Session 136 Auditing Cloud Computing and Outsourced Operations Monday, May 7, 2012 3:30 PM - 5:00 PM Mike Schiller Director of Sales & Marketing IT, Texas Instruments Co-Author, IT Auditing: Using Controls to Protect Information Assets
SPEAKER BIOGRAPHY Mike Schiller, CISA, is the director of global server, database, and storage infrastructure at Texas Instruments (TI) and is the co-author of IT Auditing: Using Controls to Protect Information Assets (2011, McGraw-Hill). He has more than 15 years of experience in the IT audit field, including as the worldwide IT audit manager at TI and as the IT audit manager at Sabre. He is an active speaker on IT auditing, including conferences such as CACS, InfoSec World, and ASUG, and has been an instructor of IT audit curriculum at Southern Methodist University. Schiller has held numerous IT leadership positions at TI, including as the director of user support, data centers, and asset management and manager of support for TI's web applications and infrastructure.
Agenda The Basics Vendor selection controls Items to include in vendor contracts Data security requirements Operational concerns Legal concerns and regulatory compliance Additional resources
The Basics
The Basics Why outsource IT services? Reduce costs Focus on core competencies
The Basics Two Categories of IT Outsourcing IT Systems and Infrastructure Outsourcing Hiring another company to provide your IT environment e.g. data center, servers, operating systems, applications Two sub-categories: Cloud computing Dedicated hosting IT Service Outsourcing Hiring another company to perform your IT operations functions (people and processes) e.g. help desk, PC support Two sub-categories On-site Off-site (or a hybrid)
The Basics Cloud Computing Definitions Gartner: a style of computing that provides scalable and elastic, IT-enabled capabilities as a service to external customers via Internet technologies. NIST: a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Bottom line: Cloud computing provides IT services over the Internet in such a way that the end user doesn't have to worry about where the data is being stored, where the infrastructure is located, and so on.
The Basics Characteristics of Cloud Computing (NIST) On-Demand Self-Service Broad Network Access Resource Pooling Rapid Elasticity Measured Service
The Basics Cloud Computing Models Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS)
The Basics Software as a Service (SaaS) Access the cloud provider's applications, which are running on a cloud infrastructure. [Figure: layer model for SaaS across four customer companies (Company 1 to Company 4). Dedicated per company: Data. Shared: Application, DBMS, Middleware, OS, Network, Physical. Figure copyright 2011 The McGraw-Hill Companies]
The Basics Platform as a Service (PaaS) Deploy applications you created or acquired onto the provider's cloud infrastructure, using programming languages and tools supported by the cloud provider. [Figure: layer model for PaaS across four customer companies (Company 1 to Company 4). Dedicated per company: Data, Application. Shared: DBMS, Middleware, OS, Network, Physical. Figure copyright 2011 The McGraw-Hill Companies]
The Basics Infrastructure as a Service (IaaS) Deploy and run arbitrary software, which can include operating systems and applications. [Figure: layer model for IaaS across four customer companies (Company 1 to Company 4). Dedicated per company: Data, Application, DBMS, Middleware, OS. Shared: Network, Physical. Figure copyright 2011 The McGraw-Hill Companies]
The Basics Dedicated Hosting Dedicated infrastructure provided by a third party. Examples: co-lo data center, ASP. [Figure: layer model for dedicated hosting across four customer companies (Company 1 to Company 4). Dedicated per company: Data, Application, DBMS, Middleware, OS, Network. Shared: Physical. Figure copyright 2011 The McGraw-Hill Companies]
The Basics IT Systems and Infrastructure Outsourcing Model Comparisons
Layer                  Hosting    IaaS       PaaS       SaaS
Data                   Dedicated  Dedicated  Dedicated  Dedicated
Application            Dedicated  Dedicated  Dedicated  Shared
DBMS                   Dedicated  Dedicated  Shared     Shared
Middleware             Dedicated  Dedicated  Shared     Shared
OS                     Dedicated  Dedicated  Shared     Shared
Network / Servers      Dedicated  Shared     Shared     Shared
Physical Data Center   Shared     Shared     Shared     Shared
Figure copyright 2011 The McGraw-Hill Companies
The Basics IT Service Outsourcing Models On-site Off-site Other Considerations for IT Services Sourcing Supplemental Labor Offshoring
The Basics IT Service Sourcing Models Internal employees only Internal employees plus supplemental labor Outsourced: on-site Outsourced: off-site Outsourced: on-site/off-site mix For each of these models, you can deploy Onshore Offshore Onshore/offshore mix
The Basics SAS 70 Reports Provided a standard by which service organizations (such as those that provide IT services) could demonstrate the effectiveness of their internal controls without having to allow each of their customers to come in and perform their own audit. Focused on internal controls over financial reporting Performed by certified independent service auditor Type 1: Description of and opinion on the design of the service organization's internal controls at a point in time Type 2: Also contains the results of testing regarding whether the controls were operating effectively during the period under review Effectively replaced by SSAE 16 in 2011
The Basics Service Organization Control (SOC) Reports SOC 1 essentially replaces SAS 70 reports (focuses on financial controls), complete with Type 1 and Type 2 reports. Performed under SSAE 16 guidance. SOC 2 for non-financial controls; restricted use, for use between auditors of a service provider and their clients. Can be Type 1 or Type 2. SOC 3 for non-financial controls; general use, can be used by service provider to provide assurance to potential clients and for marketing purposes. SOC 2 and 3 use predefined control criteria related to security, availability, processing integrity, confidentiality, and privacy of a system and its information
Test Steps
Test Steps Categories: Preliminary Vendor Selection and Contracts Data Security Operations Legal Concerns and Regulatory Compliance Catch-all
Preliminary
Preliminary Test Steps 1. Request and review independent assessments (e.g. SOC reports, ISO 27001, web security certifications) Reduces your need to audit (and may in fact be all you're allowed to access) Include subcontracted functions (e.g. SaaS vendor using a co-lo data center) Review scope of assessment Identify gaps between your control objectives and those covered by assessment Review results and remediation plans Validate qualifications of certifying company Validate relevance of time period covered by assessment If assessments don't exist, attempt to perform your own Depends on the rights, influence, and relationship you have with your supplier (contract is key) This step is most applicable to cloud computing, dedicated hosting, and offsite service outsourcing
Vendor Selection and Contracts
Vendor Selection and Contracts Test Steps 1. Review contracts Your only true fallback mechanism Ensure they identify all pertinent deliverables, requirements, and responsibilities Early involvement is key here This step is applicable to all forms of outsourcing
Vendor Selection and Contracts Test Steps 1. Review contracts (continued): Key elements SLAs Availability, performance, support coverage, MTTR, other key performance indicators SLAs for security Encryption, access to your data, data retention and destruction, security training and background checks, business continuity, support for investigations, control frameworks Compliance / third-party assessments SAS 70, HIPAA, PCI Penalties for non-performance / conditions for terminating Right to audit clause Subcontracting relationships Right of denial Access to subcontractor's SAS 70 NDAs Evidence of procurement and legal involvement Anything else you care about!
Vendor Selection and Contracts Test Steps 2. Review the vendor selection process Key elements: Competitive bidding Predefined criteria Vendor financial stability Vendor experience and technical support capabilities Involvement Procurement, operations, legal Cost analysis (TCO) Startup activities Hardware and related power, cooling and maintenance Software and maintenance Storage Support (labor) Early involvement is key here This step is applicable to all forms of outsourcing
Data Security
Data Security Test Steps 1. Determine how your data is segregated from other customers Protection from other customers Protection from collateral damage (breaches and viruses) Controls depend on type of technology and outsourcing Segmented networks (dedicated hosting) Segregated databases (SaaS) This step is most applicable to cloud computing and dedicated hosting
Data Security Test Steps 2. Evaluate usage of encryption Reduces risk of a breach impacting confidentiality or integrity of your data Review encryption in transit (e.g. SSL) and at rest Specify algorithm and key length in contract Determine how key management is performed Ideally performed either by your company or by a separate vendor (providing SOD) This step is most applicable to cloud computing, dedicated hosting, and offsite service outsourcing
Data Security Test Steps 3. Determine how vendor employee access to your systems and data is controlled Approval process Minimum necessary access SOD Processes for hiring and screening employees Security training Third-party relationships and interfaces This step is most applicable to cloud computing, dedicated hosting, and offsite service outsourcing
Data Security Test Steps 4. Evaluate processes for controlling non-employee logical access to your internal network and internal systems Policies for approval and sponsorship Communication of company policies Removal of access upon termination This step is most applicable to onsite and offsite service outsourcing plus supplemental labor
Data Security Test Steps 5. Ensure that data stored at vendor locations is being protected in accordance with your internal policies No matter where you store your data, it is still subject to your internal policies and you still have responsibility for its protection Ensure compliance with your data classification policy Encryption helps here This step is most applicable to cloud computing and dedicated hosting
Data Security Test Steps 6. Review controls to prevent, detect, and react to attacks Intrusion Detection Intrusion Prevention Incident Response Discovering and Remediating Vulnerabilities Logging Patching Protection from Viruses and Other Malware This step is most applicable to cloud computing, dedicated hosting, and possibly offsite service outsourcing
Data Security Test Steps 7. Determine how identity management is performed Users can end up with accounts with multiple cloud providers, each requiring a unique ID and password Déjà vu Leads to poor governance Risk of account sharing, inconsistent password controls, poor account cleanup, employees with unnecessary access Look for usage of federated identity management Your vendor trusts your assertion that your user has been properly authenticated. Allows you to use your enterprise ID and provides benefits of centralized identity management Allows you to avoid storing user credentials with vendor If used, ensure your internal credential data isn't made directly available to the vendor and is encrypted If not used, review the identity management controls over your outsourced systems to ensure they meet your policy requirements This step is most applicable to cloud computing, particularly SaaS, and dedicated hosting, particularly of purchased applications.
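The federated flow described in this step, as an added example that is not part of the presentation or the book it is drawn from: the enterprise identity provider (IdP) checks the password against its own directory and issues a short-lived signed assertion; the cloud vendor (service provider) accepts the user only after verifying the signature, the audience and the expiry, and never receives the password itself. The user names, passwords, signing key, audience string and the assertion format are all constructed for illustration; an HMAC stands in for the asymmetric signature that SAML or OpenID Connect would use, where the vendor would hold only the IdP's public key.

```python
# Added example (not from the presentation): a minimal federated-identity
# exchange. The enterprise IdP authenticates locally and signs an assertion;
# the vendor trusts the assertion, not the credential. Everything below is
# constructed sample data; real deployments use SAML or OIDC with asymmetric keys.
import base64
import hashlib
import hmac
import json
import time

# Constructed: signing key shared with the vendor (asymmetric in real SAML/OIDC)
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
# Constructed: the audience value the vendor expects in every assertion it accepts
SERVICE_AUDIENCE = "saas-vendor.example"

# Constructed enterprise directory. Salted SHA-256 keeps the sample
# self-contained; a real directory would use a slow password hash.
_SALT = b"constructed-salt"

def _pw_hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()

ENTERPRISE_DIRECTORY = {"alice": _pw_hash("correct horse", _SALT)}

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body):
    return _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def idp_authenticate_and_assert(user, password, audience, now=None, ttl=300):
    """Enterprise IdP: verify the credential locally, then issue a signed,
    time-limited assertion for one audience. The password never leaves here.
    Returns the assertion string, or None when authentication fails."""
    now = time.time() if now is None else now
    expected = ENTERPRISE_DIRECTORY.get(user)
    if expected is None or not hmac.compare_digest(expected, _pw_hash(password, _SALT)):
        return None
    claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body)

def vendor_verify_assertion(token, now=None):
    """Cloud vendor: accept the IdP's assertion only if the signature is valid,
    it is addressed to this service, and it has not expired.
    Returns the authenticated subject, or None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None          # tampered or forged assertion
    claims = json.loads(_unb64(body))
    if claims.get("aud") != SERVICE_AUDIENCE:
        return None          # assertion issued for a different vendor
    if now >= claims.get("exp", 0):
        return None          # replay of an expired assertion
    return claims["sub"]

if __name__ == "__main__":
    token = idp_authenticate_and_assert("alice", "correct horse", SERVICE_AUDIENCE)
    print("vendor sees subject:", vendor_verify_assertion(token))
```

The point for the auditor is visible in the two functions: the vendor-side code has no access to ENTERPRISE_DIRECTORY, so the control "your internal credential data isn't made directly available to the vendor" is structural rather than procedural, and the audience and expiry checks are the places to look when reviewing whether an assertion issued for one service could be reused at another.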
Data Security Test Steps 8. Review data retention and destruction practices Should comply with internal policy Look for requirements regarding How long data should be active When and how long data should be archived When data should be destroyed Review evidence that lifecycle requirements have been implemented Concentrate especially on evidence that your vendor has destroyed data per your requirements This step is most applicable to cloud computing, dedicated hosting, and offsite service outsourcing (if the supplier is storing your data)
Data Security Test Steps 9. Review and evaluate the vendor's physical security Physical access can override logical access controls Review controls such as Badge readers and/or biometric scanners Security cameras Security guards Fences Lighting Locks and sensors Processes for granting physical access This step is most applicable to cloud computing, dedicated hosting, and offsite service outsourcing
Operations
Operations Test Steps 1. Evaluate processes for monitoring the quality of outsourced operations Determine how compliance with SLAs and other contractual requirements is monitored Availability Performance Vendor response time to support requests Issue resolution time Security and compliance requirements Other key metrics and performance indicators If you don't monitor, you won't know if the vendor is delivering per your contract Review metrics, slides from operations reviews, corrective action plans This step is applicable to all forms of outsourcing
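The monitoring this step asks about, as an added example that is not part of the presentation: a month of constructed vendor metrics (outage minutes and support tickets) is checked against hypothetical contract thresholds for availability, MTTR, and response and resolution times by severity, and every missed term is reported as a finding. The threshold values, the ticket records and the severity names are all constructed; an auditor would substitute the figures from the actual contract and the vendor's reports.

```python
# Added example (not from the presentation): evaluating vendor metrics
# against SLA thresholds taken from a (hypothetical) contract.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Ticket:
    ticket_id: str
    severity: str       # "P1" or "P2" in this constructed sample
    response_min: int   # minutes until the vendor first responded
    resolve_min: int    # minutes until the ticket was resolved

# Constructed contract terms (hypothetical values, not from any real contract)
SLA = {
    "availability_pct": 99.9,                  # minimum monthly availability
    "max_mttr_min": 180,                       # mean time to restore per outage
    "response_min": {"P1": 15, "P2": 60},      # first response by severity
    "resolve_min": {"P1": 240, "P2": 1440},    # resolution by severity
    "ticket_compliance_pct": 95.0,             # share of tickets meeting both
}

# Constructed monthly data as a vendor report might present it
SAMPLE_MINUTES_IN_MONTH = 30 * 24 * 60          # 43200
SAMPLE_OUTAGE_MINUTES = [12, 35, 8]              # three outages this month
SAMPLE_TICKETS = [
    Ticket("T-1", "P1", 10, 90),
    Ticket("T-2", "P1", 25, 300),    # late response and late resolution
    Ticket("T-3", "P2", 45, 600),
    Ticket("T-4", "P2", 30, 2000),   # late resolution
    Ticket("T-5", "P2", 5, 100),
]

def availability_pct(minutes_in_period: int, outage_minutes: List[int]) -> float:
    return 100.0 * (minutes_in_period - sum(outage_minutes)) / minutes_in_period

def mttr_min(outage_minutes: List[int]) -> float:
    return sum(outage_minutes) / len(outage_minutes) if outage_minutes else 0.0

def ticket_compliance_pct(tickets: List[Ticket], sla: Dict) -> float:
    """Share of tickets that met both the response and resolution target
    for their severity."""
    if not tickets:
        return 100.0
    met = sum(
        1 for t in tickets
        if t.response_min <= sla["response_min"][t.severity]
        and t.resolve_min <= sla["resolve_min"][t.severity]
    )
    return 100.0 * met / len(tickets)

def evaluate(sla: Dict, minutes_in_period: int, outage_minutes: List[int],
             tickets: List[Ticket]) -> Tuple[Dict[str, float], List[Dict]]:
    """Return (metrics, findings). Each finding names the contract term the
    vendor missed, the contractual value, and the observed value."""
    metrics = {
        "availability_pct": availability_pct(minutes_in_period, outage_minutes),
        "mttr_min": mttr_min(outage_minutes),
        "ticket_compliance_pct": ticket_compliance_pct(tickets, sla),
    }
    findings = []
    # Terms with a minimum acceptable value
    for term in ("availability_pct", "ticket_compliance_pct"):
        if metrics[term] < sla[term]:
            findings.append({"term": term, "contract": sla[term], "actual": metrics[term]})
    # Terms with a maximum acceptable value
    if metrics["mttr_min"] > sla["max_mttr_min"]:
        findings.append({"term": "mttr_min", "contract": sla["max_mttr_min"],
                         "actual": metrics["mttr_min"]})
    return metrics, findings

def run_sample() -> Tuple[Dict[str, float], List[Dict]]:
    return evaluate(SLA, SAMPLE_MINUTES_IN_MONTH, SAMPLE_OUTAGE_MINUTES, SAMPLE_TICKETS)

if __name__ == "__main__":
    metrics, findings = run_sample()
    for name, value in metrics.items():
        print(f"{name}: {value:.2f}")
    for f in findings:
        print(f"FINDING {f['term']}: contract {f['contract']}, actual {f['actual']:.2f}")
```

On the constructed data the vendor misses the availability floor (55 outage minutes in a 30-day month is about 99.87%) and the ticket-compliance floor (3 of 5 tickets met both targets), while MTTR is within limits; the findings list is what feeds the operations review and the corrective action plan the slide asks you to look for.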
Operations Test Steps 2. Ensure adequate disaster recovery processes are in place Two angles to review: The vendor's disaster recovery procedures Expect your vendor to follow sound DR practices (offsite backups, documented recovery procedures, periodic testing, HW redundancy, etc.) Documented procedures for how your company would recover in the event of a disaster at your vendor Notification and escalation procedures Hand-offs between you and vendor during recovery Manual workarounds while waiting for recovery Contingency plans if the vendor can't recover for extended period (or ever) This step is most applicable to cloud computing, dedicated hosting, and offsite service outsourcing
Operations Test Steps 3. Review governance over engagement of new cloud services Cloud computing makes it easy to outsource without engaging with IT, legal, procurement, etc. Potential to bypass all of the governance processes normally in place to ensure proper security of company data, interoperability of systems, appropriate support capabilities Review policies, awareness, and enforcement practices This step is most applicable to cloud computing
Operations Test Steps 4. Review plans to be used in the event of termination of the outsourcing relationship Should address expected or unexpected termination Avoid vendor lock-in Retain leverage to influence price and service quality Portability of systems and data is key Documented plan for bringing function in-house (or moving to another vendor) Identification of alternate vendors Interim contingency plans for keeping the business running Return of your data and assets Data delivered periodically in predefined format Code in escrow This step is applicable to all forms of outsourcing
Operations Test Steps 5. Review the vendor's processes for ensuring quality of staff and minimizing the impact of turnover Documented job descriptions and minimum qualifications for each position Employee screening process / background checks Turnover protection pipeline and cross-training Processes to maintain employee skills (training programs) Attendance monitoring If offshore: Language training Hand-off / status meetings Extra emphasis on attendance monitoring Local employee for monitoring and oversight This step is most applicable to IT service outsourcing (onsite and offsite)
Legal Concerns and Regulatory Compliance
Legal and Regulatory Test Steps 1. Review your ability to obtain data needed to support investigations May be needed for e-discovery or internal investigations You're legally responsible for your information, regardless of where it's stored Review the contract for Log requirements Requirements for response time to requests Defined responsibilities (who is responsible for conducting searches, freezing data, providing expert testimony) This step is most applicable to cloud computing
Legal and Regulatory Test Steps 2. Review requirements for security breach notifications Definition of what constitutes a breach When and how you should be notified by vendor Clearly defined internal processes when notified of breach Contractual penalties for costs incurred This step is most applicable to cloud computing and dedicated hosting
Legal and Regulatory Test Steps 3. Determine how compliance with applicable privacy laws and other regulations is ensured You are responsible no matter where your data is stored Contractual requirements for compliance with PCI, HIPAA, etc. and for external certification of compliance Internal process for obtaining reports, reviewing results, and tracking issues Contractual language specifying who is liable in the event of noncompliance This step is most applicable to cloud computing and dedicated hosting
Legal and Regulatory Test Steps 4. Review processes for ensuring software license compliance Consider software hosted offsite or used by non-employees Inventory of entitlements and deployments Process for investigating and addressing discrepancies This step is applicable to all forms of outsourcing
Catch-all
Catch-all Test Steps 1. Perform audit steps from normal internal audits as applicable The risks present for an insourced function are also present for an outsourced function Examples: Data center physical security and environmental controls Application controls (access controls, change controls, data input controls) Operating system security Database security Pick your battles You won't have the same level of access as you would for an internal system Depends on the rights, influence, and relationship you have with your supplier (contract is key) This step is applicable to all forms of outsourcing
Resources
Resources The National Institute of Standards and Technology (NIST) http://csrc.nist.gov/groups/sns/cloud-computing/ Definitions and standards related to cloud computing Guidance for secure usage. The Cloud Security Alliance (CSA) www.cloudsecurityalliance.org Promotes best practices for security with cloud computing ISACA http://isaca.org/ White paper on cloud computing security The cloud security blog http://cloudsecurity.org/ IT Auditing: Using Controls to Protect Information Assets, Second Edition by Chris Davis and Mike Schiller
Thank you!
Collaborate Contribute Connect www.isaca.org/knowledge-center The Knowledge Center is a collection of resources and online communities that connect ISACA members globally, across industries and by professional focus - under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!