INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE
INTRODUCTION
AGENDA
  01. Overview of Cloud Services
  02. Cloud Computing Compliance Framework
  03. Cloud Adoption and Enhancing Compliance Posture in the Cloud
  04. Real-World Experiences: Benefits
  05. Real-World Experiences: Challenges
  06. Q&A
OVERVIEW OF CLOUD SERVICES
CLOUD SERVICE MODELS
  - Software as a Service (SaaS)
  - Platform as a Service (PaaS)
  - Infrastructure as a Service (IaaS)
CLOUD DEPLOYMENT MODELS
  - Public
  - Private
  - Hybrid
  - Community
CLOUD COMPUTING COMPLIANCE FRAMEWORK
COMPLIANCE OVERVIEW
TERMINOLOGY AND CONCEPTS
  - Financial reporting impact (ICOFR: Internal Controls Over Financial Reporting)
  - Control Objectives / Trust Principles / Criteria / Standards / Management System Standards / Annexes / Frameworks
  - Certification / Attestation / Audit / Benchmarking Assessments (Consulting Reports)
  - Type 1 vs. Type 2 for SOC Reports
  - Backward Looking / Point in Time / Forward Looking
  - Accounting Standards: US / International (SSAE / AT vs. ISAE)
  - Shelf Life: generally annual; Annual / 2 Year Cycle / 3 Year Cycle
  - Restricted Use / Restricted Distribution / Unrestricted
UNDERSTANDING COMPLIANCE NEEDS
  Cloud Service Customer:
    - Know customer / contractual requirements
    - Know cloud service provider commitments
  Cloud Service Provider:
    - Know customer / contractual requirements
    - Know market need
GENERAL CONTROL ASSESSMENTS
  - SOC 1
  - SOC 2
  - CSA STAR Program Level 2
  - ISO 27001 / 27017
INDUSTRY SPECIFIC ASSESSMENTS
  Industry                    | Compliance Options
  ----------------------------|-------------------------------
  Healthcare                  | HIPAA / HITECH, HITRUST
  Federal                     | FedRAMP, NIST, FISMA
  Payment Card Transactions   | PCI DSS
  Privacy / PII               | ISO 27018, Privacy Shield
CLOUD ADOPTION AND ENHANCING COMPLIANCE POSTURE IN THE CLOUD
CLOUD OPERATIONAL CONSIDERATIONS
  - Traditional security infrastructure
  - Business continuity / disaster recovery operations
    - Disaster Recovery vs. High Availability
  - Access and identity
    - Nuts and bolts of connecting internal user stores with the external provider / access to internal information by the external provider
CLOUD OPERATIONAL CONSIDERATIONS
  - Incident management
    - Coordination and escalation with the external provider
  - Encryption management (if applicable)
    - Key management and scalable encryption requirements
  - Technical infrastructure
    - Virtualization, connectivity, bandwidth, performance, etc.
UNDERSTANDING RESPONSIBILITY
  - Outsourcing may not extend to compliance
  - Ensure clear SLAs (and continuous monitoring of them)
  - Target comprehensive coverage
  - Anticipate
UNDERSTANDING RESPONSIBILITY - IAAS
  Controls Environment
  Customer:
    - Application usage and user provisioning
    - Application security
    - Database security
    - Operating system configuration
  Provider:
    - Hardware provisioning and management
    - Network management
    - Facilities management
  Stack layers (diagram): Application, Data, Operating System, Hardware, Network, Facility
UNDERSTANDING RESPONSIBILITY - PAAS
  Controls Environment
  Customer:
    - Application usage and user provisioning
    - Application development, deployment and security
    - Database management and security
    (Stack layers: Application, Data)
  Provider:
    - Operating system configuration and provisioning
    - Hardware management
    - Network management
    - Facilities management
    (Stack layers: Operating System, Hardware, Network, Facility)
UNDERSTANDING RESPONSIBILITY - SAAS
  Controls Environment
  Customer:
    - Application usage and user provisioning
  Provider:
    - Application development, management and security
    - Database management and security
    - Operating system configuration
    - Hardware management
    - Network management
    - Facilities management
  Stack layers (diagram): Application, Data, Operating System, Hardware, Network, Facility
CLOUD COMPUTING EXAMPLE RASCI MODEL
  Legend:
    R  Responsible  "The doer"
    A  Accountable  "The buck stops here"
    S  Supported    "The Helper"
    C  Consulted    "In the loop"
    I  Informed     "Notify me"

  BEFORE
  Cloud Provider Infrastructure Layer        | Customer   | Cloud Provider
  -------------------------------------------|------------|---------------
  External Network & Security                | R A S C I  |
  Applications: Configuration & Patching     | R A S C I  |
  Internal Network & Security                | R A S C I  |
  Operating System: Updates & Patching       | R A S C I  |
  Vmware                                     | R A S C I  |
  Computing Hardware - "Bare Metal"          | R A S C I  |

  AFTER
  Cloud Provider Infrastructure Layer        | Customer   | Cloud Provider
  -------------------------------------------|------------|---------------
  External Network & Security                | R A C I    | R A S C I
  Applications: Configuration and Patching   | R A C I    | R A S C I
  Internal Network & Security                | I          | R A S C I
  Operating System: Updates & Patching       | I          | R A S C I
  Vmware                                     | I          | R A S C I
  Computing Hardware - "Bare Metal"          | I          | R A S C I
KNOW WHERE THE DATA IS
  - Customers and providers may have external obligations
  - National / Regional / Local data management requirements
  - Can data be moved without customer consent?
  - Who can view it (subcontractors / offshore)?
  - Safeguarding for discovery
TAKE YOUR TIME
  - Adoption is a process
  - Management commitment
  - Defined goals and stated objectives
  - Involve all interested parties, especially information technology / information security
REAL-WORLD EXPERIENCES: BENEFITS
BENEFITS OF CLOUD COMPUTING
  - Eliminates single points of failure
  - Risk transfer to the cloud service provider
  - Allows for the use of third party expertise
BENEFITS OF CLOUD COMPUTING
  - Time savings (varies by cloud model)
  - Allows the organization to concentrate on core competencies
  - Enhanced availability and continuity
REAL-WORLD EXPERIENCES: CHALLENGES
CHALLENGES OF CLOUD COMPUTING
  - Relinquishing Control: Reduced control of data as more responsibility shifts to third parties.
  - Meeting Regulations: Regulations govern the way data must be protected. The cloud service provider may not be heavily regulated, but its customers may be. As their trusted supplier, a customer's requirements flow down to the cloud service provider, meaning the cloud must have proper controls.
CHALLENGES OF CLOUD COMPUTING
  - Business Interoperability: Today's clouds must be able to communicate with each other and offer data portability.
  - Convenience vs. Security: Using the cloud, we want both convenient access and secure data protection, creating a difficult balancing act.
  - Management Reporting: To meet many of today's regulations, the ability to report where data is and how it is protected is essential.
CHALLENGES OF CLOUD COMPUTING
  - Data Integration and Transfer: We must find a way to transfer data into the cloud that is both safe and cost effective.
  - Due Diligence: Allow for a full assessment of cloud service provider prospects, applicable to the model chosen, and understand the boundaries of responsibility.
Q&A
THANK YOU!