How to Audit Outsourced IT Environments?
• What are the challenges when auditing outsourced IT environments?

• How to include outsourced IT environments in your audit?


Rob Kloots – CISA CISM CRISC,
Owner, TrustingtheCloud
CSA-BE volunteer

Berlin, June 2012
Topics

• Key Cloud Security Problems
• The GRC Stack
• CSA Guidance Research
• Transparency
• Cloud Controls Matrix (CCM)
• CCM – 98 Controls
• Guidance
• The CAI Questionnaire
• CloudAudit Objectives & Alignment
Key Cloud Security Problems

From CSA Top Threats Research:
• Trust: Lack of Provider transparency, impacts Governance, Risk Management, Compliance, and the capture of real value
• Data: Leakage, Loss or Storage in unfriendly geography
• Insecure Cloud software
• Malicious use of Cloud services
• Account/Service Hijacking
• Malicious Insiders
• Cloud-specific attacks
The GRC Stack
Provides trust in the Cloud

(Figure: GRC Stack, three columns)
• Needs and Claims: Security Requirements and Capabilities
• Evidence and Assurance: Security Transparency and Visibility
• Payoffs and Protection: Compliance and Trust

Delivering evidence-based confidence… with compliance-supporting data & artifacts.
A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack

(Table: Delivering | Stack Pack | Description; the Stack Pack column was an image)
• Continuous monitoring … with a purpose: common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
• Claims, offers, and the basis for auditing service delivery: common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
• Pre-audit checklists and questionnaires to inventory controls: industry-accepted ways to document what security controls exist
• The recommended foundations for controls: fundamental security principles in specifying the overall security needs of cloud consumers and assessing the overall security risk of a cloud provider
A Headstart for Control and Compliance
Forged by the Global Marketplace; Ready for All

(Table: columns Professional | Government | Commercial; legend: In place / Offered)
• Continuous monitoring … with a purpose (???): common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers
• Claims, offers, and the basis for auditing service delivery (???): common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
• Pre-audit checklists and questionnaires to inventory controls (FedRAMP, DIACAP, other C&A standards): industry-accepted ways to document what security controls exist
• Recommended foundations for controls (SSAE SOC2 control assessment criteria; NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …): fundamental security principles in assessing the overall security risk of a cloud provider
CSA Guidance Research

Popular best practices for securing cloud computing: 14 Domains of concern, in governing & operating groupings.

Cloud Architecture

Governing the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability

Operating in the Cloud:
• Security, Bus. Cont., and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization

(Vertical label on the slide: Transparency)
Transparency

(Figure: Transparency)
Source: NIST SP500-291-v1.0, p. 42, Figure 12
Cloud Controls Matrix (CCM)

Leadership Team
• Becky Swain – EKKO Consulting
• Philip Agcaoili – Cox Communications
• Marlin Pohlman – EMC, RSA
• Kip Boyle – CSA

Versions: v1.0 (Apr 2010), v1.1 (Dec 2010), v1.2 (Aug 2011), v2.0 (2012)

Controls baselined and mapped to:
• COBIT
• BITS Shared Assessments
• HIPAA/HITECH Act
• Jericho Forum
• ISO/IEC 27001-2005
• NERC CIP
• NIST SP800-53
• FedRAMP
• PCI DSS v2.0
CCM – 98 Controls

(Slides 10–13: CCM control listing, image only)

Control Matrix >> Guidance >> ISO

(Slide 14: mapping diagram, image only)

The CAI Questionnaire

(Slide 15: image only)
Sample Questions to Vendors

Compliance - Independent Audits (CO-02)
• CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
• CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
• CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
• CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
• CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
• CO-02f - Are the results of the network penetration tests available to tenants at their request?
• CO-02g - Are the results of internal and external audits available to tenants at their request?

Data Governance - Classification (DG-02)
• DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
• DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag, etc.)?
• DG-02c - Do you have a capability to use system geographic location as an authentication factor?
• DG-02d - Can you provide the physical location/geography of storage of a tenant’s data upon request?
• DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
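The DG-02 questions describe provider capabilities a tenant can turn into audit evidence: VMs carry policy tags/metadata (DG-02a), the provider reports where they run (DG-02d), and the tenant defines acceptable geographies (DG-02e). As an added example, not code from the deck or from the CSA, the following Python check evaluates a constructed VM inventory against a constructed tenant geography policy; all tag keys, field names, country codes and sample records are assumptions.

```python
"""Tenant-side geography placement check built on the CAI DG-02a/DG-02d/DG-02e idea.

Added example: not code from the deck or from the CSA. Every field name, tag key,
country code and sample record below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

CLASSIFICATION_TAG = "data_classification"   # constructed tag key (DG-02a metadata)


@dataclass
class VirtualMachine:
    vm_id: str
    country: Optional[str]       # provider-reported location (DG-02d); None = not reported
    tags: dict = field(default_factory=dict)   # DG-02a policy tags/metadata


@dataclass(frozen=True)
class Violation:
    vm_id: str
    kind: str                    # untagged | unknown_classification | location_unreported | wrong_geography
    classification: str
    country: str
    detail: str


# Tenant policy (DG-02e): for each data classification, the countries in which a
# VM carrying that data may be instantiated. Constructed values.
TENANT_POLICY = {
    "public":       {"BE", "DE", "NL", "US"},
    "internal":     {"BE", "DE", "NL"},
    "confidential": {"BE", "DE"},
}


def evaluate_placement(vms, policy):
    """Return one Violation per VM that cannot be shown to comply with the policy.

    Fail-closed: a VM without a classification tag, with a classification the
    policy does not know, or without a reported location is a finding rather than
    a silent pass, because the tenant then has no evidence to judge its placement.
    """
    violations = []
    for vm in vms:
        classification = vm.tags.get(CLASSIFICATION_TAG)
        country = vm.country if vm.country is not None else "<unreported>"
        if classification is None:
            violations.append(Violation(vm.vm_id, "untagged", "<untagged>", country,
                                        "missing %s tag" % CLASSIFICATION_TAG))
            continue
        allowed = policy.get(classification)
        if allowed is None:
            violations.append(Violation(vm.vm_id, "unknown_classification", classification,
                                        country, "classification not covered by tenant policy"))
            continue
        if vm.country is None:
            violations.append(Violation(vm.vm_id, "location_unreported", classification,
                                        country, "provider did not report a location"))
            continue
        if vm.country not in allowed:
            violations.append(Violation(vm.vm_id, "wrong_geography", classification, country,
                                        "allowed: %s" % ", ".join(sorted(allowed))))
    return violations


def summarize(violations):
    """Count findings per kind, as an auditor would tabulate them for the report."""
    counts = {}
    for v in violations:
        counts[v.kind] = counts.get(v.kind, 0) + 1
    return counts


# Constructed inventory, as a provider might return it via tag/metadata queries.
SAMPLE_INVENTORY = [
    VirtualMachine("vm-001", "BE", {CLASSIFICATION_TAG: "confidential"}),  # compliant
    VirtualMachine("vm-002", "US", {CLASSIFICATION_TAG: "confidential"}),  # wrong geography
    VirtualMachine("vm-003", "US", {CLASSIFICATION_TAG: "public"}),        # compliant
    VirtualMachine("vm-004", "NL", {}),                                    # untagged
    VirtualMachine("vm-005", "DE", {CLASSIFICATION_TAG: "secret"}),        # unknown class
    VirtualMachine("vm-006", "FR", {CLASSIFICATION_TAG: "internal"}),      # wrong geography
    VirtualMachine("vm-007", None, {CLASSIFICATION_TAG: "confidential"}),  # no location
]


def audit_sample_inventory():
    return evaluate_placement(SAMPLE_INVENTORY, TENANT_POLICY)


if __name__ == "__main__":
    findings = audit_sample_inventory()
    for f in findings:
        print(f"{f.vm_id}: {f.kind} ({f.classification} in {f.country}) - {f.detail}")
    print("summary:", summarize(findings))
```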
CloudAudit Objectives

• Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
• Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology.
Aligned to CSA Control Matrix

• Officially folded CloudAudit under the Cloud Security Alliance in October, 2010
• First efforts aligned to compliance frameworks as established by CSA Control Matrix:
  • PCI DSS
  • NIST 800-53
  • HIPAA
  • COBIT
  • ISO 27002
• Incorporate CSA’s CAI and additional CompliancePacks
• Expand alignment to “infrastructure” and “operations”-centric views also
Holistic approach around controls…

… and Architecture best practices

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
Any Questions?

Rob Kloots – CISA CISM CRISC,
Owner, TrustingtheCloud
volunteer CSA-BE

M +32.499-374713   e rob.kloots@trustingthecloud.eu
