This presentation was given to the Society of Risk Management Association in December 2012. Its purpose was to help information security and IT risk management professionals conduct risk assessments of cloud service providers wisely.

Critical thinking and decision making cannot be outsourced. This is your role, and your organization will need you to keep fulfilling it even as services migrate to the cloud. Many people can share responsibility, but only one can be the accountable owner, and risk accountability ownership still resides with you. Legal contracts can provide you and your organization with risk transfer coverage: you can transfer financial risks through contracts and insurance, but you cannot transfer compliance requirements or penalties. Even if you complete a thorough risk assessment report and the business sponsor signs off their acceptance of it, in the event of a breach you are the one called on to guide the security breach response and to submit a breach assessment report to the Board of Directors, with a risk management action plan to reduce the chance of similar breaches in future.

Most of the 300 questionnaire items are oriented to a software licensing model, e.g. "Do you have backdoors in the software where you could shut us down?" Using a canned set of questions shows that you lack understanding of the topic, and when questions are irrelevant the provider simply "checks the box".

- Flex your risk assessment methodology to fit the data risk profile.
- Don't settle for the first documents given by the cloud vendor.
- Request an interview meeting with their designated information security officer or designated information security engineer to probe areas of weakness.
- Request customer references and either a list of active customers or the number of active customers.
- When you present your assessment report, be overtly clear to the business sponsor about the "high risks" you found and supply written risk management recommendations.
- Request the business sponsor's signature of understanding of the identified risks and the recommended risk management action steps contained in your 3rd Party IRA report.
SIRA Webinar: CLOUD PROVIDERS INFORMATION RISK ASSESSMENTS
Insights from Cloud Vendor Risk Assessments
Cary Sholer – President
SIRA Webinar - Dec 13, 2012

TABLE OF CONTENTS (Topic – Slide)
- Your Role as the Information Risk Analyst – 3
- What Can't Be Outsourced? – 4
- Categories of Cloud Providers – 5
- Constraints with Cloud Provider Risk Assessments – 6
- Flexible Methodology for Cloud Provider Risk Assessments – 7-8
- Common "High Risk" Findings – 9-11
- SaaS COO's Insights – 12
- PaaS VP of Engineering's Insights – 13
- Healthcare CISO's Insights – 14
- Bank CISO's Insights – 15
- Questions and Answers – 16
- Available Resources – 17
YOUR ROLE AS THE INFORMATION RISK ANALYST
Diagram: a cycle with two halves. Assess Information Risks (Identify, Classify) and Manage Information Risks (Manage, Mitigate, Transfer ($ only), Resolve).
WHAT CAN'T BE OUTSOURCED?
You can outsource architecture, design, and operational roles, but you can't outsource critical thinking and decision making. This is your role.
Many people can share responsibility for information security, but only one can be accountable as the owner, and that would most likely be you.
You can transfer financial risks via contracts and insurance, but you can't transfer accountability for compliance requirements, nor fines and penalties resulting from failing to meet compliance requirements.
CATEGORIES OF CLOUD PROVIDERS
Diagram: Cloud Providers at the centre, surrounded by four categories:
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Data as a Service (DaaS)
- Software as a Service (SaaS)
CONSTRAINTS TO COMPLETE CLOUD PROVIDER INFORMATION RISK ASSESSMENTS
Internal Constraints – Business Sponsor(s)
- Understanding of Business Requirements
- Time and Resources
- Flexible IRA Methodology
- Acceptance of Risk of Ownership
External Constraints – 3rd Party Cloud Provider(s)
- Lack of information on the 3rd Party's information security policies and procedures
- Lack of security architecture documentation
- Lack of transparency of IaaS, SaaS, DaaS, and other 4th Party cloud providers
- Lack of clarity of security controls used by 4th Party providers
ADJUST YOUR RISK ASSESSMENT INFORMATION GATHERING STEP TO FIT THE RISK PROFILE OF THE CLOUD PROVIDER
Diagram: cloud providers are placed on an axis from Low-Cost ("Really poor") through Unsure to High-Value ("Generally, pretty good"), and the assessment method is matched to the position:
- Low-Cost Cloud Provider: Comprehensive Risk Assessment Method (long questionnaire, Risk Check report, + probing interview)
- Unsure Cloud Provider: Trust, But Verify Risk Assessment Method (short questionnaire + probing interview)
- High-Value Cloud Provider: Brief Risk Assessment Method (short questionnaire and brief interview)
EXAMPLE OF A FLEXIBLE INFORMATION RISK ASSESSMENT METHODOLOGY (Method – Timing)
- Brief Assessment (2-4 days): Ask for customer references and request the list or total count of active customers.
- Trust, But Verify (1-2 wks): Send a simple RA questionnaire. Probe weak answers by hosting a risk assessment interview with their designated information security manager.
- Comprehensive (2-3 wks): Request a background Risk Check report, request SAS/SSAE SOC reports, send 200 - 300 questions, and host an interview with the 3rd Party's designated ISO.
- In-Depth (4-8 wks): Send a standardized set of third party questions, usually 200 – 300 questions meant to cover all types of Cloud Providers. Follow up with an interview. Schedule and conduct a penetration test of their platform and scan their public facing software for vulnerabilities.
HIGH RISK: LACK OF 4TH PARTY TRANSPARENCY
Diagram: the PaaS vendor is your 3rd Party; behind it sit three 4th Parties you typically cannot see into: a Hosting Partner (IaaS), a Professional Services partner, and a Software Development partner (SaaS).
HIGH RISK: HOSTING PARTNERS (IAAS) MAY NOT UNDERSTAND YOUR DATA REQUIREMENTS
Diagram: your data is spread by the Hosting Partner (IaaS) across Virtual Locations 1, 2 and 3, raising the questions "What business data will be stored in the cloud?", "Where is your data? Which country?", "Can you restore your data?" and the CIA (confidentiality, integrity, availability) of each data set:
- Application: App Settings, Analytics, App Tables
- User Data: PII (Encrypted?), Unique SA IDs?, Passwords (Hashed?), Referential Tables
- Systems Info: System Configuration, Backups?
OTHER HIGH RISKS TO ASSESS
Columns give the 1/0 entry for each of the four interviewed executives (SaaS COO, PaaS VP Engr, HC CISO, Bank CISO), as in the original table.

SaaS COO | PaaS VP Engr | HC CISO | Bank CISO | Risk Statement
1 | 1 | 1 | 1 | 3rd Party cloud vendor doesn't disclose its 4th party IT relationships
1 | 0 | 1 | 0 | Backup and restore procedures of customers' data are not well documented
1 | 0 | 1 | 0 | System migrations don't follow a documented Change Control Procedure Checklist
1 | 0 | 1 | 0 | New Releases may not follow customer-reviewed Change Management Procedures
1 | 0 | 1 | 1 | Systems Admins may share login credentials
1 | 1 | 1 | 0 | User passwords are not encrypted (hashed)
1 | 1 | 1 | 1 | 3rd Party may provide their IaaS vendor's SAS 70 or SSAE 16 SOC 1 Report, but not provide a report representing their own risks or that of their SaaS partner
1 | 1 | 1 | 1 | 3rd Party cloud vendor lacks sufficient information security policies
1 | 1 | 1 | 1 | 3rd Party cloud vendor has no designated Information Security Officer
1 | 1 | 1 | 1 | 3rd Party PaaS cloud vendor lacks a Disaster Recovery (DR) and Business Continuity Plan (BCP) that includes their IaaS and SaaS partners
1 | 1 | 1 | 1 | 3rd Party PaaS cloud vendor has no stated policy that requires risk assessments of their 4th party IaaS and SaaS vendors
1 | 1 | 1 | 0 | 3rd Party cloud vendor has no stated policies to disclose security breaches
0 | 0 | 1 | 0 | Infrastructure may not have performance metrics to guide capacity decisions
0 | 0 | 1 | 1 | Offshore Development team may use production data to test new code
SAAS COO INSIGHTS
Trust – but verify. Take them at their word, but then verify what they say because sometimes you will get lied to. Start with trust. It is like doing an audit: give high level questions and then, if the answers are not consistent, queue some questions and seek to understand the maturity of their security team and security controls.
Risk Questionnaires - Make Your RA Questionnaires Relevant – if you prefer a long questionnaire. As cloud providers, we do put much effort into responding to risk assessment questionnaires. We do take the risk assessment process very seriously, but we often don't respect the questionnaire and the security person conducting the risk assessment. We assume the security person was brought into the vendor approval process late, and that he/she doesn't really get it, i.e. the cloud. Hosting a 5-10 minute interview meeting is always more productive than responding to a canned set of questions. General questions followed by probing questions works well.
Risk Transfer: Require your 3rd and 4th party providers to sign a Sales Agreement containing the requirement for their company to comply with your current and future information security policies. Insert breach disclosure and breach indemnification clauses.
PAAS VP OF ENGINEERING INSIGHTS
SaaS Providers: Backup and restore procedures are not tested, so we failed to understand that our backups of customers' data were not complete. The software engineers did not encrypt (hash) the user passwords because we didn't explicitly tell them to do so.
IaaS Providers: Systems migrations don't follow a documented Change Control Checklist procedure. Insert breach disclosure and breach indemnification clauses in the Sales Agreement.
PaaS Providers: We really don't have an Information Security Officer.
HEALTHCARE CISO'S INSIGHTS
High Value Cloud Providers: "We are always willing to do business with them because they understand my business and seem to be honest and capable."
Low Cost Cloud Providers: "I will never do business with them because they scare the hell out of me."
Unsure Cloud Providers: "Maybe I will do business with them; but I do have some concerns."
Low Cost and Unsure Cloud Providers: "We don't trust either because we are not comfortable that their approach to security aligns to our approach to security."
Risk Transfer: Append the completed risk assessment questionnaire to the sales agreement. Insert breach disclosure and breach indemnification clauses.
BANK CISO'S INSIGHTS
- Thoroughly understand the business requirements.
- First conduct a risk analysis of the business data.
- Then send the cloud vendor risk assessment questionnaire: 5 – 10 questions for high value providers and 200 – 300 questions for low cost providers.
- Conduct a follow-up meeting to probe weak answers.
Risk Transfer: Insert breach disclosure and breach indemnification clauses in the Sales Agreement. Attach the completed cloud vendor risk assessment questionnaire to the Sales Agreement. Obtain the signature of the business sponsor on your RA report containing the high risk findings and recommended risk action plan.
QUESTIONS AND FOLLOW-UP
Questions: Communicate your question by speaking, or text your question in the Webinar chat box.
Follow-Up: If we do not answer your question today, send your question to email@example.com and I will do my best to reply within 24 hours. If you would like a copy of this presentation, send an email to firstname.lastname@example.org and include "SIRA Webinar" in the subject line.
RECOMMENDED RESOURCES
- PaaS, SaaS, DaaS: Finding Your Place in the Cloud, VMIX Blog – http://www.vmix.com/blog/2010/09/finding-your-place-in-the-cloud/
- IaaS vs. PaaS vs. SaaS definitions – http://www.katescomment.com/iaas-paas-saas-definition/
- Free Information Security Risk Assessment Tool – http://info.isutility.com/securityassessment/
- Risk Checks by RDC – http://www.rdc.com/delivery/rdc-search
- Shared Assessment Questionnaires – www.sharedassessments.org