INTO THE CLOUD - IAPP · Cloud Adoption and Enhancing Compliance Posture in the Cloud


INTO THE CLOUD: WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

INTRODUCTION

AGENDA

01. Overview of Cloud Services

02. Cloud Computing Compliance Framework

03. Cloud Adoption and Enhancing Compliance Posture in the Cloud

04. Real-World Experiences – Benefits

05. Real-World Experiences – Challenges

06. Q&A

OVERVIEW OF CLOUD SERVICES

CLOUD SERVICE MODELS

• Software as a Service (SaaS)

• Platform as a Service (PaaS)

• Infrastructure as a Service (IaaS)

CLOUD DEPLOYMENT MODELS

• Public

• Private

• Hybrid

• Community

CLOUD COMPUTING COMPLIANCE FRAMEWORK

COMPLIANCE OVERVIEW

TERMINOLOGY AND CONCEPTS

• Financial reporting impact (ICOFR – Internal Controls Over Financial Reporting)

• Control Objectives / Trust Principles / Criteria / Standards / Management System Standards /Annexes / Frameworks

• Certification / Attestation / Audit / Benchmarking Assessments (Consulting Reports)

• Type 1 vs Type 2 for SOC Reports

• Backward looking / Point in Time / Forward Looking

• Accounting Standards - US / International - SSAE / AT vs ISAE

• Shelf Life – Generally Annual – Annual / 2 Year Cycle / 3 Year Cycle

• Restricted use / Restricted Distribution / Unrestricted

UNDERSTANDING COMPLIANCE NEEDS

• Cloud Service Customer

– Know customer / contractual requirements

– Know cloud service provider commitments

• Cloud Service Provider

– Know customer / contractual requirements

– Know market need

GENERAL CONTROL ASSESSMENTS

• SOC 1

• SOC 2

• CSA STAR Program Level 2

• ISO 27001 / 27017

INDUSTRY SPECIFIC ASSESSMENTS

Industry                    Compliance Options
Healthcare                  HIPAA / HITECH, HITRUST
Federal                     FedRAMP, NIST, FISMA
Payment Card Transactions   PCI DSS
Privacy / PII               ISO 27018, Privacy Shield

CLOUD ADOPTION AND ENHANCING COMPLIANCE POSTURE IN THE CLOUD

CLOUD OPERATIONAL CONSIDERATIONS

• Traditional security infrastructure

• Business continuity/ disaster recovery operations

– Disaster Recovery v. High Availability

• Access and identity

– Nuts and bolts of connecting internal user stores with the external provider / access to internal information by the external provider

CLOUD OPERATIONAL CONSIDERATIONS

• Incident management

– Coordination and escalation with external provider

• Encryption management (if applicable)

– Key management and scalable encryption requirements

• Technical infrastructure

– Virtualization, connectivity, bandwidth, performance, etc.

UNDERSTANDING RESPONSIBILITY

• Outsourcing may not extend to compliance

• Ensure clear SLAs (and continuous monitoring of them)

• Target comprehensive coverage

• Anticipate

UNDERSTANDING RESPONSIBILITY - IAAS

[Diagram: layers Application, Hardware, Facility, Data, Network, Operating System, Controls Environment]

Customer:

• Application usage and user provisioning.

• Application security

• Database security

• Operating system configuration

Provider:

• Hardware provisioning and management

• Network management

• Facilities management

UNDERSTANDING RESPONSIBILITY - PAAS

[Diagram: layers Application, Hardware, Facility, Data, Network, Operating System, Controls Environment]

Customer:

• Application usage and user provisioning.

• Application development, deployment and security

• Database management and security

Provider:

• Operating system configuration and provisioning

• Hardware management

• Network management

• Facilities management

UNDERSTANDING RESPONSIBILITY - SAAS

[Diagram: layers Application, Hardware, Facility, Data, Network, Operating System, Controls Environment]

Customer:

• Application usage and user provisioning.

Provider:

• Application development, management and security

• Database management and security

• Operating system configuration

• Hardware management

• Network management

• Facilities management

CLOUD COMPUTING – EXAMPLE RASCI MODEL

RASCI legend:
  R  Responsible  "The doer"
  A  Accountable  "The buck stops here"
  S  Supported    "The helper"
  C  Consulted    "In the loop"
  I  Informed     "Notify me"

BEFORE (roles held per infrastructure layer)

  Infrastructure Layer                      Customer    Cloud Provider
  External Network & Security               R A S C I   -
  Applications: Configuration & Patching    R A S C I   -
  Internal Network & Security               R A S C I   -
  Operating System: Updates & Patching      R A S C I   -
  VMware                                    R A S C I   -
  Computing Hardware - "Bare Metal"         R A S C I   -

AFTER (roles held per infrastructure layer)

  Infrastructure Layer                      Customer    Cloud Provider
  External Network & Security               R A C I     R A S C I
  Applications: Configuration and Patching  R A C I     R A S C I
  Internal Network & Security               I           R A S C I
  Operating System: Updates & Patching      I           R A S C I
  VMware                                    I           R A S C I
  Computing Hardware - "Bare Metal"         I           R A S C I
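The RASCI matrix above is only useful if it is actually checked: the "Understanding Responsibility" slide asks for clear SLAs and comprehensive coverage, and a matrix makes both mechanically testable. The following is an added example, not part of the IAPP presentation; it encodes the slide's BEFORE and AFTER matrices as constructed Python data (the letters per cell are read from the slide), flags layers where nobody is Responsible or Accountable, flags layers where both parties are Accountable so the contract must say who actually owns them, and lists the layers whose ownership moved to the provider. The "Encryption key management" draft row is a constructed illustration of a gap, not something on the slide.

```python
"""Added example (not from the presentation): coverage checks over a RASCI
shared-responsibility matrix of the kind shown on the slide."""

ROLES = {"R": "Responsible", "A": "Accountable", "S": "Supported",
         "C": "Consulted", "I": "Informed"}

# Constructed from the slide's AFTER matrix: layer -> {party: set of role letters}
AFTER = {
    "External Network & Security":
        {"Customer": set("RACI"), "Cloud Provider": set("RASCI")},
    "Applications: Configuration and Patching":
        {"Customer": set("RACI"), "Cloud Provider": set("RASCI")},
    "Internal Network & Security":
        {"Customer": set("I"), "Cloud Provider": set("RASCI")},
    "Operating System: Updates & Patching":
        {"Customer": set("I"), "Cloud Provider": set("RASCI")},
    "VMware":
        {"Customer": set("I"), "Cloud Provider": set("RASCI")},
    'Computing Hardware - "Bare Metal"':
        {"Customer": set("I"), "Cloud Provider": set("RASCI")},
}

# Constructed from the slide's BEFORE matrix: the customer held every role,
# the provider had no column entries at all.
BEFORE = {layer: {"Customer": set("RASCI"), "Cloud Provider": set()}
          for layer in AFTER}

# Constructed draft row illustrating a coverage gap (not on the slide):
# both parties are merely consulted/supported/informed, so nobody owns it.
DRAFT = {
    "Encryption key management":
        {"Customer": set("CI"), "Cloud Provider": set("SI")},
}


def check_matrix(matrix):
    """Return (layer, kind, detail) findings.

    kind == "gap":    no party is Responsible or no party is Accountable,
                      i.e. the layer is not covered by anyone.
    kind == "shared": more than one party is Accountable; the SLA/contract
                      has to say who the buck actually stops with.
    """
    findings = []
    for layer, parties in matrix.items():
        for party, roles in parties.items():
            unknown = roles - set(ROLES)
            if unknown:
                raise ValueError(f"{layer}/{party}: unknown role letters {unknown}")
        responsible = [p for p, r in parties.items() if "R" in r]
        accountable = [p for p, r in parties.items() if "A" in r]
        if not responsible:
            findings.append((layer, "gap", "no party is Responsible"))
        if not accountable:
            findings.append((layer, "gap", "no party is Accountable"))
        elif len(accountable) > 1:
            findings.append((layer, "shared",
                             "Accountable: " + ", ".join(accountable)))
    return findings


def shifted_layers(before, after, party="Customer"):
    """Layers where `party` held R or A before the move and holds neither after.

    These are the layers whose operational ownership left the organisation;
    the compliance obligation for them usually did not (see "Outsourcing may
    not extend to compliance"), so each one needs provider evidence.
    """
    owner = {"R", "A"}
    return [layer for layer in before
            if owner & before[layer][party] and not owner & after[layer][party]]


if __name__ == "__main__":
    for name, matrix in (("BEFORE", BEFORE), ("AFTER", AFTER), ("DRAFT", DRAFT)):
        print(f"{name}:")
        for layer, kind, detail in check_matrix(matrix) or [("-", "ok", "no findings")]:
            print(f"  [{kind}] {layer}: {detail}")
    print("Ownership moved to the provider:", shifted_layers(BEFORE, AFTER))
```

Run against the slide's own matrices, the BEFORE state is clean, the AFTER state reports the two top layers as jointly Accountable (a contract question, not an error), and four layers show up as having moved to the provider; the constructed draft row is reported as an uncovered gap.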

KNOW WHERE THE DATA IS

• Customers and providers may have external obligations

• National / regional / local data management requirements

• Can data be moved without customer consent?

– Who can view it (subcontractors / offshore)

• Safeguarding for discovery

TAKE YOUR TIME

• Adoption is a process

• Management commitment

• Defined goals and stated objectives

• Involve all interested parties, especially information technology / information security

REAL-WORLD EXPERIENCES – BENEFITS

BENEFITS OF CLOUD COMPUTING

• Eliminates single points of failure

• Risk transfer to the cloud service provider

• Allows for the use of third-party expertise

BENEFITS OF CLOUD COMPUTING

• Time savings (varies by cloud model)

• Allows the organization to concentrate on core competencies

• Enhanced availability and continuity

REAL-WORLD EXPERIENCES – CHALLENGES

CHALLENGES OF CLOUD COMPUTING

• Relinquishing Control

– Reduced control of data as more responsibility shifts to third parties.

• Meeting Regulations

– Regulations govern the way data must be protected. The cloud service provider may not be heavily regulated, but its customers may be. As the customer's trusted supplier, the cloud service provider inherits the customer's requirements, meaning the cloud must have proper controls.

CHALLENGES OF CLOUD COMPUTING

• Business Interoperability

– Today's clouds must be able to communicate with each other and offer data portability.

• Convenience vs. Security

– Using the cloud, we want both convenient access and secure data protection, creating a difficult balancing act.

• Management Reporting

– To meet many of today's regulations, the ability to report where data is and how it is protected is essential.

CHALLENGES OF CLOUD COMPUTING

• Data Integration and Transfer

– We must find a way to transfer data into the cloud that is both safe and cost effective.

• Due diligence

– Allow time for a full assessment of prospective cloud service providers, appropriate to the model chosen, and understand the boundaries of responsibility.

Q&A

THANK YOU!