Tweet #csamtg
Cloud Security Alliance
Q1’12 Chapter Meeting

1
Welcome
Definition of some commonly used, but often misunderstood terms.

Subject matter might be controversial.

Please make a note of the page number, jot down your thoughts, and hold questions and comments for the discussion period (only 30 seconds per slide!).

OR

Tweet #csamtg with slide number X and your question or comment.

[Callout: Please keep clean?]

2
Standard
stand·ard [stan-derd] noun
1. something considered by an authority or by general consent as a basis of comparison; an approved model.

3
Who Defines Standards?
What does it mean to have a clean house?

Who should decide?
• Occupants of the house
• Independent authority or general consent

[Callout: Why not?]

4
Standards
“Clean” Defined by Occupant:
1. Self defined – not a standard by definition
   • No clutter
   • Clean floors
   • No food left on the counter

[Callout: Bare Minimum]

5
Standards
“Clean” Defined by Authority:
2. Broad objectives
   • No clutter
   • No dishes in the sink
   • Clean floors
   • No dust
   • No food left on the counter
   • Everything in its place

[Callout: Get to decide what this means to you.]

6
Standards
“Clean” Defined by Authority (cont.):
3. More detailed
   • No clutter
     – No clothes on the floor
     – Beds must be made
     – No excessive trinket collection or picture hanging
   • No dishes in the sink
     – Dishes must be placed in the dishwasher immediately
     – Sink must be washed after use
   • Clean floors
     – Carpeted floors must be vacuumed daily
     – Tiled floors must be cleaned daily with bleach
     – Baseboards must be wiped down with a rag by hand
   • No dust
     – All furniture surface areas must be dusted daily
     – The inside of the refrigerator, stove, and all appliances must be wiped daily

[Callout: Sometimes not applicable]

7
Standards
“Clean” Defined by Authority (cont.):
4. Hybrid – Even more detailed in some areas, but not applicable in others
   • No clutter (in the kitchen)
     – Nothing on the floor
     – No counter top appliances
     – Range must be electric
     – All appliances must be stainless steel
   • No dishes in the sink
     – Sink must not be used for washing dishes
     – Dishwasher must be commercial quality
   • Clean floors (in the kitchen)
     – Floors must be cleaned daily with bleach
     – Baseboards must be wiped down with a rag by hand
     – Anti-bacterial spray must be used daily
   • No dust (in the kitchen)
     – The outside of the refrigerator, stove, and all appliances must be wiped daily
     – The inside of the refrigerator, stove, and all appliances must be wiped daily
   • Bedrooms, living rooms, den, bathrooms, etc. (N/A)

8
Assurance
as·sur·ance [uh-shoor-uhns, -shur-] noun
1. a positive declaration intended to give confidence

9
Assurance
1. My house is clean.
   [Callout: Really?]
2. His house was clean when I inspected it.
   [Callouts: What about before? / What about after?]
3. His house was clean all last year.
   [Callouts: How do you know? / What about after?]
4. His house is continually clean.

10
Assurance
“My house is clean.”
• Self Assessment or Management Attestation
• High risk – Low reliability
• Requires a high degree of trust in the person making the attestation
• Lack of accountability. Leads to cutting corners because no one is looking.

11
Assurance
“His house was clean when I checked.”
• Third Party Attestation (Point in Time)
• Medium risk & reliability
• Provides minimal if any assurance, and still requires trust.
• Lack of accountability. Leads to cutting corners when no one is looking.

12
Assurance
“His house was clean all last year.”
• Third Party Attestation (Period of Time)
• Low risk – High reliability: “Trust, but verify”
• Provides reasonable assurance.
• Accountability exists. When corners are cut, there is a high likelihood of being caught.

13
Assurance
“His house is continually clean.”
• Perpetual Validation (Real Time – Utopia)
• Little to no risk – Very high reliability
• Provides near absolute assurance, and does not require trust
• Accountability exists. Corners cannot be cut, or there is a certainty of being caught.

14
Certified
cer·ti·fied [sur-tuh-fahyd] adjective
1. having or proved by a certificate
2. guaranteed; reliably endorsed

[Callouts: I am a CISA. / Does ISACA guarantee my work?]

15
Which Assurance Should “Certified” Belong To?
1. Self Assessment
2. Third Party Attestation – Point in Time
3. Third Party Attestation – Period of Time
4. Perpetual Validation – Real Time Utopia

[Callout: Please tweet answer.]

16
Security Standards & Assurance

Standard                                  | Standard Category                                 | Assurance
------------------------------------------|---------------------------------------------------|-------------------------------------------------
CSA STAR (CCM, CAIQ, etc.)                | More Detailed                                     | Self Assessment
NIST/FedRAMP                              | More Detailed                                     | Self Assessment
COBIT                                     | Broad Objectives                                  | Self Assessment
HIPAA / HITRUST                           | Broad Objectives                                  | Point in Time
ISO 27001                                 | Broad Objectives                                  | Point in Time
PCI-DSS                                   | Hybrid – Focused on cardholder data environments  | Point in Time
N/A – Controls related to financial       | Self Defined                                      | AICPA SSAE 16 – SOC1 (formerly SAS70):
statement accuracy only                   |                                                   | Type 1 – Point in Time; Type 2 – Period of Time
Trust Services Principles & Criteria      | Broad Objectives                                  | AICPA SSAE 10~14 – SOC2/SOC3:
(TSPC)                                    |                                                   | Type 1 – Point in Time; Type 2 – Period of Time

17
Issues Created for Service Organizations
• Forced to satisfy customers’ need for assurance with multiple standards and audits.
• Wasting time scheduling and supporting external auditors from multiple firms.
• Wasting time scheduling and supporting audits by customers exercising their “right to audit.”
• Lack of clarity and confusion regarding customer expectations.

18
Is there a “Silver Bullet” to Satisfy Everyone?
No.
• Governing bodies will always require their own standards and reports (i.e. VISA and Mastercard require PCI; the Federal Government requires HIPAA compliance).
• Customers have to provide their external auditors with reports that meet their requirements.

19
What can be done to reduce the burden of compliance?
Take the best from each available Standard and Assurance:
Get Period of Time Assurance with More Detailed Standards.

[Callout: How?]

20
What can be done to reduce the burden of compliance?
Use a SOC2 Type 2 Report as the Assurance wrapper for any or all of the following:
   o ISO 27002
   o CSA CCM
   o PCI-DSS
   o HITECH
   o NIST/FedRamp

[Callouts: What? / What good would it do? Reports come from separate auditors. / Who would test? Accountants?]

21
SOC2 and “Additional Subject Matter”
• The SOC2 Attestation Standard (AT-101 or SSAE 10~14) allows for inclusion of other standards
• CPA firms can partner with QSAs and ISO registrars to conduct testing together, eliminating testing redundancy

[Callouts: PCI-DSS / TSPC / Is this even allowed? Yes… “Technical Specialists”, AT-101 / Is there much overlap in standards? Yes.]

22
SOC2 and “Additional Subject Matter”
• At the end of the engagement, organizations receive a SOC2 report that covers a period of time
  AND
• They receive separate reports covering the other standards, i.e. PCI-DSS (ROC) and/or ISO 27001 Certificate

23
SOC2 and “Additional Subject Matter”
• One core set of audit work serves as the basis for multiple reports
• Customers receive
  o The solid detail that great standards like CSA CCM provide
  o Little to no risk – very high reliability provided by period of time testing
  o Specific reports to satisfy everybody
  o International acceptance

24
Objectors Say
• CPA firms that are not competent to perform CSA STAR, ISO 27001, PCI-DSS, etc. testing are not competent to accept the engagement, referencing SAS 73 as the Technical Specialist guideline CPA firms must follow.

• We say, the AICPA provided for the use of technical specialists in AT-101, and the standard is clear. The use of specialists to demonstrate competence is allowed.

[Sidebar, quoting AT-101: This knowledge requirement may be met, in part, through the use of one or more specialists on a particular attest engagement if the practitioner has sufficient knowledge of the subject matter (a) to communicate to the specialist the objectives of the work and (b) to evaluate the specialist's work to determine if the objectives were achieved.]

25
Objectors Say
• ISO 27001 is a real time assurance because the certificate is valid for three years.

• We say, read the fine print. The certificate is void if any of the terms in the certificate agreement are broken. See "Proof that ISO 27001 is a Point-in-Time Assurance".

26
Objectors Say
• Period of Time assurance is no better than Point in Time assurance because both are “dated”, meaning they are irrelevant even before they are issued.

• We say, the discipline that is instilled in an organization that knows there is an increased likelihood of being caught when it strays shifts culture in the direction of better security.

27
Discussion & Reading
The Risk Assurance Revolution has Begun
http://riskassuranceguy.blogspot.com/2012/01/risk-assurance-revolution-has-begun.html

SOC Reports: The customer is always right
http://turnkeyit.blogspot.com/2012/01/soc-reports-customer-is-always-right.html

Standards, Audits, and Certifications: Which One is Right?
http://www.infosecisland.com/blog/show/slug/19296-Standards-Audits-and-Certifications-Which-One-is-Right/page/2.html

When I See a Can in the Road, All I Want to do is Smash It
https://www.infosecisland.com/blogview/19769-When-I-See-a-Can-in-the-Road-All-I-Want-to-do-is-Smash-It.html

Why Data Centers Don't Need SSAE 16
https://www.infosecisland.com/blogview/16080-Why-Data-Centers-Dont-Need-SSAE-16.html

Why Data Centers Need SSAE 16
https://www.infosecisland.com/blogview/16952-Why-Data-Centers-Need-SSAE-16.html

SOC 2 for Cloud Computing
https://www.infosecisland.com/blogview/17174-SOC-2-for-Cloud-Computing.html

AICPA Fumbles Audit Standards at the 5-Yard Line
http://www.datacenterknowledge.com/archives/2012/01/19/aicpa-fumbles-audit-standards-at-the-5-yard-line/

Good Reading:
http://www.schrammassurance.com/wp-content/uploads/2012/01/11-Schramm-SAS70-to-AT101-KLv4.pdf
http://cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/Standards/StandardsImplementationGuidance

CSA Atlanta Chapter Q1’12 Meeting Feedback:
http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=91992030&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&trk=group_most_recent_rich-0-b-ttl&goback=.gmr_3664160
http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=46520870&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&goback=.gmr_3664160.gde_3664160_member_91992030

LinkedIn Group on SOC Reports:
http://www.linkedin.com/groups/SOC-formerly-SAS70-Reports-4223260?

28
The Cloud Security Alliance Governance, Risk, and Compliance (CSA GRC) Stack

• A suite of four integrated and reinforcing CSA initiatives (the
  “stack packages”)
   –   The Stack Packs
       •   Cloud Controls Matrix
       •   Consensus Assessments Initiative
       •   Cloud Audit
       •   CloudTrust Protocol
• Designed to support cloud consumers and cloud providers
• Prepared to capture value from the cloud as well as support
  compliance and control within the cloud


                         The CSA GRC V2.0 Workshop | Ron Knode   7 Oct 2011   Page 29
The CSA GRC Stack
Bringing the Stack Pack Together

[Diagram: a table mapping each stack pack to what it delivers and a description; the description column is cut off in the source, so only the fragments below survive.]

Delivering:
• Continuous monitoring … with a purpose
• Claims, offers, and the basis for auditing service delivery
• Pre-audit checklists and questionnaires to inventory controls
• The recommended … (cut off)

Description (cut off in the source):
• Common technique an… request and receive ev… of current cloud servic… circumstances from clo…
• Common interface and… automate the Audit, As… and Assurance (A6) of…
• Industry-accepted way… security controls exist…
• Fundamental security p… specifying the overall s…

Page 30
CSA GRC Value Equation Contributions for Consumers and Providers
• Individually useful
• Collectively powerful
• Productive way to reclaim end-to-end information risk management capability

Static claims & assurances:
• What control requirements should I have as a cloud consumer or cloud provider?
• How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
• How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?

Dynamic (continuous) monitoring and transparency:
• How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?

Page 31
Using the GRC Stack
Making the Stack Pack Approach Work for You

• Easy to get started
• Many successful combinations
• Benefits accrue with each stack pack addition
• Multiple alternatives to application and deployment
• Mapped across multiple compliance mandates

Page 32
2011 Recap
• GRC Stack Training Courses offered across US and Europe
• Cloud Security Alliance acquires CTP from CSC (July)
• CCM 1.2 released (August)
• CAIQ 1.1 released (September)

2012
• CCM v1.3
• CAIQ and CCM migrating to database format
• More GRC Stack Training Courses (TBA)
• 2012 CTP Roadmap release – Volunteer opportunities and more details will be announced in Q1

https://cloudsecurityalliance.org/research/grc-stack/
https://cloudsecurityalliance.org/star/
The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud service providers.
It helps users assess the security of cloud providers they currently use or are considering contracting with.
It is a simple but powerful idea: cloud providers post self assessments of their cloud services, CSA makes these assessments publicly available, and cloud consumers can use this data to make informed purchasing decisions.
It supports CSA GRC Stack, AICPA SOC, ISO 27001, FedRAMP, etc.
CSA Summit 2012 at RSA USA
February 27 – March 2
Moscone Center – San Francisco
Help Us Secure Cloud Computing
 –   www.cloudsecurityalliance.org
 –   info@cloudsecurityalliance.org
 –   LinkedIn: www.linkedin.com/groups?gid=1864210
 –   Twitter: @cloudsa
About Us

Phil Agcaoili
@hacksec

38

Cloud Security Alliance Q1'12 Chapter Meeting SOC2 Report

  • 1. Cloud Security Alliance Q1’12 Chapter Meeting (Tweet #csamtg)
  • 2. Welcome
    Definition of some commonly used, but often misunderstood terms. Subject matter might be controversial. Please make a note of the page number, jot down your thoughts, and hold questions and comments for the discussion period (only 30 seconds per slide!), OR tweet #csamtg with slide number X and your question or comment. (Callout: Please keep clean?)
  • 3. Standard
    stand·ard [stan-derd] noun. 1. something considered by an authority or by general consent as a basis of comparison; an approved model.
  • 4. Who Defines Standards?
    What does it mean to have a clean house? Who should decide? (Callout: Why not?)
    - Occupants of the house
    - Independent authority or general consent
  • 5. Standards: “Clean” Defined by Occupant
    1. Self defined - not a standard by definition (Callout: Bare Minimum)
    - No clutter
    - Clean floors
    - No food left on the counter
  • 6. Standards: “Clean” Defined by Authority
    2. Broad objectives (Callout: Get to decide what this means to you.)
    - No clutter
    - No dishes in the sink
    - Clean floors
    - No dust
    - No food left on the counter
    - Everything in its place
  • 7. Standards: “Clean” Defined by Authority (cont.)
    3. More detailed
    - No clutter
      - No clothes on the floor
      - Beds must be made
      - No excessive trinket collection or picture hanging
    - No dishes in the sink (Callout: Sometimes not applicable)
      - Dishes must be placed in the dishwasher immediately
      - Sink must be washed after use
    - Clean floors
      - Carpeted floors must be vacuumed daily
      - Tiled floors must be cleaned daily with bleach
      - Baseboards must be wiped down with a rag by hand
    - No dust
      - All furniture surface areas must be dusted daily
      - The inside of the refrigerator, stove, and all appliances must be wiped daily
  • 8. Standards: “Clean” Defined by Authority (cont.)
    4. Hybrid – Even More Detailed in some areas, but not applicable in others
    - No clutter (in the kitchen)
      - Nothing on the floor
      - No counter top appliances
      - Range must be electric
      - All appliances must be stainless steel
    - No dishes in the sink
      - Sink must not be used for washing dishes
      - Dishwasher must be commercial quality
    - Clean floors (in the kitchen)
      - Floors must be cleaned daily with bleach
      - Baseboards must be wiped down with a rag by hand
      - Anti-bacterial spray must be used daily
    - No dust (in the kitchen)
      - The outside of the refrigerator, stove, and all appliances must be wiped daily
      - The inside of the refrigerator, stove, and all appliances must be wiped daily
    - Bedrooms, living rooms, den, bathrooms, etc. (N/A)
  • 9. Assurance
    as·sur·ance [uh-shoor-uhns, -shur-] noun. 1. a positive declaration intended to give confidence:
  • 10. Assurance
    1. My house is clean. (Callout: Really?)
    2. His house was clean when I inspected it. (Callouts: What about before? What about after?)
    3. His house was clean all last year. (Callouts: What about after? How do you know?)
    4. His house is continually clean.
  • 11. Assurance: “My house is clean.”
    - Self Assessment or Management Attestation
    - High Risk – Low Reliability
    - Requires high degree of trust in the person making the attestation
    - Lack of accountability. Leads to cutting corners because no one is looking.
  • 12. Assurance: “His house was clean when I checked.”
    - Third Party Attestation (Point in Time)
    - Medium Risk & Reliability
    - Provides minimal if any assurance, and still requires trust.
    - Lack of accountability. Leads to cutting corners when no one is looking.
  • 13. Assurance: “His house was clean all last year.”
    - Third Party Attestation (Period of Time)
    - Low Risk – High Reliability: “Trust, but verify”
    - Provides reasonable assurance.
    - Accountability exists - when corners are cut, there is a high likelihood of being caught.
  • 14. Assurance: “His house is continually clean.”
    - Perpetual Validation (Real Time - Utopia)
    - Little to No Risk – Very High Reliability
    - Provides near absolute assurance, and does not require trust
    - Accountability exists. Corners cannot be cut, or there is a certainty of being caught.
  • 15. Certified
    cer·ti·fied [sur-tuh-fahyd] adjective. 1. having or proved by a certificate 2. guaranteed; reliably endorsed: (Callouts: I am a CISA. Does ISACA guarantee my work?)
  • 16. Which Assurance Should “Certified” Belong To? (Callout: Please tweet answer.)
    1. Self Assessment
    2. Third Party Attestation – Point in Time
    3. Third Party Attestation – Period of Time
    4. Perpetual Validation – Real Time Utopia
  • 17. Security Standards & Assurance
    Standard | Standard Category | Assurance
    CSA STAR (CCM, CAIQ, etc.) | More Detailed | Self Assessment
    NIST/FedRAMP | More Detailed | Self Assessment
    COBIT | Broad Objectives | Self Assessment
    HIPAA / HITRUST | Broad Objectives | Point in Time
    ISO 27001 | Broad Objectives | Point in Time
    PCI-DSS | Hybrid – Focused on cardholder data environments | Point in Time
    AICPA SSAE 16 - SOC1 (formerly SAS70) | N/A – Controls Related to Financial Statement Accuracy Only; Self Defined | Type 1 – Point in Time; Type 2 – Period of Time
    AICPA SSAE 10~14 – SOC2/SOC3 | Trust Services Principles & Criteria (TSPC); Broad Objectives | Type 1 – Point in Time; Type 2 – Period of Time
  • 18. Issues Created for Service Organizations
    - Forced to satisfy customers’ need for assurance with multiple standards and audits.
    - Wasting time scheduling and supporting external auditors from multiple firms.
    - Wasting time scheduling and supporting audits by customers exercising their “right to audit.”
    - Lack of clarity and confusion regarding customer expectations.
  • 19. Is there a “Silver Bullet” to Satisfy Everyone? No.
    - Governing bodies will always require their own standards and reports (i.e. VISA and Mastercard require PCI, the Federal Government requires HIPAA compliance).
    - Customers have to provide their external auditors reports that meet their requirements.
  • 20. What can be done to reduce the burden of compliance? (Callout: How?)
    Take the best from each available Standard and Assurance: get Period of Time Assurance with More Detailed Standards.
  • 21. What can be done to reduce the burden of compliance? (Callout: What?)
    Use a SOC2 Type 2 Report as the Assurance wrapper for any or all of the following:
    - ISO 27002
    - CSA CCM
    - PCI-DSS
    - HITECH
    - NIST/FedRamp
    (Callouts: What good would it do? Who would test? Accountants? Reports come from separate auditors.)
  • 22. SOC2 and “Additional Subject Matter”
    - The SOC2 Attestation Standard (AT-101 or SSAE 10~14) allows for inclusion of other standards. (Diagram: PCI-DSS and TSPC)
    - CPA firms can partner with QSAs and ISO registrars to conduct testing together, eliminating testing redundancy.
    - Is this even allowed? Yes… “Technical Specialists” (AT-101)
    - Is there much overlap in standards? Yes.
  • 23. SOC2 and “Additional Subject Matter”
    - At the end of the engagement, organizations receive a SOC2 report that covers a period of time AND
    - They receive separate reports covering the other standards, i.e. PCI-DSS (ROC) and / or ISO 27001 Certificate
  • 24. SOC2 and “Additional Subject Matter”
    - One core set of audit work serves as the basis for multiple reports
    - Customers receive:
      - Solid detail that great standards like CSA CCM provide
      - Little to No Risk – Very high reliability provided by period of time testing
      - Specific reports to satisfy everybody
      - International Acceptance
  • 25. Objectors Say
    - CPA firms that are not competent to perform CSA STAR, ISO 27001, PCI-DSS, etc. testing are not competent to accept the engagement, referencing SAS 73 as the Technical Specialist guideline CPA firms must follow.
    - Quoted text on the slide (AT-101): “This knowledge requirement may be met, in part, through the use of one or more specialists on a particular attest engagement if the practitioner has sufficient knowledge of the subject matter (a) to communicate to the specialist the objectives of the work and (b) to evaluate the specialist's work to determine if the objectives were achieved.”
    - We say, the AICPA provided for the use of technical specialists in AT-101, and the standard is clear. The use of specialists to demonstrate competence is allowed.
  • 26. Objectors Say
    - ISO 27001 is a real time assurance because the certificate is valid for three years.
    - We say, read the fine print. The certificate is void if any of the terms in the certificate agreement are broken. See “Proof that ISO 27001 is a Point-in-Time Assurance”.
  • 27. Objectors Say
    - Period of Time assurance is no better than Point in Time assurance because both are “dated”, meaning they are irrelevant even before they are issued.
    - We say, the discipline that is instilled in an organization that knows there is an increased likelihood of being caught when it strays shifts culture in the direction of better security.
  • 28. Discussion & Reading
    - The Risk Assurance Revolution has Begun: http://riskassuranceguy.blogspot.com/2012/01/risk-assurance-revolution-has-begun.html
    - SOC Reports: The customer is always right: http://turnkeyit.blogspot.com/2012/01/soc-reports-customer-is-always-right.html
    - Standards, Audits, and Certifications: Which One is Right? http://www.infosecisland.com/blog/show/slug/19296-Standards-Audits-and-Certifications-Which-One-is-Right/page/2.html
    - When I See a Can in the Road, All I Want to do is Smash It: https://www.infosecisland.com/blogview/19769-When-I-See-a-Can-in-the-Road-All-I-Want-to-do-is-Smash-It.html
    - Why Data Centers Don't Need SSAE 16: https://www.infosecisland.com/blogview/16080-Why-Data-Centers-Dont-Need-SSAE-16.html
    - Why Data Centers Need SSAE 16: https://www.infosecisland.com/blogview/16952-Why-Data-Centers-Need-SSAE-16.html
    - SOC 2 for Cloud Computing: https://www.infosecisland.com/blogview/17174-SOC-2-for-Cloud-Computing.html
    - AICPA Fumbles Audit Standards at the 5-Yard Line: http://www.datacenterknowledge.com/archives/2012/01/19/aicpa-fumbles-audit-standards-at-the-5-yard-line/
    Good Reading:
    - http://www.schrammassurance.com/wp-content/uploads/2012/01/11-Schramm-SAS70-to-AT101-KLv4.pdf
    - http://cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/Standards/StandardsImplementationGuidance
    CSA Atlanta Chapter Q1’12 Meeting Feedback:
    - http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=91992030&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&trk=group_most_recent_rich-0-b-ttl&goback=.gmr_3664160
    - http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=46520870&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&goback=.gmr_3664160.gde_3664160_member_91992030
    LinkedIn Group on SOC Reports: http://www.linkedin.com/groups/SOC-formerly-SAS70-Reports-4223260?
  • 29. The Cloud Security Alliance Governance, Risk, and Compliance (CSA GRC) Stack
    - A suite of four integrated and reinforcing CSA initiatives (the “stack packages”) – The Stack Packs:
      - Cloud Controls Matrix
      - Consensus Assessments Initiative
      - Cloud Audit
      - CloudTrust Protocol
    - Designed to support cloud consumers and cloud providers
    - Prepared to capture value from the cloud as well as support compliance and control within the cloud
    (Source footer: The CSA GRC V2.0 Workshop | Ron Knode, 7 Oct 2011)
  • 30. The CSA GRC Stack: Bringing the Stack Pack Together
    [Table with columns Delivering | Stack Pack | Description; only fragments survive in the transcript, truncated text marked with …]
    - Delivering: Continuous monitoring with a purpose. Description: Common technique an… request and receive ev… of current cloud servic… circumstances from clo…
    - Delivering: Claims, offers, and the basis for auditing service delivery. Description: Common interface and … automate the Audit, As… and Assurance (A6) of …
    - Delivering: Pre-audit checklists and questionnaires to inventory controls. Description: Industry-accepted way… security controls exist …
    - Delivering: The recommended … Description: Fundamental security p… specifying the overall s…
  • 31. CSA GRC Value Equation: Contributions for Consumers and Providers
    - Individually useful
    - Collectively powerful
    - Productive way to reclaim end-to-end information risk management capability
    Static claims & assurances:
    - What control requirements should I have as a cloud consumer or cloud provider?
    - How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
    - How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
    Dynamic (continuous) monitoring and transparency of service:
    - How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency to all of my cloud users (provider)?
  • 32. Using the GRC Stack: Making the Stack Pack Approach Work for You
    - Easy to get started
    - Many successful combinations
    - Benefits accrue with each stack pack addition
    - Multiple alternatives to application and deployment
    - Mapped across multiple compliance mandates
  • 33. 2011 Recap
    - GRC Stack Training Courses offered across US and Europe
    - Cloud Security Alliance acquires CTP from CSC (July)
    - CCM 1.2 released (August)
    - CAIQ 1.1 released (September)
  • 34. 2012
    - CCM v1.3
    - CAIQ and CCM migrating to database format
    - More GRC Stack Training Courses (TBA)
    - 2012 CTP Roadmap release – Volunteer opportunities and more details will be announced in Q1
    https://cloudsecurityalliance.org/research/grc-stack/
  • 35. https://cloudsecurityalliance.org/star/
    The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud service providers. It helps users assess the security of cloud providers they currently use or are considering contracting with. It is a simple but powerful idea: cloud providers post self assessments of their cloud services, CSA makes these assessments publicly available, and cloud consumers can use this data to make informed purchasing decisions. It supports CSA GRC Stack, AICPA SOC, ISO 27001, FedRAMP, etc.
  • 36. CSA Summit 2012 at RSA - USA
    February 27 – March 2, Moscone Center - San Francisco
  • 37. Help Us Secure Cloud Computing
    - www.cloudsecurityalliance.org
    - info@cloudsecurityalliance.org
    - LinkedIn: www.linkedin.com/groups?gid=1864210
    - Twitter: @cloudsa

Editor's Notes

  1. Do visit the website. Do join the LinkedIn Groups – you will receive regular email updates.
  2. Do visit the website. Do join the LinkedIn Groups – you will receive regular email updates.