Close-Up on Cloud Security Audit


Douglas W. Barbin
2014 BrightLine CPAs & Associates, Inc. All Rights Reserved

About Me
- Partner at BrightLine
- 17 years of experience in security, assessments, forensics, and product management
- Previously at PwC, Guardent, and VeriSign
- Roles have included both auditor and auditee
- CPA, CISSP, QSA, ISO 27001 Lead Auditor, and CCSK
- Participant in the CSA (Cloud Security Alliance), including the CCM (Cloud Controls Matrix) and CloudAudit working groups

Key Themes
- Auditing a cloud starts with understanding cloud providers
- Controls, not requirements, are where audits and compliance come together
- Organization and preparation are key
- Evidence collection and analysis must be adjusted for the cloud
- Want to audit the cloud? Better use it.

Setting the Stage: Acme Analytics Cloud (a hypothetical client)
- SaaS-based data analytics provider with financial services and health care clients
- Hosted at Amazon (AWS)
- Clients require SOC 2 with CSA STAR Attestation, PCI DSS, and HIPAA assessments
- ISO 27001 and FedRAMP are potential future initiatives

Understanding Cloud: More than *aaS
Source: PCI Security Standards Council, Cloud Computing Information Supplement (2013)
Auditors must understand the delivery model in depth before showing up on site.

Understanding Cloud: The New Architectures
Dude, where's my DMZ?

Planning: Scoping
- The architecture review should happen during the sales/SOW process, not at kickoff
- Key elements:
  - Operational locations
  - Use of subservice organizations (e.g. AWS)
  - Roles and responsibilities of the subservice organizations
  - Systems inventory and the role of sampling
  - Development model (e.g. DevOps)

Planning: Understanding the Requirements
- Controls assessments vs. management system assessments
- Requirements (PCI DSS) vs. safeguards (HIPAA) vs. criteria (SOC 2)
- Point-in-time vs. review-period assessments, and phased/staged engagements
- The CSA CCM and CAIQ can help, but they need support from the CSP

Project Initiation and Evidence Request
- First, identify the control activities
- Then draft specific evidence request lists (ERLs)

Managing Requests: Introducing AuditSource.com
- Primary goal: replace the spreadsheet!
- Simple front end, supported by two leading cloud service providers
- Two-factor authentication
- Double encryption of stored evidence
- Assigns evidence items to individuals, and also supports super-user roles at clients


Collaboration and Feedback!
Mission: ERL Item Zero!

Audit Test Considerations for Cloud
- Policies and procedures live on a wiki
- Technical course corrections:
  - Be able to understand non-traditional firewalls (e.g. AWS security groups)
  - Follow the authentication path for access control
  - Understand the use of Puppet and other replication (configuration management) tools
  - Understand the sources and uses of logging, and how to evaluate cloud-based log management
  - Last: understand Agile and DevOps, or go home!

Scanning and Penetration Testing Considerations for Cloud Environments
- Authorization by the provider is always required
  - Typical details needed include IP addresses, start and end time, a contact, etc.
- Technical considerations:
  - Be mindful of cloud networking devices and load balancers and their potential impact on port scans (a scan against a load balancer's address reports the balancer's listeners, not what the instances behind it accept)
  - Many vulnerability scanners leverage the provider's APIs and become configuration scanners
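The two slides above make the point that cloud firewalls such as AWS security groups are reviewed from the provider's API rather than discovered by port scan, and that a scan through a load balancer can hide what the instances actually accept. The following is an added example, not BrightLine's or AWS's code: a small configuration check in Python over the JSON shape that `aws ec2 describe-security-groups` returns. The sample groups, the group IDs and the allow-list of ports that may legitimately be open to the internet are all constructed for the example.

```python
"""Configuration-review check over AWS security group rules.

Added example for the audit test considerations above; not code from
BrightLine or AWS. It reads the JSON that `aws ec2 describe-security-groups`
emits and flags the ingress rules an auditor would want to trace:
  * rules open to the whole internet on ports outside the allow-list, and
  * rules sourced from another security group, which an external port scan
    never reveals.
The security groups below are constructed sample data.
"""
import ipaddress
import json

# Ports a public web tier may expose to 0.0.0.0/0 (assumption for the example;
# an auditor takes the real list from the client's documented architecture).
ALLOWED_PUBLIC_PORTS = frozenset({80, 443})

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0a1b2c3d",
            "GroupName": "web-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
                # SSH left open to the world: the classic finding.
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0d4e5f6a",
            "GroupName": "db-tier",
            "IpPermissions": [
                # Postgres reachable only from members of the web-tier group.
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
                # "-1" means all protocols and ports; here open to all of IPv6.
                {"IpProtocol": "-1",
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                 "UserIdGroupPairs": []},
            ],
        },
    ]
})


def is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_span(perm):
    """(low, high) port range a rule covers; protocol -1 covers everything.

    For ICMP rules FromPort/ToPort hold type and code rather than ports; they
    are passed through unchanged, so ICMP findings read as type/code spans.
    """
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(describe_json, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Return a list of findings, one per rule that needs auditor attention."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            lo, hi = port_span(perm)
            proto = perm.get("IpProtocol", "-1")
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_world_open(cidr):
                    continue
                # A world-open rule passes only if every port it covers is on
                # the allow-list: 443-443 passes, 22-22 and 0-65535 do not.
                if all(p in allowed_ports for p in range(lo, hi + 1)):
                    continue
                findings.append({"group": sg["GroupId"], "kind": "world_open",
                                 "protocol": proto, "ports": f"{lo}-{hi}",
                                 "source": cidr})
            # Rules that admit traffic from another security group are invisible
            # to an external scan; list them so the auditor can trace that
            # group's membership in the instance inventory.
            for pair in perm.get("UserIdGroupPairs", []):
                findings.append({"group": sg["GroupId"], "kind": "group_ref",
                                 "protocol": proto, "ports": f"{lo}-{hi}",
                                 "source": pair["GroupId"]})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['group']} {f['kind']:10} {f['protocol']:4} "
              f"{f['ports']:12} from {f['source']}")
```

Against a real account the input would be the contents of a file written by `aws ec2 describe-security-groups --output json`; the check only covers ingress rules, so egress rules, network ACLs and the listeners configured on load balancers still have to be reviewed separately, which is exactly why the slide treats this as a complement to scanning rather than a replacement for it.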

Analysis, Reporting, and Work Paper Management
- Reports are modular and include multiple testing matrices
- Developing a report is collaborative
- Derivative reports require coordination
- Workpapers must be secured and maintained
- So why not use the cloud?

What Can Improve in Cloud Auditing
- More online collaboration for analysis and reporting (working on that)
- More real-time continuous monitoring tools and interfaces
- Automated mechanisms to collect assertions and control types, i.e.

Want to Audit the Cloud? Audit with the Cloud
- BrightLine maintains zero hardware other than laptops
- We use best-of-breed cloud providers and demand the same assurance reports from them
- We get the same client objections, and we defend against those objections!

Key Success Factors for Cloud Auditing
- Taking the time to learn cloud
- Understanding the architecture and delivery model before boots on the ground
- Altering audit techniques to fit
- Audit the cloud with the cloud!

www.brightline.com