SIRA Webinar - Cloud Provider Risk Assessments

SIRA Webinar

CLOUD PROVIDERS
INFORMATION RISK ASSESSMENTS

1 Insights from Cloud Vendor Risk Assessments
Cary Sholer – President

TABLE OF CONTENTS
Topic Page
Your Role as the Information Risk Analyst 3
What Can’t Be Outsourced? 4

SIRA Webinar - Dec 13, 2012
Categories of Cloud Providers 5
Constraints with Cloud Provider Risk Assessments 6
Flexible Methodology for Cloud Provider Risk Assessments 7-8
Common “High Risk” Findings 9-11
SaaS COO’s Insights 12
PaaS VP of Engineering’s Insights 13
Healthcare CISO’s Insights 14
Bank CISO’s Insights 15
Questions and Answers 16
Available Resources 17 2

YOUR ROLE AS THE INFORMATION RISK ANALYST

Assess Information Risks Manage Information Risks

Resolve
Identify

Classify
Manage

Manage Mitigate
Transfer
($ only)
3

WHAT CAN’T BE OUTSOURCED?
 You can outsource architecture, design, and operational
roles, but you can’t outsource critical thinking and
decision making. This is your role.

 Many people can share responsibility for information
security, but only one can be accountable as the
owner, and that would most likely be you.

 You can transfer financial risks via contracts and
insurance, but you can’t transfer accountability for
compliance requirements, nor fines and penalties
resulting from failing to meet compliance requirements.
4

CATEGORIES OF CLOUD PROVIDERS

Infrastructure as Platform as a
a Service (IaaS) Service (PaaS)

Cloud
Providers

Data as a Software as a
Service (DaaS) Service (SaaS)
5

CONSTRAINTS TO COMPLETE CLOUD
PROVIDER INFORMATION RISK ASSESSMENTS
 Internal Constraints – Business Sponsor(s)
 Understanding of Business Requirements

 Time and Resources
 Flexible IRA Methodology
 Acceptance of Risk of Ownership

 External Constraints – 3rd Party Cloud Provider(s)
 Lack of Information 3rd Party’s information security policies and
procedures
 Lack of security architecture documentation
 Lack of transparency of IaaS, SaaS, DaaS, and other 4th Party cloud
providers
 Lack of clarity of security controls used by 4th Party providers
6

ADJUST YOUR RISK ASSESSMENT INFORMATION GATHERING
STEP TO FIT THE RISK PROFILE OF CLOUD PROVIDER

Low-Cost: Comprehensive Generally, pretty good

Risk Assessment Method
(long questionnaire,
Risk Check report,
Low-Cost High-
+ probing interview)
Cloud Value High-Value: Brief Risk
Provider Provider Assessment Method
(short questionnaire
Really poor and brief interview)

Unsure -
Unsure: Trust, But Verify Cloud
Risk Assessment Method Provider
(short questionnaire +
7
probing interview)

EXAMPLE OF A FLEXIBLE INFORMATION
RISK ASSESSMENT METHODOLOGY Timing
 Brief Assessment: Ask for customer references and request the 2-4 days
list or total count of active customers.

 Trust, But Verify: Send simple RA questionnaire. Probe weak 1-2 wks
answers by hosting a risk assessment interview with their
designated information security manager.

 Comprehensive: Request background Risk Check report, request 2-3 wks
SAS/SSAE SOC reports, send 200 - 300 questions, and host an
interview with the 3rd Party’s designated ISO.

 In-Depth: send standardized set of third party questions, usually 4-8 wks
200 – 300 questions meant to cover all types of Cloud Providers.
Follow-up with an interview. Schedule and conduct a penetration
test of their platform and scan their public facing software for
8
vulnerabilities.
SIRA Webinar – Dec 13, 2012

HIGH RISK: LACK OF 4TH PARTY TRANSPARENCY

PaaS 3rd Party

Hosting Professional
(IaaS) Services
Partner
Software
Development
(SaaS) 4th Party
4th Party

4th Party 9


HIGH RISK: HOSTING PARTNERS (IAAS) MAY NOT
YOUR UNDERSTAND YOUR DATA REQUIREMENTS

What business data will Application
Virtual
be stored in the cloud? Location 1 • App Settings

Virtual • Analytics
Location 1
• App Tables
• PII Encrypted? Where
is your
User Data data?
Virtual • Unique SA ID’s?
Hosting • Passwords Which
Location 2
Virtual
Hashed? CIA country?
Partner Location 1
• Referential
(IaaS) Tables Can you
restore
Systems Info your data?
Virtual • System
Location 3 Configuration
Virtual
• Backups?
Location 1 10


OTHER HIGH RISKS TO ASSESS

gr
IR A

En

O
CO
ISO
ing

VP
nk

aS

S
C

Saa
HC
Ba

Pa

Risk Statement
1 1 1 1 — party cloud vendor doesn't disclose its 4th party IT relationships
3rd

1 0 1 0 Backup and restore procedures of customer's data are not well documented
1 0 1 0 System migrations don't follow a documented Change Control Procedure Checklist
1 0 1 0 New
— Releases may not follow customer reviewed Change Management Procedures
1 0 1 1 Systems Admins may share login credentials
—
1 1 1 0 User passwords are not encrypted (hashed)
3rd
— Party may provide their IaaS vendor's SAS 70 or SSAE 16 SOC 1 Report, but not provide a
1 1 1 1
report representing of their risks or that of their SaaS partner
1 1 1 3rd
1 — Party cloud vendor lacks sufficient information security policies
1 1 1 1 — Party cloud vendor has no designated Information Security Officer
3rd
3rd
— Party PaaS cloud vendor lacks a Disaster Recovery (DR) and Business Continuity Plan
1 1 1 1
(BCP) that includes their IaaS and SaaS partners
3rd
— Party PaaS cloud vendor has no stated policy that requires risk assessments of their
1 1 1 1
their 4th party IaaS and SaaS vendors
1 1 1 0 — Party cloud vendor has no stated policies to disclose security breaches
3rd
0 0 1 0 —
Infrastructure may not have performance metrics to guide capacity decisions
0 0 1 1 —
Offshore Development team may use production data to test new code
11

SAAS COO INSIGHTS
 Trust – but verify. Take them at their word, but then verify what
they say because sometimes you will get lied to. Start with trust.
 It is like doing an audit, give high level questions and then if the answers are not
consistent, queue some questions and seek to understand the maturity of their
security team and security controls.

 Risk Questionnaires - Make Your RA Questionnaires Relevant – if
you prefer a long questionnaire.
 As cloud providers, we do put much effort into responding to risk assessment
questionnaires. We do take the risk assessment process very seriously, but we
often don’t respect the questionnaire and the security person conducting the risk
assessment. We assume the security person was brought into the vendor
approval process late, and that he/she doesn’t really get it, i.e. the cloud.
 Hosting a 5-10 minute interview meeting is always more productive
than responding to a canned set of questions. General questions
followed by probing questions works well.
 Risk Transfer
 Require your 3rd and 4th party providers to sign a Sales Agreement
containing the requirement for their company to comply to your
current and future information security policies.
 Insert breach disclosure and breach indemnification clauses. 12

PAAS VP OF ENGINEERING INSIGHTS
 SaaS Providers
 Backup and restore procedures are not tested, so we failed to
understand our backups of customer's data was not well not

complete.
 The software engineers did not encrypt (hash) the user
passwords because we didn’t explicitly tell them to do so.
 IaaS Providers
 Systems migrations don't follow a documented Change Control
Checklist procedure.
 Insert breach disclosure and breach indemnification clauses in
the Sales Agreement.
 PaaS Providers
 We really don’t have an Information Security Officer.
13

HEALTHCARE CISO’S INSIGHTS
 High Value Cloud Providers
 “We are always willing to do business with them because they
understand my business and seem to be honest and capable.”
 Low Cost Cloud Providers

 “I will never do business with them because they scare the hell out
of me.”
 Unsure Cloud Providers
 “Maybe I will do business with them; but I do have some concerns.”
 Low Cost and Unsure Cloud Providers
 “We don't trust either because we are not comfortable that their
approach to security aligns to our approach to security.”
 Risk Transfer
 Append the completed risk assessment questionnaire to the sales
agreement. Insert breach disclosure and breach indemnification
clauses.
14

BANK CISO’S INSIGHTS
 Thoroughly understand the business requirements
 First conduct risk analysis of the business data
 Then send the cloud vendor risk assessment questionnaire (5

– 10 questions) for high value providers and (200 – 300
questions) for low cost providers
 Conduct a follow-up meeting to probe weak answers
 Risk Transfer
 Insert breach disclosure and breach indemnification clauses to the
Sales Agreement.
 Attached the completed cloud vendor risk assessment
questionnaire to the Sales Agreement.
 Obtain signature of business sponsor on your RA report containing
the high risk findings and recommended risk action plan.
15


QUESTIONS AND FOLLOW-UP
Questions
 Communicate your question by speaking; or, text your

question in the Webinar chat box.

Follow-Up
 If we do not answer your question today, send your question
to cary.sholer@farallonrisk.com and I will do my best to reply
within 24 hours.
 If you would like a copy of this presentation, send an email to
cary.sholer@farallonrisk.com and include “SIRA Webinar” in
the subject line. 16


RECOMMENDED RESOURCES
 PaaS, SaaS, DaaS Finding Your Place in the Cloud VMIX Blog
 http://www.vmix.com/blog/2010/09/finding-your-place-in-the-
cloud/

 IaaS vs. PaaS vs. SaaS definitions
 http://www.katescomment.com/iaas-paas-saas-definition/
 Free Information Security Risk Assessment Tool
 http://info.isutility.com/securityassessment/
 Risk Checks by RDC
 http://www.rdc.com/delivery/rdc-search

 Shared Assessment Questionnaires
 www.sharedassessments.org
17


SIRA Webinar - Cloud Provider Risk Assessments

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to SIRA Webinar - Cloud Provider Risk Assessments

Similar to SIRA Webinar - Cloud Provider Risk Assessments (20)

SIRA Webinar - Cloud Provider Risk Assessments

Editor's Notes