INTO THE CLOUD - IAPP · Cloud Adoption and Enhancing Compliance Posture in the Cloud
AGENDA
01. Overview of Cloud Services
02. Cloud Computing Compliance Framework
03. Cloud Adoption and Enhancing Compliance Posture in the Cloud
04. Real-World Experiences – Benefits
05. Real-World Experiences – Challenges
06. Q&A
CLOUD SERVICE MODELS
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
TERMINOLOGY AND CONCEPTS
• Financial reporting impact (ICOFR – Internal Controls Over Financial Reporting)
• Control Objectives / Trust Principles / Criteria / Standards / Management System Standards / Annexes / Frameworks
• Certification / Attestation / Audit / Benchmarking Assessments (Consulting Reports)
• Type 1 vs Type 2 for SOC Reports
• Backward looking / Point in Time / Forward Looking
• Accounting Standards - US / International - SSAE / AT vs ISAE
• Shelf Life – Generally Annual – Annual / 2 Year Cycle / 3 Year Cycle
• Restricted use / Restricted Distribution / Unrestricted
UNDERSTANDING COMPLIANCE NEEDS
• Cloud Service Customer
– Know customer / contractual requirements
– Know cloud service provider commitments
• Cloud Service Provider
– Know customer / contractual requirements
– Know market need
INDUSTRY SPECIFIC ASSESSMENTS
Industry                    Compliance Options
Healthcare                  HIPAA / HITECH, HITRUST
Federal                     FedRAMP, NIST, FISMA
Payment Card Transactions   PCI DSS
Privacy / PII               ISO 27018, Privacy Shield
CLOUD OPERATIONAL CONSIDERATIONS
• Traditional security infrastructure
• Business continuity / disaster recovery operations
– Disaster Recovery v. High Availability
• Access and identity
– Nuts and bolts of connecting internal user stores with external provider / access to internal information by external provider
• Incident management
– Coordination and escalation with external provider
• Encryption management (if applicable)
– Key management and scalable encryption requirements
• Technical infrastructure
– Virtualization, connectivity, bandwidth, performance, etc.
UNDERSTANDING RESPONSIBILITY
• Outsourcing may not extend to compliance
• Ensure clear SLAs (and continuous monitoring of them)
• Target comprehensive coverage
• Anticipate
UNDERSTANDING RESPONSIBILITY - IAAS
Layers shown in the figure: Application, Data, Operating System, Network, Hardware, Facility, Controls Environment
Customer:
• Application usage and user provisioning
• Application security
• Database security
• Operating system configuration
Provider:
• Hardware provisioning and management
• Network management
• Facilities management
UNDERSTANDING RESPONSIBILITY - PAAS
Layers shown in the figure: Application, Data, Operating System, Network, Hardware, Facility, Controls Environment
Customer:
• Application usage and user provisioning
• Application development, deployment and security
• Database management and security
Provider:
• Operating system configuration and provisioning
• Hardware management
• Network management
• Facilities management
UNDERSTANDING RESPONSIBILITY - SAAS
Layers shown in the figure: Application, Data, Operating System, Network, Hardware, Facility, Controls Environment
Customer:
• Application usage and user provisioning
Provider:
• Application development, management and security
• Database management and security
• Operating system configuration
• Hardware management
• Network management
• Facilities management
CLOUD COMPUTING – EXAMPLE RASCI MODEL
R – Responsible – "The doer"
A – Accountable – "The buck stops here"
S – Supported – "The Helper"
C – Consulted – "In the loop"
I – Informed – "Notify me"
BEFORE / AFTER matrices (figure): columns Customer and Cloud Provider (Infrastructure Layer), each with R / A / S / C / I headings; rows: External Network & Security; Applications: Configuration & Patching; Internal Network & Security; Operating System: Updates & Patching; VMware; Computing Hardware – "Bare Metal". The role assignments for BEFORE and AFTER are shown in the figure.
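The RASCI slide relies on two rules that are easy to lose when responsibilities move to a provider: every activity needs exactly one Accountable party and at least one Responsible party. The script below, an added illustration that is not part of the IAPP deck, checks those rules over a matrix and lists the activities where the customer stops being Accountable after the move. The row names are the deck's; the letter assignments, the "Encryption Key Management" row and the BEFORE/AFTER values are constructed for the example and are not the deck's own figures.

```python
"""Validate a RASCI matrix and report which activities shift to the provider.

Added example (not from the IAPP deck). Row names come from the deck's
BEFORE/AFTER figure; every letter assignment below is constructed.
"""
from typing import Dict, List, Set

# activity -> party -> set of RASCI letters held by that party
Matrix = Dict[str, Dict[str, Set[str]]]

VALID_ROLES = {"R", "A", "S", "C", "I"}

ROWS = [
    "External Network & Security",
    "Applications: Configuration & Patching",
    "Internal Network & Security",
    "Operating System: Updates & Patching",
    "VMware",
    "Computing Hardware - Bare Metal",
]

# Constructed BEFORE state: the customer runs everything in house.
BEFORE: Matrix = {row: {"Customer": {"R", "A"}, "Cloud Provider": set()} for row in ROWS}

# Constructed AFTER state, including two deliberately broken rows so the
# checks have something to catch.
AFTER: Matrix = {
    "External Network & Security":            {"Customer": {"R", "A"}, "Cloud Provider": {"S", "C", "I"}},
    "Applications: Configuration & Patching": {"Customer": {"R", "A"}, "Cloud Provider": {"C", "I"}},
    "Internal Network & Security":            {"Customer": {"I"},      "Cloud Provider": {"R", "A", "S"}},
    "Operating System: Updates & Patching":   {"Customer": {"I"},      "Cloud Provider": {"R", "A"}},
    "VMware":                                 {"Customer": {"I"},      "Cloud Provider": {"R", "A"}},
    "Computing Hardware - Bare Metal":        {"Customer": {"I"},      "Cloud Provider": {"R"}},       # nobody Accountable
    "Encryption Key Management":              {"Customer": {"A"},      "Cloud Provider": {"R", "A"}},  # two Accountable (hypothetical row)
}


def validate(matrix: Matrix) -> List[str]:
    """Return findings for rows that break the RASCI rules; empty list means clean."""
    findings: List[str] = []
    for activity, parties in matrix.items():
        letters = {letter for roles in parties.values() for letter in roles}
        unknown = letters - VALID_ROLES
        if unknown:
            findings.append(f"{activity}: unknown role letter(s) {sorted(unknown)}")
        accountable = [party for party, roles in parties.items() if "A" in roles]
        if not accountable:
            findings.append(f"{activity}: no Accountable party")
        elif len(accountable) > 1:
            findings.append(f"{activity}: more than one Accountable party {accountable}")
        if not any("R" in roles for roles in parties.values()):
            findings.append(f"{activity}: no Responsible party")
    return findings


def lost_accountability(before: Matrix, after: Matrix, party: str = "Customer") -> List[str]:
    """Activities where `party` was Accountable before the move and is not afterwards."""
    return [
        activity for activity in before
        if "A" in before[activity].get(party, set())
        and "A" not in after.get(activity, {}).get(party, set())
    ]


if __name__ == "__main__":
    for line in validate(AFTER):
        print("FINDING:", line)
    print("Customer no longer Accountable for:", lost_accountability(BEFORE, AFTER))
```

The second function is the one to run before signing a contract: every activity it lists is one where the customer must confirm, in the SLA, that the provider actually carries the Accountable role rather than it having simply been dropped.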
KNOW WHERE THE DATA IS
• Customers and providers may have external obligations
• National / Regional / Local data management requirements
• Can data be moved without customer consent?
– Who can view it (subcontractors / offshore)
• Safeguarding for discovery
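"Know where the data is" becomes a routine check once the inventory records, for each store, where the primary and every replica live and whether a subcontractor can read it. The script below is an added illustration, not part of the IAPP deck: it compares a constructed storage inventory against per-classification residency rules and flags data outside its allowed regions, subcontractor access granted without consent, and stores whose classification has no rule at all. Resource names, region names and the rules are invented for the example.

```python
"""Data-location check over a constructed cloud storage inventory.

Added example (not from the IAPP deck). Every name, region and rule below
is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Resource:
    name: str
    primary_region: str                     # where the provider stores the primary copy
    classification: str                     # e.g. "phi", "pii", "public"
    replicas: Set[str] = field(default_factory=set)   # regions holding additional copies
    subcontractor_access: bool = False      # can a subprocessor / offshore team read it?


@dataclass
class ResidencyRule:
    regions: Optional[Set[str]]             # None means any region is acceptable
    subcontractor_ok: bool                  # access allowed without explicit consent?


# Constructed residency policy keyed by data classification.
POLICY: Dict[str, ResidencyRule] = {
    "phi":    ResidencyRule({"us-east-1", "us-west-2"}, subcontractor_ok=False),
    "pii":    ResidencyRule({"eu-west-1", "eu-central-1"}, subcontractor_ok=False),
    "public": ResidencyRule(None, subcontractor_ok=True),
}


def check_residency(resources: List[Resource], policy: Dict[str, ResidencyRule] = POLICY) -> List[str]:
    """Return one finding per violated rule; an empty list means the inventory complies."""
    findings: List[str] = []
    for res in resources:
        rule = policy.get(res.classification)
        if rule is None:
            findings.append(f"{res.name}: no residency rule for classification '{res.classification}'")
            continue
        locations = {res.primary_region} | res.replicas
        if rule.regions is not None:
            outside = sorted(locations - rule.regions)
            if outside:
                findings.append(
                    f"{res.name}: {res.classification} data held in {outside}, "
                    f"allowed regions {sorted(rule.regions)}"
                )
        if res.subcontractor_access and not rule.subcontractor_ok:
            findings.append(f"{res.name}: subcontractor access to {res.classification} data without consent")
    return findings


# Constructed inventory: one compliant store, one with a replica in the wrong
# region, one public store, one with unconsented subcontractor access, and one
# with a classification the policy does not cover.
SAMPLE_INVENTORY = [
    Resource("patient-records", "us-east-1", "phi", replicas={"us-west-2"}),
    Resource("crm-export", "eu-west-1", "pii", replicas={"eu-west-1", "ap-southeast-1"}),
    Resource("marketing-site", "ap-southeast-1", "public", subcontractor_access=True),
    Resource("support-tickets", "eu-central-1", "pii", subcontractor_access=True),
    Resource("telemetry", "us-east-1", "internal"),
]


if __name__ == "__main__":
    for line in check_residency(SAMPLE_INVENTORY):
        print("FINDING:", line)
```

The "no residency rule" finding is deliberate: an unclassified store is the one most likely to be moved or replicated without anyone noticing, so the check refuses to treat it as compliant by default.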
TAKE YOUR TIME
• Adoption is a process
• Management commitment
• Defined goals and stated objectives
• Involve all interested parties, especially information technology / information security
BENEFITS OF CLOUD COMPUTING
• Eliminates single points of failure
• Risk transfer to the cloud service provider
• Allows for the use of third party expertise
• Time savings (varies by cloud model)
• Allows organization to concentrate on core competencies
• Enhanced availability and continuity
CHALLENGES OF CLOUD COMPUTING
• Relinquishing Control
– Reduced control of data as more responsibility shifts to third parties.
• Meeting Regulations
– Regulations govern the way data must be protected. The cloud service provider may not be heavily regulated but the customers may be. Because the provider is the customer’s trusted supplier, the customer’s requirements flow down to the cloud service provider, meaning the cloud must have proper controls.
• Business Interoperability
– Today’s clouds must be able to communicate with each other and offer data portability.
• Convenience vs. Security
– Using the cloud, we want both convenient access and secure data protection, creating a difficult balancing act.
• Management Reporting
– To meet many of today’s regulations, the ability to report where data is and how it is protected is essential.
• Data Integration and Transfer
– We must find a way to transfer data into the cloud in a way that is both safe and cost effective.
• Due diligence
– Allow for a full assessment of prospective cloud service providers, appropriate to the model chosen, and an understanding of the boundaries of responsibility.