This presentation was given to the Society of Information Risk Analysts (SIRA) as a webinar in December 2012. Its purpose was to help information security and IT risk management professionals conduct risk assessments of cloud service providers wisely.
1. SIRA Webinar
CLOUD PROVIDERS
INFORMATION RISK ASSESSMENTS
Insights from Cloud Vendor Risk Assessments
Cary Sholer – President
2. TABLE OF CONTENTS
SIRA Webinar - Dec 13, 2012
Topic (Page)
Your Role as the Information Risk Analyst (3)
What Can't Be Outsourced? (4)
Categories of Cloud Providers (5)
Constraints with Cloud Provider Risk Assessments (6)
Flexible Methodology for Cloud Provider Risk Assessments (7-8)
Common "High Risk" Findings (9-11)
SaaS COO's Insights (12)
PaaS VP of Engineering's Insights (13)
Healthcare CISO's Insights (14)
Bank CISO's Insights (15)
Questions and Answers (16)
Available Resources (17)
3. YOUR ROLE AS THE INFORMATION RISK ANALYST
Assess Information Risks:
Identify
Classify
Manage Information Risks:
Resolve
Mitigate
Transfer ($ only)
4. WHAT CAN'T BE OUTSOURCED?
You can outsource architecture, design, and operational roles, but you can't outsource critical thinking and decision making. This is your role.
Many people can share responsibility for information security, but only one can be accountable as the owner, and that would most likely be you.
You can transfer financial risks via contracts and insurance, but you can't transfer accountability for compliance requirements, nor the fines and penalties resulting from failing to meet compliance requirements.
5. CATEGORIES OF CLOUD PROVIDERS
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Data as a Service (DaaS)
Software as a Service (SaaS)
6. CONSTRAINTS TO COMPLETING CLOUD PROVIDER INFORMATION RISK ASSESSMENTS
Internal Constraints – Business Sponsor(s)
Understanding of business requirements
Time and resources
A flexible IRA methodology
Acceptance of the risk of ownership
External Constraints – 3rd Party Cloud Provider(s)
Lack of information on the 3rd Party's information security policies and procedures
Lack of security architecture documentation
Lack of transparency about the IaaS, SaaS, DaaS, and other 4th Party cloud providers they depend on
Lack of clarity about the security controls used by those 4th Party providers
7. ADJUST YOUR RISK ASSESSMENT INFORMATION GATHERING STEP TO FIT THE RISK PROFILE OF THE CLOUD PROVIDER
Low-Cost Cloud Provider (security posture generally "really poor"): Comprehensive Risk Assessment Method (long questionnaire, Risk Check report, probing interview)
High-Value Cloud Provider (security posture generally "pretty good"): Brief Risk Assessment Method (short questionnaire and brief interview)
Unsure Cloud Provider: Trust, But Verify Risk Assessment Method (short questionnaire + probing interview)
8. EXAMPLE OF A FLEXIBLE INFORMATION RISK ASSESSMENT METHODOLOGY (with timing)
Brief Assessment (2-4 days): Ask for customer references and request the list or total count of active customers.
Trust, But Verify (1-2 weeks): Send a simple RA questionnaire. Probe weak answers by hosting a risk assessment interview with their designated information security manager.
Comprehensive (2-3 weeks): Request a background Risk Check report, request SAS 70 / SSAE 16 SOC reports, send 200-300 questions, and host an interview with the 3rd Party's designated ISO.
In-Depth (4-8 weeks): Send a standardized set of third party questions, usually 200-300 questions meant to cover all types of cloud providers. Follow up with an interview. Schedule and conduct a penetration test of their platform and scan their public-facing software for vulnerabilities.
9. HIGH RISK: LACK OF 4TH PARTY TRANSPARENCY
A PaaS 3rd Party typically depends on several 4th Parties:
Hosting Partner (IaaS) – 4th Party
Professional Services Partner – 4th Party
Software Development Partner (SaaS) – 4th Party
10. HIGH RISK: HOSTING PARTNERS (IAAS) MAY NOT UNDERSTAND YOUR DATA REQUIREMENTS
What business data will be stored in the cloud?
Application: App Settings, Analytics, App Tables, PII (Encrypted?)
User Data: Unique SA IDs?, Passwords (Hashed?), Referential Tables
Systems Info: System Configuration, Backups?
Each data set may be spread by the Hosting Partner (IaaS) across several Virtual Locations (1, 2, 3), so ask for each one (CIA): Where is your data? Which country? Can you restore your data?
11. OTHER HIGH RISKS TO ASSESS
Flags per interviewee (SaaS COO | PaaS VP Engineering | HC CISO | Bank IRA), then the risk statement:
1 1 1 1  3rd Party cloud vendor doesn't disclose its 4th Party IT relationships
1 0 1 0  Backup and restore procedures for customer data are not well documented
1 0 1 0  System migrations don't follow a documented Change Control Procedure Checklist
1 0 1 0  New releases may not follow customer-reviewed Change Management Procedures
1 0 1 1  Systems Admins may share login credentials
1 1 1 0  User passwords are stored without hashing
1 1 1 1  3rd Party may provide their IaaS vendor's SAS 70 or SSAE 16 SOC 1 Report, but not a report representing their own risks or those of their SaaS partner
1 1 1 1  3rd Party cloud vendor lacks sufficient information security policies
1 1 1 1  3rd Party cloud vendor has no designated Information Security Officer
1 1 1 1  3rd Party PaaS cloud vendor lacks a Disaster Recovery (DR) and Business Continuity Plan (BCP) that includes their IaaS and SaaS partners
1 1 1 1  3rd Party PaaS cloud vendor has no stated policy that requires risk assessments of their 4th Party IaaS and SaaS vendors
1 1 1 0  3rd Party cloud vendor has no stated policies to disclose security breaches
0 0 1 0  Infrastructure may not have performance metrics to guide capacity decisions
0 0 1 1  Offshore development team may use production data to test new code
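The finding "User passwords are stored without hashing" is one an assessor can check rather than take on trust, by asking the vendor for a redacted sample of its credential store. The Python script below is an added example for this page, not part of the webinar material: it classifies stored values by shape (plaintext, bare fast digest, salted modular-crypt hash) and shows, beside them, what a defensible store looks like using scrypt from the standard library with a per-user random salt. The sample rows are constructed, and the classification heuristics (prefix patterns, hex digest lengths) are the example's own assumptions.

```python
"""Classify how a cloud vendor stores user passwords, and show the hashed alternative.

Added example for the risk table above; it is not part of the webinar material.
The sample credential rows below are constructed for illustration.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Assumed shapes an assessor meets in a redacted credential-store sample.
# Modular-crypt prefixes (bcrypt, argon2, PBKDF2, scrypt, sha-crypt) all carry a salt.
_MODULAR_CRYPT = re.compile(r"^\$(2[aby]|argon2(id|i|d)|pbkdf2-sha\d+|scrypt|5|6)\$")
# Bare hex digests of these lengths are unsalted fast hashes (MD5, SHA-1, SHA-256).
_HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def classify_stored_password(value: str) -> str:
    """Return 'salted-hash', 'unsalted-hash' or 'plaintext' for one stored value."""
    if _MODULAR_CRYPT.match(value):
        return "salted-hash"
    if len(value) in _HEX_DIGEST_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", value):
        return "unsalted-hash"  # reversible with rainbow tables or GPU brute force
    return "plaintext"


def assess_credential_sample(rows: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count classifications over (username, stored_value) pairs.

    Anything other than 'salted-hash' should be written up as a high-risk finding.
    """
    summary = {"salted-hash": 0, "unsalted-hash": 0, "plaintext": 0}
    for _user, stored in rows:
        summary[classify_stored_password(stored)] += 1
    return summary


# --- What a defensible store looks like: scrypt with a per-user random salt ---
_SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # ~16 MiB per hash


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with hashlib.scrypt; encode as '$scrypt$<salt hex>$<hash hex>' (our own format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT_PARAMS)
    return f"$scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    try:
        _, scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # not in our format (e.g. a plaintext value)
    if scheme != "scrypt":
        return False
    recomputed = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **_SCRYPT_PARAMS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)


# Constructed sample rows, one per storage style.
SAMPLE_ROWS = [
    ("alice", "Summer2012!"),                                 # plaintext
    ("bob", "5f4dcc3b5aa765d61d8327deb882cf99"),              # unsalted MD5 of "password"
    ("carol", "$2b$12$" + "x" * 53),                          # bcrypt-shaped value
    ("dave", hash_password("correct horse battery staple")),  # salted scrypt
]

if __name__ == "__main__":
    print(assess_credential_sample(SAMPLE_ROWS))
```

Run against a real sample, any count in the "plaintext" or "unsalted-hash" buckets is the evidence for the finding; the vendor's fix is the `hash_password` pattern (or bcrypt/argon2), never a bare digest.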
12. SAAS COO INSIGHTS
Trust – but verify. Take them at their word, but then verify what they say, because sometimes you will get lied to. Start with trust.
It is like doing an audit: give high-level questions, and then, if the answers are not consistent, queue some questions and seek to understand the maturity of their security team and security controls.
Risk Questionnaires – Make your RA questionnaires relevant, if you prefer a long questionnaire.
As cloud providers, we do put much effort into responding to risk assessment questionnaires. We do take the risk assessment process very seriously, but we often don't respect the questionnaire and the security person conducting the risk assessment. We assume the security person was brought into the vendor approval process late, and that he/she doesn't really get it, i.e. the cloud.
Hosting a 5-10 minute interview meeting is always more productive than responding to a canned set of questions. General questions followed by probing questions works well.
Risk Transfer
Require your 3rd and 4th party providers to sign a Sales Agreement containing the requirement for their company to comply with your current and future information security policies.
Insert breach disclosure and breach indemnification clauses.
13. PAAS VP OF ENGINEERING INSIGHTS
SaaS Providers
Backup and restore procedures are not tested, so we failed to understand that our backups of customer data were not complete.
The software engineers did not encrypt (hash) the user passwords because we didn't explicitly tell them to do so.
IaaS Providers
System migrations don't follow a documented Change Control Checklist procedure.
Insert breach disclosure and breach indemnification clauses in the Sales Agreement.
PaaS Providers
We really don't have an Information Security Officer.
14. HEALTHCARE CISO'S INSIGHTS
High Value Cloud Providers
"We are always willing to do business with them because they understand my business and seem to be honest and capable."
Low Cost Cloud Providers
"I will never do business with them because they scare the hell out of me."
Unsure Cloud Providers
"Maybe I will do business with them; but I do have some concerns."
Low Cost and Unsure Cloud Providers
"We don't trust either because we are not comfortable that their approach to security aligns to our approach to security."
Risk Transfer
Append the completed risk assessment questionnaire to the sales agreement. Insert breach disclosure and breach indemnification clauses.
15. BANK CISO'S INSIGHTS
Thoroughly understand the business requirements.
First conduct a risk analysis of the business data.
Then send the cloud vendor risk assessment questionnaire: 5-10 questions for high value providers and 200-300 questions for low cost providers.
Conduct a follow-up meeting to probe weak answers.
Risk Transfer
Insert breach disclosure and breach indemnification clauses in the Sales Agreement.
Attach the completed cloud vendor risk assessment questionnaire to the Sales Agreement.
Obtain the signature of the business sponsor on your RA report containing the high risk findings and recommended risk action plan.
16. QUESTIONS AND FOLLOW-UP
Questions
Communicate your question by speaking, or text your question in the Webinar chat box.
Follow-Up
If we do not answer your question today, send your question to cary.sholer@farallonrisk.com and I will do my best to reply within 24 hours.
If you would like a copy of this presentation, send an email to cary.sholer@farallonrisk.com and include "SIRA Webinar" in the subject line.
17. RECOMMENDED RESOURCES
PaaS, SaaS, DaaS: Finding Your Place in the Cloud (VMIX Blog)
http://www.vmix.com/blog/2010/09/finding-your-place-in-the-cloud/
IaaS vs. PaaS vs. SaaS definitions
http://www.katescomment.com/iaas-paas-saas-definition/
Free Information Security Risk Assessment Tool
http://info.isutility.com/securityassessment/
Risk Checks by RDC
http://www.rdc.com/delivery/rdc-search
Shared Assessment Questionnaires
www.sharedassessments.org
Editor's Notes
Critical thinking and decision making cannot be outsourced. This is your role, and your organization will need you to always fulfill it, even as services migrate to the cloud. Many people can share responsibility, but only one can be the accountable owner; risk accountability ownership still resides with you. Legal contracts can provide you and your organization with risk transfer coverage: you can transfer financial risks through legal contracts and insurance, but you cannot transfer compliance requirements or penalties. Even if you complete a thorough risk assessment report and the business sponsor signs off their acceptance of it, in the event of a breach you are the one called to guide the security breach response and to submit a breach assessment report to the Board of Directors with a risk management action plan to reduce the chance of similar breaches in future.
Most of the 300-question questionnaires are oriented to the software licensing model, e.g. "Do you have backdoors in the software where you could shut us down?" Using a canned set of questions shows you lack understanding of the topic. When questions are irrelevant, the provider simply "checks the box".
Flex your risk assessment methodology to fit the data risk profile. Don't settle for the first documents given by the cloud vendor. Request an interview meeting with their designated information security officer or designated information security engineer to probe areas of weakness. Request customer references and either a list of active customers or the number of active customers. When you present your assessment report, be overtly clear to the business sponsor about the "high risks" you found and supply written risk management recommendations. Request the business sponsor's signature of understanding of the identified risks and the recommended risk management action steps contained in your 3rd Party IRA report.