
- Logical Access Provisioning: authorized and documented requests; least privilege concept. No modeling; use role based access instead.
- Training and Education: ongoing end user training. Budget for and measure training results.
62 Cloud Security Configuration Checklist
- Integrate online sites with Active Directory
- Implement IP restrictions
- Secure employee computers and devices
- Don't utilize user IDs and passwords across multiple sites
- Provide training and alerts to address phishing and malware
- Limit sessions with timeouts
- Implement two factor authentication
- Strengthen password policies
- Require secure sessions (HTTPS / SSL)
- Maintain authorized contacts (especially security)
63 Cloud Security Data Breaches
https://www.privacyrights.org/data-breach: its mission is to engage, educate and empower individuals to protect their privacy by identifying trends and communicating findings to advocates, policymakers, industry, media and consumers.
Chronology of Data Record Breaches: 617,070,844 records breached to date.
65 SOC Reporting Background: Introduction of a New Standard
- Statement on Auditing Standards No. 70 (SAS 70) became the most widely recognized and requested attestation report, though it was not always the right type of report for the subject matter.
- AICPA recognized a need to provide additional guidance to ensure the appropriate application of the SAS 70 standard.
66 SOC Reporting Background: Introduction of a New Standard
- With its release of Statement on Standards for Attestation Engagements No. 16 (SSAE 16), the AICPA has replaced SAS 70.
- The AICPA recognized that service providers have needed alternative reporting standards to use to report on controls other than those related to financial reporting.
- AICPA created new terminology: Service Organization Control (SOC) reports.
67 SOC Reporting Background: Diverse industries utilizing SOC reports
- Payroll Providers
- SaaS providers
- Direct Mailers
- Fulfillment Companies
- Data Centers
- Third Party Administrators
- Investment Managers
- Transfer Agents
- E-business Platforms
- Healthcare providers
68 SOC 1 (SSAE16) Reports
- American Institute of CPAs (AICPA)
- Auditing Standards Board (ASB)
- Statement on Standards for Attestation Engagements (SSAE)
- International Federation of Accountants (IFAC)
- International Auditing and Assurance Standards Board (IAASB)
- International Financial Reporting Standards (IFRS)
- International Standard on Assurance Engagements (ISAE)
70 SOC 1 (SSAE16) Reports: Key highlights
- Management must include an assertion.
- Management to identify risks that Control Objectives will not be achieved.
- Management to have a basis for their assertion.
- Auditor's opinion is on management's assertion.
- Opinion covers the Design, Suitability, and Completeness (Type 2).
- Description of the Service Organization's System.
- Changes to Scope During the Reporting Timeframe.
- Disclosing the reliance on the work of Internal Audit.
- User Control Considerations are now called Complementary User Entity Controls.
71 SOC 1 (SSAE16) Reports
In a Type 2 report, the opinion covers:
- Operating effectiveness,
- Suitability of the design, and
- The fair presentation of the system implemented, throughout the entire reporting period.
Significant changes to systems (including controls) need to be included in the description. Changes in scope after the auditor is engaged will require a reasonable basis.
72 SOC 1 (SSAE16) Reports
Policies, procedures, and practices need to be documented. SSAE 16 defines the service organization System as "the policies and procedures designed, implemented and documented by management of the service organization to provide user entities with the services covered by the service auditor's report." Paragraph 2, parts a and b, state that the focus of this SSAE is on controls at a service organization likely to be relevant to user entities' internal control over financial reporting.
73 SOC 1 (SSAE16) Reports Service Organization Responsibilities
74 SOC 1 (SSAE16) Service Org. Responsibilities
Three basic areas:
1. Provide a description of its system
2. Provide a written assertion in the report
3. Maintain the environment and plan for changes
75 SOC 1 (SSAE16) System Description
What is the system?
- Policies and procedures designed, implemented, and documented by management of the service organization
- Includes the infrastructure, software, people, and data that support them
- Services provided, including types of transactions
- Related processes or controls which affect transaction processing or services
76 SOC 1 (SSAE16) System Description
The service organization needs to provide adequate detail to allow the user of the report to understand the nature of services provided and the flow of transactions from initiation through reporting:
- Initiation
- Recording
- Approval
- Posting or processing
- How errors and significant events are handled
- Processes related to reporting transactions
77 SOC 1 (SSAE16) System Description Control objectives must be indentified Significant changes in the system during the time period must be described But what are significant changes Who determines what is a significant change?
78 SOC 1 (SSAE16) Mgmt. Assertion
- Management will need to prepare a written assertion on:
  - The fair presentation of the description of the service organization's system
  - The suitability of the design of controls
  - The operating effectiveness of controls for the timeframe of the report (Type 2 only)
- The service auditor will attest to management's assertion

79 SOC 1 (SSAE16) Mgmt. Assertion
- The assertion must be provided from the beginning timeframe of the report for a Type 2
  - The service auditor cannot begin until the written assertion has been received
  - Will need to be reaffirmed through written representations at the conclusion of the engagement
- Management must also present the basis for the assertion:
  - Monitoring activities
  - Internal audit
  - Other testing
- The service auditor's report on controls is not considered adequate in providing a basis for management's assertion.

80 SOC 1 (SSAE16) Mgmt. Assertion
- Similar to the assertion required under SOX Section 302
- Is a separate component in the report and can be included with the description of systems
- Signed by a member of management
- Communicates management's responsibility for the description of the system
- Communicates achievement of the evaluation criteria of the description of the system

81 SOC 1 (SSAE16) Mgmt. Assertion
- Gives management more involvement in setting depth and breadth of coverage in the report
- Places the burden on the service organization's management to explicitly acknowledge responsibility
- Requires management to provide a written statement to the auditor as of the first day of coverage, which will be included in the report
82 SOC 1 (SSAE16) Identifying the Criteria
- Used in:
  - Preparing the description,
  - Evaluating if the controls were suitably designed to meet the control objectives, and
  - Evaluating if the controls were operating
- SSAE 16 references AT 101 for the definition of Criteria (paragraphs 23, 24 and 33)

83 SOC 1 (SSAE16) AT 101 Criteria
- .23 The third general standard is: "The practitioner must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users."
- Suitability of Criteria - .24 "Criteria are the standards or benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter." Suitable criteria must have each of the following attributes:
  - Objectivity: criteria should be free from bias
  - Measurability: criteria should permit reasonably consistent measurement, qualitative or quantitative, of subject matter
  - Completeness: criteria should be sufficiently complete so that those relevant factors that would alter a conclusion about the subject matter are not omitted
  - Relevance: criteria should be relevant to the subject matter

84 SOC 1 (SSAE16) AT 101 Criteria
- Availability of Criteria - .33 The criteria should be available to users in one or more of the following ways:
  - Available publicly
  - Available to all users through inclusion in a clear manner in the presentation of the subject matter or in the assertion
  - Available to all users through inclusion in a clear manner in the practitioner's report
  - Well understood by most users, although not formally available (for example, "The distance between points A and B is twenty feet": the criterion of distance measured in feet is considered to be well understood)
85 SOC 1 (SSAE16) Design, Implement, Maintain Controls
- Continue daily operations, ensuring controls are operating as designed and evidence documenting the effectiveness of controls is retained and organized.

86 SOC 1 (SSAE16) Changes to Scope
- The service auditor and service organization need to agree and specify the scope and timeframe of the report before beginning the audit
- A reasonable basis is required to modify the scope or alter the timeframe which the report covers once the auditor is engaged
- Example of a reasonable basis for a change in scope: sale or purchase of a division that is significant to the controls and control objectives
- Example of an unacceptable change: altering the scope or timeframe to avoid a qualification to the opinion

87 Service Organization Responsibilities
- Provide a description of its system
- Specify the control objectives of the system and include those control objectives in the description of the system
- Identify significant changes in the system or controls
- Provide a written assertion in the report
- Have a basis for providing the assertion
- Identify the criteria used in preparing the description, evaluating if the controls were suitably designed to meet the control objectives, and evaluating if the controls were operating effectively
- Identify the risks that threaten the achievement of the control objectives
- Design, implement and maintain controls to provide reasonable assurance that the control objectives will be achieved
- Changes to scope of the report

88 Engagement Planning
- Service auditors will need to be engaged with their clients early in the process
- Their planning will include:
  - Reviewing the service organization assertion
  - Documenting the scope and control objectives to be covered
  - Understanding the basis for the assertion: linking existing controls and testing to control objectives and controls
  - Understanding the risks that could prevent the control objectives from being achieved
  - Understanding the criteria for evaluating the control objectives (AT 101)
  - Obtaining an understanding of the system
  - Assessing materiality
89 Engagement Planning: ICFR / IT General Control Relationship
[Diagram: significant accounts in the financial statements (balance sheet, income statement, cash flows, disclosures, forecasting & budgeting) map to business processes / transaction classes under internal controls over financial reporting; those rely on financial applications (Application X, Y, Z) governed by application controls, which sit on the IT infrastructure (database, operating system, network, physical) governed by general controls.]
90 SOC 2 & 3 Reports
- These reports cover subject matter that is not relevant to control over financial reporting.
- Addresses controls at a service organization that are pertinent to the joint AICPA-Canadian Institute of Chartered Accountants (CICA) Trust Services Principles and Criteria. These principles include the following:
  - Security
  - Availability
  - Processing Integrity
  - Confidentiality
  - Privacy

91 SOC 2 Reports (Continued)
- These reports focus on Trust Services Principles and may be beneficial to a broad audience.
- Management identifies one or more Trust Services Principles that it believes it has achieved and the criteria upon which it will base its assertion of achievement.
- Intended for user organization management, but other stakeholders (e.g., business partners, customers) along with regulators knowledgeable about the subject matter and the criteria may also benefit.

92 SOC 2 Reports (Continued)
- These reports are similar in structure to a SOC 1 report:
  - The independent service auditor's report
  - Management's assertion letter
  - A description of the system
  - A section containing the service auditor's tests of the operating effectiveness of controls and the related test results (Type 2 report only)

93 SOC 3 Reports
- These reports are structured differently than SOC 2 reports, which allows for a much broader use.
- SOC 3 reports are short-form reports that include only a service auditor's opinion and a management assertion.
- SOC 3 reports do not include a description of the system or a detailed description of tests of controls and related test results.
- SOC 3 reports may be used by a broad audience as they may be accessed through a link/seal posted on a service organization's website(s).
94 SOC Report Decision Making Process The decision around which report to use begins with an assessment of needs:
95 SOC Report Decision Making Process (Continued) The needs of service organizations often extend beyond the scope of SOC 1:
96 SOC Report Decision Making Process (Continued) The needs of service organizations often extend beyond the scope of SOC 1:
97 What if needs are not met by SOC?
Alternatives:
- AT 101
- AT 601 Agreed Upon Procedures
- ISAE 3402
- ISO 27002/3

98 Factors To Consider
Alternatives:
- Adopting SOCs will take some time
- Management needs to document an assertion
- Identify the basis for the assertion
- Expand the Description of Controls into the Description of Systems
- Identify risks
- Ensure the control objectives and related controls will be controls they believe their user organization auditors will be interested in for the financial audit of the user organizations
- Clients should work closely with their auditors throughout the time frame for a Type 2 report
- Identify changes to controls and systems, determine if they are significant, and discuss those changes with the auditor
- You may need multiple reports
- Consider other alternatives
99 Discussion / Q&A?
100 Contact Information Ad Information Technology Jerry Jones, CPA, CISA, CISM, CGEIT, CRISC Matisse Long, CPA
101 AdIT Practice Areas
Governance, Risk & Compliance Services / Process Optimization Services
- Financial and IT Risk Assessments
- Business, Financial and IT Process and Control Improvement
- Financial and IT Sarbanes-Oxley (SOX)
- IT Department and Personnel Evaluations
- IT Infrastructure Assessment
- IT New Hire / Candidate Skillset Evaluations
- Outsourced Internal Audit Services
- IT Strategic Planning
- Data Security and Privacy
- Part-Time / Interim IT Director and CIO
- IT General & Application Controls Testing (non-SOX)
- IT Maturity Model Assessments
- IT Audit Specialist Support for CPA Firms
- Financial and IT Policy / Procedure Development
- SOC 1 (SSAE 16), SOC 2, SOC 3 Pre-Assessment, Remediation and Audits
- IT Project Planning and Management
- IT Managed Services
- IT Data Mining and Analysis (IDEA, ACL, and SQL)
- Technology Research
- IT Issue and Incident Root Cause Analysis & Remediation
- Cloud Computing Consulting
- Enterprise Risk Management (ERM)
- Disaster Recovery and Business Continuity Planning and Testing
- IT Vendor / Product Selection
102 Baseline Builder ("Baseline Builder") promotes effective and practical internal controls while helping to support efficient governance, risk management and compliance ("GRC") processes. Baseline Builder has also allowed many organizations to significantly improve the efficiency of GRC tasks, and the accuracy and retention of documentation. Customer reviews and feedback help confirm that the application is streamlined, clean and very responsive. By leveraging the latest technology, including ASP.NET and SQL Server, the application provides one of the most effective processes for implementing and maintaining a governance, risk and compliance program. Unlike typical in-house solutions, data and documentation are centrally managed in a database that allows for intuitive IT general, application, financial and operational control activity tracking, maintenance and reporting.