Agenda
Is the Cloud Trustworthy?
Which Cloud Risks concern you?
Managing the Cloud
Cloud Auditing and Assurance
Summary
© Kuppinger Cole 2012
IS THE CLOUD TRUSTWORTHY?
“…strive to deliver products that are ‘as available, reliable and secure as standard services such as electricity, water services and telephony.’” – Bill Gates, email, Jan 12, 2002
Is this a Cloud Service?
Secure – approved for the transmission of patient data. Government accredited to 'RESTRICTED' status.
Resilient – based in two data centres; the disaster recovery design has been fully tested and proved.
Available – via secured encrypted devices. It is available over the NHS N3 network and the internet.
http://www.connectingforhealth.nhs.uk/systemsandservices/nhsmail
Does this make the Cloud Trustworthy?
What does this report mean?
Does it cover what your organization needs?
How does this provider measure up against best practice?
How does this provider compare with others?
https://trust.salesforce.com/trust/assets/pdf/Misc_SysTrust.pdf
WHICH RISKS IN THE CLOUD CONCERN YOU?
Cloud security issues (84.4%) and Cloud privacy and compliance issues (84.9%) are the major inhibitors preventing organizations from moving to a private Cloud. (KuppingerCole Survey)
Cloud Risks
Policy and Organizational:
– Compliance
– Loss of Governance
– Reputation
– Lock in
– Cloud service termination, failure or acquisition
Technical:
– Insider abuse of privilege
– Management interface compromise
– Identity and access management
– Insecure or ineffective data deletion
– Data leakage/interception
– Economic denial of service
– Monitoring/Logging risks
Legal:
– Take it or leave it contract
– Data Protection
– Jurisdiction
– Subpoena, e-Discovery and legal access to data
Loss of Governance
Risk: Probability Very High, Impact High
Is your organization already using the Cloud? You only need a credit card.
– Is there a process for getting the Cloud?
Business Continuity Risk
Risk: Probability Low, Impact High
Lightning Strike in Dublin Downs Amazon, Microsoft Clouds (PCWorld, August 8th, 2011) http://www.pcworld.com/businesscenter/article/237476/lightning_strike_in_dublin_downs_amazon_microsoft_clouds.html/
A lightning strike in Dublin on August 8th caused a power failure in data centers belonging to Amazon and Microsoft, causing the companies' cloud services to go offline. Lightning struck a transformer, sparking an explosion and fire which caused the power outage at 10:41 AM PDT, according to preliminary information, Amazon wrote on its Service Health Dashboard. Under normal circumstances, backup generators would seamlessly kick in, but the explosion also managed to knock out some of those generators. By 1:56 PM PDT, power to the majority of network devices had been restored, allowing Amazon to focus on bringing EC2 (Elastic Compute Cloud) instances and EBS (Elastic Block Storage) volumes back online. But progress was slower than expected, Amazon said a couple of hours later.
Legal Risk – Contract
Risk: Probability Very High, Impact High
In general, outsourcing contracts are negotiated SLAs.
Cloud provider contracts are:
– Largely “take it or leave it”
– May have less onerous obligations on the provider
– Almost total exclusion of liability
Source: Legal Considerations – Cloud computing contracts, Kristof de Vulder, DLA Piper LLP, http://www.isaca.org/Groups/Professional-English/cloud-computing/GroupDocuments/DLA_Cloudcomputing%20legal%20considerations.pdf
MANAGING THE CLOUD
Cloud Governance
Adopting the Cloud means moving from direct management to indirect governance. Taking a good governance approach is the key to safely getting benefits from the Cloud.
Cloud governance steps:
– Identify Business Requirements
– Specify Service to meet business needs
– Assess Risk Probability and Impact and Risk Response
– Assure Delivery of Cloud Service
Specify Service Required
Service Requirements:
– Compliance
– Location of Data
– Security of Data
– Business Continuity
– Identity and Access
– Privilege
– Monitoring
Assess Risk and Choose Response
Risk Scenarios: Assets, Threats, Likelihood, Impact
Risk Tolerance
Risk Analysis
Risk Response: Avoid, Share/Transfer, Reduce/Mitigate, Accept
Choose the Right Cloud
Service Model: IaaS, PaaS, SaaS
Deployment Model: Private, Community, Public, Hybrid
Management: Governance, Security, Integration, Orchestration
Define Responsibilities – Compliance
ISO 27001 Control 15.1.4: Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.
Customer Responsibility: Classify data and identify any legal and regulatory requirements.
Provider Responsibility: Hold and process data in accordance with legal and regulatory requirements.
Define Responsibilities – BC
ISO 27001 Control 14: A business continuity management process should be implemented to minimize the impact on the organization and recover from loss of information assets to an acceptable level.
Customer Responsibility: Prepare and test a business continuity plan for the business need.
Provider Responsibility: Prepare and test service continuity plans for hosted services.
Define Responsibilities – Data Return
ISO 27001 Control 8.3.2: All employees, contractors and third party users should return all of the organization’s assets in their possession upon termination of their employment, contract or agreement.
Customer Responsibility: Ensure that the service contract specifies data ownership and return.
Provider Responsibility: Provide mechanisms for the customer to upload and download data to and from hosted systems.
Monitor against Requirements
Key Goal Indicators measure what needs to be achieved.
Key Performance Indicators measure how well the process is performing.
Mapping allows process performance to be judged against goals.
Example mapping (figure): Goal – Compliance with EU Privacy Laws; Requirements – Information Classification, Legal Processing Clauses, Geographic Location, Data Security Measures; Performance – Cloud Service.
CLOUD AUDITING AND ASSURANCE
What do we have now?
What is needed is a common standard against which to measure Cloud services that is useable by both the customer and the provider.
Many Assurance Frameworks:
– COBIT
– ISO/IEC 27001-27005
– AICPA Service Organization Control Reports
– AICPA/CICA Trust Services (SysTrust and WebTrust)
– Cloud Security Alliance Controls Matrix
– BITS Shared Assessment Program
– Jericho Forum® Self-Assessment Scheme (SAS)
– CSA Shared Assessments
– ENISA Procuresecure
– German BSI Security Recommendations for Cloud Computing Providers
Governance Frameworks Used
Bar chart (ENISA Survey of SLAs across EU Public Sector, Dec 2011), "Governance Frameworks and Security Standards Used", axis 0 to 80; categories: ISO 2700x, COBIT, ITIL, TOGAF, Other, Custom Frameworks, None.
Provider Standards
Are your IT service providers obliged to adhere to these standards too? (ENISA Survey of SLAs across EU Public Sector, Dec 2011)
– Yes, 22%
– Yes, some, 46%
– No, 19%
– Don't know, 13%
Service Level Agreements
Security Relevant Service Parameters:
– Service availability
– Incident response
– Service elasticity and load tolerance
– Data life-cycle management
– Technical compliance and vulnerability management
– Change management
– Data isolation
– Log management and forensics
How to measure them:
– What to measure – which parameters of the service should be monitored throughout the contract.
– How to measure them – how the data can be collected in practice.
– How to get independent measurements – which features of the service can be monitored independently from the provider, and how.
Source: ENISA Procuresecure, April 2nd, 2012
CSA Cloud Controls Matrix
CCM – 98 controls. Maps relevance to:
– SaaS, PaaS, IaaS
– Provider, Tenant
Mapping to standards:
– COBIT 4.1
– HIPAA
– ISO/IEC 27001-27007
– NIST SP800-53 R3
– PCI DSS v2.0
– BITS Shared Assessments SIG v6.0
– BITS Shared Assessments AUP v5.0
https://cloudsecurityalliance.org/research/initiatives/cloud-controls-matrix/
Service Organization Auditing
SAS (Statement on Auditing Standards)
– SAS 70: Service Organizations – standard since 1992
– Covers financial as well as other aspects
– Auditor to auditor
– Now being split into 2 parts
SSAE (Statement on Standards for Attestation Engagements)
– SSAE 16 – Reporting on Controls at a Service Organization – standard since June 15th, 2011
– Aligns with ISAE No. 3402, Assurance Reports on Controls at a Service Organization
The organization being audited provides the description of risks and controls.
http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx
SSAE 16 Reports
Type 1 Report – auditor opinion:
– Description is fairly presented (i.e. describes what exists).
– Whether controls are suitably designed (i.e. controls are able to achieve described objectives).
Type 2 Report – auditor opinion:
– As Type 1, plus:
– Whether controls were operating effectively (i.e. do achieve control objectives).
– Describes the auditor's tests and results.
Example AWS
SOC 1 Attestation – control objectives attested:
– Security Organization
– Amazon Employee Lifecycle
– Logical Security
– Secure Data Handling
– Physical Security
– Environmental Safeguards
– Change Management
– Data Integrity, Availability and Redundancy
– Incident Handling
http://aws.amazon.com/security/
AICPA Trust Services Coverage
Criteria established by the AICPA for use when providing attestation services on the following areas of systems:
– Security Principle and Criteria
– Availability Principle and Criteria
– Processing Integrity Principle and Criteria
– Confidentiality Principle and Criteria
– Privacy Principles and Criteria
http://www.webtrust.org/principles-and-criteria/item27818.pdf
AICPA Trust Services Principles
Principles and Criteria for each area:
– Policies: The entity defines and documents its policies for the area.
– Communications: The entity communicates its defined policies.
– Procedures: The entity uses procedures to achieve its documented objectives in accordance with its defined policies.
– Monitoring: The entity monitors the system and takes action to maintain compliance with its defined policies.
http://www.webtrust.org/principles-and-criteria/item27818.pdf
Example SalesForce.com
Example based on AICPA/CICA Trust Services principles and criteria for:
– Confidentiality,
– Availability and
– Security.
https://trust.salesforce.com/trust/assets/pdf/Misc_SysTrust.pdf
ISO/IEC 27002
Code of practice for information security management
134 Controls covering:
– Organization of Information Security
– Asset Management
– Human Resources Security
– Physical and Environmental Security
– Communications and Operations Management
– Access Control
– Information Systems Acquisition, Maintenance and Control
– Information Security Incident Management
– Business Continuity Management
http://www.iso.ch
Information security properties (figure): Confidentiality, Integrity, Availability.
Example Microsoft Azure
Confidentiality assured by:
– Identity and access management
– Isolation – logical and physical containers
– Encryption of internal channels
– User must encrypt own data
– Destruction of storage media
Integrity:
– Fabric protected from unauthorized change
– Secure Development Lifecycle
Availability:
– Worldwide data centres
– Data triplication
Compliance:
– ISO 27001 certification of parts of the infrastructure
– Safe Harbor signatory
– Choice of data being located within the EU
– New contracts for Office 365 customers in Germany to end uncertainty about the Patriot Act.
http://www.globalfoundationservices.com/security/
EXAMPLE CLOUD METRICS BASED ON ISO/IEC 27002
If you can’t measure it you can’t manage it.
Measurements should be relevant, simple to understand, and apply to the Cloud as well as to other service delivery models.
Lock in – Data Return
ISO 27001 Control 8.3.2: All employees, contractors and third party users should return all of the organization’s assets in their possession upon termination of their employment, contract or agreement.
Metrics/SLA Checklist (CCM control reference DG-01 Data Ownership/Stewardship; * = star rating):
– Customer owned data clearly identified. *
– Contract specifies ownership of data. *
– Time and cost to return data on termination. *
– Data returned in useable format. *
Compliance – Data Processing
ISO 27001 Control 15.1.4: Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.
Metrics/SLA Checklist (CCM control references CO-01 to CO-03): Cloud Provider provides evidence of meeting compliance requirements.
– Geographic location of data and Cloud Provider infrastructure: EU, US Safe Harbor. *
– Cloud provider does not use other companies whose infrastructure is located outside that of the cloud provider. *
– Cloud provider’s services are not subcontracted or outsourced. *
Business Continuity
ISO 27001 Control 14
Metrics/SLA Checklist (CCM control references RS-01 to RS-04 Resiliency Management):
– Business continuity requirements specified. *
– SLA details availability measurement and metrics. *
– SLA details data backup and restore requirements. *
– SLA details how technical changes are managed. *
– Business continuity processes exist to ensure timely resumption. *
– Customer activities included in plans. *
Summary
Trust in the Cloud depends upon your needs, provider processes and independent assurance.
– Choose the right Cloud based on business need and risk appetite.
– Cloud IT services are no longer under direct control.
– Specify clearly the service and responsibilities.
– Specify the controls and monitor them. Frameworks help.
– Understand what independent certifications and audit reports mean.
For More Information
Mike Small CEng, FBCS, CITP, Senior Analyst, KuppingerCole
www.kuppingercole.com
Email: [email protected]
Email: [email protected]
Mobile: +44 7777 697 300
Information Sources
ISACA:
– IT Control Objectives for Cloud Computing
– COBIT 5 – http://www.isaca.org/
ENISA:
– Cloud Computing: Benefits, risks and recommendations for information security – http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
– Procure Secure: A guide to monitoring of security service levels in cloud contracts – http://www.enisa.europa.eu/activities/application-security/test/procure-secure-a-guide-to-monitoring-of-security-service-levels-in-cloud-contracts
Cloud Security Alliance:
– Security Guidance for Critical Areas of Focus in Cloud Computing – http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
ISO 27001 – Code of practice for information security management – http://www.iso.ch
AICPA – Statement on Standards for Attestation Engagements – http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx
SysTrust/WebTrust – Principles and Criteria – http://www.webtrust.org/principles-and-criteria/item27818.pdf
International Standards for Assurance Engagements (ISAE) No. 3402 – http://isae3402.com/
BITS Shared Assessments – Evaluating Cloud Risk for the Enterprise – http://www.sharedassessments.org/media/pdf-EnterpriseCloud-SA.pdf