Rob kloots auditoutsourcedit



  1. How to Audit Outsourced IT Environments?
     - What are the challenges when auditing outsourced IT environments?
     - How to include outsourced IT environments in your audit?
     Rob Kloots – CISA CISM CRISC, Owner, TrustingtheCloud, CSA-BE volunteer
     Berlin, June 2012
  2. Topics
     - Key Cloud Security Problems
     - The GRC Stack
     - CSA Guidance Research
     - Transparency
     - Cloud Controls Matrix (CCM)
     - CCM – 98 Controls
     - Guidance
     - The CAI Questionnaire
     - CloudAudit Objectives & Alignment
  3. Key Cloud Security Problems (from CSA Top Threats research)
     - Trust: lack of provider transparency impacts governance, risk management, compliance, and the capture of real value
     - Data: leakage, loss, or storage in unfriendly geography
     - Insecure cloud software
     - Malicious use of cloud services
     - Account/service hijacking
     - Malicious insiders
     - Cloud-specific attacks
  4. The GRC Stack provides trust in the Cloud
     [Diagram: GRC Stack – Needs and Claims; Evidence and Assurance; Payoffs and Protection; Security Requirements; Security Capabilities; Compliance and Transparency; Trust and Visibility]
     Delivering evidence-based confidence … with compliance-supporting data & artifacts.
  5. A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
     (Table; the "Stack Pack" column was a row of logos and is not recoverable.)
     Delivering: Continuous monitoring … with a purpose
       Description: Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
     Delivering: Claims, offers, and the basis for auditing service delivery
       Description: Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
     Delivering: Pre-audit checklists and questionnaires to inventory controls
       Description: Industry-accepted ways to document what security controls exist
     Delivering: The recommended foundations for controls
       Description: Fundamental security principles in specifying the overall security needs of cloud consumers and assessing the overall security risk of a cloud provider
  6. A Headstart for Control and Compliance
     Forged by the Global Marketplace; Ready for All
     (Table with columns Professional / Government / Commercial; legend: "In place", "Offered"; cells shown as "???" on the slide are reproduced as such.)
     Continuous monitoring … with a purpose
       Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers – ???
     Claims, offers, and the basis for auditing service delivery
       Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments – ???
     Pre-audit checklists and questionnaires to inventory controls
       Industry-accepted ways to document what security controls exist
       Government (in place): FedRAMP; DIACAP; Other C&A standards
       Commercial: NIST 800-53, HITRUST CSF, SSAE SOC2 control criteria, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …
     A recommended assessment foundation for controls
       Fundamental security principles in assessing the overall security risk of a cloud provider
  7. CSA Guidance Research
     Popular best practices for securing cloud computing: 14 domains of concern, in governing & operating groupings (figure; a "Transparency" label spans both groupings)
     - Cloud Architecture
     Governing the Cloud:
     - Governance and Enterprise Risk Management
     - Legal and Electronic Discovery
     - Compliance and Audit
     - Information Lifecycle Management
     - Portability and Interoperability
     Operating in the Cloud:
     - Security, Bus. Cont., and Disaster Recovery
     - Data Center Operations
     - Incident Response, Notification, Remediation
     - Application Security
     - Encryption and Key Management
     - Identity and Access Management
     - Virtualization
  8. Transparency
     (Figure. Source: NIST SP500-291-v1.0, p. 42, Figure 12)
  9. Cloud Controls Matrix (CCM)
     Leadership Team: Becky Swain – EKKO Consulting; Philip Agcaoili – Cox Communications; Marlin Pohlman – EMC, RSA; Kip Boyle – CSA
     Versions: V1.0 (Apr 2010), v1.1 (Dec 2010), v1.2 (Aug 2011), V2.0 (2012)
     Controls baselined and mapped to: COBIT, BITS Shared Assessments, HIPAA/HITECH Act, Jericho Forum, ISO/IEC 27001-2005, NERC CIP, NIST SP800-53, FedRAMP, PCI DSS v2.0
  10. CCM – 98 Controls
  11. CCM – 98 Controls (cont.)
  12. CCM – 98 Controls (cont.)
  13. CCM – 98 Controls (cont.)
  14. Control Matrix >> Guidance >> ISO
  15. The CAI Questionnaire
  16. Sample Questions to Vendors
      Compliance – Independent Audits (CO-02)
      - CO-02a – Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
      - CO-02b – Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
      - CO-02c – Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
      - CO-02d – Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
      - CO-02e – Do you conduct external audits regularly as prescribed by industry best practices and guidance?
      - CO-02f – Are the results of the network penetration tests available to tenants at their request?
      - CO-02g – Are the results of internal and external audits available to tenants at their request?
      Data Governance – Classification (DG-02)
      - DG-02a – Do you provide a capability to identify virtual machines via policy tags/metadata (ex. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
      - DG-02b – Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (ex. TXT/TPM, VN-Tag, etc.)?
      - DG-02c – Do you have a capability to use system geographic location as an authentication factor?
      - DG-02d – Can you provide the physical location/geography of storage of a tenant's data upon request?
      - DG-02e – Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
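The questionnaire above is a vendor self-assessment, so a first audit step is to check the answers for internal consistency and to turn every unverified "yes" into an evidence request. The Python below is an added example, not part of the slides or of the CSA tooling: the question IDs are those on the slide, while the dependency rules, the evidence list and the sample answers are this example's own assumptions.

```python
# Added example (not from the slides): consistency check over a vendor's
# yes/no answers to the CAI questions above. Rules, evidence list and
# sample answers are constructed assumptions; question IDs are the slide's.
QUESTIONS = ("CO-02a", "CO-02b", "CO-02c", "CO-02d", "CO-02e", "CO-02f",
             "CO-02g", "DG-02a", "DG-02b", "DG-02c", "DG-02d", "DG-02e")

# A "yes" to the key is credible only if every prerequisite is also "yes":
# results cannot be shared for tests that are not run (CO-02), and a tenant
# geography policy needs VM tagging plus a known storage location (DG-02).
DEPENDS_ON = {
    "CO-02f": ("CO-02b",),
    "CO-02g": ("CO-02d", "CO-02e"),
    "DG-02e": ("DG-02a", "DG-02d"),
}

# Claims not to be taken on trust: each "yes" becomes an evidence request.
EVIDENCE = {
    "CO-02a": "latest SOC2 / ISAE3402 report (full report, not a summary)",
    "CO-02b": "scope, date and summary of the last network penetration test",
    "CO-02c": "scope, date and summary of the last application penetration test",
    "CO-02e": "latest external audit report and open-finding tracker",
    "DG-02d": "written statement of the storage locations used for our tenant",
}


def assess(answers):
    """Return (findings, evidence_requests) for one vendor's answers."""
    answers = {q: a.strip().lower() for q, a in answers.items()}
    findings = [("unanswered", q) for q in QUESTIONS
                if answers.get(q) not in ("yes", "no")]
    for q, prereqs in DEPENDS_ON.items():
        if answers.get(q) == "yes":
            findings += [("inconsistent", q, p) for p in prereqs
                         if answers.get(p) != "yes"]
    requests = [(q, what) for q, what in EVIDENCE.items()
                if answers.get(q) == "yes"]
    return findings, requests


# Constructed sample: the vendor claims to share network pentest results
# (CO-02f) while not running such tests (CO-02b), and skips DG-02b.
SAMPLE_ANSWERS = {
    "CO-02a": "Yes", "CO-02b": "no", "CO-02c": "yes", "CO-02d": "yes",
    "CO-02e": "yes", "CO-02f": "yes", "CO-02g": "yes",
    "DG-02a": "yes", "DG-02c": "no", "DG-02d": "yes", "DG-02e": "yes",
}

if __name__ == "__main__":
    for line in assess(SAMPLE_ANSWERS):
        print(line)
```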
  17. CloudAudit Objectives
      - Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
      - Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology.
  18. Aligned to CSA Control Matrix
      - Officially folded CloudAudit under the Cloud Security Alliance in October, 2010
      - First efforts aligned to compliance frameworks as established by CSA Control Matrix: PCI DSS, NIST 800-53, HIPAA, COBIT, ISO 27002
      - Incorporate CSA's CAI and additional CompliancePacks
      - Expand alignment to "infrastructure" and "operations"-centric views also
  19. Holistic approach around controls…
  20. … and Architecture best practices
  21. Any Questions?
      Rob Kloots – CISA CISM CRISC, Owner, TrustingtheCloud, volunteer CSA-BE
      M +32.499-374713 e