• On-demand self service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
Data Center Operations
Compartmentalization of systems, networks, management, provisioning and personnel.
Know cloud provider’s other clients to assess their impact on you
Understand how resource sharing occurs within your cloud provider to understand impact during your business fluctuations.
For IaaS and PaaS, the cloud provider’s patch management policies and procedures have significant impact
Cloud provider’s technology architecture may use new and unproven methods for failover. Customer’s own BCP plans should address impacts and limitations of Cloud computing.
Test cloud provider’s customer service function regularly to determine their level of mastery in supporting the services.
Incident Response
- Cloud apps aren’t always designed with data integrity and security in mind
- Does provider keep app, firewall, IDS logs?
- Does provider deliver snapshots of your virtual environment?
- Sensitive data must be encrypted for data breach regulations
Incident Response
Any data classified as private for the purpose of data breach regulations should always be encrypted to reduce the consequences of a breach incident.
Cloud providers need application layer logging frameworks to provide granular narrowing of incidents to a specific customer.
Cloud providers should construct a registry of application owners by application interface (URL, SOA service, etc.).
Cloud providers and customers need defined collaboration for
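The two provider-side requirements above (application-layer logging that can narrow an incident to one customer, and a registry of application owners per interface) are easier to audit against when seen in code. The following is an added example, not part of the original deck and not a PwC tool: it parses a constructed key=value application log in which every record carries a tenant tag, narrows the failure events to one tenant, separately reports the records that carry no tenant tag at all (the attribution gap an auditor should flag), and resolves the affected interfaces to owners through a constructed registry. The log format, the tenant names, the interface paths and the Owners map are all assumptions made for the example.

```go
package main

import (
	"strings"
)

// Constructed sample application-layer log (not from any real system). Each line
// is tagged with the tenant it belongs to; the fifth line is deliberately missing
// that tag to show what an incident responder cannot attribute.
const sampleLog = `ts=2011-06-01T10:00:01Z tenant=acme iface=/api/orders user=jdoe status=200
ts=2011-06-01T10:00:02Z tenant=globex iface=/api/orders user=msmith status=200
ts=2011-06-01T10:00:03Z tenant=acme iface=/api/export user=jdoe status=403
ts=2011-06-01T10:00:04Z tenant=acme iface=/api/export user=jdoe status=403
ts=2011-06-01T10:00:05Z iface=/api/export user=svc status=500
ts=2011-06-01T10:00:06Z tenant=globex iface=/soa/Billing user=bot status=401`

// Event is one parsed application-log record.
type Event struct {
	Tenant, Iface, User, Status string
}

// Owners is the provider's registry of application interface -> owning team
// (constructed; the slide asks for exactly such a registry).
var Owners = map[string]string{
	"/api/orders":  "orders-team",
	"/api/export":  "data-platform-team",
	"/soa/Billing": "billing-team",
}

// ParseLog turns key=value lines into Events; unknown keys are ignored and
// absent keys stay empty rather than failing the whole line.
func ParseLog(log string) []Event {
	var events []Event
	for _, line := range strings.Split(log, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var e Event
		for _, tok := range strings.Fields(line) {
			k, v, ok := strings.Cut(tok, "=")
			if !ok {
				continue
			}
			switch k {
			case "tenant":
				e.Tenant = v
			case "iface":
				e.Iface = v
			case "user":
				e.User = v
			case "status":
				e.Status = v
			}
		}
		events = append(events, e)
	}
	return events
}

// isFailure treats 4xx and 5xx responses as security-relevant for triage.
func isFailure(status string) bool {
	return strings.HasPrefix(status, "4") || strings.HasPrefix(status, "5")
}

// Narrow returns the failure events attributable to one tenant and, separately,
// the failures that carry no tenant tag at all. The second slice is the gap an
// auditor should flag: those events cannot be narrowed to any customer.
func Narrow(events []Event, tenant string) (hits, unattributed []Event) {
	for _, e := range events {
		if !isFailure(e.Status) {
			continue
		}
		switch e.Tenant {
		case tenant:
			hits = append(hits, e)
		case "":
			unattributed = append(unattributed, e)
		}
	}
	return hits, unattributed
}

// OwnersToNotify resolves each affected interface to its owner via the registry,
// marking interfaces nobody has registered so that gap is visible too.
func OwnersToNotify(hits []Event) map[string]string {
	out := map[string]string{}
	for _, e := range hits {
		if owner, ok := Owners[e.Iface]; ok {
			out[e.Iface] = owner
		} else {
			out[e.Iface] = "UNREGISTERED"
		}
	}
	return out
}
```

Calling Narrow(ParseLog(sampleLog), "acme") yields two attributable failures on /api/export (owner data-platform-team) and one 500 that no tenant can be tied to; that untagged record is the kind of evidence an auditor would use to show the provider's logging does not yet meet the "granular narrowing" requirement.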
Application Security
Different trust boundaries for IaaS, PaaS, SaaS
What is the provider’s web application security?
Secure inter-host communication channel
Application Security
The importance of a secure software development lifecycle is magnified. IaaS, PaaS and SaaS create differing trust boundaries for the software development lifecycle, which must be accounted for during the development, testing and production deployment of applications.
For IaaS, need trusted virtual machine images.
Apply best practices available to harden DMZ host systems to virtual machines.
Securing inter-host communications must be the rule; there can be no assumption of a secure channel between hosts.
Understand how malicious actors are likely to adapt their attack techniques to cloud platforms
Storage
Understand the storage architecture and abstraction layers to verify that the storage subsystem does not span domain trust boundaries.
Ascertain if knowing storage geographical location is possible.
Understand the cloud provider’s data search capabilities.
Understand cloud provider storage retirement processes.
Understand circumstances under which storage can be seized by a third party or government entity.
Understand how encryption is managed on multi-tenant storage.
Can the cloud provider support long term archiving, will the data be available several years later?
Encryption
From a risk management perspective, unencrypted data residing in the cloud may be considered “lost” by the customer.
Application providers who are not controlling backend systems should assure that data is encrypted when being stored on the backend.
Use encryption to separate data holding from data usage.
Segregate the key management from the cloud provider hosting the data, creating a chain of separation.
When stipulating standard encryption in contract language
Encryption, Key Management
Encrypt data in transit, at rest and on backup media
Secure key store
• Protect encryption keys
• Ensure encryption is based on industry/government standards.
- NO proprietary standard
• Limit access to key stores
• Key backup & recoverability
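The Encryption and Key Management slides describe a design rather than a product: keep key management separate from the provider that hosts the data, so that a copy of the stored data alone is worthless. The following is an added example written for this page, not code from the deck or from PwC. It uses Go's standard AES-GCM to show envelope encryption: each object is encrypted under its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that lives only in a customer-side KeyStore, and the provider stores nothing but ciphertext plus the wrapped DEK. The KeyStore, Provider and object names are assumptions for the example; a production deployment would back KeyStore with an HSM or KMS outside the provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes returns n cryptographically random bytes; a failure is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// KeyStore stands in for a customer-operated key management service (hypothetical,
// in-memory). The KEK never leaves it; the provider only ever sees wrapped DEKs.
type KeyStore []byte // 32-byte AES-256 key-encryption key

func NewKeyStore() KeyStore { return KeyStore(randBytes(32)) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key, prepends the nonce and authenticates aad.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if nonce, ciphertext or aad were altered.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the only operations the KMS exposes to applications.
func (k KeyStore) WrapDEK(dek []byte) ([]byte, error) {
	return gcmSeal(k, dek, []byte("dek-wrap"))
}
func (k KeyStore) UnwrapDEK(wrapped []byte) ([]byte, error) {
	return gcmOpen(k, wrapped, []byte("dek-wrap"))
}

// StoredObject is everything the provider holds for one object: no plaintext, no KEK.
type StoredObject struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// Provider simulates provider-side object storage, keyed by object name (hypothetical).
type Provider map[string]StoredObject

// Put encrypts data under a fresh per-object DEK, wraps it, and stores only the blobs.
func Put(ks KeyStore, p Provider, name string, data []byte) error {
	dek := randBytes(32)
	ct, err := gcmSeal(dek, data, []byte(name)) // object name as AAD
	if err != nil {
		return err
	}
	wrapped, err := ks.WrapDEK(dek)
	if err != nil {
		return err
	}
	p[name] = StoredObject{Ciphertext: ct, WrappedDEK: wrapped}
	return nil
}

// Get unwraps the DEK through the KMS and decrypts; a KeyStore with another KEK fails.
func Get(ks KeyStore, p Provider, name string) ([]byte, error) {
	obj, ok := p[name]
	if !ok {
		return nil, fmt.Errorf("no such object %q", name)
	}
	dek, err := ks.UnwrapDEK(obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, obj.Ciphertext, []byte(name))
}
```

Using the object name as associated data means a ciphertext copied from one object slot to another will not decrypt, and any single-bit change to the stored blob is rejected; the provider holds nothing that decrypts without a round trip to the customer's KeyStore, which is the separation the contract language should require.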
Identity & Access Management
Must have a robust federated identity management architecture and strategy internal to the organization.
Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
Validate that the cloud provider either supports strong authentication natively or via delegation, and supports robust password policies that meet and exceed internal policies.
Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.
Consider implementing Single Sign-on (SSO) for internal applications, and leveraging this architecture for cloud applications.
Using cloud-based “Identity as a Service” providers may be a useful tool for abstracting and managing complexities such as differing versions of SAML, etc.
Identity and Access Management
Determine how provider handles:
• Provisioning, de-provisioning
• Authentication
• Federation
• Authorization, user profile mgt
Virtualization
Virtualized operating systems should be augmented by third party security technology.
The simplicity of invoking new machine instances from a VM platform creates a risk that insecure machine images can be created. Secure by default configuration needs to be assured by following or exceeding available industry baselines.
Virtualization also contains many security advantages such as creating isolated environments and better defined memory space, which can minimize application instability and simplify recovery.
Need granular monitoring of traffic crossing VM backplanes
Provisioning, administrative access and control of virtualized operating systems is crucial
Virtualization
What type of virtualization is used by the provider?
What 3rd party security technology augments the virtual OS?
Which controls protect admin interfaces exposed to users?
Summary
There are many security implications to consider when utilizing a cloud environment.
Keeping your mind open and understanding the issues is essential to protecting your data in the Cloud.
Section 2
Planning your Cloud Computing Audit
Planning Your Audit
• Defining your audit objectives
• Boundaries of review (e.g., cloud environment in-use or under consideration, types of cloud services, technical boundaries)
• Identify and document business risk associated with cloud solution
• Identification of audit resources requirement
• Requisite knowledge in information governance, IT management, network, data, contingency and encryption controls
• Proficient in risk assessment, information security components of IT architecture, threat & vulnerabilities and internet-based data processing
• Knowledge of web services standards such as OASIS and WSS
• Define deliverables and communication (e.g. communication to various stakeholders, nature of deliverables, timing, etc.)
PwC’s Cloud Assurance Framework
[Framework diagram; the elements shown are:]
Process: Right to Audit & Third Party Reviews; Legal Compliance & e-Discovery; Contract Terms & Escrow; Cloud Provider Management; Enterprise Risk Management; Cloud Strategy & Business; Portability and Interoperability
Technology (Assessing Technical Architecture): Data Security & Integrity; Virtualization; Identity & Access Management; Servers; Storage; Network; Anti Virus; Patch Management; Release Management; Asset Management; Configuration Management; Service Delivery; Infrastructure Management
#1 – ‘Shadow Cloud’ Practices Will Surface
Risk Area: Governance over Cloud Adoption
Scenario:
Unauthorized use of Public Cloud Services is a common problem. Client X was using over 25 different CSPs spanning their ERP, HR, Fixed Assets, CRM, Support, Collaboration, Ticketing System, etc. The majority of these cloud services were procured with the knowledge and approval of IT / Procurement, bypassing procedures put in place by our client to manage and maintain security and data protection.
Audit Considerations:
1. Functional Implications
• Has the company established a companywide documented policy for appropriate use of Cloud Computing Services?
• Has an information management liaison been established to manage an inventory of CSPs and evaluate on/off-boarding policies, including backout policy considerations?
2. Information Security Collaboration
• Has an education and awareness program been established to communicate the risks associated with unauthorized use of Public Cloud Services?
• Has IT performed an assessment on security interfaces?
#2 – Don’t just sign on the dotted line
Risk Area: Cloud Provider Contract (Terms/Conditions)
Scenario:
Contracts with Cloud Providers often lack key security requirements important to the organization (e.g. security breach, location of data, service termination). This is most prevalent when business users procure services outside of the normal channels in order to get the service up and running quickly.
Audit Considerations:
1. Have all Cloud Services undergone a formal risk assessment as a preliminary step to contract negotiation?
2. Have the following been considered as part of contract negotiations: Confidentiality, Limitation of Liability, Indemnification, Service Termination, Service Level Agreements and Non-Performance Clauses, Software Escrow, Security Incident Procedures, Ownership Changes, Privacy, Jurisdiction, Notification, and Modifications?
3. Is there a process in place to periodically review the commitment of the Cloud Provider throughout the course of the contract?
#3 – You will need to retain ownership for access roles and permissions
Risk Area: Identity and Access Management
Scenario:
Access control mechanisms for Cloud Providers are typically separate from internal processes and fall outside approved and documented methods to manage access. Client X utilized a CSP and allowed contractors to perform some day-to-day finance functions. As part of their access, the contractors were also able to see quarter-end and year-end information which should have been restricted.
Audit Considerations:
1. Provisioning
• Do the current access controls of the Cloud service provider meet existing company requirements for roles and permissions?
2. Identity and Access Management
• Has the company determined whether its Access Control Procedures require modification to meet the needs of extending to a Cloud Provider, e.g. IAM Federation?
• How have we evaluated the complexities of auditing APIs, Hypervisors and Virtualized environments?
#4 - Moving to the Cloud Doesn’t Mean Farming Out Your IT Management Responsibilities
Risk Area: Cloud Release and Configuration Management
Scenario:
Client X adopted a cloud based ERP solution. Change management processes have not been established for changes made to scripts and the 30 customizations they had made to their ERP. In addition, a staging environment containing a mirror of production data was not available to conduct sufficient testing.
Audit Considerations:
1. Configuration management
• Has a change management log been established that requires change board approvals?
2. Release management
• Have policies for release management been adequately established for the cloud-based ERP solution? Does a change board exist?
• Has a QA environment that contains sufficient data to conduct scenario testing been procured?
3. SOC Report
• Have all user control considerations from SOC
#5 – No One Will Care More About Your Data Than You
Risk Area: Data Protection and Rights to Audit
Scenario:
Data/information to be stored in the Cloud should adhere to the guidance provided for information/data protection, including the risk of data being targeted by an Advanced Persistent Threat. Client X’s legal department had moved case management to a CSP. The data is stored in a multi-tenancy environment. When internal audit requested assurance over controls, the SAS70 for the data center where the application is hosted was provided.
Audit Considerations:
1. Data Protection Security
• Has a Data Classification scheme been applied to data/information considered for a Cloud Solution? Has the company evaluated the need for a Digital Rights Management (DRM) or Data Loss Prevention (DLP) solution?
2. Have the contracts been reviewed by legal (rights & obligations), internal audit (rights to audit) and IT (service level agreements)?
#6 - Bad Processes Will Not Become Good Processes By Just Moving To The Cloud
Risk Area: Portability and Interoperability and Data Integrity
Scenario:
Client X moved to a SaaS CRM solution 2 years ago as the company was growing significantly and they realized it was difficult to manage its customer data. Today, the company realizes that retrieval of customer data is a significantly manual process through compilation of spreadsheets, given the complexity of the customer hierarchy and the lack of integration with its ERP.
Audit Considerations:
1. Have we considered all our reporting requirements in the context of the company prior to moving to a CSP? What about the data architecture? Data governance and customer data dictionary?
2. Have integration and interfaces with existing systems been fully considered?
#7 – It’s like your phone bill. If you don’t review your minutes, be prepared to pay the price
Risk Area: Metering and Bursting Revenue
Scenario:
Invoices provided by the Cloud Provider for bursting revenue are in excess of what is truly consumed by the company. In addition, there isn’t a process to monitor the monthly consumption of data used to determine if a move to a higher subscription package is required.
Audit Considerations:
1. Are there processes in place to monitor the data usage and any bursting charges incurred?
2. Has the company evaluated what the appropriate subscription package is, based on total company consumption of bandwidth?
3. Have we considered requesting an independent assessment of the data provided by the company or its internal controls?
#8 – Everybody wants to be in the cloud. It’s not that simple…
Risk Area: Project Risk and Third Party Management – CSP
Scenario:
Client X had just completed building a successful SaaS based solution for its products. To meet the increased high transaction volume from this move, they decided to develop a private IaaS solution. They had engaged the CSP to help implement the solution and after 6 months found that, while technically strong, the CSP did not have the right process knowledge, change management expertise and sufficient understanding of the client’s business.
Audit Considerations:
1. What evaluation was undertaken to determine fit in terms of experience and skill set when selecting a system integrator for a Cloud based solution? (e.g. integrations? data cleansing?)
Summary - Plan for Success
Engage in the strategy for moving to the cloud
Understand your company’s rationale for adopting cloud
Review impacted business activities in ‘as is’ and ‘to be’ state
Assess capabilities of existing personnel to manage transition and to perform roles in new state
Treat the move as a “process” not a project
Assess risk and build a plan to manage accordingly
Closing Comments – Cloud Reporting: What exists today
Cloud customers gather information through inefficient activities, often led by vendor management or procurement functions:
• Provider self-assessments, typically focused on security policies
• Responses to customer-prepared questionnaires
• Service level agreements (SLAs) describing the provider’s obligations
• Third-party SAS 70 (now SSAE 16) reports
• Other certifications – PCI, ISO 27002, HIPAA, FISMA, etc.
These do not comprehensively address the service offering and the relevant compliance requirements from the perspective of the customer’s needs or expectations.
Closing Comments – Cloud Reporting: Looking forward
Report types compared: AICPA Service Organization Reports (SOC 1 / SSAE16, the replacement for SAS70 as of 6/11; SOC 2; SOC 3) and Custom Attest.
Consideration Point: AICPA suggested scope
• SOC 1 / SSAE16: Controls over financial reporting. Used in conjunction with an audit of users’ financial statements.
• SOC 2 / SOC 3: Controls relevant to compliance or operations, which could include (*) Security; Availability and processing integrity; Confidentiality; Privacy; Data integrity and ownership. (*) Use of AICPA Trust Principles required.
• Custom Attest: Management defined. Can include controls relevant and unique to Operations.
Consideration Point: Intended Audience
• SOC 1 / SOC 2: Restricted use
• SOC 3: General use (with public seal)
• Custom Attest: Generally restricted use but may be unrestricted
Consideration Point: Content of Report
• SOC 1 / SOC 2: Management’s assertion; management’s description of the service organization’s system; description of controls. Report may be Type 1 (design only) or Type 2 (design and …).
• SOC 3: Management assertion; unaudited system description; PwC opinion of control.
• Custom Attest: Management assertion; PwC opinion on control effectiveness.
No globally recognized framework exists and may not for the foreseeable future.
Stay Engaged as the Cloud Evolves
• Cloud computing is fundamentally changing business across all industries and markets
• Keeping pace with the change and adapting as it evolves is key for all cloud adopters, including IT compliance and audit professionals
More resources
Dr. Yonesy F. Nuñez, Manager
Contact Details:
Phone: 646-471-6531
E-Mail: [email protected]
Background:
Yonesy is a Manager in the New York Metro IT Risk and Security Assurance Practice and has 14 years of experience delivering Information Security services. Yonesy has led efforts to create and institute comprehensive information security programs for a variety of industries. He works with various clients to balance security, risk, IT operations, threat-vector landscape, and business objectives to enable efficient business decisions in preparation of and during severe crisis events. He has managed and successfully supported internal audit engagements as they relate to application security, outsourced development, network security, threat and vulnerability assessment, attack and penetration, business impact analyses, incident management, multi-tenancy cloud environments reviews, business continuance and disaster recovery plans, Data Loss Prevention, and IT Risk assessments. He is a nationally respected Speaker and Instructor for Information Security Strategy, Industry Regulations and Compliance, Cloud Computing, Data Encryption, Virtual Computing, and IT Audit. He holds numerous information security, risk, and governance certifications. He has a B.S. in Finance and Computer Information Systems from Manhattan College, an M.S. in Information Systems Engineering from The Polytechnic Institute of NYU, and a Doctorate in Computing, Information Assurance and Security from Pace University.
Relevant Projects and Experience:
• Led global efforts in IT Governance, Security and Compliance including:
- Global Data Privacy / Information Security Strategy
- Global SOX ITGC Testing
- Organizational Strategy
- ISO 27001:4 Control Framework
- Technical Remediation
- Application security development / secure coding
- Japan PPI, European Data Directives, Safe Harbor, ITAR
• IT Audit
• External Audit Support
• Security Framework Development
• Threat and vulnerability / Attack and Penetration / Application Security
• Disaster Recovery / Data Center Reviews
• Business Continuity Management
• TPA: Cloud Computing
• FISMA
• Virtualized Environments
• Outsourcing Application Development Security
• Internet Vulnerability and Attack & Penetration Assessment
Current Certifications
• CGEIT - Certified in the Governance of Enterprise IT
• CRISC - Certified in Risk and Information Systems Control
• CISM - Certified Information Security Manager
• CISSP - Certified Information Systems Security Professional
• ISSAP - Information Systems Security Architecture Professional
Areas of Expertise
• Security Governance, Strategy and Compliance
• Data Privacy and Protection
• Security Frameworks and Regulatory Compliance
• Security Risk Assessments
• Payment Card Industry (PCI) Strategy and Compliance Readiness
• Secure Network Architecture and Design
• Security Information and Event Management Systems
• Emerging Technologies (i.e. Mobile Devices, Cloud Computing)