
SIRA Insights from Cloud Vendor Risk Assessments



This presentation was given to the Society of Information Risk Analysts (SIRA) in December 2012. Its purpose was to help information security and IT risk management professionals conduct risk assessments of cloud service providers wisely.



  1. SIRA Webinar: Cloud Providers Information Risk Assessments. Insights from Cloud Vendor Risk Assessments. Cary Sholer, President
  2. Table of Contents (SIRA Webinar, Dec 13, 2012)
     • Your Role as the Information Risk Analyst (slide 3)
     • What Can't Be Outsourced? (slide 4)
     • Categories of Cloud Providers (slide 5)
     • Constraints with Cloud Provider Risk Assessments (slide 6)
     • Flexible Methodology for Cloud Provider Risk Assessments (slides 7-8)
     • Common "High Risk" Findings (slides 9-11)
     • SaaS COO's Insights (slide 12)
     • PaaS VP of Engineering's Insights (slide 13)
     • Healthcare CISO's Insights (slide 14)
     • Bank CISO's Insights (slide 15)
     • Questions and Answers (slide 16)
     • Available Resources (slide 17)
  3. Your Role as the Information Risk Analyst
     The slide diagrams the analyst's job in two halves:
     • Assess information risks: identify and classify them.
     • Manage information risks: resolve, mitigate, or transfer them (only the financial part of a risk can be transferred).
  4. What Can't Be Outsourced?
     • You can outsource architecture, design, and operational roles, but you can't outsource critical thinking and decision making. That is your role.
     • Many people can share responsibility for information security, but only one person can be accountable as the owner, and that will most likely be you.
     • You can transfer financial risks via contracts and insurance, but you can't transfer accountability for compliance requirements, nor the fines and penalties that result from failing to meet them.
  5. Categories of Cloud Providers
     The slide diagrams four categories of cloud provider:
     • Infrastructure as a Service (IaaS)
     • Platform as a Service (PaaS)
     • Software as a Service (SaaS)
     • Data as a Service (DaaS)
  6. Constraints to Completing Cloud Provider Information Risk Assessments
     Internal constraints (business sponsors):
     • Understanding of business requirements
     • Time and resources
     • A flexible IRA methodology
     • Acceptance of the risk of ownership
     External constraints (3rd party cloud providers):
     • Lack of information about the 3rd party's information security policies and procedures
     • Lack of security architecture documentation
     • Lack of transparency of IaaS, SaaS, DaaS, and other 4th party cloud providers
     • Lack of clarity about the security controls used by 4th party providers
  7. Adjust Your Risk Assessment Information Gathering Step to Fit the Risk Profile of the Cloud Provider
     The slide places three provider profiles on a scale from "Generally, pretty good" to "Really poor" and pairs each with an assessment method:
     • Low-cost cloud provider: comprehensive risk assessment method (long questionnaire, Risk Check report, plus a probing interview).
     • High-value cloud provider: brief risk assessment method (short questionnaire and brief interview).
     • Unsure cloud provider: "trust, but verify" risk assessment method (short questionnaire plus a probing interview).
  8. Example of a Flexible Information Risk Assessment Methodology
     Method, with typical timing:
     • Brief Assessment (2-4 days): Ask for customer references and request the list or total count of active customers.
     • Trust, But Verify (1-2 weeks): Send a simple RA questionnaire. Probe weak answers by hosting a risk assessment interview with their designated information security manager.
     • Comprehensive (2-3 weeks): Request a background Risk Check report, request SAS 70 / SSAE 16 SOC reports, send 200-300 questions, and host an interview with the 3rd party's designated ISO.
     • In-Depth (4-8 weeks): Send a standardized set of third party questions, usually 200-300 questions meant to cover all types of cloud providers. Follow up with an interview. Schedule and conduct a penetration test of their platform and scan their public-facing software for vulnerabilities.
  9. High Risk: Lack of 4th Party Transparency
     The slide diagrams a PaaS vendor as the 3rd party, which in turn depends on three 4th parties that may be invisible to the customer:
     • Hosting partner (IaaS)
     • Professional services
     • Software development (SaaS)
  10. High Risk: Hosting Partners (IaaS) May Not Understand Your Data Requirements
     The slide diagrams the business data an application places with a hosting partner, spread across several virtual locations, and the questions to ask about each:
     • Application data (virtual location 1): app settings, analytics, app tables.
     • User data (virtual locations 1 and 2): PII, unique SA IDs, passwords, referential tables. Is the PII encrypted? Are the passwords hashed?
     • Systems information (virtual locations 1 and 3): system configuration, backups.
     • Questions for the hosting partner: What business data will be stored in the cloud? Where is your data, and in which country? Can you restore your data? How are confidentiality, integrity and availability (CIA) maintained?
  11. Other High Risks to Assess
     Each risk statement was scored 1 or 0 by each of the four interviewees (SaaS COO, PaaS VP of Engineering, Healthcare CISO, Bank CISO); the count of interviewees who flagged it is shown in parentheses.
     • 3rd party cloud vendor doesn't disclose its 4th party IT relationships (4 of 4)
     • Backup and restore procedures for customers' data are not well documented (2 of 4)
     • System migrations don't follow a documented Change Control Procedure Checklist (2 of 4)
     • New releases may not follow customer-reviewed Change Management Procedures (2 of 4)
     • Systems admins may share login credentials (3 of 4)
     • User passwords are not encrypted (hashed) (3 of 4)
     • 3rd party may provide their IaaS vendor's SAS 70 or SSAE 16 SOC 1 report, but not a report representing their own risks or those of their SaaS partner (4 of 4)
     • 3rd party cloud vendor lacks sufficient information security policies (4 of 4)
     • 3rd party cloud vendor has no designated Information Security Officer (4 of 4)
     • 3rd party PaaS cloud vendor lacks a Disaster Recovery (DR) and Business Continuity Plan (BCP) that includes their IaaS and SaaS partners (4 of 4)
     • 3rd party PaaS cloud vendor has no stated policy that requires risk assessments of their 4th party IaaS and SaaS vendors (4 of 4)
     • 3rd party cloud vendor has no stated policies to disclose security breaches (3 of 4)
     • Infrastructure may not have performance metrics to guide capacity decisions (1 of 4)
     • Offshore development team may use production data to test new code (2 of 4)
  12. SaaS COO Insights
     Trust, but verify. Take them at their word, but then verify what they say, because sometimes you will get lied to. Start with trust.
     • It is like doing an audit: give high-level questions and then, if the answers are not consistent, queue some questions and seek to understand the maturity of their security team and security controls.
     Risk questionnaires: make your RA questionnaires relevant, if you prefer a long questionnaire.
     • As cloud providers, we do put much effort into responding to risk assessment questionnaires. We do take the risk assessment process very seriously, but we often don't respect the questionnaire or the security person conducting the risk assessment. We assume the security person was brought into the vendor approval process late, and that he/she doesn't really get it, i.e. the cloud.
     • Hosting a 5-10 minute interview meeting is always more productive than responding to a canned set of questions. General questions followed by probing questions works well.
     Risk transfer
     • Require your 3rd and 4th party providers to sign a Sales Agreement containing the requirement for their company to comply with your current and future information security policies.
     • Insert breach disclosure and breach indemnification clauses.
  13. PaaS VP of Engineering Insights
     SaaS providers
     • Backup and restore procedures are not tested, so we failed to understand that our backups of customers' data were not complete.
     • The software engineers did not encrypt (hash) the user passwords because we didn't explicitly tell them to do so.
     IaaS providers
     • System migrations don't follow a documented Change Control Checklist procedure.
     • Insert breach disclosure and breach indemnification clauses in the Sales Agreement.
     PaaS providers
     • We really don't have an Information Security Officer.
  14. Healthcare CISO's Insights
     High-value cloud providers
     • "We are always willing to do business with them because they understand my business and seem to be honest and capable."
     Low-cost cloud providers
     • "I will never do business with them because they scare the hell out of me."
     Unsure cloud providers
     • "Maybe I will do business with them; but I do have some concerns."
     Low-cost and unsure cloud providers
     • "We don't trust either because we are not comfortable that their approach to security aligns to our approach to security."
     Risk transfer
     • Append the completed risk assessment questionnaire to the sales agreement. Insert breach disclosure and breach indemnification clauses.
  15. Bank CISO's Insights
     • Thoroughly understand the business requirements.
     • First conduct a risk analysis of the business data.
     • Then send the cloud vendor risk assessment questionnaire: 5-10 questions for high-value providers, 200-300 questions for low-cost providers.
     • Conduct a follow-up meeting to probe weak answers.
     Risk transfer
     • Insert breach disclosure and breach indemnification clauses into the Sales Agreement.
     • Attach the completed cloud vendor risk assessment questionnaire to the Sales Agreement.
     • Obtain the business sponsor's signature on your RA report containing the high risk findings and the recommended risk action plan.
  16. Questions and Follow-Up
     Questions
     • Communicate your question by speaking, or text your question in the Webinar chat box.
     Follow-up
     • If we do not answer your question today, send your question to and I will do my best to reply within 24 hours.
     • If you would like a copy of this presentation, send an email to and include "SIRA Webinar" in the subject line.
  17. Recommended Resources
     • PaaS, SaaS, DaaS: Finding Your Place in the Cloud (VMIX Blog) cloud/
     • IaaS vs. PaaS vs. SaaS definitions
     • Free Information Security Risk Assessment Tool
     • Risk Checks by RDC
     • Shared Assessment Questionnaires