7/31/2019 Trusted Data Assurance in the Cloud
EVault Ebook
Trusted Data Assurance in the Cloud
By Felix A. Santos, CISA, CISM
Trusted Data Assurance in the Cloud, 2011 i365, Inc. All Rights Reserved.
This book is protected under the copyright laws of the United States of America, and other applicable international, federal, state, and local laws. No part of this document may be reproduced or transmitted in any form, by any means, without the prior written permission of i365 and the author.
Nothing in this book is intended to replace legal or other professional services.
TABLE OF CONTENTS
05 Chapter 01: The Path to Trusted Data Assurance in the Cloud
12 Chapter 02: Cloud Control: Mounting a Strong Defense with Information Security and Compliance
20 Chapter 03: Evaluating Trusted Cloud Providers
ABOUT THE AUTHOR
Felix A. Santos, CISA, CISM is responsible for information security and compliance for i365 and EVault worldwide data centers. In this role, Felix oversees all facets of IT governance including information security programs, policy enforcement, and data center security audits and compliance. Felix has direct reporting responsibility to the president and general manager of i365, and security reporting responsibility to the chief information security officer (CISO) at Seagate Technology.
In his early career, Felix was a senior scientist for the U.S. Department of Energy at the National Laboratories and served as a technical advisor in Advanced Computing to the Office of Arms Control and Non-Proliferation. Since leaving federal service, Felix has served as chief security officer (CSO) and CISO in high-tech and financial industries in the Bay Area.
CHAPTER ONE
The Path to Trusted Data Assurance in the Cloud
Cloud computing has been around since at least the 1990s. A number of early adopters were able to develop a basic framework of distributed computing services that evolved into the cloud concept by the late 1990s. These early services had to build in controls and features by client demand to demonstrate the same level of assurance as traditional on-premise software applications. An example of a successful cloud SaaS (Software as a Service) provider is salesforce.com. Today, consumers use these cloud services for anything from contact management to post-sales customer engagement. Why? Salesforce.com offered the first cloud-based blue ocean strategy: offering pay-as-you-go, low-cost services and, most importantly, garnering trust with consumers for cloud-based services.
But many potential cloud consumers (people or organizations that maintain a business relationship with, or use services from, cloud providers) struggle with the decision for adopting cloud-based services. As cloud services continue to mature, client requirements are raising the bar for cloud providers to give them a higher level of trusted data assurance.
Today, key drivers continue pushing consumers toward cloud computing, most notably legal and regulatory drivers. In the 2011 Global Information Security Survey [1], Mark Lobel, principal security professional for PricewaterhouseCoopers (PwC), says, "The risk environment has increased and elevated the role of information security. Cost-reduction efforts make achieving security a little more difficult. Clients are pushing harder for security, telling us that their company's product or service is put at a competitive disadvantage if security is not built in. It's all about the data. Increase the focus on protecting the data."
Data protection methods have trusted standard frameworks available today. Unfortunately, key features of the data protection frameworks are obscured in a cloud environment. The basic concept of providing a high level of assurance within an open framework is defined by testing best practices against controls at the data service layer. This is the definition of Trusted Data Assurance (TDA). This high level of trusted data assurance can be achieved by adherence to best practices, but it's going to take some work for both cloud consumers and cloud providers.
To Cloud or Not to Cloud
Who's clouding now? Forrester Research [2], a technology and research firm, breaks down the top IT priorities for this year. About half of all mid-size companies are either pursuing cloud-based services as part of their business practices, or they're in their near-term implementation. Why? Realized benefits are clear: reduced infrastructure costs, pay-as-you-go services, flexibility, agility, and significantly reduced IT management and oversight.
Survey results from the Ponemon Institute [3], an independent research firm on data privacy, include an interesting diversity of cloud deployment models in use today. Sixty-five percent of cloud providers deploy a variety of services for consumer use in public clouds, primarily for handling static content, including email, collaboration, and community-based services. Eighteen percent of consumers have applications and private data they want to keep protected in private clouds and take the necessary steps to ensure reliance on trusted service providers. Another deployment model gaining momentum in the market is the hybrid model. Eighteen percent of consumers use a hybrid approach for maintaining business continuity, combining on-premise and cloud-based capabilities in a single solution.
But the outlook continues to be partly cloudy when it comes to data ownership, data privacy, data location, and cloud IT governance oversight. Potential business clients often ask me, "Do I own my data in the cloud? Who is responsible for protecting my data? How can providers safeguard my data from ending up across the globe? And who is actually providing oversight?" This is an area where data privacy and location become a top issue.
Data Privacy: Your Bill of Rights
The bottom line is that consumers have information privacy rights regarding their data. It's the consumer's bill of rights, so to speak, and well documented in federal privacy regulations and the Safe Harbor Act.
Understanding data privacy rights will help regulated consumers define requirements for safeguarding personal health information, personally identifiable information, nonpublic information, and credit-card payment information. Federal data protection laws, such as the Gramm-Leach-Bliley Act (GLBA), a privacy act for financial communities, and a dozen or so other federal laws require industries to protect information associated with data privacy laws.
State regulations go even deeper. For example, in California, under SB 1386, service providers must notify customers as well as the state if privacy data is compromised. Furthermore, CA AB 1950 mandates that service providers submit information showing they are using best practices to ensure protection of consumer information.
Between U.S. and European Union (EU) overseas authorities, the Safe Harbor Act, operated and managed through the U.S. Department of Commerce, assists U.S. companies with self-assessments and attestation, defining the minimum protection of privacy data they are safeguarding. And, if anything goes wrong, companies have to essentially prove they're in compliance with established guidelines.
Overall, data stewardship is complex, essentially affecting most areas of federal, state, and international laws and regulations. I suggest you become familiar with these laws and regulations. To do business with the EU, you will need to fill out the self-assessment. I will discuss more about the importance of data location and regulations later on. The big question to be answered: how do cloud providers give consumers trusted data assurance?
Trusted Data Assurance Goals
The only reasonable method for garnering assurances of trust is through a completed and updated audit report of your provider's environment. You can always trust, but you also need to verify.
Cloud consumers and cloud providers have an intimate partnership. Cloud consumers own their data, and expect their provider to act as a steward, maintaining the same level of protection they expect from themselves. To achieve trusted data assurance, third-party cloud auditors conduct controlled audits of cloud-provider data centers and issue a report on whether the provider has the proper controls in place and is following best practices to protect consumer information.
There are a few different approaches for conducting cloud provider audits. The most common audit is the Statement on Auditing Standards 70 (SAS 70), developed by the American Institute of Certified Public Accountants (AICPA). Alternatives include BITS Agreed Upon Procedures (BITS.org, a consortium of financial services) for shared assessments, ISO 27001 certification, and Federal Information Security Management Act (FISMA) compliance certification. Traditionally, SAS 70 was used for auditing financial and reporting controls for state and public financial organizations. Until June 2011, SAS 70 was also the standard for auditing cloud providers.
New Audit Standards Emerge for Service Organizations
In June 2010, a more comprehensive auditing standard, Statement on Standards for Attestation Engagements No. 16 (SSAE 16), was developed by AICPA to target service organizations. Unlike SAS 70, which focuses on financial controls, SSAE 16 is systems-based with trust guidelines and principles encompassing trusted controls for data security, confidentiality, integrity, availability, and privacy. For cloud providers, these five controls will be analyzed to ensure the protection of consumer data.
SSAE 16 audits now require attestation, a written assertion by the cloud provider stating control objectives have been suitably met for SSAE 16 Type I and are operating effectively for SSAE 16 Type II, with supporting information about risk factors.
Service Organization Control 1 (SOC 1) reports are restricted to existing cloud providers with SAS 70 Type I and Type II compliance for effective periods beginning on or after June 15, 2011.
SOC 2 audits are both a general- and restricted-use report describing tests, audit results, and the auditor's opinion for compliance to trust services and guiding principles.
SOC 3 audits are a general-use report containing minimum information. If one or more trust services are met, cloud providers are permitted to use an SOC 3 SysTrust seal on their website.
Use this information about SSAE to establish a dialog with current or potential providers. It's an excellent way to get information about their SSAE migration plans over the next several months. For more information about SSAE, download the free report, "Service Organization Controls: Managing Risks by Obtaining a Service Auditor's Report," at aicpa.org.
My advice for cloud providers using SAS 70 audits (the fastest and easiest transition for the remainder of 2011) is to move to SOC 1, since it's essentially a SAS 70 Type I. Otherwise, regulated consumers will be forced to look elsewhere for services because they will fall out of compliance when their auditors pay a visit.
My best advice for cloud providers: If you can, make the transition now directly to SOC 2 to give consumers the most comprehensive audit controls for cloud data protection. It will also help you grow your services business. For web-based cloud services, the SOC 3 with SysTrust Seal can be published on the website.
The Rise of Cloud Standards
In support of maturing cloud compliance and IT governance programs, federal standards under the National Institute of Standards and Technology (NIST), and the Cloud Security Alliance (CSA) within the private sector, are bearing the burden of establishing new IT controls and best practices for cloud computing.
NIST provides federal government and legal entities with a new roadmap for cloud computing standards, cloud nomenclature definitions, and basic cloud services and how they work. A new architecture reference model is now available with contributions from federal and private industries, ensuring that all facets associated with cloud computing are addressed. They've also released a synopsis of best-practices recommendations for cloud service providers with specific guidelines on how security and privacy are expected to be maintained in public cloud computing. Their nomenclature definitions alone will help ensure you're on the same page with your cloud providers. For more information, visit nist.gov.
For organizations in the private sector, CSA focuses on detailing critical areas of cloud computing from services development to management of cloud-based services. CSA is an open alliance organization with memberships from corporations such as eBay, security vendors such as RSA from EMC and CA, financial institutions such as American Express and Citibank, security associations such as ISACA and the Distributed Management Task Force (DMTF), and cloud providers such as salesforce.com and Google. All members collaborate and contribute to a common knowledge base ensuring new cloud controls are well understood and documented.
Cloud Services Standards Organizations
The National Institute of Standards and Technology (www.nist.gov) is an agency of the U.S. Department of Commerce that makes measurements and sets standards by industry for government programs such as the Federal Information Security Management Act (FISMA).
Cloud Security Alliance (CSA) promotes the use of best practices for providing security assurance within cloud computing. For more information, visit www.cloudsecurityalliance.org.
What's impressive about the folks from CSA and their affiliated community members is their shared definition of new, standard IT controls for cloud providers. In traditional on-premise environments, information security controls require organizations to define and classify their information assets. In contrast, when operating in a cloud environment, currently defined IT controls do not necessarily provide the level of coverage required by a cloud provider's role as steward for data protection.
New definitions require providers to look at consumer data (objects containing data) and assign classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization, and third-party obligation for retention and prevention of unauthorized disclosure or misuse.
There are about a hundred of these new cloud-control objectives defined in version 1.2 of the new Cloud Controls Matrix (CCM). I encourage you to read the CCM version 1.2 to become familiar with the new cloud controls and to help guide conversations with current or potential cloud service providers. Download the spreadsheets from cloudsecurityalliance.org.
[1] 2011 Global Information Security Survey; Mark Lobel, PricewaterhouseCoopers, CSO Security Standard Conference; Brooklyn, New York, September 29, 2010
[2] Business Continuity and Disaster Recovery Are Top IT Priorities for 2010 and 2011; Forrester Research, Inc., September 2, 2011
[3] Security of Cloud Computing Providers Study, Ponemon Institute, April 2011
CHAPTER TWO
Cloud Control: Mounting a Strong Defense with Information Security and Compliance
Information Security (INFOSEC) basically protects data everywhere, such as texts, instant messages, email, contracts, hard copies, transaction data, and verbal communications, from unauthorized access, misuse, disclosure, disruption, modification, or destruction. The philosophy behind INFOSEC is to take a holistic approach that encompasses people, processes, and technology to protect data. This approach embodies the basic trust principles of security, confidentiality, integrity, availability, and privacy.
I am always surprised by the number of people who view INFOSEC as a single focus on one or more components of technology. For example, perimeter security, such as firewalls or intrusion detection systems, is taken to be the security solution, and some organizations don't have an incident response process to address critical breaches. And some business owners think they're secure because they trust their IT administrator; after all, that's who set up the firewall. But here's the reality: information security for achieving compliance is complex, especially in the cloud.
[Figure: Sphere of Protection. Concentric layers from the outside in: Internet, Networks, Systems, and the Information core, surrounded by People and Technology. Controls shown on the sphere: Policy and law; Education and training; Security planning (IR, DR, BC); Redundancy; Monitoring systems; Patches and upgrades; Host IDS; Firewalls; Network IDS; Proxy servers; Encryption; Backups; Access controls.]
An organization's security posture is characterized by the maturity, effectiveness, and completeness of risk-adjusted IT controls. The INFOSEC defense concept can be represented in the Sphere of Protection [4] (above).
Protection in depth is a layered process from the perimeter into the protected information core. It is implemented by people with defined processes and utilizes technology to put it into effect.
IT controls are implemented in multiple layers, from Internet and network security to applications, systems, and physical security. Access controls are intimately connected to people and technology to be properly secured and managed.
Ultimately, you want to get to the point where you can say, "I am properly protecting the environment because I'm now measuring the confidentiality of systems and data information, maintaining its integrity, and making it available as well as protected from any attack."
For security awareness and education programs, people will continually need education and training to understand applicable policies, laws, and regulations to help guide their behavior for protecting data.
For cloud providers, a strict code of ethics, regulatory controls, and internal operational guidelines mandate the behavior of data center professionals. You won't find any external communications with the public in a controlled data center environment. And social networking is absolutely prohibited. The highest level of protocols and procedures should be in place, and must be followed to protect both consumers and providers.
INFOSEC plans provide detailed guidance on how to handle incident response, disaster recovery (DR), and business continuity (BC), and must be maintained and tested regularly to accommodate environmental and technological changes.
From the left side of the sphere, many technology layers address protection of information located in the nucleus. Each layer may have a different series of components including access controls across all layers, implementation of best practices, change management, and periodic testing of IT controls.
INFOSEC Standards for Regulatory Compliance
Regulatory compliance can be complex. To reduce maintenance costs for achieving regulatory compliance while significantly improving overall efficiencies, organizations eliminate redundant and overlapping regulatory controls by implementing standard frameworks that map across multiple regulations.
To demonstrate this methodology, I'll use three examples of key regulations. Sarbanes-Oxley (SOX) targets compliance for all public entities. Sarbanes-Oxley mandates assurances by demonstrating the appropriate level of controls to protect financial information, and reporting to the Securities and Exchange Commission. However, Sarbanes-Oxley doesn't provide the "how" of achieving such assurances. Since the Control Objectives for IT (CoBIT) standards framework was developed in support of SOX, you can see in the example below a one-to-one mapping across most domains for both SOX and CoBIT. Privacy protection is addressed in CoBIT version 5.
For health care providers, the Health Insurance Portability and Accountability Act (HIPAA) regulates protection of public health information. ISO 27001 standards map across all domains to ensure privacy protection is accounted for and controlled.
And last, the Gramm-Leach-Bliley Act protects nonpublic information for financial services. Both ISO and CoBIT standards, for the most part, support GLBA mandates. CoBIT version 5 is currently in early adoption.
My best-practices recommendations for cloud consumers are to look at cloud providers that offer trusted data assurance and understand all facets of regulatory requirements, and to implement ISO 27000, CoBIT, or new cloud IT control standards to help you make an informed decision. You may even want to consult your auditor for recommendations.
Preparing for the Cloud: Your Roles and Responsibilities
To help prepare you for data protection in the cloud, there are specific elements that cloud consumers own that are included in the cloud controls matrix from CSA.
Here's the bottom line: You can't just give cloud services to a cloud provider. There are some simple, free best practices that you need to follow. Following are some key activities and valuable information you need for making the right decisions for your organization.
Write an INFOSEC Policy
A written INFOSEC policy is a simple document that's necessary for engaging with a cloud provider. It should include the information being protected, how the security environment will be monitored, who will be held accountable for the security environment, who is authorized to engage in INFOSEC activities, and basic policies and procedures that should be well understood across the company.
This is where security awareness programs become paramount for helping organizations understand their INFOSEC policy, and for executives to mount a concerted response when bad things occur. Information security policies serve as the communication platform for cloud providers and, most important, they help to quickly determine whether a cloud provider can meet your defined objectives.
There are plenty of websites that offer information security policy templates for download. ISO 27001 is a good program standard for defining information security programs. In addition, for specific details, download actual security policies (then you can simply fill in the blanks) from the SANS Institute at sans.org.
You will find that following my best-practices recommendations will put you in the best position for safeguarding your company.
Classify Information Assets
Once you've written your information security policy, the next crucial step is defining your assets. Determine all locations of critical data and the protection levels for safeguarding each data set. By taking the time to define where sensitive and critical information is located, and who and what applications need access to each data set, you're well on your way to the cloud.
Data location is of primary importance for business consumers concerned about outsourcing data to a cloud provider. As mentioned before, cloud consumers are ultimately responsible for their data. Trust your cloud provider to be a steward of your data, but only if the provider fully understands data location requirements and can prevent your data from going somewhere it shouldn't. Garner that trusted data assurance through an updated audit report. And define your requirements and regulations associated with each data set as well as specific data location requirements.
One example I often share with clients regards customers with encrypted logical information or intellectual property. Encrypted information or intellectual property falls under the federal regulations controlling encrypted material under export controls. You run into a boundary of places to which you can actually export this type of data. And if your data is sitting in the cloud, you have to verify it's not going to end up in a pariah country. This is one of the reasons why data classification is crucial for data protection in the cloud. Trust but verify; it's that simple.
Data location requirements can sometimes conflict with regulatory controls. One regulation that can conflict with data location boundaries is Basel II. In the EU there's a disaster recovery requirement for financial organizations. To replicate their data, organizations must place it in a different geographical risk zone. But there are privacy information controls mandating that data can't leave the country. In these cases, cloud providers need to be able to tell you how they're going to effectively deal with international issues to ensure your data is protected.
If you don't have policies in place to address data regulatory controls, you can't hold your cloud provider accountable if something goes wrong. Policy and prosecution go hand in hand in both domestic and internationally controlled environments.
Asset management is by far the most important subcomponent of an INFOSEC policy. Data classification includes rating your data based on public, private, confidential, top-secret, sensitivity, integrity, availability, location, and regulatory requirements. Assess your data center, office, laptops, servers, and so on, and classify data sets based on your requirements. One of the most comprehensive schemes is the Federal Information Processing Standards (FIPS) 199. Other simplified schemes use some components of this federal standard. Keep it simple by using appropriate standards for your regulated industry.
Last, define how soon your data needs to come back in cases of loss or disaster. Define objective points based on availability. Objectives commonly used for data sets that require operations to remain resilient are Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Determine which sets are not affected by outages and prioritize them accordingly. Cloud providers will need to ensure they can meet both defined and written criteria.
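The classification, RTO/RPO and data-location checks described in this section, together with the Basel II replication conflict discussed above, as an added worked example (not code from the ebook, i365 or EVault). It assumes a FIPS 199 style low/moderate/high rating per confidentiality, integrity and availability combined by the high-water-mark rule, and all data sets, sites and provider offers are constructed sample values.

```python
"""Added worked example (not from the ebook): classify a data set FIPS 199
style, record its RTO/RPO and data-location limits, and check a cloud
provider's offer against them. All names and sample values are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Site:
    country: str    # jurisdiction where this copy of the data is stored
    risk_zone: str  # geographic risk zone (flood plain, seismic region, ...)


@dataclass(frozen=True)
class DataSet:
    name: str
    confidentiality: str                 # "low" | "moderate" | "high"
    integrity: str
    availability: str
    rto_hours: float                     # longest acceptable recovery time
    rpo_hours: float                     # most data (measured in time) we may lose
    allowed_countries: FrozenSet[str]    # the data may not leave these
    needs_offsite_replica: bool = False  # DR rule of the Basel II kind


@dataclass(frozen=True)
class Offer:
    provider: str
    primary: Site
    replica: Optional[Site]
    rto_hours: float
    rpo_hours: float
    audit_report: str   # e.g. "SOC 2 Type II", "SAS 70 Type II"


def security_category(ds: DataSet) -> str:
    """Overall impact by the high-water-mark rule (the FIPS 200 reading of a
    FIPS 199 categorization): the highest of the three impact levels."""
    return max((ds.confidentiality, ds.integrity, ds.availability),
               key=lambda level: IMPACT[level])


def check_offer(ds: DataSet, offer: Offer,
                accepted_reports: Tuple[str, ...] = ("SOC 2", "SOC 3")) -> List[str]:
    """Return every written requirement the offer fails; an empty list means
    the provider can act as steward on paper (the audit report itself still
    has to be read)."""
    findings = []
    # Data location: no copy, primary or replica, may sit outside the
    # permitted jurisdictions.
    for label, site in (("primary", offer.primary), ("replica", offer.replica)):
        if site is not None and site.country not in ds.allowed_countries:
            findings.append(f"{label} copy in {site.country} is outside "
                            f"{sorted(ds.allowed_countries)}")
    # Disaster recovery: a replica must exist and be in another risk zone,
    # which is exactly what collides with the in-country rule above.
    if ds.needs_offsite_replica:
        if offer.replica is None:
            findings.append("offsite replica required but none offered")
        elif offer.replica.risk_zone == offer.primary.risk_zone:
            findings.append("replica shares the primary site's risk zone")
    # Availability objectives: the provider's RTO/RPO may not exceed ours.
    if offer.rto_hours > ds.rto_hours:
        findings.append(f"RTO {offer.rto_hours}h exceeds required {ds.rto_hours}h")
    if offer.rpo_hours > ds.rpo_hours:
        findings.append(f"RPO {offer.rpo_hours}h exceeds required {ds.rpo_hours}h")
    # Trusted data assurance: claims must be backed by an accepted report type.
    if not any(offer.audit_report.startswith(r) for r in accepted_reports):
        findings.append(f"audit report '{offer.audit_report}' not accepted")
    return findings


# Constructed sample: customer records that must stay in Germany and need a
# DR replica in a different risk zone.
CUSTOMER_RECORDS = DataSet(
    name="customer-records", confidentiality="high", integrity="moderate",
    availability="moderate", rto_hours=8, rpo_hours=1,
    allowed_countries=frozenset({"DE"}), needs_offsite_replica=True)

OFFER_A = Offer("provider-a", Site("DE", "rhine-valley"), Site("DE", "bavaria"),
                rto_hours=4, rpo_hours=0.5, audit_report="SOC 2 Type II")
OFFER_B = Offer("provider-b", Site("DE", "rhine-valley"), Site("IE", "dublin"),
                rto_hours=12, rpo_hours=0.5, audit_report="SAS 70 Type II")

if __name__ == "__main__":
    print(CUSTOMER_RECORDS.name, "overall impact:", security_category(CUSTOMER_RECORDS))
    for offer in (OFFER_A, OFFER_B):
        print(offer.provider, check_offer(CUSTOMER_RECORDS, offer) or ["meets requirements"])
```

Provider B fails on three written criteria at once (replica outside the allowed country, RTO too long, and a SAS 70 rather than SOC 2 report), which is the kind of list to bring to the provider conversation the chapter recommends.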
Define Backup, Recovery, Disaster Recovery, and Business Continuity Policies
Whether or not you're considering outsourcing some of your data sets to the cloud, you need to define backup, recovery, disaster recovery, and business continuity policies. It's a crucial element of the risk-assessment process.
Write down backup and recovery policies and procedures with an inventory of data that resides on critical systems, including executive laptops! Determine how long you can wait before your data is recovered. Use several disaster scenarios in your policy. For example, before hurricane season arrives everyone needs to be conscious about the next potential flood, its location, and whether or not your data storage is actually going to be protected during this event. If these scenarios ever present themselves, you actually have a documented plan in place, and you have a cloud provider to help you test scenarios to demonstrate you are actually implementing best practices. Painful as it may seem, DR plans require testing, even if it's a small portion of your environment. If you don't test it, you have no idea if the backup tapes you sent to a vault somewhere in Kentucky are actually going to be recoverable.
It's crucial that you document your data protection plan. Use it to serve up the service-level agreement (SLA) with your cloud provider. And if things go wrong, your service provider can be held accountable.
If you have different types of outsourcing initiatives, and your backups are on tape, look at having an electronic replication with another service
provider for safeguarding the backup to your backup. You should always keep alternatives. If one provider doesn't work, go to a second provider.
Cloud-based disaster recovery services are key services contracted today, especially by businesses that have already been affected by natural disasters. Consider developing a cloud DR and BC plan to maintain your continuity of operations in cases of data loss or natural disaster. It's absolutely worth its weight in gold, without the costs of rebuilding this crucial component of your business.
Perform a Risk Assessment
The final step to help you prepare for cloud adoption is to conduct an internal risk assessment. Determine the business practices you need to continue to operate. Look for items that could potentially threaten your organization's data. If your budget allows, you may need to consult a third party to assist you with writing guidelines on how to define your risk assessment, and to actually perform the assessment. If you perform the assessment internally to save costs, make sure you do it regularly so you're prepared for any new threats that may pop up.
Determining risk is a business practice that sits at the highest level of the company. Without executive support, you're most likely placing the company at risk. It's worthwhile to make sure executives know the service providers you're using and how they are protecting company information, and that these service providers will be held accountable if something goes wrong. Make sure assessments are well documented.
My guidance applies to the budget-minded consumer as well. I understand the needs of small and mid-size organizations that can't afford to outsource a risk assessment. There are many free consortiums on the Internet that provide guidelines for performing your own risk assessment. When you present your assessment to a cloud provider, make sure you also present the information security and data protection plans outlined above.
Next up: when things don't always go as planned.
Incident e-Discovery and Investigation
One of the less-palatable activities in cloud data protection is when bad things happen, such as litigation, or when law enforcement officers show up on your doorstep asking questions.
One of the key control methods used to protect clients from data exposure or leakage is data encryption and key management, especially when data leaves the company. Consumers should be in complete control of all encryption keys. Losing access to encryption keys can actually expose consumers to potential, unknown threats. In the event of litigation, a lack of encryption key management does not hold up well in a court of law.
When a significant breach occurs within the consumer's domain, e-discovery typically begins when the judicial system warrants the discovery process and law enforcement agencies are engaged. In these cases, e-discovery should begin at the site of the cloud consumer.
Agencies may wish to fast-track the e-discovery process by requesting that your cloud provider essentially dump all data that you own. But they should actually start with you, not the provider. Providers don't hold your encryption keys; you do. It's as simple as that.
To exemplify what consumer data looks like in a multitenant cloud environment, I will use EVault as an example. Cloud consumer data is deduplicated and encrypted from its original source, and remains encrypted throughout its lifetime in one or more vaults. If someone looks at the data, it is just a series of data blocks of ones and zeros, which can only be decrypted by consumer access to the encryption keys. Essentially, EVault can provide law enforcement with the data blocks and vault information, but only in its file form as a copy. We do not have access to actually assist with further e-discovery activities.
I'm often asked by our cloud-consumer customers what would happen if they suddenly had an issue with law enforcement during a breach incident, or when law enforcement agencies are just looking for a copy of their backups. The answer is that we are required by federal law to protect all consumer information in our data centers. It is crucial that physical access is limited.
Agencies should exhaust all avenues of investigation at the consumer's site, or else possibly suffer federal consequences for imposing e-discovery on cloud providers without arguable due cause. Because mistakes in the past have caused agencies to shut down cloud providers during their maturation phase, legal agencies should be cognizant of cloud consumer data protection laws, and help enforce consumer data protection assurances in the cloud.
4. Business Risk of Software in the Cloud; Deloitte Development LLC, Andrew Murren, March 2, 2011
CHAPTER THREE
Evaluating Trusted Cloud Providers
To put together your cloud-provider short list, you first need to question each provider's IT controls.
The BITS Standard Information Gathering (SIG) questionnaire is a standard set of shared audit procedures. Its questions have been mapped tightly to the ISO domains, resulting in a standard request for information to put to a cloud provider. Use either the BITS full or lite questionnaire to evaluate cloud providers. You can find the BITS questionnaires by visiting sharedassessments.org.
Once you have your SIG questionnaire, you're ready to match vendor service delivery models with your business and security objectives.
Who's Who in the Cloud
Not all cloud providers should be treated equally. The simplified Cloud Computing Stratosphere diagram (Horn Group; not reproduced in this text) illustrates three service delivery models and key vendors.
Communications and Social Applications reside above the three service delivery models or layers, since they are quite pervasive on top of, and through, some of these layers. A great example is Twitter.
Software as a Service (SaaS)
SaaS is the capability for cloud consumers to use applications and resources from a cloud provider. Cloud application resources are typically accessible from a web browser. SaaS is crowded with providers bringing in online services, from initial email services (from Google, Microsoft, and Yahoo) to expanded services such as office and collaborative applications, marketing, and data protection services including backup, disaster recovery, and replication services.
Platform as a Service (PaaS)
PaaS is aimed at cloud developers that want to use the provider's cloud operating environment, development tools, and programming languages (Windows, .NET, Linux, and J2EE) to create SaaS-based applications for use by cloud consumers.
Infrastructure as a Service (IaaS)
IaaS is the capability for cloud providers to provision fundamental computing resources such as storage, networks, and processing power to cloud consumers. The consumer can often be another cloud provider. For example, EVault services use Microsoft Azure cloud services for provisioning storage and endpoint protection services to consumers. And the company partners with other cloud providers, managed service providers, and resellers that want to host data-protection and other value-added services for their consumers, powered by the EVault infrastructure and partner SaaS-based service offerings. These types of partner services are typically coined as downstream or aggregator services.
Down the Stack: Cloud Provider Security Responsibilities
As mentioned in Chapter One, new trends in consumer requirements are pushing providers to implement better IT controls over their data centers to gain parity with traditional on-premise solutions. This stems from the abstraction of infrastructure and the lack of visibility and capability to integrate many familiar security controls, especially at the network and virtualization layers.
It is important to understand that the security responsibilities of cloud providers and cloud consumers differ among service delivery models. For example, Amazon's EC2 infrastructure is responsible for security up to the hypervisor level, including physical, environmental, and virtualization security. Cloud consumers are responsible for systems, applications, and data security.
For cloud providers offering services that span the entire stack (IaaS, PaaS, SaaS), security becomes the responsibility of the provider, including physical, environmental, infrastructure, applications, and data security. For example, my company is responsible for all levels of security since our infrastructure and cloud services cut across all three service-delivery layers.
Figure: The Cloud Computing Stratosphere, Horn Group, www.horngroup.com
Trusted Data Assurance from EVault
Directly distributed EVault data centers are located throughout the United States and Canada, with a presence in the European Union. Since 1997, EVault security programs have been founded on ISO standards and best practices that have been updated and maintained. EVault meets the ISO 27001:2005 Information Security Program Standard and self-attestation for PCI DSS v.2 compliance. Since my firm is a wholly owned subsidiary of the publicly held company Seagate Technology (NASDAQ: STX), we fulfill Seagate internal audit activities and controls for data privacy, PCI compliance, and general controls practices. We've maintained yearly audits for SAS 70 Type II, and we're currently in our SSAE 16 audit for SOC 2, expecting our SSAE 16 attestation to be completed by December 2011. We continue raising the bar on trusted data assurance.
Summary
Cloud-based services are here to stay. The costly maintenance of meeting regulatory requirements is driving consumers to ultimately shift to the cloud, especially those organizations lacking the budget, or organizations that can no longer enjoy the information security and compliance budgets of the past. But it certainly can be a scary place for potential consumers that haven't yet made that leap. If you do your homework, and you select the right, trusted cloud provider, you will enjoy low-cost services with trusted data assurances to help you focus on your core business and maintain profitability.
Hopefully, I've dispelled some of the myths about data privacy and protection. You own your data and you have federal privacy laws that protect your rights. Your service provider is there to steward and safeguard your data, and ensure your privacy rights are protected, with the right people, process, and technology.
As the cloud services industry matures, new cloud definitions and initiatives are there for public-sector and federal consumers to ensure cloud providers follow shared best practices. And new and long overdue SSAE audit standards now provide systems-based and trusted data controls for auditing service organizations, giving consumers that verification of trusted data assurance. After all, a little TDA does go a long way!
When it comes to information security and compliance, always account for change. Maintaining a state of compliance is not a static process. It is a continuous process of improvement. Trusted cloud providers will continue to improve governance of their IT infrastructure and show you evidence that they're actually doing it.
Make sure you receive that trusted data assurance from your cloud provider. And remember, you can trust, but always verify.
List of Resources
1. American Institute of Public Accountants, aicpa.org
2. Control Objectives for IT, isaca.org
3. BITS Agreed Upon Procedures, bits.org
4. BITS SIG, sharedassessments.org
5. Cloud Security Alliance, cloudsecurityalliance.org
6. 2011 Global Information Security Survey; Mark Lobel, PricewaterhouseCoopers, CSO Security Standard Conference; Brooklyn, New York, September 29, 2010, csoonline.com
7. National Institute of Standards and Technology, nist.gov
8. Security of Cloud Computing Providers Study, Ponemon Institute LLC, April 2011, ponemon.org
9. The SANS Institute, sans.org
Headquarters | 3101 Jay Street, Suite 110 | Santa Clara, CA 95054 | 877.901.DATA (3282) | www.i365.com
France | +33 (0) 1 55 27 35 24
Germany | +49 (0) 89 28890 434
Netherlands | +31 (0) 73 648 1400
UK | +44 (0) 1932 445 370