Central Jersey IIA Cloud Computing: The Basics and Beyond Protecting Data in the Cloud

Academic year: 2021


(1)

Central Jersey IIA Cloud Computing: The Basics and Beyond

Protecting Data in the Cloud

Dr. Yonesy F. Nuñez, CISSP, CISM, ISSAP, ISSMP, CRISC, CGEIT, MCSE, ISSPCS

(2)

General Security Advantages

Shifting public data to an external cloud reduces the exposure of the internal sensitive data

Cloud homogeneity makes security auditing/testing simpler

Clouds enable automated security management

(3)

Security Relevant Cloud Components

Cloud Provisioning Services

Cloud Data Storage Services

Cloud Processing Infrastructure

Cloud Support Services

Cloud Network and Perimeter Security

Elastic Elements: Storage, Processing, and Virtual Networks

(4)

Provisioning Service

Advantages

• Rapid reconstitution of services

• Enables availability

- Provision in multiple data centers / multiple instances

• Advanced honey net capabilities

Challenges

(5)

Data Storage Services

Advantages

• Data fragmentation and dispersal

• Automated replication

• Provision of data zones (e.g., by country)

• Encryption at rest and in transit

• Automated data retention

Challenges

• Isolation management / data multi-tenancy

• Storage controller

(6)

Cloud Processing Infrastructure

Advantages

• Ability to secure masters and push out secure images

Challenges

• Application multi-tenancy

• Reliance on hypervisors

(7)

Cloud Support Services

Advantages

• On demand security controls (e.g., authentication, logging, firewalls…)

Challenges

• Additional risk when integrated with customer applications

• Needs certification and accreditation as a separate application

(8)

Cloud Network and Perimeter Security

Advantages

• Distributed denial of service protection

• VLAN capabilities

• Perimeter security (IDS, firewall, authentication)

Challenges

(9)

Cloud Security Advantages Part 1

Data Fragmentation and Dispersal

Dedicated Security Team

Greater Investment in Security Infrastructure

Fault Tolerance and Reliability

Greater Resiliency

Hypervisor Protection Against Network Attacks

Possible Reduction of C&A Activities (Access to

(10)

Simplification of Compliance Analysis

Data Held by Unbiased Party (cloud vendor assertion)

Low-Cost Disaster Recovery and Data Storage Solutions

On-Demand Security Controls

Real-Time Detection of System Tampering

Rapid Re-Constitution of Services

Cloud Security Advantages Part 2

(11)

Cloud Security Challenges Part 1

Data dispersal and international privacy laws

• EU Data Protection Directive and U.S. Safe Harbor program

• Exposure of data to foreign government and data subpoenas

• Data retention issues

Need for isolation management

Multi-tenancy

Logging challenges

(12)

Cloud Security Challenges Part 2

Dependence on secure hypervisors

Attraction to hackers (high value target)

Security of virtual OSs in the cloud

Possibility for massive outages

Encryption needs for cloud computing

• Encrypting access to the cloud resource control interface

• Encrypting administrative access to OS instances

• Encrypting access to applications

(13)

Additional Issues

Issues with moving PII and sensitive data to the cloud

• Privacy impact assessments

Using SLAs to obtain cloud security

• Suggested requirements for cloud SLAs

• Issues with cloud forensics

Contingency planning and disaster recovery for cloud implementations

Handling compliance

• FISMA

• HIPAA

(14)

The ‘Why’ and ‘How’ of Cloud Migration

There are many benefits that explain why organizations migrate to clouds

• Cost savings, power savings, green savings, increased agility in software deployment

Cloud security issues may drive and define how we adopt and deploy cloud computing solutions

(15)

Balancing Threat Exposure and Cost Effectiveness

Private clouds may have less threat exposure than community clouds, which have less threat exposure than public clouds.

Massive public clouds may be more cost effective than large community clouds, which may be more cost effective than small private clouds.

(16)

Cloud Migration and Cloud Security Architectures

Clouds typically have a single security architecture but have many customers with different demands

• Clouds should attempt to provide configurable security mechanisms

Organizations have more control over the security architecture of private clouds, followed by community and then public

(17)

Putting it Together

Most clouds will require very strong security controls

All models of cloud may be used for differing tradeoffs between threat exposure and efficiency

There is no one “cloud”. There are many models and architectures.

(18)

Migration Paths for Cloud Adoption

Use public clouds

Develop private clouds

• Build a private cloud

• Procure an outsourced private cloud

• Migrate data centers to be private clouds (fully virtualized)

Build or procure community clouds

• Organization wide SaaS

• PaaS and IaaS

(19)

What, When, How to Move to the Cloud

Identify the asset(s) for cloud deployment

• Data

• Applications/Functions/Process

Evaluate the asset

• Determine how important the data or function is to the org

(20)

Evaluate the Asset

How would we be harmed if

◦ the asset became widely public and widely distributed?

◦ an employee of our cloud provider accessed the asset?

◦ the process or function were manipulated by an outsider?

◦ the process or function failed to provide expected results?

(21)

Map Asset to Models

4 Cloud Models

• Public

• Private, internal, on premise

• Private, external

• Community

• Hybrid

Which cloud model addresses your security concerns?

(22)

Map Data Flow

Map the data flow between your organization, cloud service, customers, other nodes

Essential to understand whether & HOW data can move in/out of the cloud

• Sketch it for each of the models

• Know your risk tolerance!

(23)

Cloud Domains

Service contracts should address these 13 domains

Architectural Framework

Governance, Enterprise Risk Mgt

Legal, e-Discovery

Compliance & Audit

Information Lifecycle Mgt

(24)

Cloud Domains

Security, Business Continuity, Disaster Recovery

Data Center Operations

Incident Response Issues

Application Security

Encryption & Key Mgt

Identity & Access Mgt

Virtualization

(25)

Security Stack

IaaS: entire infrastructure from facilities to HW

PaaS: application, middleware, database, messaging supported by IaaS

SaaS: self contained operating environment:

(26)

Security Stack Concerns

The lower in the stack the cloud vendor's offering stops (IaaS rather than PaaS or SaaS), the more security issues the consumer has to address or provide for

(27)

Key Takeaways

SaaS

• Service levels, security, governance, compliance, liability expectations of the service & provider are contractually defined

PaaS, IaaS

• Customer sysadmins manage the same with

(28)

Security Pitfalls

How cloud services are provided is confused with where they are provided

The well-demarcated network security border is no longer fixed

(29)

Overall Security Concerns

Gracefully lose control while maintaining accountability, even if operational responsibility falls upon 3rd parties

Provider, user security duties differ greatly between cloud models

(30)

Key Challenges

We aren't moving to the cloud; we are reinventing within the cloud

Confluence of technology and economic innovation

• Disrupting technology and business relationships

• Pressure on traditional organizational boundaries

“Gold Rush” mentality, backing into a 20-year platform choice

Challenges traditional thinking

(31)

Thinking about Threats

Technology

• Unvetted innovations within the S-P-I stack

• Well known cloud architectures

Business

• How cloud dynamism is leveraged by customers/providers

• E.g. provisioning, elasticity, load management

Old threats reinvented: “must defend against the accumulation of all vulnerabilities ever recorded”, Dan Geer-ism

(32)

Evolving Threats 1/2

Unprotected APIs / Insecure Service Oriented Architecture

Hypervisor Attacks

L1/L2 Attacks (Cache Scraping)

Trojaned AMI Images

VMDK / VHD Repurposing

Key Scraping

(33)

Evolving Threats 2/2

Web application (mgt interface!)

• XSRF

• XSS

• SQL Injection

Data leakage

Poor account provisioning

Cloud provider insider abuse

(34)

Lots of Governance Issues

Cloud Provider going out of business

Provider not achieving SLAs

Provider having poor business continuity planning

Data Centers in countries with unfriendly laws

Proprietary lock-in with technology, data formats

Mistakes made by internal IT security – several orders of magnitude more serious

(35)

Governance

Identify and implement processes and controls to maintain effective governance, risk mgt, compliance

Provider security governance should be assessed for sufficiency, maturity,

(36)

3rd Party Governance

Request clear documents on how the facility & services are assessed

Require definition of what provider considers critical services, info

Perform full contract, terms of use due

(37)

Governance & ERM

A portion of cloud cost savings must be invested into provider scrutiny

Third party transparency of cloud provider

Financial viability of cloud provider

Alignment of key performance indicators

Increased frequency of 3rd party risk

(38)

Legal

Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets.

Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer

Gain a clear expectation of the cloud provider’s response to legal requests for information.

(39)

Electronic Discovery

Cloud Computing challenges the presumption that organizations have control over the data they are legally responsible for.

Cloud providers must assure that their information security systems are capable of preserving data as authentic and reliable: metadata, log files, etc.

Mutual understanding of roles and responsibilities: litigation hold, discovery searches, expert testimony, etc.

(40)

e-Discovery

Functional: which functions & services in the Cloud have legal implications for both parties

Jurisdictional: which governments administer laws and regulations impacting services, stakeholders, data assets

(41)

e-Discovery

Both parties must understand each other’s roles

- Litigation hold, Discovery searches

- Expert testimony

Provider must save primary and secondary (logs) data

Where is the data stored?

(42)

e-Discovery

Plan for unexpected contract termination and orderly return or secure disposal of assets

You should ensure you retain ownership of your data in its original form

(43)

Security Audit

- Hard to maintain compliance with your security/regulatory requirements, harder to demonstrate it to auditors

- Right to Audit clause

- Analyze compliance scope

- Regulatory impact on data security

- Evidence requirements are met

(44)

Information Management

Data security (CIA)

Data Location

• All copies, backups stored only at locations allowed by contract, SLA and/or regulation

• Compliant storage (EU mandate) for storing e-health records

(45)

Information Lifecycle Management

Understand the logical segregation of information and protective controls implemented

Understand the privacy restrictions inherent in data entrusted to your company, how it impacts legality of using cloud provider.

Data retention assurance is easy; data destruction may be very difficult.

Recovering true cost of a breach: penalties vs. risk transference

(46)

Portability, Interoperability

When you have to switch cloud providers

Contract price increase

Provider bankruptcy

Provider service shutdown

Decrease in service quality

Business dispute

(47)

Portability & Interoperability

Understand and implement layers of abstraction

For Software as a Service (SaaS), perform regular data extractions and backups to a usable format

For Infrastructure as a Service (IaaS), deploy applications in runtime in a way that is abstracted from the machine image.

For Platform as a Service (PaaS), careful application development techniques and thoughtful architecture should be followed to minimize potential lock-in for the customer: “loose coupling” using SOA principles

Understand who the competitors are to your cloud providers and what their capabilities are to assist in migration.

(48)

Compliance & Audit

Classify data and systems to understand compliance requirements

Understand data locations, copies

Maintain a right to audit on demand

Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X

(49)

Traditional, BCM/DR

Greatest concern is insider threat

Cloud providers should adopt as a security baseline the most stringent requirements of any customer.

Compartmentalization of job duties and limit knowledge of customers.

Onsite inspections of cloud provider facilities whenever possible.

Inspect cloud provider disaster recovery and business continuity plans.

Identify physical interdependencies in provider infrastructure.

(50)

Security, Business Continuity, Disaster Recovery

Centralization of data = greater insider threat from within the provider

Require onsite inspections of provider facilities

• Disaster recovery, Business continuity, etc.

(51)

Data Center Operations

How does provider perform:

• On-demand self service

• Broad network access

• Resource pooling

• Rapid elasticity

• Measured service

(52)

Data Center Operations

Compartmentalization of systems, networks, management, provisioning and personnel.

Know cloud provider’s other clients to assess their impact on you

Understand how resource sharing occurs within your cloud provider to understand impact during your business fluctuations.

For IaaS and PaaS, the cloud provider’s patch management policies and procedures have significant impact

Cloud provider’s technology architecture may use new and unproven methods for failover. Customer’s own BCP plans should address impacts and limitations of Cloud computing.

Test cloud provider’s customer service function regularly to determine their level of mastery in supporting the services.

(53)

Incident Response

- Cloud apps aren't always designed with data integrity and security in mind

- Does the provider keep app, firewall, IDS logs?

- Does the provider deliver snapshots of your virtual environment?

- Sensitive data must be encrypted for data breach regulations

(54)

Incident Response

Any data classified as private for the purpose of data breach regulations should always be encrypted to reduce the consequences of a breach incident.

Cloud providers need application layer logging frameworks to provide granular narrowing of incidents to a specific customer.

Cloud providers should construct a registry of application owners by application interface (URL, SOA service, etc.).

(55)

Application Security

Different trust boundaries for IaaS, PaaS, SaaS

What is the provider’s web application security?

(56)

Application Security

Importance of secure software development lifecycle magnified

IaaS, PaaS and SaaS create differing trust boundaries for the software development lifecycle, which must be accounted for during the development, testing and production deployment of applications.

For IaaS, need trusted virtual machine images.

Apply best practices available to harden DMZ host systems to virtual machines.

Securing inter-host communications must be the rule, there can be no assumption of a secure channel between hosts

Understand how malicious actors are likely to adapt their attack techniques to cloud platforms

(57)

Storage

Understand the storage architecture and abstraction layers to verify that the storage subsystem does not span domain trust boundaries.

Ascertain if knowing storage geographical location is possible.

Understand the cloud provider's data search capabilities.

Understand cloud provider storage retirement processes.

Understand circumstances under which storage can be seized by a third party or government entity.

Understand how encryption is managed on multi-tenant storage.

Can the cloud provider support long term archiving, will the data be

(58)

Encryption

From a risk management perspective, unencrypted data existent in the cloud may be considered “lost” by the customer.

Application providers who are not controlling backend systems should assure that data is encrypted when being stored on the backend.

Use encryption to separate data holding from data usage.

Segregate the key management from the cloud provider hosting the data, creating a chain of separation.

(59)

Encryption, Key Management

Encrypt data in transit, at rest, backup media

Secure key store

• Protect encryption keys

• Ensure encryption is based on industry/government standards - NO proprietary standard

• Limit access to key stores

• Key backup & recoverability
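The two encryption slides above ask for key management to be segregated from the provider that hosts the data (a "chain of separation") and for standards-based encryption with keys held in a customer-controlled key store. The Go program below is an added example, not code from the original presentation or from any vendor, of what that separation looks like in practice: envelope encryption with AES-256-GCM from the Go standard library, where a random per-object data key (DEK) protects the object and a customer-held key-encryption key (KEK) wraps the DEK. The provider receives only the ciphertext and the wrapped DEK; the KEK never leaves the customer. The `Envelope` type, the function names, the KEK-version scheme and the sample record are assumptions made for this example; a real deployment would keep the KEK in an HSM or key management service rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the customer hands to the storage provider: the object
// encrypted under a per-object data key (DEK), plus that DEK wrapped under a
// customer-held key-encryption key (KEK). The KEK never leaves the customer,
// so the provider holds nothing that decrypts the object.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK); AAD binds the KEK version
	Ciphertext []byte // nonce || AES-GCM(DEK, object)
	KEKVersion int    // which customer KEK wrapped the DEK (drives rotation)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: refuse to continue
	}
	return b
}

// kekAAD ties a wrapped DEK to the KEK version that wrapped it, so a stale or
// mismatched KEK fails authentication instead of yielding garbage.
func kekAAD(version int) []byte { return []byte(fmt.Sprintf("kek-v%d", version)) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext with a fresh random 96-bit nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func openGCM(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt: a random DEK protects the object; the customer's KEK protects the DEK.
func Encrypt(kek []byte, kekVersion int, plaintext []byte) (Envelope, error) {
	dek := randomBytes(32)
	ct, err := sealGCM(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealGCM(kek, dek, kekAAD(kekVersion))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct, KEKVersion: kekVersion}, nil
}

// Decrypt unwraps the DEK with the customer's KEK, then opens the object.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := openGCM(kek, env.WrappedDEK, kekAAD(env.KEKVersion))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, nil)
}

// Rewrap rotates the KEK without touching the stored object: only the 32-byte
// DEK is unwrapped under the old KEK and wrapped again under the new one.
func Rewrap(oldKEK, newKEK []byte, newVersion int, env Envelope) (Envelope, error) {
	dek, err := openGCM(oldKEK, env.WrappedDEK, kekAAD(env.KEKVersion))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealGCM(newKEK, dek, kekAAD(newVersion))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext, KEKVersion: newVersion}, nil
}

func main() {
	kek1, kek2 := randomBytes(32), randomBytes(32) // live in the customer's key store, not at the provider
	env, _ := Encrypt(kek1, 1, []byte("constructed sample record: patient 4711, dx J45.20"))
	env, _ = Rewrap(kek1, kek2, 2, env) // rotation leaves env.Ciphertext unchanged
	pt, err := Decrypt(kek2, env)
	fmt.Printf("current KEK: %s (err=%v)\n", pt, err)
	_, err = Decrypt(kek1, env)
	fmt.Println("retired KEK rejected:", err != nil)
}
```

Because the KEK version is bound into the wrap as GCM additional data, decrypting with a wrong or retired KEK fails authentication rather than returning garbage, and a leaked copy of the stored envelope is useless to anyone who does not also hold the KEK. `Rewrap` rotates the KEK by re-wrapping only the 32-byte DEK, so a key rotation does not require re-encrypting the objects held at the provider.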

(60)

Identity & Access Management

Must have a robust federated identity management architecture and strategy internal to the organization.

Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation

Validate that the cloud provider either supports strong authentication natively or via delegation, and supports robust password policies that meet and exceed internal policies.

Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.

Consider implementing Single Sign-on (SSO) for internal applications, and leveraging this architecture for cloud applications.

Using cloud-based “Identity as a Service” providers may be a useful tool for abstracting and managing complexities such as differing versions of

(61)

Identity and Access Management

Determine how provider handles:

• Provisioning, de-provisioning

• Authentication

• Federation

(62)

Virtualization

Virtualized operating systems should be augmented by third party security technology.

The simplicity of invoking new machine instances from a VM platform creates a risk that insecure machine images can be created. Secure by default configuration needs to be assured by following or exceeding available industry baselines.

Virtualization also contains many security advantages such as creating isolated environments and better defined memory space, which can minimize application instability and simplify recovery.

Need granular monitoring of traffic crossing VM backplanes

Provisioning, administrative access and control of virtualized operating systems is crucial
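The application-security slide above calls for trusted virtual machine images on IaaS, the virtualization slide notes how easily an insecure image can be minted and then cloned into every instance, and the evolving-threats list names trojaned AMI images and key scraping. One concrete control behind all three is a pre-publication scan of an image's filesystem for credentials and shared identity that would otherwise ship into every instance launched from it. The Go program below is an added example, not code from the original presentation, of such a scan: it walks a mounted image root, flags known-dangerous files by name and key material by content, and builds a small constructed image tree to run against. The file list and patterns are a minimal rule set assumed for this example, not a published hardening baseline, and the access key ID in the sample is the AWS documentation example value, not a real credential.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one reason an image root must not be published as a golden image.
type Finding struct {
	Path   string // slash-separated path relative to the image root
	Reason string
}

// Files that must never ship in an image: each gives every instance launched
// from it the same credential or identity. Constructed rule set for this
// example, not a published hardening baseline.
var forbiddenNames = map[string]string{
	".bash_history":    "shell history may hold passwords typed on the command line",
	".aws/credentials": "long-lived cloud API credentials baked into the image",
	"authorized_keys":  "pre-provisioned SSH trust carries into every instance",
	"ssh_host_rsa_key": "shared host key lets one instance impersonate the rest",
}

// Content patterns catch key material wherever it was copied to.
var contentPatterns = map[string]*regexp.Regexp{
	"private key material": regexp.MustCompile(`-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----`),
	"AWS access key ID":    regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
}

const maxScanBytes = 1 << 20 // do not line-scan disk images, core dumps, etc.

// ScanImageRoot walks a mounted image root and reports files that would leak
// credentials or shared identity if the image were published.
func ScanImageRoot(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, _ := filepath.Rel(root, path)
		rel = filepath.ToSlash(rel)
		for name, reason := range forbiddenNames {
			if rel == name || strings.HasSuffix(rel, "/"+name) {
				findings = append(findings, Finding{rel, reason})
			}
		}
		if info, err := d.Info(); err != nil || info.Size() > maxScanBytes {
			return err // unreadable: surface it; oversized: name rules only
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		seen := map[string]bool{} // report each pattern once per file
		for sc := bufio.NewScanner(f); sc.Scan(); {
			for reason, re := range contentPatterns {
				if !seen[reason] && re.MatchString(sc.Text()) {
					seen[reason] = true
					findings = append(findings, Finding{rel, reason})
				}
			}
		}
		return nil
	})
	return findings, err
}

// hasFinding reports whether path was flagged for a reason containing reasonPart.
func hasFinding(found []Finding, path, reasonPart string) bool {
	for _, f := range found {
		if f.Path == path && strings.Contains(f.Reason, reasonPart) {
			return true
		}
	}
	return false
}

// buildSampleImage lays out a constructed image root in a temp dir. The access
// key ID is the AWS documentation example value, not a live credential.
func buildSampleImage() (string, error) {
	root, err := os.MkdirTemp("", "image-root-")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"etc/motd":                  "Welcome to the golden image\n",
		"etc/ssh/ssh_host_rsa_key":  "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed body)\n-----END OPENSSH PRIVATE KEY-----\n",
		"home/app/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
		"root/.bash_history":        "mysql -u root -pHunter2 prod\n",
	}
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := buildSampleImage()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	findings, _ := ScanImageRoot(root)
	for _, f := range findings { // any finding blocks publication of the image
		fmt.Printf("BLOCK: %s: %s\n", f.Path, f.Reason)
	}
}
```

Run it against a mounted image root (for example the mount point of a VMDK or VHD being repurposed) before the image is registered, and treat any finding as a publication blocker. Files over 1 MiB are skipped for line scanning so nested disk images and dumps do not stall the walk, but the name-based rules still apply to them; the sample tree yields two findings for the credentials file (forbidden name plus access key ID), two for the host key (forbidden name plus key material), one for the shell history, and none for the clean `etc/motd`.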

(63)

Virtualization

What type of virtualization is used by the provider?

What 3rd party security technology augments the virtual OS?

Which controls protect admin interfaces exposed to users?

(64)
(65)

Summary

There are many security implications to consider when utilizing a cloud environment.

Keeping your mind open and understanding the issues is essential to protecting your data in the Cloud.

(66)

Section 2

(67)

Planning Your Audit

• Defining your audit objectives

• Boundaries of review (e.g., cloud environment in-use or under consideration, types of cloud services, technical boundaries)

• Identify and document business risk associated with cloud solution

• Identification of audit resources requirement

• Requisite knowledge in information governance, IT management, network, data, contingency and encryption controls

• Proficient in risk assessment, information security components of IT architecture, threat & vulnerabilities and internet-based data processing

• Knowledge of web services standards such as OASIS and WSS

• Define deliverables and communication (e.g. communication to various stakeholders, nature of deliverables, timing, etc.)

(68)

PwC's Cloud Assurance Framework (diagram; labels recovered from the figure)

Axes: Cloud Governance, Monitoring, Cloud Architecture; Technology, Process, People

Governance labels: Right to Audit & Third Party Reviews; Legal Compliance & e-Discovery; Contract Terms & Escrow; Cloud Provider Management; Enterprise Risk Management; Cloud Strategy & Business Case; Compliance (FISMA, SOX, GLBA, ISO, PCI); Provider Continuity; Portability and Interoperability; Data Governance

Monitoring labels: License Management; Metering and Usage; SLA Management; Capacity Planning; Change Management; Dashboard & Reporting; Incident Management

Architecture labels: service models (IaaS, PaaS, SaaS, BPaaS); deployment models (Public, Private, Community, Hybrid); Interface Management

(69)

Assessing Technical Architecture (diagram; labels recovered from the figure)

Axes: Technology, Process, People; service models (IaaS, PaaS, SaaS, BPaaS); deployment models (Public, Private, Community, Hybrid)

Service Delivery labels: Virtualization; Provisioning; Application Security; Data Security & Integrity; Identity & Access Management

Infrastructure Management labels: Servers; Storage; Network; Anti Virus; Patch Management; Release Management; Asset Management; Configuration Management

(70)

#1 – ‘Shadow Cloud’ Practices Will Surface

Audit Focus Areas

(Audit focus areas highlighted on the Cloud Assurance Framework diagram; same labels as the framework figure)

(71)

#1 – ‘Shadow Cloud’ Practices Will Surface

Risk Area: Governance over Cloud Adoption

Scenario

Unauthorized use of Public Cloud Services is a common problem. Client X was using over 25 different CSPs spanning across their ERP, HR, Fixed Assets, CRM, Support, Collaboration, Ticketing System, etc. The majority of these cloud services were procured without the knowledge and approval of IT / Procurement, bypassing procedures put in place by our client to manage and maintain security and data protection.

Audit Considerations

1. Functional Implications

• Has the company established a companywide documented policy for appropriate use of Cloud Computing Services?

• Has an information management liaison been established to manage an inventory of CSPs and evaluate policies for on/off boarding, including backout policy considerations?

2. Information Security Collaboration

• Has an education and awareness program been established to communicate the risks associated with unauthorized use of Public Cloud Services?

• Has IT performed an assessment on security?

(72)

#2 – Don’t just sign on the dotted line

Risk Area: Cloud Provider Contract (Terms/Conditions)

Scenario

Contracts with Cloud Providers often lack key security requirements important to the organization (e.g. security breach, location of data, service termination). This is most prevalent when business users procure services outside of the normal channels in order to get the service up and running quickly.

Audit Considerations

1. Have all Cloud Services undergone a formal risk assessment as a preliminary step to contract negotiation?

2. Have the following been considered as part of contract negotiations: Confidentiality, Limitation of Liability, Indemnification, Service Termination, Service Level Agreements and Non-Performance Clauses, Software Escrow, Security Incident Procedures, Ownership Changes, Privacy, Jurisdiction, Notification, and Modifications?

3. Is there a process in place to periodically review the commitment of the Cloud Provider throughout the course of the contract?

(73)

#3 –You will need to retain Ownership for Access Roles and Permissions

(Technical architecture diagram repeated; same labels as the Assessing Technical Architecture figure)

(74)

#3 –You will retain ownership for Roles and Permissions

Risk Area: Identity and Access Management

Scenario

Access control mechanisms for Cloud Providers are typically separate from internal processes and fall outside approved and documented methods to manage access.

Client X utilized a CSP to perform some day-to-day finance functions and allowed contractors to perform them. As part of their access, the contractors were also able to see quarter-end and year-end information which should have been restricted.

Audit Considerations

1. Provisioning

• Do the current access controls of the Cloud service provider meet existing company requirements for roles and permissions?

2. Identity and Access Management

• Has the company determined if the company's Access Control Procedures require modification to meet the needs of extending to a Cloud Provider, e.g. IAM Federation?

• How have we evaluated the complexities of auditing APIs, Hypervisors, Virtualized environments?

(75)

#4 - Moving to the Cloud Doesn’t Mean Farming Out Your IT Management Responsibilities

(Technical architecture diagram repeated; same labels as the Assessing Technical Architecture figure)

(76)

#4 - Moving to the Cloud Doesn’t Mean Farming Out Your IT Management Responsibilities

Risk Area: Cloud Release and Configuration Management

Scenario

Client X adopted a cloud based ERP solution. Change management processes had not been established for changes made to scripts and the 30 customizations they had made to their ERP. In addition, a staging environment containing a mirror of production data had not been procured, so sufficient testing could not be conducted.

Audit Considerations

1. Configuration management

• Has a change management log been established that requires change board approvals?

2. Release management

• Have policies for release management been adequately established for the cloud-based ERP solution? Does a change board exist?

• Has a QA environment that contains sufficient data to conduct scenario testing been procured?

3. SOC Report

(77)

#5 – No One Will Care More About Your Data Than You

Audit Focus Areas

(Cloud Assurance Framework diagram repeated; same labels as the framework figure, plus Information Risk and Functional)

(78)

#5 – No One Will Care More About Your Data Than You

Risk Area: Data Protection and Rights to Audit

Scenario

Data/information to be stored in the Cloud should adhere to the guidance provided for information/data protection, including the risk of data being targeted by an Advanced Persistent Threat.

Client X's legal department had moved case management to a CSP. The data is stored in a multi-tenancy environment. When internal audit requested assurance over controls, the SAS70 for the data center where the application is hosted was provided.

Audit Considerations

1. Data Protection Security

• Has a Data Classification scheme been applied to data/information considered for a Cloud Solution? Has the company evaluated the need for a Digital Rights Management (DRM) or Data Loss Prevention (DLP) solution?

2. Have the contracts been reviewed by legal (rights & obligations), internal audit (rights to audit) and IT (service level agreements)?

(79)

#6 - Bad Processes Will Not Become Good Processes By Just Moving To The Cloud

Risk Area: Portability and Interoperability and Data Integrity

Scenario

Client X moved to a SaaS CRM solution 2 years ago as the company was growing significantly and it realized it was difficult to manage its customer data.

Today, the company realizes that retrieval of customer data is a significantly manual process through compilation of spreadsheets, given the complexity of the customer hierarchy and the lack of integration with its ERP.

Audit Considerations

1. Have we considered all our reporting requirements in the context of the company prior to moving to a CSP? What about the data architecture? Data governance and customer data dictionary?

2. Have integration and interfaces with existing systems been fully considered?

(80)

#7 – It’s like your phone bill. If you don’t review your minutes, be prepared to pay the price

Risk Area: Metering and Bursting Revenue

Scenario

Invoices provided by the Cloud Provider for bursting are in excess of what is truly consumed by the company. In addition, there isn't a process to monitor the monthly consumption of data used to determine if a move to a higher subscription package is required.

Audit Considerations

1. Are there processes in place to monitor data usage and any bursting charges incurred?

2. Has the company evaluated the appropriate subscription package based on total company consumption of bandwidth?

3. Have we considered requesting an independent assessment of the data provided by the company or its internal controls?

(81)

#8 – Everybody wants to be in the cloud. It’s not that simple…

Risk Area: Project Risk and Third Party Management – CSP

Scenario

Client X had just completed building a successful SaaS based solution for its products. To meet the increased high transaction volume from this move, it decided to develop a private IaaS solution. It engaged the CSP to help implement the solution and after 6 months found that, while technically strong, the CSP did not have the right process knowledge, change management expertise or sufficient understanding of the client's business.

Audit Considerations

1. What evaluation was undertaken to determine fit in terms of experience and skill set when selecting a system integrator for a Cloud based solution? (e.g. integrations?, data

(82)

Summary - Plan for Success

Engage in the strategy for moving to the cloud

Understand your company's rationale for adopting cloud

Review impacted business activities in ‘as is’ and ‘to be’ state

Assess capabilities of existing personnel to manage transition and to perform roles in new state

Treat the move as a “process” not a project

(83)

Closing Comments – Cloud Reporting: What exists today

Cloud customers gather information through inefficient activities often led by vendor management or procurement functions:

• Provider self-assessments, typically focused on security policies

• Responses to customer-prepared questionnaires

• Service level agreements (SLAs) describing the provider's obligations

• Third-party SAS 70 (now SSAE 16) reports

• Other certifications – PCI, ISO 27002, HIPAA, FISMA, etc.

These do not comprehensively address the service offering and the relevant compliance requirements from the perspective of the customer's needs or expectations

(84)

Closing Comments – Cloud Reporting: Looking forward

Report types compared: AICPA Service Organization Reports (SOC 1 / SSAE16, replacement for SAS70 as of 6/11; SOC2; SOC3) and Custom Attest

Consideration Point: AICPA suggested scope

• SOC 1 / SSAE16: Controls over financial reporting. Used in conjunction with an audit of users' financial statements.

• SOC2 and SOC3: Controls relevant to compliance or operations, which could include (*) Security; Availability and processing integrity; Confidentiality; Privacy; Data integrity and ownership. (*) Use of AICPA Trust Principles required.

• Custom Attest: Management defined. Can include controls relevant and unique to Operations, Billing, Technology Security, Privacy and beyond.

Consideration Point: Intended Audience

• SOC 1 / SSAE16 and SOC2: Restricted use

• SOC3: General use (with public seal)

• Custom Attest: Generally restricted use but may be unrestricted

Consideration Point: Content of Report

• SOC 1 / SSAE16 and SOC2: Management's assertion; management's description of the service organization's system; description of controls. Report may be Type 1 (Design only) or Type 2 (Design and

• SOC3: Management assertion; unaudited system description; PwC opinion of control

• Custom Attest: Management assertion; PwC opinion on control effectiveness

(85)

Stay Engaged as the Cloud Evolves

• Cloud computing is fundamentally changing business across all industries and markets

• Keeping pace with the change and adapting as it evolves is key for all cloud adopters, including IT compliance and audit professionals

(86)

Dr. Yonesy F. Nuñez, Manager

Contact Details: Phone: 646-471-6531; E-Mail: [email protected]

Background:

Yonesy is a Manager in the New York Metro IT Risk and Security Assurance Practice and has 14 years of experience delivering Information Security services. Yonesy has led efforts to create and institute comprehensive information security programs for a variety of industries. He works with various clients to balance security, risk, IT operations, threat-vector landscape, and business objectives to enable efficient business decisions in preparation for and during severe crisis events. He has managed and successfully supported internal audit engagements as they relate to application security, outsourced development, network security, threat and vulnerability assessment, attack and penetration, business impact analyses, incident management, multi-tenancy cloud environment reviews, business continuance and disaster recovery plans, Data Loss Prevention, and IT Risk assessments. He is a nationally respected Speaker and Instructor for Information Security Strategy, Industry Regulations and Compliance, Cloud Computing, Data Encryption, Virtual Computing, and IT Audit. He holds numerous information security, risk, and governance certifications. He has a B.S. in Finance and Computer Information Systems from Manhattan College, an M.S. in Information Systems Engineering from The Polytechnic Institute of NYU, and a Doctorate in Computing, Information Assurance and Security from Pace University.

Relevant Projects and Experience:

• Led global efforts in IT Governance, Security and Compliance including:

- Global Data Privacy / Information Security Strategy

- Global SOX ITGC Testing

- Organizational Strategy

- ISO 27001:4 Control Framework

- Technical Remediation

- Application security development / secure coding

- Japan PPI, European Data Directives, Safe Harbor, ITAR

• IT Audit

• External Audit Support

• Security Framework Development

• Threat and vulnerability / Attack and Penetration / Application Security

• Disaster Recovery / Data Center Reviews

• Business Continuity Management

• TPA: Cloud Computing

• FISMA

• Virtualized Environments

• Outsourcing Application Development Security

• Internet Vulnerability and Attack & Penetration Assessment

Current Certifications

• CGEIT - Certified in the Governance of Enterprise IT

• CRISC - Certified in Risk and Information Systems Control

• CISM - Certified Information Security Manager

• CISSP - Certified Information Systems Security Professional

• ISSAP - Information Systems Security Architecture Professional

Areas of Expertise

• Security Governance, Strategy and Compliance

• Data Privacy and Protection

• Security Frameworks and Regulatory Compliance

• Security Risk Assessments

• Payment Card Industry (PCI) Strategy and Compliance Readiness

• Secure Network Architecture and Design

• Security Information and Event Management Systems

• Emerging Technologies (i.e. Mobile Devices, Cloud Computing)
