Auditing the Cloud. Paul Engle CISA, CIA

Similar documents
Cloud Computing, SaaS and Outsourcing

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

PCI DSS Compliance and the Cloud

Privacy hacking & Data Theft

SECURITY & PRIVACY DOCUMENTATION

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Choosing a Secure Cloud Service Provider

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Recommendations for Implementing an Information Security Framework for Life Science Organizations

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

Vendor Security Questionnaire

Data Security: Public Contracts and the Cloud

NEXT GENERATION CLOUD SECURITY

ASD CERTIFICATION REPORT

Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014

locuz.com SOC Services

Twilio cloud communications SECURITY

Accelerating the HCLS Industry Through Cloud Computing

Virtustream Cloud and Managed Services Solutions for US State & Local Governments and Education

Cloud First Policy General Directorate of Governance and Operations Version April 2017

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

Study concluded that success rate for penetration from outside threats higher in corporate data centers

Copyright 2011 EMC Corporation. All rights reserved.

Effective Strategies for Managing Cybersecurity Risks

MIS Week 9 Host Hardening

Locking Down the Cloud Security is Not a Myth

Google Cloud & the General Data Protection Regulation (GDPR)

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

Building a Secure and Compliant Cloud Infrastructure. Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc.

Driving Cloud Governance and Avoiding Cloud Chaos

ADIENT VENDOR SECURITY STANDARD

Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government

COMPLIANCE IN THE CLOUD

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

How Credit Unions Are Taking Advantage of the Cloud

Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

SoftLayer Security and Compliance:

Building Trust in the Era of Cloud Computing

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Security Principles for Stratos. Part no. 667/UE/31701/004

Data Security and Privacy Principles IBM Cloud Services

Information Technology General Control Review

Title: Planning AWS Platform Security Assessment?

hcloud Deployment Models

Security and Compliance at Mavenlink

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

ALI-ABA Topical Courses ESI Retention vs. Preservation, Privacy and the Cloud May 2, 2012 Video Webcast

CSA GUIDANCE VERSION 4 S TAT E O F T H E A R T CLOUD SECURITY AND GDPR NOTES. Hing-Yan Lee (Dr.) EVP, APAC, Cloud Security Alliance

HITRUST CSF: One Framework

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

Why the cloud matters?

The Business of Security in the Cloud

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Leveraging the Cloud for Law Enforcement. Richard A. Falkenrath, PhD Principal, The Chertoff Group

Introduction to AWS GoldBase

Security Models for Cloud

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

QuickBooks Online Security White Paper July 2017

The Honest Advantage

Chapter. Securing the Cloud THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

Exploring Emerging Cyber Attest Requirements

IBM Security Intelligence on Cloud

Layer Security White Paper

Watson Developer Cloud Security Overview

Managing SaaS risks for cloud customers

Moving to computing are auditors ready for the security challenges? Albert Otete CPA CISA ISACA Uganda Workshop

Juniper Vendor Security Requirements

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC

Checklist: Credit Union Information Security and Privacy Policies

STAFF SYMPOSIUM SERIES INFORMATION TECHNOLOGY TRACK FACILITATORS

Cloud Computing Lectures. Cloud Security

Mitigating Risks with Cloud Computing Dan Reis

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

IT Attestation in the Cloud Era

GDPR Update and ENISA guidelines

Cloud Customer Architecture for Securing Workloads on Cloud Services

SECURITY PRACTICES OVERVIEW

How to ensure control and security when moving to SaaS/cloud applications

ISACA Cincinnati Chapter March Meeting

Cloud Computing: Is it safe for you and your customers? Alex Hernandez DefenseStorm

WORKSHARE SECURITY OVERVIEW

RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

SOC 3 for Security and Availability

CLOUD COMPUTING WHAT HEALTH CARE INTERNAL AUDITORS NEED TO KNOW GABRIELA MERINO DIRECTOR BUSINESS ADVISORY SERVICES

10 Considerations for a Cloud Procurement. March 2017

Transcription:

Auditing the Cloud Paul Engle CISA, CIA

About the Speaker Paul Engle CISA, CIA o Fifteen years performing internal audit, IT internal audit, and consulting projects o Internal audit clients include ADP, Berwind Corporation, Center for Medicare and Medicaid Services (CMS), American Woodmark, Playtex Products, MothersWork, American Public Education, and Choice Hotels. o Consulting clients include State of Arizona, AARP, HealthSouth, Allen and Shariff, Northwestern Human Services, and Konica-Minolta.

Learning Objectives Provide a framework and approach Discuss areas of highest risk Address your questions Provide an example or two Keep you awake Any others?

Let s make this more interesting!

Who Defined the Term Cloud Computing? Al Gore IBM Jeff Bezos Mell and Grance Bill Gates

Who Defined the Term Cloud Computing? Al Gore IBM Jeff Bezos Mell and Grance Bill Gates

Cloud Computing Definition Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. The NIST 800-145 Definition of Cloud Computing, Peter Mell and Timothy Grance, September 2011

Cloud Computing Definition Cloud computing is a model for enabling: o ubiquitous, o convenient, o on-demand network access to a shared pool of configurable computing resources that: o can be rapidly provisioned and released with: minimal management effort or service provider interaction. This cloud model is composed of: o five essential characteristics, o three service models, and o four deployment models.

5 Essential Characteristics 1.Broad-band access 2.On-demand self-service 3.Resource pooling 4.Rapid elasticity 5.Measured service

Metaphor IT services are delivered using a utility model

3 Service Models 1.SaaS Software as a Service o Salesforce, Google, Workday, Office 365, just about every new application 2.PaaS Platform as a Service o Microsoft Azure, many others 3.IaaS Infrastructure as a Service o Amazon Web Services (AWS), many others

True or False? AWS is the world s largest cloud provider. Their SLA is 99.99% uptime.

And the answer is Amazon Elastic Compute Cloud (EC2) = 99.95% Amazon Virtual Private Cloud (VPC) = 99.95%(?) Amazon Elastic Block Storage (EBS) = 99.95% Amazon Simple Database (Simple DB) = 99.95%(?) Amazon Relational DB Service (RDS) = 99.95%(?) Amazon Redshift = 99.95%(?) (many more) Source: Amazon Web Services

Amazon EC2 SLA Exclusions The Service Commitment does not apply to any unavailability, suspension or termination of Amazon EC2 or Amazon EBS, or any other Amazon EC2 or Amazon EBS performance issues: (i) that result from a suspension described in Section 6.1 of the AWS Agreement; (ii) caused by factors outside of our reasonable control, including any force majeure event or Internet access or related problems beyond the demarcation point of Amazon EC2 or Amazon EBS; (iii) that result from any actions or inactions of you or any third party, including failure to acknowledge a recovery volume; (iv) that result from your equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within our direct control); (v) that result from failures of individual instances or volumes not attributable to Region Unavailability; (vi) that result from any maintenance as provided for pursuant to the AWS Agreement; or (vii) arising from our suspension and termination of your right to use Amazon EC2 or Amazon EBS in accordance with the AWS Agreement (collectively, the Amazon EC2 SLA Exclusions ). If availability is impacted by factors other than those used in our Monthly Uptime Percentage calculation, then we may issue a Service Credit considering such factors at our discretion. Source: Amazon Web Services

4 Deployment Models Public Cloud o AWS, many others Private Cloud o Arizona State Data Center Hybrid Cloud o Public Cloud + Private Cloud Community Cloud

Why am I telling you this? Risk profiles may be very different for each Service and Deployment model Most audits are risk based, so the client s model matters A LOT!

What Does CIA Stand For? Central Intelligence Agency Certified Internal Auditor Confidentiality, Integrity, Availability Culinary Institute of America All of the above

3 Risks 1. Someone will compromise your data (Confidentiality) 2. Someone or somethng will corrupt your data (Integrity) 3. Someone or something will prevent access to your data (Availability)

3 Risks 1. Someone will compromise your data (Confidentiality) 2. Someone or something will corrupt your data (Integrity) 3. Someone or something will prevent access to your data (Availability)

3 Risks 1. Someone will compromise your data (Confidentiality) 2. Someone or something will corrupt your data (Integrity) 3. Someone or something will prevent access to your data (Availability)

Confidentiality Risk Unauthorized or inappropriate disclosure of confidential information Examples opii ofinancial data ogovernment records and communications

Integrity Risk Unauthorized or inappropriate manipulation of information Examples: ofinancial information o Student records o Attendance records

Availability Risk Data and / or services will become unavailable to users Examples: onatural or man-made disasters o Distributed denial of service attacks ocloud service provider fouls up oisp goes down

Everyone s Nightmare

Government Reacts Oh X&%$#!

Cloud Computing Risk Universe People Process Technology

Cloud Risk Domains 1.Governance 2.Operations 3.Data Security and Encryption

Governance Domain Policies, standards and procedures How are providers selected and managed? Who is in charge of security? Who sets SLAs and monitors? How is risk management handled? How is compliance addressed?

Operations Domain How are incident response, notification and remediation addressed? How are services / performance monitored? Virtualization what controls are in place? What happens when the client leaves the provider?

Data Security and Encryption Data in Transit how strong is encryption? How is it managed? Data at Rest how is this implemented and managed? Who s in charge? Key management! Access and Authentication what s the process? DR and Business Continuity Backups who manages? How is it tested?

The Client or the Client s Client SaaS Risk The Client s Data The Client s Provider

The Client or the Client s Client PaaS Risk The Client s Data The Provider s Provider

IaaS Risk The Client The Client s Client The Client s Data

Questions to ask Who are the client s providers? o How do you know? o What controls do they offer? o Who decides / who manages? Who determines what data is stored? Where is the data stored? How is the data protected? o During data entry o During transport o During storage and retrieval o In the event of a disaster o In the event of a breach What happens in case of an incident?

Auditing 101 1. Scoping 2. Risk Assessment 3. Audit Planning 4. Gather evidence 5. Perform testing 6. Analyze results 7. Identify issues 8. Meet with client 9. Finalize results 10. Provide to client 11. Enter client response 12. Publish

Scoping Products, services, organization, risk appetite Supported business processes Service models Deployment models Locations Number, types of users Number, types of providers Types of data Number, types of applications Compliance requirements History Others?

Risk Assessment Data People o Who enters it o Who processes it and how o Who uses it o Who has access, and how is access controlled Process o How is it transported o How is it stored Technology o Reliability o Availability o Confidentiality o Compliance requirements

Audit Planning Identify and select an appropriate controls framework (e.g. CobiT, ISO, NIST, Cloud Security Alliance) Determine areas of highest risk Identify areas of change Identify past issues Decide how deep to dive

Gather Evidence Interview the key players Obtain: o Current policies, standards, and procedures o Equipment, service, provider, application, and data inventories o Network diagrams o Contracts including SLAs for key providers o Service logs o Results of penetration and vulnerability testing o DR and Business Continuity documents o Certificate documentation o SOC reports, ISO or PCI certifications, FedRAMP information

Perform Testing Identify the most important controls mitigating the areas of highest risk Examples: o Governance who can add / terminate providers o Data classification o Change management o Certificate management / Encryption o Disaster recovery and testing o Privacy who determines what PII to collect and where to store it

Analyze Results Compare identified controls to the appropriate framework: o What s there, what s missing, is it important Compare service logs to SLAs o Is the client receiving the appropriate level Compare service logs to policies and standards o Did the client do what they said they were going to do Analyze audit reports and certifications o Are there holes, and are the controls appropriate Review incidents and response

Identify Issues Focus on areas of highest risk Identify the issue and the associated risks Refer to the policy, standard, or control framework Provide realistic recommendations and examples, if appropriate

True or False AWS provides adequate controls for data security

Shared Responsibility Environment Moving IT infrastructure to AWS creates a shared responsibility model between the customer and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, you assume responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS provided security group firewall. You should carefully consider the services you choose as your responsibilities vary depending on the services you use, the integration of those services into your IT environment, and applicable laws and regulations. It is possible for you to enhance security and/or meet more stringent compliance requirements by leveraging technology such as hostbased firewalls, host based intrusion detection/prevention, and encryption. Source: Amazon Web Services: Overview of Security Processes June 2014

True or False Providers offering SOC reports include adequate controls for data security

SOC Reports Report Standard Intent / Usage Report Contents SOC 1 (Type 2) SOC 2 (Type 2) SSAE No. 16 / AT 801 (AICPA) AT 101 (AICPA) SOC 3 AT 101 (AICPA) SOX Financial Reporting Security Availability Processing integrity Confidentiality Privacy (one or more) Description of service organization s system. CPA s opinion on fairness of description, suitability of design and operating effectiveness of controls. Description of CPA s tests of controls and results (Description of system and CPA s tests deleted) Source: AICPA

True or False FedRAMP is a new program designed solely for Federal Agencies

Source: http://cloud.cio.gov/fedramp

True or False PCI DSS 3.0 compliance insures adequate controls for data security

Example: SaaS Audit The Client or the Client s Client The Client s Data The Client s Provider

Example: SaaS Key risks The Client or the Client s Client 1. Governance who controls / manages the provider? 2. Access who may enter / access the application? 3. Availability who monitors performance vs. SLAs?

Example: SaaS Key risks Transport Type of encryption who decides and who monitors? How? Certificates how are they managed? Ports which ports and why? Firewall standard or next-generation? ISP SLAs

Example: SaaS Key risks Data storage and processing 1. Encryption? How strong? 2. Certificates how are they managed? 3. Provider controls 4. Authentication 5. Firewall 6. Anti-virus, penetration and vulnerability testing 7. Verification (SOC-2, FedRAMP, PCI)

Example: SaaS Key risks The Client s Provider 1. Change Management 2. Access / Authorization / Authentication 3. Firewall 4. Anti-virus, penetration and vulnerability testing 5. Verification (SOC-1, FedRAMP, PCI)

References Controls and Assurance in the Cloud: Using CobiT 5 (ISACA) Cloud Computing Management Audit / Assurance Program (ISACA) NIST SP800-144 Guidelines on Security and Privacy in Public Cloud Computing FedRAMP Security Controls Baseline Cloud Security Alliance Cloud Controls Matrix Security Guidance for Critical Areas of Focus in Cloud Computing (CSA) Cloud Computing Benefits, risks and recommendations for information security (ENISA)

Thank You! Paul Engle CISA, CIA paulfengle@outlook.com 443 629 1176

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback