Close-Up on Cloud Security Audit
Douglas W. Barbin
2014 BrightLine CPAs & Associates, Inc. All Rights Reserved
About Me
- Partner at BrightLine
- 17 years of experience in security, assessments, forensics, and product management
- Previously at PwC, Guardent, and VeriSign
- Roles included auditor and auditee
- CPA, CISSP, QSA, ISO 27001 Lead Auditor, & CCSK!
- Participant in CSA, including CCM and CloudAudit
Key Themes
- Auditing a cloud starts with understanding cloud providers
- Controls, not requirements, are where audits and compliance come together
- Organization and preparation are key
- Evidence collection and analysis techniques must be adjusted for the cloud
- Want to audit the cloud? Better use it.
Setting the Stage: Acme Analytics Cloud
- SaaS-based data analytics provider whose customers include financial and health care clients
- Hosted on Amazon Web Services (AWS)
- Clients require SOC 2 with CSA STAR Attestation, PCI, and HIPAA assessments
- ISO and FedRAMP are potential future initiatives
Understanding Cloud: More than *aaS
[Figure: cloud service delivery models. Source: PCI Security Standards Council, Cloud Computing Information Supplement (2013)]
- Auditors must understand the delivery model in depth before showing up on site
Understanding Cloud: The New Architectures
- Dude, Where's My DMZ?
Planning: Scoping
- The architecture review should happen during the sales/SOW process, not at kickoff
- Key elements:
  - Operational locations
  - Use of subservice organizations (e.g. AWS)
  - Roles and responsibilities of subservice organizations
  - Systems inventory and the role of sampling
  - Development model (e.g. DevOps)
Planning: Understanding the Requirements
- Controls assessments vs. management systems
- Requirements (PCI) vs. safeguards (HIPAA) vs. criteria (SOC 2)
- Point-in-time vs. review-period, phases/stages
- CCM and CAIQ can help, but they need support from the CSP
Project Initiation and Evidence Request
- First, identify control activities
- Then, draft specific evidence request lists (ERLs)
Managing Requests
Introducing: AuditSource.com
- Primary goal: replace the spreadsheet!
- Simple front end supported by two leading cloud service providers
- Two-factor authentication
- Double encryption and storage
- Assigns evidence items to persons and also supports super-user roles at clients
Collaboration and Feedback!
- Mission: ERL Item Zero!
Audit Test Considerations for Cloud
- Policies and procedures live on a wiki
- Technical course corrections:
  - Must be able to understand non-traditional firewalls (e.g. AWS Security Groups, which are applied per instance rather than at a network perimeter)
  - Follow the authentication path for access control
  - Understand the use of Puppet and other replication and configuration management tools
  - Understand sources and uses of logging and how to evaluate cloud-based log management
- Last: understand Agile and DevOps, or go home!
Scanning and Penetration Testing Considerations for Cloud Environments
- Authorization by the provider is always required
  - Typical details needed include IP addresses, start and end time, contact, etc.
- Technical considerations:
  - Be mindful of cloud networking devices and load balancers and their potential impact on port scans: a scan aimed at a load balancer sees the load balancer's listeners, not the ports actually open on the instances behind it
  - Many vulnerability scanners leverage the provider's APIs and become configuration scanners, reading firewall rules directly rather than probing for open ports
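The two points above (security groups as the non-traditional firewall, and API-driven scanning that inspects configuration instead of probing ports) come together in a small configuration check. The following is an added example, not code from the presentation or from BrightLine. It evaluates security group ingress rules for world-open access on ports that should not be public. The sample groups are constructed to mimic the shape of the EC2 DescribeSecurityGroups response (the structure boto3's `describe_security_groups()` returns), the group IDs and names are made up, and the allowlist of ports acceptable to expose is an assumption; nothing here calls AWS, so it runs offline.

```python
"""Configuration-scanning check over AWS security group ingress rules.

Added example. Constructed sample data stands in for the output of
ec2.describe_security_groups()["SecurityGroups"]; no API calls are made.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample data (hypothetical group IDs and names) in the shape of
# the EC2 DescribeSecurityGroups response.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d", "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # SSH open to the world: the kind of rule a port scan behind a
            # load balancer would never reveal.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0e5f6a7b", "GroupName": "db-tier",
        "IpPermissions": [
            # Reachable only from the web tier's group: the cloud substitute for a DMZ.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
            # All protocols from an internal /16: broad, but not world-open.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0c9d8e7f", "GroupName": "legacy-admin",
        "IpPermissions": [
            # Every port and protocol open to all of IPv6: the worst case.
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]

# Ports acceptable to expose to the Internet (assumption for this example).
PUBLIC_OK_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    group_id: str
    group_name: str
    protocol: str
    port_range: str
    source: str


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any address on the Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm: dict) -> tuple:
    """(low, high) for a rule; protocol -1 means all ports and all protocols."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])


def _rule_is_risky(perm: dict) -> bool:
    """A rule is risky if any port it admits is outside the public allowlist."""
    low, high = _port_range(perm)
    return any(p not in PUBLIC_OK_PORTS for p in range(low, high + 1))


def world_open_ingress(groups: list) -> List[Finding]:
    """Return one Finding per (rule, CIDR) that is world-open on a non-allowlisted port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # Rules sourced from another security group are not world-open by definition.
            for cidr in sources:
                if _is_world_open(cidr) and _rule_is_risky(perm):
                    low, high = _port_range(perm)
                    findings.append(Finding(group["GroupId"], group["GroupName"],
                                            perm["IpProtocol"], f"{low}-{high}", cidr))
    return findings


if __name__ == "__main__":
    for f in world_open_ingress(SAMPLE_GROUPS):
        print(f"{f.group_id} ({f.group_name}): {f.protocol} {f.port_range} from {f.source}")
```

Against the constructed data the check flags only the SSH rule on the web tier and the all-traffic IPv6 rule on the legacy-admin group; the 443 rule is allowlisted and the database tier is reachable only from another group or an internal range. In a real engagement the same function would be fed the output of `describe_security_groups()` for every region in scope, and the findings become evidence items on the ERL rather than something to re-discover with a port scanner.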
Analysis, Reporting, and Work Paper Management
- Reports are modular in nature and include multiple testing matrices
- Developing a report is collaborative
- Derivative reports require coordination
- Workpapers must be secured and maintained
- So why not use the cloud?
What Can Improve in Cloud Auditing
- More online collaboration for analysis and reporting (working on that)
- More real-time continuous monitoring tools and interfaces
- Automated mechanisms to collect assertions and control types, i.e.
Want to Audit the Cloud? Audit with the Cloud
- BrightLine maintains zero hardware other than laptops
- We use best-of-breed cloud providers and demand the same assurance reports from them
- We also get the same client objections, and we defend against those objections!
Key Success Factors for Cloud Auditing
- Taking the time to learn cloud
- Understanding the architecture and delivery model before boots on the ground
- Altering techniques
- Audit the cloud with the cloud!
WWW.BRIGHTLINE.COM