Central Jersey IIA Cloud Computing: The Basics and Beyond Protecting Data in the Cloud


1 Central Jersey IIA
Cloud Computing: The Basics and Beyond - Protecting Data in the Cloud
Dr. Yonesy F. Nuñez, CISSP, CISM, ISSAP, ISSMP, CRISC, CGEIT, MCSE, ISSPCS
Manager, NYM IT Risk & Security Assurance

2 General Security Advantages
- Shifting public data to an external cloud reduces the exposure of the internal sensitive data
- Cloud homogeneity makes security auditing/testing simpler
- Clouds enable automated security management
- Redundancy / Disaster Recovery

3 Security Relevant Cloud Components
- Cloud Provisioning Services
- Cloud Data Storage Services
- Cloud Processing Infrastructure
- Cloud Support Services
- Cloud Network and Perimeter Security
- Elastic Elements: Storage, Processing, and Virtual Networks

4 Provisioning Service
Advantages
- Rapid reconstitution of services
- Enables availability - provision in multiple data centers / multiple instances
- Advanced honey net capabilities
Challenges
- Impact of compromising the provisioning service

5 Data Storage Services
Advantages
- Data fragmentation and dispersal
- Automated replication
- Provision of data zones (e.g., by country)
- Encryption at rest and in transit
- Automated data retention
Challenges
- Isolation management / data multi-tenancy
- Storage controller - single point of failure / compromise?
- Exposure of data to foreign governments

6 Cloud Processing Infrastructure
Advantages
- Ability to secure masters and push out secure images
Challenges
- Application multi-tenancy
- Reliance on hypervisors
- Process isolation / application sandboxes

7 Cloud Support Services
Advantages
- On demand security controls (e.g., authentication, logging, firewalls)
Challenges
- Additional risk when integrated with customer applications
- Needs certification and accreditation as a separate application
- Code updates

8 Cloud Network and Perimeter Security
Advantages
- Distributed denial of service protection
- VLAN capabilities
- Perimeter security (IDS, firewall, authentication)
Challenges
- Virtual zoning with application mobility

9 Cloud Security Advantages - Part 1
- Data Fragmentation and Dispersal
- Dedicated Security Team
- Greater Investment in Security Infrastructure
- Fault Tolerance and Reliability
- Greater Resiliency
- Hypervisor Protection Against Network Attacks
- Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)

10 Cloud Security Advantages - Part 2
- Simplification of Compliance Analysis
- Data Held by Unbiased Party (cloud vendor assertion)
- Low-Cost Disaster Recovery and Data Storage Solutions
- On-Demand Security Controls
- Real-Time Detection of System Tampering
- Rapid Re-Constitution of Services
- Advanced Honeynet Capabilities

11 Cloud Security Challenges - Part 1
- Data dispersal and international privacy laws
  - EU Data Protection Directive and U.S. Safe Harbor program
  - Exposure of data to foreign government and data subpoenas
  - Data retention issues
- Need for isolation management
- Multi-tenancy
- Logging challenges
- Data ownership issues
- Quality of service guarantees

12 Cloud Security Challenges - Part 2
- Dependence on secure hypervisors
- Attraction to hackers (high value target)
- Security of virtual OSs in the cloud
- Possibility for massive outages
- Encryption needs for cloud computing
  - Encrypting access to the cloud resource control interface
  - Encrypting administrative access to OS instances
  - Encrypting access to applications
  - Encrypting application data at rest
- Public cloud vs. internal cloud security
- Lack of public SaaS version control

13 Additional Issues
- Issues with moving PII and sensitive data to the cloud
- Privacy impact assessments
- Using SLAs to obtain cloud security
- Suggested requirements for cloud SLAs
- Issues with cloud forensics
- Contingency planning and disaster recovery for cloud implementations
- Handling compliance: FISMA, HIPAA, SOX, PCI, SAS 70 audits

14 The Why and How of Cloud Migration
- There are many benefits that explain why to migrate to clouds: cost savings, power savings, green savings, increased agility in software deployment
- Cloud security issues may drive and define how we adopt and deploy cloud computing solutions

15 Balancing Threat Exposure and Cost Effectiveness
- Private clouds may have less threat exposure than community clouds, which have less threat exposure than public clouds.
- Massive public clouds may be more cost effective than large community clouds, which may be more cost effective than small private clouds.
- Don't strong security controls mean that I can adopt the most cost effective approach?

16 Cloud Migration and Cloud Security Architectures
- Clouds typically have a single security architecture but have many customers with different demands
- Clouds should attempt to provide configurable security mechanisms
- Organizations have more control over the security architecture of private clouds, followed by community and then public (this doesn't say anything about actual security)
- Higher sensitivity data is likely to be processed on clouds where organizations have control over the security model

17 Putting it Together
- Most clouds will require very strong security controls
- All models of cloud may be used for differing tradeoffs between threat exposure and efficiency
- There is no one cloud. There are many models and architectures. How does one choose?

18 Migration Paths for Cloud Adoption
- Use public clouds
- Develop private clouds
  - Build a private cloud
  - Procure an outsourced private cloud
  - Migrate data centers to be private clouds (fully virtualized)
- Build or procure community clouds
  - Organization wide SaaS, PaaS and IaaS
  - Disaster recovery for private clouds
- Use hybrid-cloud technology
  - Workload portability between clouds

19 What, When, How to Move to the Cloud
- Identify the asset(s) for cloud deployment
  - Data
  - Applications / Functions / Process
- Evaluate the asset
  - Determine how important the data or function is to the org

20 Evaluate the Asset
How would we be harmed if:
- the asset became widely public & widely distributed?
- an employee of our cloud provider accessed the asset?
- the process or function were manipulated by an outsider?
- the process or function failed to provide expected results?
- the info/data was unexpectedly changed?
- the asset were unavailable for a period of time?

21 Map Asset to Models
4 Cloud Models:
- Public
- Private: internal, on premise; or external
- Community
- Hybrid
Which cloud model addresses your security concerns?

22 Map Data Flow
- Map the data flow between your organization, cloud service, customers, other nodes
- Essential to understand whether & HOW data can move in/out of the cloud
- Sketch it for each of the models
- Know your risk tolerance!

23 Cloud Domains
Service contracts should address these 13 domains:
- Architectural Framework
- Governance, Enterprise Risk Mgt
- Legal, e-discovery
- Compliance & Audit
- Information Lifecycle Mgt
- Portability & Interoperability

24 Cloud Domains (continued)
- Security, Business Continuity, Disaster Recovery
- Data Center Operations
- Incident Response Issues
- Application Security
- Encryption & Key Mgt
- Identity & Access Mgt
- Virtualization

25 Security Stack
- IaaS: entire infrastructure from facilities to HW
- PaaS: application, middleware, database, messaging supported by IaaS
- SaaS: self contained operating environment: content, presentation, apps, mgt

26 Security Stack Concerns
- The lower down the stack the cloud vendor provides, the more security issues the consumer has to address or provide
- Who do you trust?

27 Key Takeaways
- SaaS: service levels, security, governance, compliance and liability expectations of the service & provider are contractually defined
- PaaS, IaaS: customer sysadmins manage the same, with the provider handling platform and infrastructure security

28 Security Pitfalls
- How cloud services are provided is confused with where they are provided
- A well demarcated network security border is not fixed
- Cloud computing implies loss of control

29 Overall Security Concerns
- Gracefully lose control while maintaining accountability, even if operational responsibility falls upon 3rd parties
- Provider and user security duties differ greatly between cloud models

30 Key Challenges
- We aren't moving to the cloud... we are reinventing within the cloud
- Confluence of technology and economic innovation
- Disrupting technology and business relationships
- Pressure on traditional organizational boundaries
- Gold Rush mentality, backing into a 20 year platform choice
- Challenges traditional thinking
  - How do we build standards?
  - How do we create architectures?
  - What is the ecosystem required to manage, operate, assess and audit cloud systems?

31 Thinking about Threats
- Technology
  - Unvetted innovations within the S-P-I stack
  - Well known cloud architectures
- Business
  - How cloud dynamism is leveraged by customers/providers, e.g. provisioning, elasticity, load management
- Old threats reinvented: must defend against "the accumulation of all vulnerabilities ever recorded" (Dan Geer-ism)
- Malware in the cloud, for the cloud
- Lots of black box testing

32 Evolving Threats 1/2
- Unprotected APIs / insecure Service Oriented Architecture
- Hypervisor attacks
- L1/L2 attacks (cache scraping)
- Trojaned AMI images
- VMDK / VHD repurposing
- Key scraping
- Infrastructure DDoS

33 Evolving Threats 2/2
- Web application (mgt interface!): XSRF, XSS, SQL Injection
- Data leakage
- Poor account provisioning
- Cloud provider insider abuse
- Financial DDoS ("Click Fraud")

34 Lots of Governance Issues
- Cloud provider going out of business
- Provider not achieving SLAs
- Provider having poor business continuity planning
- Data centers in countries with unfriendly laws
- Proprietary lock-in with technology, data formats
- Mistakes made by internal IT security several orders of magnitude more serious

35 Governance
- Identify and implement process and controls to maintain effective governance, risk mgt, compliance
- Provider security governance should be assessed for sufficiency, maturity, consistency with the user's ITSEC process

36 3rd Party Governance
- Request clear documents on how facility & services are assessed
- Require definition of what the provider considers critical services, info
- Perform full contract and terms of use due diligence to determine roles, accountability

37 Governance & ERM
- A portion of cloud cost savings must be invested into provider scrutiny
- Third party transparency of cloud provider
- Financial viability of cloud provider
- Alignment of key performance indicators
- Increased frequency of 3rd party risk assessments

38 Legal
- Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets
- Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer
- Gain a clear expectation of the cloud provider's response to legal requests for information
- Secondary uses of data
- Cross-border data transfers

39 Electronic Discovery
- Cloud computing challenges the presumption that organizations have control over the data they are legally responsible for
- Cloud providers must assure their information security systems are capable of preserving data as authentic and reliable (metadata, log files, etc.)
- Mutual understanding of roles and responsibilities: litigation hold, discovery searches, expert testimony, etc.

40 e-discovery
- Functional: which functions & services in the Cloud have legal implications for both parties
- Jurisdictional: which governments administer laws and regulations impacting services, stakeholders, data assets
- Contractual: terms & conditions

41 e-discovery
- Both parties must understand each other's roles: litigation hold, discovery searches, expert testimony
- Provider must save primary and secondary (logs) data
- Where is the data stored? Laws for cross border data flows

42 e-discovery
- Plan for unexpected contract termination and orderly return or secure disposal of assets
- You should ensure you retain ownership of your data in its original form

43 Security Audit
- Hard to maintain with your security/regulatory requirements, harder to demonstrate to auditors
- Right to Audit clause
- Analyze compliance scope
- Regulatory impact on data security
- Evidence requirements are met
- Does the provider have SAS 70 Type II, ISO 27001/2 audit statements?

44 Information Management
- Data security (CIA)
- Data location: all copies and backups stored only at locations allowed by contract, SLA and/or regulation
- Compliant storage (EU mandate) for storing e-health records

45 Information Lifecycle Management
- Understand the logical segregation of information and the protective controls implemented
- Understand the privacy restrictions inherent in data entrusted to your company and how they impact the legality of using a cloud provider
- Data retention assurance is easy; data destruction may be very difficult
- Recovering the true cost of a breach: penalties vs. risk transference

46 Portability, Interoperability
When you have to switch cloud providers:
- Contract price increase
- Provider bankruptcy
- Provider service shutdown
- Decrease in service quality
- Business dispute

47 Portability & Interoperability
- Understand and implement layers of abstraction
  - For Software as a Service (SaaS), perform regular data extractions and backups to a usable format
  - For Infrastructure as a Service (IaaS), deploy applications in runtime in a way that is abstracted from the machine image
  - For Platform as a Service (PaaS), careful application development techniques and thoughtful architecture should be followed to minimize potential lock-in for the customer: loose coupling using SOA principles
- Understand who the competitors are to your cloud providers and what their capabilities are to assist in migration
- Advocate open standards

48 Compliance & Audit
- Classify data and systems to understand compliance requirements
- Understand data locations, copies
- Maintain a right to audit on demand
- Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X

49 Traditional, BCM/DR
- Greatest concern is insider threat
- Cloud providers should adopt as a security baseline the most stringent requirements of any customer
- Compartmentalization of job duties and limit knowledge of customers
- Onsite inspections of cloud provider facilities whenever possible
- Inspect cloud provider disaster recovery and business continuity plans
- Identify physical interdependencies in provider infrastructure

50 Security, Business Continuity, Disaster Recovery
- Centralization of data = greater insider threat from within the provider
- Require onsite inspections of provider facilities
- Disaster recovery, business continuity, etc.
- SAS 70 Type II, WebTrust, SysTrust

51 Data Center Operations
How does the provider perform:
- On-demand self service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

52 Data Center Operations
- Compartmentalization of systems, networks, management, provisioning and personnel
- Know the cloud provider's other clients to assess their impact on you
- Understand how resource sharing occurs within your cloud provider to understand the impact during your business fluctuations
- For IaaS and PaaS, the cloud provider's patch management policies and procedures have significant impact
- The cloud provider's technology architecture may use new and unproven methods for failover
- The customer's own BCP plans should address impacts and limitations of cloud computing
- Test the cloud provider's customer service function regularly to determine their level of mastery in supporting the services

53 Incident Response
- Cloud apps aren't always designed with data integrity and security in mind
- Does the provider keep app, firewall, IDS logs?
- Does the provider deliver snapshots of your virtual environment?
- Sensitive data must be encrypted for data breach regulations

54 Incident Response
- Any data classified as private for the purpose of data breach regulations should always be encrypted to reduce the consequences of a breach incident
- Cloud providers need application layer logging frameworks to provide granular narrowing of incidents to a specific customer
- Cloud providers should construct a registry of application owners by application interface (URL, SOA service, etc.)
- Cloud providers and customers need defined collaboration for incident response
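The two provider-side requirements on slide 54 (tenant-attributed application logging and an owner registry keyed by interface) are what let a responder narrow a multi-tenant incident to the customers actually affected. The Go program below is an added example written for this page, not code from the presentation; the key=value log format, the tenant and owner names, the contact addresses and the log lines are all constructed, and the source addresses are taken from the RFC 5737 documentation ranges. Records without a tenant field are rejected and reported rather than dropped, because an unattributed event is itself a finding during an investigation.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Entry is one application-layer log record reduced to the fields an
// incident narrowing needs. Tenant is the attribution the slide calls for.
type Entry struct {
	Tenant, Path, SrcIP string
}

// Owners is the "registry of application owners by application interface",
// keyed by URL path prefix. Constructed for this example; addresses are placeholders.
var Owners = map[string]string{
	"/billing/": "billing-team@example.test",
	"/crm/":     "crm-team@example.test",
	"/admin/":   "platform-ops@example.test",
}

// SampleLog is constructed sample data in an assumed key=value format; source
// addresses come from RFC 5737 ranges. The last line deliberately has no tenant.
const SampleLog = `ts=2011-10-03T14:01:02Z tenant=acme path=/billing/invoices status=200 src=203.0.113.7
ts=2011-10-03T14:01:09Z tenant=acme path=/billing/export status=403 src=203.0.113.7
ts=2011-10-03T14:02:11Z tenant=globex path=/crm/contacts status=200 src=198.51.100.4
ts=2011-10-03T14:02:40Z tenant=acme path=/admin/users status=401 src=203.0.113.7
ts=2011-10-03T14:03:05Z tenant=globex path=/crm/contacts status=200 src=203.0.113.7
ts=2011-10-03T14:03:30Z path=/crm/contacts status=200 src=203.0.113.7`

// parseLine reads the key=value fields; a record without a tenant is an error
// because it cannot be attributed to any customer.
func parseLine(line string) (Entry, error) {
	var e Entry
	for _, kv := range strings.Fields(line) {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return e, fmt.Errorf("malformed field %q", kv)
		}
		switch parts[0] {
		case "tenant": e.Tenant = parts[1]
		case "path": e.Path = parts[1]
		case "src": e.SrcIP = parts[1]
		}
	}
	if e.Tenant == "" {
		return e, errors.New("record has no tenant attribution")
	}
	return e, nil
}

// ParseLog returns attributed entries plus the raw lines it rejected, so
// unattributed events are surfaced to the responder instead of vanishing.
func ParseLog(raw string) (entries []Entry, rejected []string) {
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		if e, err := parseLine(line); err != nil {
			rejected = append(rejected, line)
		} else {
			entries = append(entries, e)
		}
	}
	return entries, rejected
}

// OwnerFor resolves a request path to its owning team by longest-prefix match.
func OwnerFor(path string) (string, bool) {
	best, owner := "", ""
	for prefix, o := range Owners {
		if strings.HasPrefix(path, prefix) && len(prefix) > len(best) {
			best, owner = prefix, o
		}
	}
	return owner, best != ""
}

// Finding is one tenant's slice of an incident: event count from the suspect
// source and the application owners who must be brought into the response.
type Finding struct {
	Tenant string
	Events int
	Owners []string
}

// NarrowIncident groups every event from srcIP by tenant, sorted by tenant name.
func NarrowIncident(entries []Entry, srcIP string) []Finding {
	events := map[string]int{}
	owners := map[string]map[string]bool{}
	for _, e := range entries {
		if e.SrcIP != srcIP {
			continue
		}
		events[e.Tenant]++
		if owners[e.Tenant] == nil {
			owners[e.Tenant] = map[string]bool{}
		}
		if o, ok := OwnerFor(e.Path); ok {
			owners[e.Tenant][o] = true
		}
	}
	var out []Finding
	for tenant, n := range events {
		f := Finding{Tenant: tenant, Events: n}
		for o := range owners[tenant] {
			f.Owners = append(f.Owners, o)
		}
		sort.Strings(f.Owners)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Tenant < out[j].Tenant })
	return out
}

func main() {
	entries, rejected := ParseLog(SampleLog)
	fmt.Printf("%d attributed records, %d rejected for missing tenant\n", len(entries), len(rejected))
	for _, f := range NarrowIncident(entries, "203.0.113.7") {
		fmt.Printf("tenant=%s events=%d notify=%v\n", f.Tenant, f.Events, f.Owners)
	}
}
```

Run as a single file with `go run`; for the constructed sample the source 203.0.113.7 touched two tenants, and only the owners of the interfaces it reached are listed, which is the "granular narrowing" the slide asks for. Anything a provider cannot attribute ends up in the rejected list and should be treated as a logging gap to close, not ignored.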

55 Application Security
- Different trust boundaries for IaaS, PaaS, SaaS
- What is the provider's web application security?
- Secure inter-host communication channel

56 Application Security
- Importance of a secure software development lifecycle is magnified
- IaaS, PaaS and SaaS create differing trust boundaries for the software development lifecycle, which must be accounted for during the development, testing and production deployment of applications
- For IaaS, trusted virtual machine images are needed
- Apply the best practices available to harden DMZ host systems to virtual machines
- Securing inter-host communications must be the rule; there can be no assumption of a secure channel between hosts
- Understand how malicious actors are likely to adapt their attack techniques to cloud platforms

57 Storage
- Understand the storage architecture and abstraction layers to verify that the storage subsystem does not span domain trust boundaries
- Ascertain if knowing the storage geographical location is possible
- Understand the cloud provider's data search capabilities
- Understand the cloud provider's storage retirement processes
- Understand the circumstances under which storage can be seized by a third party or government entity
- Understand how encryption is managed on multi-tenant storage
- Can the cloud provider support long term archiving? Will the data be available several years later?

58 Encryption
- From a risk management perspective, unencrypted data existent in the cloud may be considered lost by the customer
- Application providers who are not controlling backend systems should assure that data is encrypted when being stored on the backend
- Use encryption to separate data holding from data usage
- Segregate the key management from the cloud provider hosting the data, creating a chain of separation
- When stipulating standard encryption in contract language

59 Encryption, Key Management
- Encrypt data in transit, at rest, on backup media
- Secure key store: protect encryption keys
- Ensure encryption is based on industry/government standards - NO proprietary standard
- Limit access to key stores
- Key backup & recoverability - test these procedures
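Slides 58 and 59 describe the "chain of separation": the provider holds encrypted data, the customer (or a key service the provider does not operate) holds the keys, and the encryption is a standard algorithm rather than a proprietary one. The Go program below is an added example written for this page, not code from the presentation, showing that pattern as envelope encryption with the standard library's AES-256-GCM: each stored object gets its own data-encryption key (DEK); the DEK is wrapped under a key-encryption key (KEK) that never leaves the customer side; the provider stores only ciphertext and the wrapped DEK. The record identifier is bound as associated data so a wrapped key cannot be moved from one record to another, and a KEK rotation re-wraps the DEK without re-encrypting the data. Record IDs, key sizes, the `Record` layout and the sample text are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is all the cloud provider ever stores: ciphertext plus the data key
// wrapped under a KEK the provider does not hold. Layout assumed for this example.
type Record struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad=recordID)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext, aad=recordID)
}

// NewKey returns a random 256-bit AES key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// gcmSeal encrypts with AES-GCM and prepends the random nonce to the output.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; any change to key, nonce, ciphertext or aad fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < aead.NonceSize() { return nil, errors.New("sealed blob too short") }
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Encrypt runs on the customer side: fresh DEK per record, DEK wrapped under
// the KEK, and recordID bound as AAD to both layers.
func Encrypt(kek []byte, recordID string, plaintext []byte) (Record, error) {
	dek, err := NewKey()
	if err != nil { return Record{}, err }
	ct, err := gcmSeal(dek, plaintext, []byte(recordID))
	if err != nil { return Record{}, err }
	wrapped, err := gcmSeal(kek, dek, []byte(recordID))
	if err != nil { return Record{}, err }
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK; whoever holds only the Record (the provider) cannot do this.
func Decrypt(kek []byte, recordID string, r Record) ([]byte, error) {
	dek, err := gcmOpen(kek, r.WrappedDEK, []byte(recordID))
	if err != nil { return nil, fmt.Errorf("unwrap DEK: %w", err) }
	return gcmOpen(dek, r.Ciphertext, []byte(recordID))
}

// RotateKEK re-wraps the DEK under a new KEK. The ciphertext is untouched, so
// rotation does not require pulling the data back from the provider.
func RotateKEK(oldKEK, newKEK []byte, recordID string, r Record) (Record, error) {
	dek, err := gcmOpen(oldKEK, r.WrappedDEK, []byte(recordID))
	if err != nil { return Record{}, err }
	wrapped, err := gcmSeal(newKEK, dek, []byte(recordID))
	if err != nil { return Record{}, err }
	return Record{WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}

func main() {
	kek, _ := NewKey()
	rec, _ := Encrypt(kek, "invoice-0001", []byte("constructed sample: account 4711, balance 1200.00"))
	pt, err := Decrypt(kek, "invoice-0001", rec)
	fmt.Printf("customer with KEK: %q err=%v\n", pt, err)
	// The provider holds rec but not kek; a guessed key must fail.
	guess, _ := NewKey()
	_, err = Decrypt(guess, "invoice-0001", rec)
	fmt.Println("provider without KEK:", err)
	newKEK, _ := NewKey()
	rec2, _ := RotateKEK(kek, newKEK, "invoice-0001", rec)
	pt2, err := Decrypt(newKEK, "invoice-0001", rec2)
	fmt.Printf("after KEK rotation: %q err=%v\n", pt2, err)
}
```

The separation the slides ask for is visible in the type signatures: everything the provider stores is in `Record`, and nothing in `Record` is usable without `kek`. In a deployment the KEK would live in a customer-controlled HSM or key service and `Encrypt`/`Decrypt` would run where the data is used, not where it is stored; the slide 59 points about limiting access to the key store and testing key backup and recovery apply to that KEK.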

60 Identity & Access Management
- Must have a robust federated identity management architecture and strategy internal to the organization
- Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
- Validate that the cloud provider either supports strong authentication natively or via delegation, and supports robust password policies that meet and exceed internal policies
- Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary
- Consider implementing Single Sign-on (SSO) for internal applications and leveraging this architecture for cloud applications
- Using cloud-based Identity as a Service providers may be a useful tool for abstracting and managing complexities such as differing versions of SAML, etc.

61 Identity and Access Management
Determine how the provider handles:
- Provisioning, de-provisioning
- Authentication
- Federation
- Authorization, user profile mgt

62 Virtualization
- Virtualized operating systems should be augmented by third party security technology
- The simplicity of invoking new machine instances from a VM platform creates a risk that insecure machine images can be created
- Secure by default configuration needs to be assured by following or exceeding available industry baselines
- Virtualization also contains many security advantages, such as creating isolated environments and better defined memory space, which can minimize application instability and simplify recovery
- Need granular monitoring of traffic crossing VM backplanes
- Provisioning, administrative access and control of virtualized operating systems is crucial

63 Virtualization
- What type of virtualization is used by the provider?
- What 3rd party security technology augments the virtual OS?
- Which controls protect admin interfaces exposed to users?

65 Summary
There are many security implications to consider when utilizing a cloud environment. Keeping your mind open and understanding the issues is essential to protecting your data in the Cloud.

66 Section 2: Planning your Cloud Computing Audit

67 Planning Your Audit
- Defining your audit objectives
  - Boundaries of review (e.g., cloud environment in use or under consideration, types of cloud services, technical boundaries)
  - Identify and document business risk associated with the cloud solution
- Identification of audit resource requirements
  - Requisite knowledge in information governance, IT management, network, data, contingency and encryption controls
  - Proficient in risk assessment, information security components of IT architecture, threats & vulnerabilities and internet-based data processing
  - Knowledge of web services standards such as OASIS and WSS
- Define deliverables and communication (e.g. communication to various stakeholders, nature of deliverables, timing, etc.)

68 Cloud Assurance Framework (diagram)
Cloud governance areas:
- Data Governance
- Right to Audit & Third Party Reviews
- Provider Continuity
- Portability and Interoperability
- SLA Management
- Interface Management
- Legal Compliance & e-discovery
- Contract Terms & Escrow
- Compliance: FISMA, SOX, GLBA, ISO, PCI
- Cloud Strategy & Business Case
- Incident Management
- Dashboard & Reporting
- License Management
- Cloud Provider Management
- Enterprise Risk Management
- Metering and Usage
- Cloud Governance
- Monitoring
- Cloud Architecture
- Functional Implications
- Change Management
- Information Security Collaboration
- Capacity Planning
- Metrics & SLA
- Information Risk Management
Axes of the framework: service models (IaaS, PaaS, SaaS, BPaaS); deployment models (Private, Public, Community, Hybrid); dimensions (Technology, Process, People).

69 Assessing Technical Architecture (diagram)
Each area is assessed on three dimensions: P = People, F = Flow (process), T = Technology, across service models (IaaS, PaaS, SaaS, BPaaS) and deployment models (Private, Public, Community, Hybrid).
- Service Delivery: Application Security; Data Security & Integrity; Identity & Access Management; Virtualization; Provisioning
- Infrastructure Management: Configuration Management; Asset Management; Virtualization; Anti Virus; Patch Management; Release Management
- Infrastructure: Servers; Storage; Network; Power/Cooling

70 #1 Shadow Cloud Practices Will Surface
Audit Focus Areas (the Cloud Assurance Framework diagram from slide 68)

71 #1 Shadow Cloud Practices Will Surface
Risk Area: Governance over Cloud Adoption
Scenario: Unauthorized use of Public Cloud Services is a common problem. Client X was using over 25 different CSPs spanning their ERP, HR, Fixed Assets, CRM, Support, Collaboration, Ticketing System, etc. The majority of these cloud services were procured with the knowledge and approval of IT / Procurement, bypassing procedures put in place by our client to manage and maintain security and data protection.
Audit Considerations:
1. Functional Implications: Has the company established a companywide documented policy for appropriate use of Cloud Computing Services? Has an information management liaison been established to manage an inventory of CSPs and evaluate policies for on/off boarding, including backout policy considerations?
2. Information Security Collaboration: Has an education and awareness program been established to communicate the risks associated with unauthorized use of Public Cloud Services? Has IT performed an assessment on security? Interfaces?

72 #2 Don't just sign on the dotted line
Risk Area: Cloud Provider Contract (Terms/Conditions)
Scenario: Contracts with Cloud Providers often lack key security requirements important to the organization (e.g. security breach, location of data, service termination). This is most prevalent when business users procure services outside of the normal channels in order to get the service up and running quickly.
Audit Considerations:
1. Have all Cloud Services undergone a formal risk assessment as a preliminary step to contract negotiation?
2. Have the following been considered as part of contract negotiations: Confidentiality, Limitation of Liability, Indemnification, Service Termination, Service Level Agreements and Non-Performance Clauses, Software Escrow, Security Incident Procedures, Ownership Changes, Privacy, Jurisdiction, Notification, and Modifications?
3. Is there a process in place to periodically review the commitment of the Cloud Provider throughout the course of the contract?

73 #3 You will need to retain Ownership for Access Roles and Permissions
Audit Focus Areas (the technical architecture diagram from slide 69)

74 #3 You will retain ownership for Roles and Permissions
Risk Area: Identity and Access Management
Scenario: Access control mechanisms for Cloud Providers are typically separate from internal processes and fall outside approved and documented methods to manage access. Client X utilized a CSP and allowed contractors to perform some day-to-day finance functions. As part of their access, the contractors were also able to see quarter-end and year-end information which should have been restricted.
Audit Considerations:
1. Provisioning: Do the current access controls of the Cloud service provider meet existing company requirements for roles and permissions?
2. Identity and Access Management: Has the company determined whether its Access Control Procedures require modification to meet the needs of extending to a Cloud Provider (e.g. IAM Federation)? How have we evaluated the complexities of auditing APIs, Hypervisors, Virtualized environments?

75 #4 Moving to the Cloud Doesn't Mean Farming Out Your IT Management Responsibilities
Audit Focus Areas (the technical architecture diagram from slide 69)

76 #4 Moving to the Cloud Doesn't Mean Farming Out Your IT Management Responsibilities
Risk Area: Cloud Release and Configuration Management
Scenario: Client X adopted a cloud based ERP solution. Change management processes have not been established for changes made to scripts and the 30 customizations they had made to their ERP. In addition, a staging environment containing a mirror of production data was not available to conduct sufficient testing.
Audit Considerations:
1. Configuration management: Has a change management log been established that requires change board approvals?
2. Release management: Have policies for release management been adequately established for the cloud-based ERP solution? Does a change board exist? Has a QA environment that contains sufficient data to conduct scenario testing been procured?
3. SOC Report: Have all user control considerations from the SOC report been fully considered?

77 #5 No One Will Care More About Your Data Than You
Audit Focus Areas (the Cloud Assurance Framework diagram from slide 68)

78 #5 No One Will Care More About Your Data Than You Risk Area Scenario Data/information to be stored in the Cloud should adhere to the guidance provided for information/data protection including the risk of data being targeted by an Advanced Persistent Threat. Client X s legal department had moved case management to a CSP. The data is stored in a multi-tenancy environment. When internal audit requested for assurance over controls, the SAS70 for the data center where the application is hosted was provided. Data Protection and Rights to Audit Audit Considerations 1. Data Protection Security Has a Data Classification scheme to data/information considered for a Cloud Solution? Has the company evaluated the need for a Digital Rights Management (DRM) or Data Loss Prevention (DLP) solution been considered? 2. Have the contracts been reviewed by legal (rights & obligations), internal audit (rights to audit) and IT (service level agreements)? 78

79 #6 - Bad Processes Will Not Become Good Processes By Just Moving To The Cloud Risk Area Scenario Client X moved to a SaaS CRM solution 2 years ago as the company was growing significantly and they realized it was difficult to manage its customer data. Today, the company realizes that retrieval of customer data was a significantly manual process through compilation of spreadsheets given the complexity of customer hierarchy and lack of integration between its ERP. Portability and Interoperability and Data Integrity Audit Considerations 1. Have we considered all our reporting requirements in the context of the company prior to moving to a CSP? What about the data architecture? Data governance and customer data dictionary? 2. Has integration and interfaces with existing systems been fully considered? 79

80 #7 It s like your phone bill. If you don t review your minutes, be prepared to pay the price Risk Area Scenario Invoices provided by Cloud Provider for bursting revenue is in excess of what is truly consumed by the company. In addition, there isn t a process to monitor the monthly consumption of data used to determine if a move to a higher subscription package is required. Metering and Bursting Revenue Audit Considerations 1. Are there processes in place to monitor the data usage and any bursting charges incurred? 2. Has the company evaluated what the appropriate subscription package based on total company consumption of bandwidth? 3. Have we considered requesting an independent assessment on the data provided by the company or its internal controls? 80

81 #8 Everybody wants to be in the cloud. It s not that simple Risk Area Scenario Client X had just completed building a successful SaaS based solution for it s products. To meet the increased high transaction volume from this move, they decided to develop a private IaaS solution. Project Risk and Third Party Management CSP Audit Considerations 1. What was the evaluation undertaken to determine fit in-terms of experience and skill set when selecting an system integrator for a Cloud based solution? (e.g. integrations?, data cleansing?) They had engaged the CSP to help implement the solution and after 6 months, found that while technically strong the CSP did not have the right process knowledge, change management expertise and sufficient understanding of the clients business. 81

82 Summary - Plan for Success Engage in the strategy for moving to the cloud Understand your company s rationale for adopting cloud Review impacted business activities in as is and to be state Assess capabilities of existing personnel to manage transition and to perform roles in new state Treat the move as a process not a project Assess risk and build a plan to manage accordingly 82

83 Closing Comments - Cloud Reporting: What exists today
Cloud customers gather information through inefficient activities, often led by vendor management or procurement functions:
- Provider self-assessments, typically focused on security policies
- Responses to customer-prepared questionnaires
- Service level agreements (SLAs) describing the provider's obligations
- Third-party SAS 70 (now SSAE 16) reports
- Other certifications: PCI, ISO 27002, HIPAA, FISMA, etc.
These sources:
- Do not comprehensively address the service offering and the relevant compliance requirements from the perspective of the customer's needs or expectations
- Are not focused on the cloud provider's unique service offering

84 Closing Comments - Cloud Reporting: Looking forward
No globally recognized framework exists, and may not for the foreseeable future.

AICPA Service Organization Reports, by consideration point:

SOC 1 / SSAE 16 (replacement for SAS 70 as of 6/11)
- AICPA suggested scope: Controls over financial reporting. Used in conjunction with an audit of users' financial statements
- Intended audience: Restricted use
- Content of report: Management's assertion; management's description of the service organization's system; description of controls; opinion on control effectiveness. Report may be Type 1 (design only) or Type 2 (design and operating effectiveness)
- AICPA attestation standard: SSAE 16

SOC 2
- AICPA suggested scope: Controls relevant to compliance or operations, which could include (*) Security, Availability and processing integrity, Confidentiality, Privacy, Data integrity and ownership
- (*) Use of AICPA Trust Principles: Required
- Intended audience: Restricted use
- Content of report: Management's assertion; management's description of the service organization's system; description of controls; opinion on control effectiveness. Report may be Type 1 (design only) or Type 2 (design and operating effectiveness)
- AICPA attestation standard: AT 101, Attest Engagements

SOC 3
- AICPA suggested scope: As for SOC 2
- (*) Use of AICPA Trust Principles: Required
- Intended audience: General use (with public seal)
- Content of report: Management assertion; unaudited system description; opinion on control effectiveness
- AICPA attestation standard: AT 101, Attest Engagements

Custom Attest
- AICPA suggested scope: Management defined. Can include controls relevant and unique to Operations, Billing, Technology Security, Privacy and beyond
- (*) Use of AICPA Trust Principles: Management defined
- Intended audience: Generally restricted use, but may be unrestricted
- Content of report: Management assertion; opinion on control effectiveness
- AICPA attestation standard: AT 101, Attest Engagements

85 Stay Engaged as the Cloud Evolves
Cloud computing is fundamentally changing business across all industries and markets.
Keeping pace with the change and adapting as it evolves is key for all cloud adopters, including IT compliance and audit professionals.
More resources

86 Areas of Expertise
- Security Governance, Strategy and Compliance
- Data Privacy and Protection
- Security Frameworks and Regulatory Compliance
- Security Risk Assessments
- Payment Card Industry (PCI) Strategy and Compliance Readiness
- Secure Network Architecture and Design
- Security Information and Event Management Systems
- Emerging Technologies (i.e. Mobile Devices, Cloud Computing)

Dr. Yonesy F. Nuñez, Manager
Contact Details: Phone:

Background: Yonesy is a Manager in the New York Metro IT Risk and Security Assurance Practice and has 14 years of experience delivering Information Security services. Yonesy has led efforts to create and institute comprehensive information security programs for a variety of industries. He works with various clients to balance security, risk, IT operations, threat-vector landscape, and business objectives to enable efficient business decisions in preparation for and during severe crisis events. He has managed and successfully supported internal audit engagements as they relate to application security, outsourced development, network security, threat and vulnerability assessment, attack and penetration, business impact analyses, incident management, multi-tenancy cloud environment reviews, business continuance and disaster recovery plans, Data Loss Prevention, and IT Risk assessments. He is a nationally respected Speaker and Instructor for Information Security Strategy, Industry Regulations and Compliance, Cloud Computing, Data Encryption, Virtual Computing, and IT Audit. He holds numerous information security, risk, and governance certifications. He has a B.S. in Finance and Computer Information Systems from Manhattan College, an M.S. in Information Systems Engineering from The Polytechnic Institute of NYU, and a Doctorate in Computing, Information Assurance and Security from Pace University.

Relevant Projects and Experience:
Led global efforts in IT Governance, Security and Compliance including:
- Global Data Privacy / Information Security Strategy
- Global SOX ITGC Testing
- Organizational Strategy
- ISO 27001:4 Control Framework
- Technical Remediation
- Application security development / secure coding
- Japan PPI, European Data Directives, Safe Harbor, ITAR
IT Audit: External Audit Support; Security Framework Development; Threat and vulnerability / Attack and Penetration / Application Security; Disaster Recovery / Data Center Reviews; Business Continuity Management
TPA: Cloud Computing; FISMA; Virtualized Environments; Outsourcing Application Development Security; Internet Vulnerability and Attack & Penetration Assessment

Current Certifications:
- CGEIT - Certified in the Governance of Enterprise IT
- CRISC - Certified in Risk and Information Systems Control
- CISM - Certified Information Security Manager
- CISSP - Certified Information Systems Security Professional
- ISSAP - Information Systems Security Architecture Professional
- ISSMP - Information Systems Security Management Professional
- ISSPCS - International Systems Security Professional Certification Scheme
- MCSE: Microsoft Certified Systems Engineer
- MCSA: Microsoft Certified Systems Administrator
- Security+
Subject Matter Expert; Member of ISSA, ISACA, Infragard, and ALPFA


More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

Building Secure Cloud Applications. On the Microsoft Windows Azure platform

Building Secure Cloud Applications. On the Microsoft Windows Azure platform Building Secure Cloud Applications On the Microsoft Windows Azure platform Contents 1 Security and the cloud 3 1.1 General considerations 3 1.2 Questions to ask 3 2 The Windows Azure platform 4 2.1 Inside

More information

Cloud Essentials for Architects using OpenStack

Cloud Essentials for Architects using OpenStack Cloud Essentials for Architects using OpenStack Course Overview Start Date 18th December 2014 Duration 2 Days Location Dublin Course Code SS906 Programme Overview Cloud Computing is gaining increasing

More information

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation

Cloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation Cloud Security Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs peterjopling 2011 IBM Corporation Cloud computing impacts the implementation of security in fundamentally new ways

More information

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.) Organizational risks 1 Lock-in Risk of not being able to migrate easily from one provider to another 2 Loss of Governance Control and influence on the cloud providers, and conflicts between customer hardening

More information

Cloud Service Rollout. Chapter 9

Cloud Service Rollout. Chapter 9 Cloud Service Rollout Chapter 9 Cloud Service Topics Cloud service rollout plans vary depending on the type of cloud service SaaS, PaaS, or IaaS and the vendor. Unit Topics Identifying vendor roles and

More information

Information Technology: This Year s Hot Issue - Cloud Computing

Information Technology: This Year s Hot Issue - Cloud Computing Information Technology: This Year s Hot Issue - Cloud Computing Presented by: Alan Sutin Global IP & Technology Practice Group GREENBERG TRAURIG, LLP ATTORNEYS AT LAW WWW.GTLAW.COM 2011. All rights reserved.

More information

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

SECURITY MODELS FOR CLOUD 2012. Kurtis E. Minder, CISSP

SECURITY MODELS FOR CLOUD 2012. Kurtis E. Minder, CISSP SECURITY MODELS FOR CLOUD 2012 Kurtis E. Minder, CISSP INTRODUCTION Kurtis E. Minder, Technical Sales Professional Companies: Roles: Security Design Engineer Systems Engineer Sales Engineer Salesperson

More information

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? IIA San Francisco Chapter October 11, 2011 Agenda Introductions Cloud computing overview Risks and audit strategies

More information

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise

More information

International Journal of Innovative Technology & Adaptive Management (IJITAM) ISSN: 2347-3622, Volume-1, Issue-5, February 2014

International Journal of Innovative Technology & Adaptive Management (IJITAM) ISSN: 2347-3622, Volume-1, Issue-5, February 2014 An Overview on Cloud Computing Services And Related Threats Bipasha Mallick Assistant Professor, Haldia Institute Of Technology bipasm@gmail.com Abstract. Cloud computing promises to increase the velocity

More information

Study concluded that success rate for penetration from outside threats higher in corporate data centers

Study concluded that success rate for penetration from outside threats higher in corporate data centers Auditing in the cloud Ownership of data Historically, with the company Company responsible to secure data Firewall, infrastructure hardening, database security Auditing Performed on site by inspecting

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

Expert Reference Series of White Papers. Understanding NIST s Cloud Computing Reference Architecture: Part II

Expert Reference Series of White Papers. Understanding NIST s Cloud Computing Reference Architecture: Part II Expert Reference Series of White Papers Understanding NIST s Cloud Computing Reference Architecture: Part II info@globalknowledge.net www.globalknowledge.net Understanding NIST s Cloud Computing Reference

More information

Best Practices for Sourcing Cloud Computing Services

Best Practices for Sourcing Cloud Computing Services Best Practices for Sourcing Cloud Computing Services Marc Lindsey Partner Levine, Blaszak, Block & Boothby, LLP MLindsey@LB3Law.com Disclaimer This presentation is for informational purposes only and does

More information

CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST618 Designing and Implementing Cloud Security CAST

CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST618 Designing and Implementing Cloud Security CAST CENTER FOR ADVANCED SECURITY TRAINING 618 Designing and Implementing Cloud Security About EC-Council Center of Advanced Security Training () The rapidly evolving information security landscape now requires

More information

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information