Assuring the Cloud. Hans Bootsma Deloitte Risk Services hbootsma@deloitte.nl +31 (0)6 1098 0182




Need for Assurance in Cloud Computing

Demand (business driven):
- Fast go to market
- Support innovation
- Lower costs
- Access everywhere
- Increase efficiency

Organization challenges:
- Rules and regulations
- Internal policies
- Integration
- Espionage
- Data leakage
- Data classification

Concerns:
- Compliance: SOX / internal control, Export Controls, Privacy
- Continuity of the provider
- Reputation
- Where is my data?
- Security: Confidentiality, Availability, Integrity
- Lock-In

Outcome: Assurance

Why is there a need for Assurance in Cloud Computing?

Provider terms of service:
- GoGrid: "We are not responsible for use or misuse of data by any third party, including, without limitation, providers of Third Party Products & Services"
- AWS: "We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet"
- Rackspace: "We do not promise that the Services will be uninterrupted, error free, or completely secure. You acknowledge that there are risks inherent in Internet connectivity that could result in the loss of your privacy, confidential information, and property"

Contracts and SLAs are not transparent, and agreements are hard to verify.

Existing standards provide some assurance, but is this enough?
- ISO 2700x: no assurance for operating effectiveness
- ISAE3402/SAS70: not suitable for Cloud Computing; main focus on Internal Control over Financial Reporting
- Other standards have limited acceptance (e.g. Trust Services)

Developments in the area of Cloud assurance

The Cloud Security Alliance (CSA) becomes increasingly important. Key themes:
- Increasing trust in Cloud providers is priority #1
- Transparency and controls lead to trust
- Call for clear SLAs
- Create transparency in service levels (e.g. availability)
- Operating effectiveness of controls needs to be validated by third parties
- Move to continuous monitoring
- Location of data increasingly important, not only for the EU

The American Institute of CPAs (AICPA) launched a new standard: Service Organization Controls 2 (SOC 2)
- Comparable to ISAE3402 but specifically aimed at Security
- Currently reports are issued in the US (e.g. Microsoft)

Cloud Assurance: SOC 1, 2 & 3

SOC2 is based on the Trust Services principles:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants.

How to apply SOC2 in Cloud Computing

| Principle | Infrastructure as a Service | Platform as a Service | Software as a Service |
|---|---|---|---|
| Security | Physical; Logical (internal and external); Resource provisioning/deprovisioning; Infra change management; Incident management | Physical; Logical (incl. platform); Resource provisioning/deprovisioning; Infra/platform change management; Incident management | Physical; Logical (incl. platform); Infra/application change management; Incident management |
| Availability | Resource planning; Resiliency; BCP and Backup | Resource planning; Resiliency; BCP and Backup | Resource planning; Resiliency; BCP and Backup |
| Processing integrity | Environment configuration; Data integrity; SLA monitoring and usage reporting | Environment configuration; Platform functionality; Data integrity; SLA monitoring and usage reporting | Application functionality and operation; Data integrity; SLA monitoring and usage reporting |
| Confidentiality | Tenant due diligence; Deprovisioning of resources | Tenant due diligence; Comingling of data; Data destruction; Commitments | Tenant due diligence; Comingling of data; Data destruction; Commitments |
| Privacy | Not applicable | Generally accepted privacy principles | Generally accepted privacy principles |

New assurance: Continuous monitoring, more frequent reporting

Normally, assurance reports cover a longer period of time and the report is issued once a year, potentially telling an organisation that security measures have not been operating effectively over the last months. There is increased demand for more frequent assurance reporting and for continuous insight into the effectiveness of controls, for example:
- Identity management
- Data separation
- Availability
- ...

Concerns about the location of data are, according to Gartner, one of the main inhibitors for large-scale adoption of cloud computing. In addition:
- Patriot Act and its impact on datacenters in Europe
- Rules & regulations: US Export Regulation (ITAR, EAR, OFAC), Privacy
- National banks (among others the Dutch National Bank): circular on Cloud risk assessments
- Cyber security
- Espionage
- Lock-in and unstable economic environments
- Trust but verify

US companies have similar concerns. Today's allies can be tomorrow's enemy.

New assurance: data location

Response of the Minister of Justice to parliamentary questions about the impact of the Patriot Act on data stored with American providers (translated from Dutch): "Your House has been promised that government data must be stored within the borders of the Netherlands, and that the central government will make use of a closed government cloud (Rijkscloud). To prevent government data (including data about citizens) from being requested by the United States under the Patriot Act, a requirement can be included in the specifications when outsourcing data centres that the supplier is never permitted to provide government data (including data about citizens) to the United States under the Patriot Act. In effect, this means that companies from the United States are excluded from such tenders and contracts."

Patriot Act: "Concern for many of our customers. Not sure what the impact will be under the revised EU privacy rules: the revised EU regulation specifically states that no transfer outside the EU should occur without proper authorization from the EU Protection authorities, even if this is done because of a legal requirement or court order outside the EU. This will cause a lot of friction with legal requirements such as the Patriot Act. I am sure in the next couple of months there will be a lot of debate regarding the wording of the new EU Data protection regulation in this regard."

DNB (translated from Dutch): "For cloud computing, explicit attention must be paid to the risks associated with, among other things, the integrity, confidentiality and availability of data. It must also be transparent at which location the business data is processed and stored."

Assurance: Move to the Cloud responsibly

Assurance instruments, ranging from Basic service to Application/data confidentiality:
- Contract and SLA
- ISO 2700x
- Data location
- ISAE3402/SOC2
- Agreed upon procedures
