IAPP Atlanta Chapter Meeting 2013 February


Published on

Cloud Security Assurance for the International Association of Privacy Professionals

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • There are 4 major categories in the Cloud Computing value chain. These are the target workloads and user base for each category The first category is Software as a Service : This is Applications services delivered over the network on a subscription basis. Cisco WebEx, Salesforce, Microsoft and Google are perhaps the biggest providers here Then there is Platform as a Service which is Software development frameworks and components delivered over the network on a pay-as-you-go basis. Examples of this are; Google Apps Engine, Amazon Web Services and Microsoft Azure The next category is Infrastructure as a Service where compute, network and storage delivered over the network on a pay-as-you-go basis. Amazon pioneered this with AWS (Amazon Web Service) and now IBM and most of the managed hosting market are entrants here also. The approach we are taking is to enable service providers to move into this area—we are not building our own Infrastructure as a Service offering for the general market. And of course, there is an IT foundation that has to keep all this going—Cisco intends to be the leading provider of enabling technology to both the service provider and enterprise markets
  • The NIST also breaks down cloud computing deployment models with four categories: Public clouds deliver computing services (SaaS, PaaS or IaaS) to the general market over the Internet. These are services where you can browse to a web site, enter a payment method, and begin using the service through your browser, along with all of the other customers of the service. Generally the cloud provider defines the user interfaces and architectures for these clouds. Private clouds deliver the NIST essential characteristics to a single organization, usually through either wholly owned or dedicated leased infrastructure. Hybrid clouds federate two or more cloud environments together, usually through both management and network interfaces. Virtual private cloud is actually a mechanism by which a private cloud can be simulated in public cloud infrastructure. Often, this looks like VPN connectivity from the corporate network into the public cloud providers’ data centers.
  • Ultimately, however, Cisco believes that these distinctions will be blurred by technologies that allow interoperability, federation and portability between combinations of public and private cloud environments. These combined clouds are typically known as “Hybrid Clouds”
  • Under Statement on Auditing Standard (SAS) 70 , published in 1992, CPAs were able to produce a report that would be an auditor-to-auditor communication (as well as one used by management of the service organization, existing user entities and their auditors) on either the design or design and effectiveness of a user organization’s financial statement controls that have been outsourced to a service organization. With the growth in new technologies , global business opportunities and increased outsourcing , SAS 70 quickly attracted marketplace attention . 09/12/2012
  • Unfortunately, some organizations misinterpreted SAS 70 and tried to expand its use to indicate that they had been “SAS 70 certified” or were “SAS 70 compliant.” While SAS 70 focused only on financial controls at outsourced operations that have an impact on a company’s financial statements, organizations used these terms incorrectly to imply that controls over non-financial subject matters also were covered. In addition, some service organizations mistakenly made the report available to the public – particularly potential customers – when it was never meant for that purpose . 09/12/2012
  • Based on these misuses of SAS70 reports, it became clear that there was a need for a detailed report that was based on an examination of subject matter other than internal control over financial reporting. The emergence and growth of cloud computing , increased outsourcing of certain functions, and privacy concerns only further elevated this issue. The subjects identified , which are considered part of compliance and operations , were a service organization’s security, availability, processing integrity, confidentiality and privacy. We will discuss these areas in more detail later. 09/12/2012
  • So, how did the AICPA address the marketplace demand? 1. Split SAS70 and replaced with 2 new standards , Statement on Standards for Attestation Engagements (SSAE) 16 for service auditors , which is effective now, and a new SAS for user auditors (i.e. how to use a SOC report) , which is effective for calendar year 2012 financial statement audits. This User Auditor standard is now incorporated into the Clarified Auditing Standards and can be found in AU-C 402 (Audit Considerations Relating to an Entity Using a Service Organization). Although written for auditors of entities that use 3 rd party service providers, the considerations in this standard are a relevant reference for Management as they oversee vendor relationships on their own internal control environment. SSAE 16 , Reporting on Controls at a Service Organization, applies when an entity outsources a business task or function to another entity (usually one that specializes in that task or function) and the data resulting from that task or function is incorporated into that entity’s financial statements . This relates to internal controls over financial reporting . ( Essentially the replacement for the old SAS 70). Examples of outsourced tasks that would fall under SSAE16 (payroll, benefit plans, payment processing) Because of the extensive misunderstanding of SAS 70, the AICPA has developed a framework of reports to help prevent misunderstanding of SSAE 16 and to explain the additional levels of assurance now available. In particular, with the growth of cloud computing , the increase in outsourcing , and the proliferation of data breaches , service organizations are seeking some kind of “assurance” over controls other than internal control over financial reporting so their customers know that they have met a level of reliability and trust . The new SOC framework makes that assurance possible. 09/12/2012
  • There are 3 types of “SOC” reports , which h as opened up reporting from traditional third-party service provides (e.g. ADP, Benefit Plans, etc.) to a larger number of companies (e.g. cloud providers, data centers, event planners) You would work with your CPA to determine which type of report is appropriate. As an added benefit to service organizations, for a year after the engagement on its controls , the service organization can use a specially designed logo in its marketing and on its website. You’ll see that on the next slide. CPAs, service organizations and users can find out about what the reports mean, how they can be used and other information on a special webpage. 09/12/2012
  • Here you see the two SOC logos. They are used for marketing purposes to promote the SOC brand.  The logo on the top is for use by CPAs who provide the assurance engagements that result in a SOC 1, 2 or 3 report. The logo on the bottom is a marketing tool that service organizations can use in promotional material or display on their websites to show that they had one or more of the three SOC engagements performed within the year . Note that this is NOT a seal , which is only provided on SOC 3 engagements and is administered by the Canadian Institute of Chartered Accountants (CICA).   09/12/2012
  • Here is a good summary of the three SOC reports. Notice SOC 2 & 3 based on Trust Service Principles and Criteria – more on that later Now I’ll go into more detail on each. 09/12/2012
  • The new SSAE 16 retains the original purpose of SAS 70 . This option has been rebranded as an SOC 1 report (some call it an SSAE16 report) – SOC 1 is easier to say. 09/12/2012
  • One or more of these areas may be addressed in single report. Door open for other potential areas (e.g. compliance – HIPAA, Red Flag Rules, Dodd Frank Conflict Minerals, etc.). Report helps user organization management carry out its responsibility for monitoring the services it receives , including the operating effectiveness of a service organization’s controls over those services. Security. The system is protected against unauthorized access (both physical and logical). Availability. The system is available for operation and use as committed or agreed (SLA). Processing integrity. System processing is complete, accurate, timely, and authorized. Confidentiality. Information designated as confidential is protected as committed or agreed. Privacy. Thoughts on how privacy might differ from confidentiality? Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA (found in appendix D [paragraph .48]). Unlike personal information, which is defined by regulation in a number of countries worldwide and is subject to the privacy principles, there is no widely recognized definition of what constitutes confidential information. (Eg, IP, M&A) Guesses at most common criteria used? Security, Privacy. Can’t we just combine a SOC 1 and SOC 2 report by including SOC 2 criteria in a SOC 1 report? Because of the similarities between SOC 1 and SOC 2 reports, our clients may assume that SOC 2 reports, or portions thereof, provide assurance over their ICFR. However, as noted above, controls associated with SOC 2 reports are generally not relevant to a user entity’s ICFR and, as such, SOC 2 reports are not intended for use in financial statement or ICFR audits . If you receive a SOC 2 report from your vendor, you are encouraged to contact the vendor to request a SOC 1 report. IT is biggest area of confusion. Some overlap with IT controls in a SOC 1 and a SOC 2 (Esp. Security and Process Integrity) – SOC 1 focuses on controls over ICFR (IT General Controls - Access to Programs and Data, Program Changes, Program Development, and Computer Operations). 09/12/2012
  • Similar to SOC 1 - Type 1 reports cover suitability of control design, while Type 2 reports also cover control operating effectiveness. Type 1 – point in time Type 2 – over reporting period 09/12/2012
  • IAPP Atlanta Chapter Meeting 2013 February

    1. 1. 1 IAPP Atlanta Chapter February 22, 2013Cloud Assurance BasicsPhil AgcaoiliCISO, Cox CommunicationsFounding Member, Cloud Security Alliance (CSA)Co-Founder and Co-Author, CSA Cloud Controls Matrix (CCM)Co-Founder Security, Trust, & Assurance Registry (STAR) and GRC Stack
    2. 2. 2agenda• Intro to cloud computing• Legal and privacy concerns to consider• Latest developments of cloud security and assurance standards
    3. 3. 3Intro to cloud computing
    4. 4. What Is Cloud Computing? 4• The “cloud” is a metaphor for the Internet – Leverages the connectivity of the Internet to optimize the utility of computing• It is not new! – Search is a cloud application (Google, Yahoo, Altavista) – Internet-based email services are cloud applications (Gmail, Yahoo! Mail, Hotmail, AOL Mail) – Social networking sites are cloud applications (Facebook, MySpace, Forums) – Similar to time-sharing and service bureau services from the mainframe days, or ASP’s from the 90’s• Accessible anywhere with Internet access – There are public, private, managed and hybrid clouds
    5. 5. The Consumer’s View of Cloud 5 ...Everything is CloudPresentation_ID2008 Cisco Systems, Inc. All rights reserved. Confidential © Cisco
    6. 6. Evolution Over The Years 6 Cloud Computing with pay as you go model, leveraging virtualization for data center efficiencies and faster networks Software as a Service (SaaS) model with multi-Adoption tenant hosting of applications ASP (Application Service John McCarthy Provider) model with proposed computer time- single tenant hosting of sharing technology to be applications sold through utility business model (like electricity) in a lecture at MIT 1961 Mid 90’s Early 00’s Late 00’s Time
    7. 7. The Technical View of Cloud 7Presentation_ID2008 Cisco Systems, Inc. All rights reserved. Confidential © Cisco
    8. 8. NIST Cloud Deployment Models 8 Application Applications at Scale (SaaS) (End users) Platform Execution Platforms at as a Scale Service (Developers) Infrastructu Infrastructure at Scale re (System Administrators) as a Service Enabling Cloud Service Delivery at Technology Scale (Public / Private Cloud Providers)Presentation_ID2008 Cisco Systems, Inc. All rights reserved. Confidential © Cisco
    9. 9. Cloud Model :: Infrastructure as a Service (IaaS) 9
    10. 10. Cloud Model :: Platform as a Service (PaaS) 10
    11. 11. Cloud Model :: Software as a Service (SaaS) 11
    12. 12. NIST Cloud Deployment Models 12 Cloud infrastructure made Public available to the general Cloud public. Cloud infrastructure operated Private solely for an organization. Cloud Cloud infrastructure composed Hybrid of two or more clouds that Cloud interoperate or federate through technology Cloud infrastructure shared by Community several organizations and Cloud supporting a specific community … and one other Cloud services that simulate Virtual the private cloud experience in Private public cloud infrastructure CloudPresentation_ID2008 Cisco Systems, Inc. All rights reserved. Confidential © Cisco
    13. 13. Enterprise Deployment Models Distinguishing Between Ownership and 13 Control Internal Resources External Resources All cloud All cloud Ownership resources resources owned by or owned by dedicated to Cloud Hybrid providers; enterprise used by many Interoperabil customers ity and portability Private Cloud Public Cloud among Public and/or Cloud Private Cloud Cloud Control definition/systems definition/ governance governance controlled controlled by by provider enterprisePresentation_ID2008 Cisco Systems, Inc. All rights reserved. Confidential © Cisco
    14. 14. What This Means To Security 14 The lower down the stack theSalesforce - Cloud provider stops, the SaaS more security you are tactically responsible for implementing & managing yourself. Google AppEngine - PaaS Amazon EC2 - IaaS
    15. 15. 15Legal and privacyconcerns to consider
    16. 16. Be Prepared for Change 16• Cloud industry is immature and growing rapidly• New players will rapidly emerge to fill new market niches• Consolidation of the industry at some point is inevitable – You may not be as comfortable with new entity • Google, Amazon, IBM, Microsoft, Dell, HP, Cisco, CSC, and Verizon all active in this area – Big players will create standards for security and governance• Cloud computing is disruptive to existing business models and IT practices – Disruptive technologies attract players who may not be around for the long term
    17. 17. Types of Issues 17• Location (where is your data; what law governs?)• Operational (including service levels and security)• Legislation/Regulatory (including privacy)• Third-party contractual limitations on use of cloud• Security• Investigative/Litigation (eDiscovery)• Risk allocation/risk mitigation/insurance
    18. 18. Location Issues 18• Where will your data be located? – The cloud may be the ultimate form of globalization• What law governs? – You may or may not be able to control this by contract as the law in some countries can trump contractual provisions – State law is becoming increasingly relevant – Complying with a patchwork of federal and state privacy laws• Storing data in certain regions may not be acceptable to your customers, especially the government
    19. 19. Operational Issues 19• Vendor lock-in issues – Will you be bound to a certain application; platform; operating system? – Some critics, such as Richard Stallman, have called it “a trap aimed at forcing more people to buy into locked, proprietary systems that will cost them more and more over time”• Can you transfer data and applications to and from the cloud?
    20. 20. Operational Issues 20• Backup/data restoration• Disaster recovery• Acceptable service levels• What do you do if the Internet crashes? – How is that risk allocated by contract?• Data retention issues – There many legal and tax reasons that company must retain data longer than cloud vendor is prepared to do so
    21. 21. Regulatory/Governance Issues 21• The more of these issues you have, the slower you will move to cloud computing – Early growth in cloud computing will come from small and medium sized businesses and give them a competitive advantage – Portion of cost savings will have to be reinvested into increased scrutiny of security capabilities of cloud providers• Some regions, such as the EU, have stringent rules concerning moving certain types of data across borders• Cloud computing not regulated –yet
    22. 22. Regulatory/Governance Issues 22• Patriot Act/UK Regulation of Investigatory Powers Act• Stored Communications Act (part of ECPA)• National Security Letters (may not even know of investigation)• PCI (credit card information)• HIPAA (health-related information)• GLB (financial services industry)• FTC and state privacy laws• ITARS, EARS, other export or trade restrictions will impact where data can be stored and who can store it• Video rental records• Fair Credit Reporting Act• Violence Against Women Act• Cable company customer records
    23. 23. Contracts Will Be The KeyLegal Enforcement Mechanism 23• Privileged user access – Who has access to data and their backgrounds• Regulatory compliance – Vendor must be willing to undergo audits and security certifications• Data location – Can you control the physical location of your data?• Security – Implementation is a technical matter; responsibility is a legal one
    24. 24. Key Contractual Issues 24• Data segregation – Use of encryption to protect data –a sometimes tricky issue• Recovery – What happens to your data and apps in the event of a disaster? – You should have test procedures in place• Long-term viability – What happens to data and apps if company goes out of business?• Investigative support – Will vendor investigate illegal or inappropriate activity?• What happens in the event of a security breach?
    25. 25. Security Issues 25• Physical security – Physical location of data centers; protection of data centers against disaster and intrusion• Operational security – Who has access to facilities/applications/data? – Will you get a “private cloud” or a service delivered more on a “utility” model?• Programmatic security – Software controls that limit vendor and other access to data and applications (firewalls; encryption; access and rights management) – Encryption accidents can make data unusable
    26. 26. Investigative/Litigation Issues 26• Third party access – Subpoenas • You may not even know about them if vendor gets the subpoena – Criminal/national security investigations – Search warrants; possible seizures• eDiscovery – How are document holds enforced; metadata protected; information searched for and retrieved?• You must have clear understanding of what cloud provider will do in response to legal requests for information
    27. 27. Intellectual Property Issues 27• The big issue is trade secret protection – If third parties have access to trade secret information, that could destroy the legal protection of trade secrets – This can be ameliorated by appropriate contractual non- disclosure provisions• Same concern for attorney-client privileged information
    28. 28. Risk Allocation/Management• No benchmarks today for service levels 28• No cloud vendor can offer a 100% guarantee – The most trusted and reliable vendor can still fail – Should replicate data and application availability at multiple sites – Should you escrow data or application code?• A premium will be charged based on the degree of accountability demanded• Responsibility of customer to determine if it is comfortable with risk of putting service in the cloud• Many publicly available cloud computing contracts limit liability of hosting provider to a level that is not in line with the potential risk• Cloud computing contracts resemble typical software licenses, although potential risk is much higher
    29. 29. Insurance 29• Will business interruption insurance provide coverage if your business goes down because of problem at cloud vendor?• Do Commercial General Liability (CGL) or other types of liability coverage handle claims that arise from privacy breaches or other events at the cloud level?• Are you covered if your cloud vendor gets hacked?
    30. 30. Checklist of Things to Consider 30• Financial viability of cloud provider• Plan for bankruptcy or unexpected termination of the relationship and orderly return of disposal of data/applications – Vendor will want right to dispose of your data if you don’t pay• Contract should include agreement as to desired service level and ability to monitor it• Negotiate restrictions on secondary uses of data and who at the vendor has access to sensitive data• Understand cloud provider’s information security management systems
    31. 31. Checklist of Things to Consider• Negotiate roles for response to eDiscovery requests 31• Ensure that you have ability to audit on demand and regulatory and business needs require – Companies subject to information security standards such as ISO 27001, must pass to subs same obligation• Make sure that cloud provider policies and processes for data retention and destruction are acceptable• Provide for regular backup and recovery tests• Consider data portability application lock-in concerns• Understand roles and notification responsibilities in event of a breach
    32. 32. Checklist of Things to Consider 32• Data encryption is very good for security, but potentially risky; make sure you understand it – Will you still be able to de-crypt data years later?• Understand and negotiate where your data will be stored, what law controls and possible restrictions on cross-border transfers• Third-party access issues• Consider legal and practical liability for force majeure events – Must be part of disaster recovery and business continuity plan• There is no substitute for careful due diligence
    33. 33. 33Latest developments incloud security assuranceCSA Cloud Controls Matrix (CCM)AICPA SOC ReportsCSA Open Certification Framework (OCF)
    34. 34. 34
    35. 35. 35Our research includesfundamental projectsneeded to define andimplement trust within thefuture of informationtechnologyCSA continues to beaggressive in producingcritical research, educationand tools22 Active Work Groups and10 in the pipeline Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2012 Cloud Security Alliance
    36. 36. 36GRC Stack Family of 4 research projects Cloud Controls Matrix (CCM) Consensus Assessments Initiative (CAI) Cloud Audit Cloud Trust Protocol (CTP) Private, Private, Community & Community & Control Public Clouds Public Clouds Provider Requirement Assertion s s
    37. 37. 37• Controls derived from guidance• Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP, etc.• Rated as applicable to S-P-I• Customer vs. Provider role• Help bridge the “cloud gap” for IT & IT auditors
    38. 38. 38• Research tools and processes to perform shared assessments of cloud providers• Integrated with Controls Matrix• Version 1 CAI Questionnaire released Oct 2010, approximately 140 provider questions to identify presence of security controls or practices• Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs
    39. 39. 39• CSA STAR (Security, Trust and Assurance Registry) – Public Registry of Cloud Provider self assessments – Based on Consensus Assessments Initiative Questionnaire • Provider may substitute documented Cloud Controls Matrix compliance – Voluntary industry action promoting transparency – Free market competition to provide quality assessments • Provider may elect to provide assessments from third parties
    40. 40. Security Assurance - A Better WayCSA Open Certification Framework (OCF) 40 The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers. The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives. The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost. ~Jim Reavis & Daniele Catteddu; CSA~ Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.o
    41. 41. Security Assurance - A Better Way CSA Open Certification Framework (OCF) OCF Level 1: CSA STAR Registry 41CSA STAR (Security, Trust and Assurance Registry)Public Registry of Cloud Provider self assessmentsBased on Consensus Assessments Initiative Questionnaire (CAIQ) Provider may substitute documented Cloud Controls Matrix complianceVoluntary industry action promoting transparencyFree market competition to provide quality assessments Provider may elect to provide assessments from third partiesAvailable since October 2011 Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.or
    42. 42. OCF: The structure 42 The open certification framework is structured on 3 LEVELs of TRUST, each one of them providing an incremental level of visibility and transparency into the operations of the Cloud Service Provider and a higher level of assurance to the Cloud consumer. Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.o
    43. 43. 43Service Organization Control Reports (SOC)
    44. 44. AICPA SAS No. 70, Service Organizations 44•A standard for reporting on a serviceorganization’s controls affecting user entitiesfinancial statements.•Only for use by service organizationmanagement, existing user entities, and theirauditors.•Replaced by SSAE 16 SOC 1 in 2011
    45. 45. SAS No. 70, Service Organizations 45Misuse:•“SAS 70 Certified” or “SAS 70 Compliant”•Controls related to subject matter other thaninternal control over financial reporting•Made report public
    46. 46. Other Service Organization ControlReports (SOC) 46Marketplace demand for detailedreport on controls on subjectmatter other than internal controlover financial reporting include:  Security  Availability  Processing integrity  Confidentiality  Privacy
    47. 47. How the AICPA Addressed Issues 47
    48. 48. Service Organization Control (SOC) Reports 48
    49. 49. SOC Report Logos 49For CPAs who provide theservices that result in a SOC 1,SOC 2 or SOC 3 reportFor service organizations thathad a SOC 1, SOC 2 or SOC 3engagement within the pastyear
    50. 50. New Standards and Names 50 Trust Services Principles and Criteria
    51. 51. SOC 1 Report (restricted use) 51 • Report on controls at a service organization relevant to a user entity’s internal control over financial reporting
    52. 52. SOC 2 Report (use determined by auditor) 52• Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy
    53. 53. SOC 2 Reports – Type 1 and Type 2 53• Both report on management’s description of a service organization’s system, and…  Type 1 also reports on suitability of design of controls  Type 2 also reports on suitability of design and operating effectiveness of controls
    54. 54. Security Assurance - A Better WayAICPA SOC 2 Type 2 with the CSA CCM 54•The SOC 2 Type 2 Attestation Standard (AT-101) allows for inclusion ofother standards•Use SOC 2 Report as the Assurance wrapper for any or all of the following: –Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) –ISO27001 –PCI-DSS –HITECH –NIST/FedRamp•One core set of audit work serves as the basis for multiple reportsRecommendation:The Cloud Security Alliance has determined that for most cloud providers, aSOC 2 Type 2 attestation examination conducted in accordance with AICPAstandard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix(CCM) as additional suitable criteria is likely to meet the assurance andreporting needs of the majority of users of cloud services. *This conclusion is supported by the AICPA Technical Practice Aid titled “TIS Section 9530: Service Organization Controls Reports” published in November 2011.
    55. 55. About the Cloud Security Alliance 55Global, not-for-profit organisationOver 40,000 individual members, more than 160 corporatemembers, over 60 chaptersBuilding best practices and a trusted cloud ecosystemAgile philosophy, rapid development of applied research GRC: Balance compliance with risk management Reference models: build using existing standards Identity: a key foundation of a functioning cloud economy Champion interoperability Enable innovation Advocacy of prudent public policy“To promote the use of best practices for providing security assurance within CloudComputing, and provide education on the uses of Cloud Computing to help secureall other forms of computing.” Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.o
    56. 56. Questions & Answers 56Thank you.Phil Agcaoiliphil.agcaoili@cox.comTwitter @hacksec www.cloudsecurityalliance.org http://www.aicpa.org Promoting Privacy