Session 136
Auditing Cloud Computing and Outsourced Operations
Monday, May 7, 2012
3:30 PM – 5:00 PM
Mike Schiller
Director of Sales & Marketing IT, Texas Instruments
Co-Author, ‘IT Auditing: Using Controls to Protect Information Assets’
SPEAKER BIOGRAPHY
Mike Schiller, CISA, is the director of global server, database, and storage infrastructure at Texas Instruments (TI) and is the co-author of IT Auditing: Using Controls to Protect Information Assets (2011, McGraw-Hill). He has more than 15 years of experience in the IT audit field, including as the worldwide IT audit manager at TI and as the IT audit manager at Sabre. He is an active speaker on IT auditing, including conferences such as CACS, InfoSec World, and ASUG, and has been an instructor of IT audit curriculum at Southern Methodist University. Schiller has held numerous IT leadership positions at TI, including as the director of user support, data centers, and asset management and manager of support for TI’s web applications and infrastructure.
Agenda
• The Basics
• Vendor selection controls
• Items to include in vendor contracts
• Data security requirements
• Operational concerns
• Legal concerns and regulatory compliance
• Additional resources
The Basics
Why outsource IT services?
• Reduce costs
The Basics
Two Categories of IT Outsourcing
• IT Systems and Infrastructure Outsourcing
  • Hiring another company to provide your IT environment
  • e.g. data center, servers, operating systems, applications
  • Two sub-categories:
    • Cloud computing
    • Dedicated hosting
• IT Service Outsourcing
  • Hiring another company to perform your IT operations functions (people and processes)
  • e.g. help desk, PC support
  • Two sub-categories:
    • On-site
    • Off-site
The Basics
Cloud Computing Definitions
• Gartner: “a style of computing that provides scalable and elastic, IT-enabled capabilities ‘as a service’ to external customers via Internet technologies.”
• NIST: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
• Bottom line:
  • Cloud computing provides IT services over the Internet in such a way that the end user doesn’t have to worry about where the data is being stored, where the infrastructure is located, and so on.
The Basics
Characteristics of Cloud Computing (NIST)
• On-Demand Self-Service
• Broad Network Access
• Resource Pooling
• Rapid Elasticity
• Measured Service
The Basics
Cloud Computing Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
The Basics
Software as a Service (SaaS)
• Access the cloud provider’s applications, which are running on a cloud infrastructure.
[Diagram: four customer companies on one SaaS stack. Only the data layer is dedicated per company; the application, DBMS, middleware, OS, network, and physical layers are shared.]
The Basics
Platform as a Service (PaaS)
• Deploy applications you created or acquired onto the provider’s cloud infrastructure, using programming languages and tools supported by the cloud provider.
[Diagram: four customer companies on one PaaS stack. The data and application layers are dedicated per company; the DBMS, middleware, OS, network, and physical layers are shared.]
The Basics
Infrastructure as a Service (IaaS)
• Deploy and run arbitrary software, which can include operating systems and applications.
[Diagram: four customer companies on one IaaS stack. The data, application, DBMS, middleware, and OS layers are dedicated per company; the network and physical layers are shared.]
The Basics
Dedicated Hosting
• Dedicated infrastructure provided by a third party.
• Examples: co-lo data center, ASP
[Diagram: four customer companies, each with its own dedicated data, application, DBMS, middleware, OS, and network layers; the physical data center is shared.]
The Basics
IT Systems and Infrastructure Outsourcing Model Comparisons

Layer                   Hosting     IaaS        PaaS        SaaS
Data                    Dedicated   Dedicated   Dedicated   Dedicated
Application             Dedicated   Dedicated   Dedicated   Shared
DBMS                    Dedicated   Dedicated   Shared      Shared
Middleware              Dedicated   Dedicated   Shared      Shared
OS                      Dedicated   Dedicated   Shared      Shared
Network / Servers       Dedicated   Shared      Shared      Shared
Physical - Data Center  Shared      Shared      Shared      Shared
The Basics
IT Service Outsourcing Models
• On-site
• Off-site
Other Considerations for IT Services Sourcing
• Supplemental Labor
The Basics
IT Service Sourcing Models
• Internal employees only
• Internal employees plus supplemental labor
• Outsourced: on-site
• Outsourced: off-site
• Outsourced: on-site/off-site mix
For each of these models, you can deploy:
• Onshore
• Offshore
The Basics
SAS 70 Reports
• Provided a standard by which service organizations (such as those that provide IT services) could demonstrate the effectiveness of their internal controls without having to allow each of their customers to come in and perform their own audit.
• Focused on internal controls over financial reporting
• Performed by certified independent service auditor
• Type 1: Description of and opinion on the design of the service organization’s internal controls at a point in time
• Type 2: Also contains the results of testing regarding whether the controls were operating effectively during the period under review
The Basics
Service Organization Control (SOC) Reports
• SOC 1 – essentially replaces SAS 70 reports (focuses on financial controls), complete with Type 1 and Type 2 reports. Performed under SSAE 16 guidance.
• SOC 2 – for non-financial controls – restricted use – for use between auditors of a service provider and their clients. Can be Type 1 or Type 2.
• SOC 3 – for non-financial controls – general use – can be used by service provider to provide assurance to potential clients and for marketing purposes
• SOC 2 and 3 use predefined control criteria related to security, availability, processing integrity, confidentiality, and privacy of a system and its information
Test Steps
Categories:
• Preliminary
• Vendor Selection and Contracts
• Data Security
• Operations
• Legal Concerns and Regulatory Compliance
• Catch-all
Preliminary
Preliminary Test Steps
1. Request and review independent assessments (e.g. SOC reports, ISO 27001, web security certifications)
  • Reduces your need to audit (and may in fact be all you’re allowed to access)
  • Include subcontracted functions (e.g. SaaS vendor using a co-lo data center)
  • Review scope of assessment
    • Identify gaps between your control objectives and those covered by assessment
  • Review results and remediation plans
  • Validate qualifications of certifying company
  • Validate relevance of time period covered by assessment
  • If assessments don’t exist, attempt to perform your own
    • Depends on the rights, influence, and relationship you have with your supplier (contract is key)
Vendor Selection and Contracts
Vendor Selection and Contracts Test Steps
1. Review contracts
  • Your only true fallback mechanism
  • Ensure they identify all pertinent deliverables, requirements, and responsibilities
  • Early involvement is key here
This step is applicable to all forms of outsourcing
Vendor Selection and Contracts Test Steps
1. Review contracts (continued): Key elements
  • SLAs
    • Availability, performance, support coverage, MTTR, other key performance indicators
  • SLAs for security
    • Encryption, access to your data, data retention and destruction, security training and background checks, business continuity, support for investigations, control frameworks
  • Compliance / third-party assessments
    • SAS 70, HIPAA, PCI
  • Penalties for non-performance / conditions for terminating
  • Right to audit clause
  • Subcontracting relationships
    • Right of denial
    • Access to subcontractor’s SAS 70
  • NDAs
  • Evidence of procurement and legal involvement
Vendor Selection and Contracts Test Steps
2. Review the vendor selection process
  • Key elements:
    • Competitive bidding
    • Predefined criteria
    • Vendor financial stability
    • Vendor experience and technical support capabilities
  • Involvement
    • Procurement, operations, legal
  • Cost analysis (TCO)
    • Startup activities
    • Hardware and related power, cooling, and maintenance
    • Software and maintenance
    • Storage
    • Support (labor)
  • Early involvement is key here
Data Security
Data Security Test Steps
1. Determine how your data is segregated from other customers’
  • Protection from other customers
  • Protection from collateral damage (breaches and viruses)
  • Controls depend on type of technology and outsourcing
    • Segmented networks (dedicated hosting)
    • Segregated databases (SaaS)
This step is most applicable to cloud computing and dedicated hosting
Data Security Test Steps
2. Evaluate usage of encryption
  • Reduces risk of a breach impacting confidentiality or integrity of your data
  • Review encryption in transit (e.g. SSL) and at rest
  • Specify algorithm and key length in contract
  • Determine how key management is performed
    • Ideally performed either by your company or by a separate vendor (providing SOD)
Data Security Test Steps
3. Determine how vendor employee access to your systems and data is controlled
  • Approval process
  • Minimum necessary access
  • SOD
  • Processes for hiring and screening employees
  • Security training
  • Third-party relationships and interfaces
Data Security Test Steps
4. Evaluate processes for controlling non-employee logical access to your internal network and internal systems
  • Policies for approval and sponsorship
  • Communication of company policies
  • Removal of access upon termination
Data Security Test Steps
5. Ensure that data stored at vendor locations is being protected in accordance with your internal policies
  • No matter where you store your data, it is still subject to your internal policies and you still have responsibility for its protection
  • Ensure compliance with your data classification policy
    • Encryption helps here
Data Security Test Steps
6. Review controls to prevent, detect, and react to attacks
  • Intrusion Detection
  • Intrusion Prevention
  • Incident Response
  • Discovering and Remediating Vulnerabilities
  • Logging
  • Patching
  • Protection from Viruses and Other Malware
Data Security Test Steps
7. Determine how identity management is performed
  • Users can end up with accounts with multiple cloud providers, each requiring a unique ID and password
    • Déjà vu
    • Leads to poor governance
      • Risk of account sharing, inconsistent password controls, poor account cleanup, employees with unnecessary access
  • Look for usage of federated identity management
    • Your vendor trusts your assertion that your user has been properly authenticated.
    • Allows you to use your enterprise ID and provides benefits of centralized identity management
    • Allows you to avoid storing user credentials with vendor
    • If used, ensure your internal credential data isn’t made directly available to the vendor and is encrypted
  • If not used, review the identity management controls over your outsourced systems to ensure they meet your policy requirements
This step is most applicable to cloud computing, particularly SaaS, and dedicated hosting, particularly of purchased applications.
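As an added illustration of the trust relationship in step 7 (not code from the presentation or from any federation product): the enterprise identity provider verifies the password locally and hands the vendor a signed assertion about the user; the vendor checks the signature, issuer, audience and expiry and never receives a credential. Real deployments use SAML or OpenID Connect with asymmetric signing keys; the shared HMAC key, the issuer and audience names, the fixed salt and the sample user below are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed key shared between the enterprise identity provider (IdP) and the
# vendor's service provider (SP) endpoint. Real federation (SAML, OpenID Connect)
# uses asymmetric signing keys so the vendor holds only a public key; an HMAC key
# keeps this example standard-library only.
SHARED_SIGNING_KEY = b"constructed-demo-key-not-for-production"
ENTERPRISE_ISSUER = "https://idp.example.com"      # assumed IdP name
VENDOR_AUDIENCE = "https://vendor.example.net"     # assumed relying-party name
ASSERTION_TTL_SECONDS = 300

# Constructed enterprise directory. Password verifiers live here only; nothing
# in this table is ever sent to the vendor.
FIXED_SALT = b"constructed-fixed-salt"


def password_verifier(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), FIXED_SALT, 100_000).hex()


ENTERPRISE_USERS = {"alice": password_verifier("correct horse battery staple")}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_authenticate(username, password):
    """Enterprise side: check the credential against the local directory only."""
    stored = ENTERPRISE_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password_verifier(password))


def idp_issue_assertion(username, now):
    """Enterprise side: issue a signed assertion naming user, issuer, audience and expiry."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": VENDOR_AUDIENCE, "sub": username,
              "iat": now, "exp": now + ASSERTION_TTL_SECONDS}
    payload = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(SHARED_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + signature


def sp_verify_assertion(token, now):
    """Vendor side: return the asserted user only if signature, issuer, audience and expiry all hold."""
    try:
        payload, signature = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SHARED_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None  # forged or tampered: claims do not match the signature
    try:
        claims = json.loads(b64url_decode(payload))
    except ValueError:
        return None
    if claims.get("iss") != ENTERPRISE_ISSUER or claims.get("aud") != VENDOR_AUDIENCE:
        return None  # assertion meant for another party
    if now >= claims.get("exp", 0):
        return None  # stale assertion; replay window has closed
    return claims["sub"]


def federated_login(username, password, now):
    """Full exchange: IdP authenticates and asserts, SP verifies; the password never reaches the SP."""
    if not idp_authenticate(username, password):
        return None
    return sp_verify_assertion(idp_issue_assertion(username, now), now)


if __name__ == "__main__":
    clock = 1_336_400_000  # constructed epoch timestamp (May 2012)
    print(federated_login("alice", "correct horse battery staple", clock))  # alice
    print(federated_login("alice", "wrong password", clock))                # None
```

Running the block end to end returns the asserted subject for a valid login and None for a wrong password, a tampered signature, a payload spliced onto another user's signature, or an expired assertion. The audit point it illustrates is the one in the step: the vendor's store holds no enterprise credentials, so the controls to review are protection of the signing key and the assertion lifetime rather than a second password database.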
Data Security Test Steps
8. Review data retention and destruction practices
  • Should comply with internal policy
  • Look for requirements regarding
    • How long data should be active
    • When and how long data should be archived
    • When data should be destroyed
  • Review evidence that lifecycle requirements have been implemented
    • Concentrate especially on evidence that your vendor has destroyed data per your requirements
This step is most applicable to cloud computing, dedicated hosting, and offsite service outsourcing (if the supplier is
Data Security Test Steps
9. Review and evaluate the vendor’s physical security
  • Physical access can override logical access controls
  • Review controls such as
    • Badge readers and/or biometric scanners
    • Security cameras
    • Security guards
    • Fences
    • Lighting
    • Locks and sensors
    • Processes for granting physical access
Operations
Operations Test Steps
1. Evaluate processes for monitoring the quality of outsourced operations
  • Determine how compliance with SLAs and other contractual requirements is monitored
    • Availability
    • Performance
    • Vendor response time to support requests
    • Issue resolution time
    • Security and compliance requirements
    • Other key metrics and performance indicators
  • If you don’t monitor, you won’t know if the vendor is delivering per your contract
  • Review metrics, slides from operations reviews, corrective action plans
Operations Test Steps
2. Ensure adequate disaster recovery processes are in place
  • Two angles to review:
    • The vendor’s disaster recovery procedures
      • Expect your vendor to follow sound DR practices (offsite backups, documented recovery procedures, periodic testing, HW redundancy, etc.)
    • Documented procedures for how your company would recover in the event of a disaster at your vendor
      • Notification and escalation procedures
      • Hand-offs between you and vendor during recovery
      • Manual workarounds while waiting for recovery
      • Contingency plans if the vendor can’t recover for extended period (or ever)
Operations Test Steps
3. Review governance over engagement of new cloud services
  • Cloud computing makes it easy to outsource without engaging with IT, legal, procurement, etc.
  • Potential to bypass all of the governance processes normally in place to ensure proper security of company data, interoperability of systems, appropriate support capabilities
  • Review policies, awareness, and enforcement practices
Operations Test Steps
4. Review plans to be used in the event of termination of the outsourcing relationship
  • Should address expected or unexpected termination
  • Avoid vendor lock-in
    • Retain leverage to influence price and service quality
    • Portability of systems and data is key
  • Documented plan for bringing function in-house (or moving to another vendor)
    • Identification of alternate vendors
    • Interim contingency plans for keeping the business running
  • Return of your data and assets
    • Data delivered periodically in predefined format
    • Code in escrow
Operations Test Steps
5. Review the vendor’s processes for ensuring quality of staff and minimizing the impact of turnover
  • Documented job descriptions and minimum qualifications for each position
  • Employee screening process / background checks
  • Turnover protection – pipeline and cross-training
  • Processes to maintain employee skills (training programs)
  • Attendance monitoring
  • If offshore:
    • Language training
    • Hand-off / status meetings
    • Extra emphasis on attendance monitoring
    • Local employee for monitoring and oversight
Legal Concerns and Regulatory Compliance
Legal and Regulatory Test Steps
1. Review your ability to obtain data needed to support investigations
  • May be needed for e-discovery or internal investigations
  • You’re legally responsible for your information, regardless of where it’s stored
  • Review the contract for
    • Log requirements
    • Requirements for response time to requests
    • Defined responsibilities (who is responsible for conducting searches, freezing data, providing expert testimony)
Legal and Regulatory Test Steps
2. Review requirements for security breach notifications
  • Definition of what constitutes a breach
  • When and how you should be notified by vendor
  • Clearly defined internal processes when notified of breach
  • Contractual penalties for costs incurred
Legal and Regulatory Test Steps
3. Determine how compliance with applicable privacy laws and other regulations is ensured
  • You are responsible no matter where your data is stored
  • Contractual requirements for compliance with PCI, HIPAA, etc. and for external certification of compliance
  • Internal process for obtaining reports, reviewing results, and tracking issues
  • Contractual language specifying who is liable in the event of noncompliance
This step is most applicable to cloud computing and dedicated hosting
Legal and Regulatory Test Steps
4. Review processes for ensuring software license compliance
  • Consider software hosted offsite or used by non-employees
  • Inventory of entitlements and deployments
  • Process for investigating and addressing discrepancies
This step is applicable to all forms of outsourcing
Catch-all
Catch-all Test Steps
1. Perform audit steps from ‘normal’ internal audits as applicable
  • The risks present for an insourced function are also present for an outsourced function
  • Examples:
    • Data center physical security and environmental controls
    • Application controls (access controls, change controls, data input controls)
    • Operating system security
    • Database security
  • Pick your battles
    • You won’t have the same level of access as you would for an internal system
    • Depends on the rights, influence, and relationship you have with your supplier (contract is key)
This step is applicable to all forms of outsourcing
Resources
• The National Institute of Standards and Technology (NIST)
  • http://csrc.nist.gov/groups/SNS/cloud-computing/
  • Definitions and standards related to cloud computing
  • Guidance for secure usage
• The Cloud Security Alliance (CSA)
  • www.cloudsecurityalliance.org
  • Promotes best practices for security with cloud computing
• ISACA
  • http://isaca.org/
  • White paper on cloud computing security
• The cloud security blog
  • http://cloudsecurity.org/
• “IT Auditing: Using Controls to Protect Information Assets, Second Edition” by Chris Davis and Mike Schiller