Post on 12-Apr-2018
AGENDA
01. Overview of Cloud Services
02. Cloud Computing Compliance Framework
03. Cloud Adoption and Enhancing Compliance Posture in the Cloud
04. Real-World Experiences – Benefits
05. Real-World Experiences – Challenges
06. Q&A
CLOUD SERVICE MODELS
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
TERMINOLOGY AND CONCEPTS
• Financial reporting impact (ICOFR – Internal Controls Over Financial Reporting)
• Control Objectives / Trust Principles / Criteria / Standards / Management System Standards /Annexes / Frameworks
• Certification / Attestation / Audit / Benchmarking Assessments (Consulting Reports)
• Type 1 vs Type 2 for SOC Reports
• Backward looking / Point in Time / Forward Looking
• Attestation standards – US (SSAE / AT sections) vs. international (ISAE)
• Shelf life – generally annual; some certifications run on a 2-year or 3-year cycle
• Restricted use / Restricted Distribution / Unrestricted
UNDERSTANDING COMPLIANCE NEEDS
• Cloud Service Customer
– Know customer / contractual requirements
– Know cloud service provider commitments
• Cloud Service Provider
– Know customer / contractual requirements
– Know market need
INDUSTRY SPECIFIC ASSESSMENTS
Industry                    Compliance Options
Healthcare                  HIPAA / HITECH, HITRUST
Federal                     FedRAMP, NIST, FISMA
Payment Card Transactions   PCI DSS
Privacy / PII               ISO 27018, Privacy Shield
CLOUD OPERATIONAL CONSIDERATIONS
• Traditional security infrastructure
• Business continuity / disaster recovery operations
– Disaster recovery vs. high availability (they address different failure modes and one does not substitute for the other)
• Access and identity
– Nuts and bolts of connecting internal user stores with the external provider (federation), and of the external provider's access to internal information
CLOUD OPERATIONAL CONSIDERATIONS
• Incident management
– Coordination and escalation with external provider
• Encryption management (if applicable)
– Key management and scalable encryption requirements (who holds the keys, and how key rotation works without re-encrypting every object)
• Technical infrastructure
– Virtualization, connectivity, bandwidth, performance, etc.
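The key-management bullet above is where most cloud encryption programs fail to scale, so here is an added worked example (not code from the slides or from any provider) of envelope encryption in Go: every object gets its own data encryption key (DEK), the DEK is wrapped under a customer-held key encryption key (KEK), and rotating the KEK only re-wraps the 32-byte DEK while the object ciphertext stays put. Assumptions: AES-256-GCM for both layers, the KEK bytes are handed in by the caller in place of a real KMS/HSM call, the object id and KEK id are bound as AEAD associated data, and the sample record and key ids are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is stored alongside the object: the ciphertext plus the per-object
// data key (DEK) wrapped under a customer-held key encryption key (KEK).
// Both blobs are laid out as nonce || AES-256-GCM output. The KEK itself is
// assumed to live in the customer's KMS/HSM and is passed in by the caller.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith returns nonce || AES-GCM(key, nonce, plaintext, aad).
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith; a wrong key or AAD fails authentication.
func openWith(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt makes a fresh DEK for the object, encrypts the object under it with
// the object id as AAD (so ciphertext cannot be swapped between objects), then
// wraps the DEK under the KEK with the KEK id as AAD.
func Encrypt(kekID string, kek []byte, objectID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealWith(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealWith(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK that env.KEKID names, then the object.
func Decrypt(env *Envelope, kek []byte, objectID string) ([]byte, error) {
	dek, err := openWith(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, env.Ciphertext, []byte(objectID))
}

// Rotate re-wraps only the 32-byte DEK under a new KEK; the object ciphertext
// is untouched, which is what lets KEK rotation scale to large data sets.
func Rotate(env *Envelope, oldKEK, newKEK []byte, newKEKID string) error {
	dek, err := openWith(oldKEK, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return err
	}
	wrapped, err := sealWith(newKEK, dek, []byte(newKEKID))
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = newKEKID, wrapped
	return nil
}

func main() {
	kek2018, kek2019 := make([]byte, 32), make([]byte, 32) // constructed KEKs
	rand.Read(kek2018)
	rand.Read(kek2019)
	env, _ := Encrypt("kek-2018", kek2018, "obj-42", []byte("constructed sample record"))
	_ = Rotate(env, kek2018, kek2019, "kek-2019")
	pt, err := Decrypt(env, kek2019, "obj-42") // kek-2018 can now be retired
	fmt.Printf("%s %v\n", pt, err)
}
```

The compliance value is in the last three calls: after Rotate the old KEK can be destroyed and the object is still readable, so a "customer holds the keys" commitment can be evidenced without a bulk re-encryption job, and a ciphertext copied onto a different object id fails authentication instead of decrypting.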
UNDERSTANDING RESPONSIBILITY
• Outsourcing operations does not outsource compliance: accountability stays with the customer
• Ensure clear SLAs (and continuous monitoring of them)
• Target comprehensive coverage
• Anticipate future requirements
UNDERSTANDING RESPONSIBILITY - IAAS
Stack layers shown in the figure: Application, Data, Operating System, Network, Hardware, Facility (all within the Controls Environment)
Customer:
• Application usage and user provisioning.
• Application security
• Database security
• Operating system configuration
Provider:
• Hardware provisioning and management
• Network management
• Facilities management
UNDERSTANDING RESPONSIBILITY - PAAS
Stack layers shown in the figure: Application, Data, Operating System, Network, Hardware, Facility (all within the Controls Environment)
Customer:
• Application usage and user provisioning.
• Application development, deployment and security
• Database management and security
Provider:
• Operating system configuration and
provisioning
• Hardware management
• Network management
• Facilities management
UNDERSTANDING RESPONSIBILITY - SAAS
Stack layers shown in the figure: Application, Data, Operating System, Network, Hardware, Facility (all within the Controls Environment)
Customer:
• Application usage and user provisioning.
Provider:
• Application development, management and security
• Database management and security
• Operating system configuration
• Hardware management
• Network management
• Facilities management
CLOUD COMPUTING – EXAMPLE RASCI MODEL
R = Responsible ("The doer")   A = Accountable ("The buck stops here")   S = Supported ("The helper")   C = Consulted ("In the loop")   I = Informed ("Notify me")

BEFORE cloud provider
Infrastructure Layer                       Customer     Cloud Provider
External Network & Security                R A S C I    -
Applications: Configuration & Patching     R A S C I    -
Internal Network & Security                R A S C I    -
Operating System: Updates & Patching       R A S C I    -
VMware                                     R A S C I    -
Computing Hardware - "Bare Metal"          R A S C I    -

AFTER cloud provider
Infrastructure Layer                       Customer     Cloud Provider
External Network & Security                R A C I      R A S C I
Applications: Configuration & Patching     R A C I      R A S C I
Internal Network & Security                I            R A S C I
Operating System: Updates & Patching       I            R A S C I
VMware                                     I            R A S C I
Computing Hardware - "Bare Metal"          I            R A S C I
(Letters per cell are the roles shown on the chart for each party.)
KNOW WHERE THE DATA IS
• Customers and providers may have external obligations
• National / regional / local data management requirements
• Can data be moved without customer consent?
– Who can view it (subcontractors / offshore staff)
• Safeguarding data for legal discovery (e-discovery)
TAKE YOUR TIME
• Adoption is a process
• Management commitment
• Defined goals and stated objectives
• Involve all interested parties, especially information technology / information security
BENEFITS OF CLOUD COMPUTING
• Can eliminate single points of failure (if the architecture actually uses the provider's redundancy)
• Partial risk transfer to the cloud service provider (accountability for compliance stays with the customer)
• Allows for the use of third-party expertise
BENEFITS OF CLOUD COMPUTING
• Time savings (varies by cloud model)
• Allows organization to concentrate on core competencies
• Enhanced availability and continuity
CHALLENGES OF CLOUD COMPUTING
• Relinquishing Control
– Reduced control of data as more responsibility shifts to third parties.
• Meeting Regulations
– Regulations govern the way data must be protected. The cloud service provider may not itself be heavily regulated, but its customers may be. As the customer's trusted supplier, the provider inherits those requirements: they flow down through the contract, so the cloud service must have the corresponding controls.
CHALLENGES OF CLOUD COMPUTING
• Business Interoperability
– Today's clouds must be able to communicate with each other and offer data portability.
• Convenience vs. Security
– Using the cloud, we want both convenient access and secure data protection, creating a difficult balancing act.
• Management Reporting
– To meet many of today's regulations, the ability to report where data is and how it is protected is essential.
CHALLENGES OF CLOUD COMPUTING
• Data Integration and Transfer
– We must find a way to transfer data into the cloud that is both safe and cost effective.
• Due Diligence
– Allow time for a full assessment of prospective cloud service providers, appropriate to the model chosen, and for understanding the boundaries of responsibility before signing.