Cloud Security Assurance for the International Association of Privacy Professionals

1. 1
IAPP Atlanta Chapter
February 22, 2013
Cloud Assurance Basics
Phil Agcaoili
CISO, Cox Communications
Founding Member, Cloud Security Alliance (CSA)
Co-Founder and Co-Author, CSA Cloud Controls Matrix (CCM)
Co-Founder Security, Trust, & Assurance Registry (STAR) and GRC Stack

2. 2
agenda
• Intro to cloud computing
• Legal and privacy concerns to consider
• Latest developments of cloud security and
assurance standards

3. 3
Intro to cloud computing

4. What Is Cloud Computing?
4
• The “cloud” is a metaphor for the Internet
– Leverages the connectivity of the Internet to optimize the utility of
computing
• It is not new!
– Search is a cloud application (Google, Yahoo, Altavista)
– Internet-based email services are cloud applications (Gmail, Yahoo!
Mail, Hotmail, AOL Mail)
– Social networking sites are cloud applications (Facebook, MySpace,
Forums)
– Similar to time-sharing and service bureau services from the mainframe
days, or ASP’s from the 90’s
• Accessible anywhere with Internet access
– There are public, private, managed and hybrid clouds

5. The Consumer’s View of Cloud
5
...Everything is
Cloud
Presentation_ID2008 Cisco Systems, Inc. All rights reserved. Confidential
© Cisco

6. Evolution Over The Years
6
Cloud Computing with pay
as you go model, leveraging
virtualization for data center
efficiencies and faster
networks
Software as a Service
(SaaS) model with multi-
Adoption
tenant hosting of
applications
ASP (Application Service
John McCarthy Provider) model with
proposed 'computer time- single tenant hosting of
sharing technology' to be applications
sold through utility
business model (like
electricity) in a lecture at
MIT
1961 Mid 90’s Early 00’s Late 00’s
Time

7. The Technical View of Cloud 7
Presentation_ID2008 Cisco Systems, Inc. All rights reserved. Confidential
© Cisco

8. NIST Cloud Deployment Models
8
Application Applications at Scale
(SaaS) (End users)
Platform Execution Platforms at
as a Scale
Service (Developers)
Infrastructu Infrastructure at Scale
re (System Administrators)
as a Service
Enabling Cloud Service Delivery at
Technology Scale
(Public / Private Cloud
Providers)
Presentation_ID2008 Cisco Systems, Inc. All rights reserved. Confidential
© Cisco

9. Cloud Model :: Infrastructure as a Service (IaaS)
9

10. Cloud Model :: Platform as a Service (PaaS)
10

11. Cloud Model :: Software as a Service (SaaS)
11

12. NIST Cloud Deployment Models
12
Cloud infrastructure made
Public
available to the general
Cloud
public.
Cloud infrastructure operated
Private solely for an organization.
Cloud
Cloud infrastructure composed
Hybrid of two or more clouds that
Cloud interoperate or federate
through technology
Cloud infrastructure shared by
Community several organizations and
Cloud supporting a specific community
… and one other
Cloud services that simulate
Virtual the private cloud experience in
Private public cloud infrastructure
Cloud
Presentation_ID2008 Cisco Systems, Inc. All rights reserved. Confidential
© Cisco

13. Enterprise Deployment Models
Distinguishing Between Ownership and 13
Control
Internal Resources External Resources
All cloud All cloud
Ownership resources resources
owned by or owned by
dedicated to Cloud
Hybrid providers;
enterprise used by many
Interoperabil customers
ity and
portability
Private Cloud Public Cloud
among Public
and/or
Cloud Private Cloud Cloud
Control definition/systems definition/
governance governance
controlled controlled
by by provider
enterprise
Presentation_ID2008 Cisco Systems, Inc. All rights reserved. Confidential
© Cisco

14. What This Means To Security
14
The lower down the stack the
Salesforce - Cloud provider stops, the
SaaS more security you are
tactically responsible for
implementing & managing
yourself.
Google AppEngine - PaaS
Amazon EC2 - IaaS

15. 15
Legal and privacy
concerns to consider

16. Be Prepared for Change
16
• Cloud industry is immature and growing rapidly
• New players will rapidly emerge to fill new market niches
• Consolidation of the industry at some point is inevitable
– You may not be as comfortable with new entity
• Google, Amazon, IBM, Microsoft, Dell, HP, Cisco, CSC, and Verizon
all active in this area
– Big players will create standards for security and governance
• Cloud computing is disruptive to existing business
models and IT practices
– Disruptive technologies attract players who may not be around
for the long term

17. Types of Issues
17
• Location (where is your data; what law governs?)
• Operational (including service levels and security)
• Legislation/Regulatory (including privacy)
• Third-party contractual limitations on use of cloud
• Security
• Investigative/Litigation (eDiscovery)
• Risk allocation/risk mitigation/insurance

18. Location Issues
18
• Where will your data be located?
– The cloud may be the ultimate form of globalization
• What law governs?
– You may or may not be able to control this by contract as the law
in some countries can trump contractual provisions
– State law is becoming increasingly relevant
– Complying with a patchwork of federal and state privacy laws
• Storing data in certain regions may not be acceptable to
your customers, especially the government

19. Operational Issues
19
• Vendor lock-in issues
– Will you be bound to a certain application; platform; operating
system?
– Some critics, such as Richard Stallman, have called it “a trap
aimed at forcing more people to buy into locked, proprietary
systems that will cost them more and more over time”
• Can you transfer data and applications to and from the
cloud?

20. Operational Issues
20
• Backup/data restoration
• Disaster recovery
• Acceptable service levels
• What do you do if the Internet crashes?
– How is that risk allocated by contract?
• Data retention issues
– There many legal and tax reasons that company must retain
data longer than cloud vendor is prepared to do so

21. Regulatory/Governance Issues
21
• The more of these issues you have, the slower you will
move to cloud computing
– Early growth in cloud computing will come from small and
medium sized businesses and give them a competitive
advantage
– Portion of cost savings will have to be reinvested into increased
scrutiny of security capabilities of cloud providers
• Some regions, such as the EU, have stringent rules
concerning moving certain types of data across borders
• Cloud computing not regulated –yet

22. Regulatory/Governance Issues
22
• Patriot Act/UK Regulation of Investigatory Powers Act
• Stored Communications Act (part of ECPA)
• National Security Letters (may not even know of
investigation)
• PCI (credit card information)
• HIPAA (health-related information)
• GLB (financial services industry)
• FTC and state privacy laws
• ITARS, EARS, other export or trade restrictions will
impact where data can be stored and who can store it
• Video rental records
• Fair Credit Reporting Act
• Violence Against Women Act
• Cable company customer records

23. Contracts Will Be The Key
Legal Enforcement Mechanism 23
• Privileged user access
– Who has access to data and their backgrounds
• Regulatory compliance
– Vendor must be willing to undergo audits and security
certifications
• Data location
– Can you control the physical location of your data?
• Security
– Implementation is a technical matter; responsibility is a legal one

24. Key Contractual Issues
24
• Data segregation
– Use of encryption to protect data –a sometimes tricky issue
• Recovery
– What happens to your data and apps in the event of a disaster?
– You should have test procedures in place
• Long-term viability
– What happens to data and apps if company goes out of
business?
• Investigative support
– Will vendor investigate illegal or inappropriate activity?
• What happens in the event of a security breach?

25. Security Issues
25
• Physical security
– Physical location of data centers; protection of data centers
against disaster and intrusion
• Operational security
– Who has access to facilities/applications/data?
– Will you get a “private cloud” or a service delivered more on a
“utility” model?
• Programmatic security
– Software controls that limit vendor and other access to data and
applications (firewalls; encryption; access and rights
management)
– Encryption accidents can make data unusable

26. Investigative/Litigation Issues
26
• Third party access
– Subpoenas
• You may not even know about them if vendor gets the subpoena
– Criminal/national security investigations
– Search warrants; possible seizures
• eDiscovery
– How are document holds enforced; metadata protected;
information searched for and retrieved?
• You must have clear understanding of what cloud
provider will do in response to legal requests for
information

27. Intellectual Property Issues
27
• The big issue is trade secret protection
– If third parties have access to trade secret information, that could
destroy the legal protection of trade secrets
– This can be ameliorated by appropriate contractual non-
disclosure provisions
• Same concern for attorney-client privileged information

28. Risk Allocation/Management
• No benchmarks today for service levels 28
• No cloud vendor can offer a 100% guarantee
– The most trusted and reliable vendor can still fail
– Should replicate data and application availability at multiple sites
– Should you escrow data or application code?
• A premium will be charged based on the degree of accountability
demanded
• Responsibility of customer to determine if it is comfortable with risk
of putting service in the cloud
• Many publicly available cloud computing contracts limit liability of
hosting provider to a level that is not in line with the potential risk
• Cloud computing contracts resemble typical software licenses,
although potential risk is much higher

29. Insurance
29
• Will business interruption insurance provide coverage if
your business goes down because of problem at cloud
vendor?
• Do Commercial General Liability (CGL) or other types of
liability coverage handle claims that arise from privacy
breaches or other events at the cloud level?
• Are you covered if your cloud vendor gets hacked?

30. Checklist of Things to Consider
30
• Financial viability of cloud provider
• Plan for bankruptcy or unexpected termination of the
relationship and orderly return of disposal of
data/applications
– Vendor will want right to dispose of your data if you don’t pay
• Contract should include agreement as to desired service
level and ability to monitor it
• Negotiate restrictions on secondary uses of data and
who at the vendor has access to sensitive data
• Understand cloud provider’s information security
management systems

31. Checklist of Things to Consider
• Negotiate roles for response to eDiscovery requests
31
• Ensure that you have ability to audit on demand and
regulatory and business needs require
– Companies subject to information security standards such as
ISO 27001, must pass to subs same obligation
• Make sure that cloud provider policies and processes for
data retention and destruction are acceptable
• Provide for regular backup and recovery tests
• Consider data portability application lock-in concerns
• Understand roles and notification responsibilities in event
of a breach

32. Checklist of Things to Consider
32
• Data encryption is very good for security, but potentially
risky; make sure you understand it
– Will you still be able to de-crypt data years later?
• Understand and negotiate where your data will be
stored, what law controls and possible restrictions on
cross-border transfers
• Third-party access issues
• Consider legal and practical liability for force majeure
events
– Must be part of disaster recovery and business continuity plan
• There is no substitute for careful due diligence

33. 33
Latest developments in
cloud security assurance
CSA Cloud Controls Matrix (CCM)
AICPA SOC Reports
CSA Open Certification Framework (OCF)

34. 34

35. 35
Our research includes
fundamental projects
needed to define and
implement trust within the
future of information
technology
CSA continues to be
aggressive in producing
critical research, education
and tools
22 Active Work Groups and
10 in the pipeline
Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org
Copyright © 2012 Cloud Security Alliance

36. 36
GRC Stack
Family of 4 research
projects
Cloud Controls Matrix (CCM)
Consensus Assessments Initiative
(CAI)
Cloud Audit
Cloud Trust Protocol (CTP)
Private,
Private,
Community &
Community &
Control Public Clouds
Public Clouds Provider
Requirement Assertion
s s

37. 37
• Controls derived from
guidance
• Mapped to familiar
frameworks: ISO 27001,
COBIT, PCI, HIPAA, FISMA,
FedRAMP, etc.
• Rated as applicable to S-P-I
• Customer vs. Provider role
• Help bridge the “cloud gap”
for IT & IT auditors

38. 38
• Research tools and processes to
perform shared assessments of cloud
providers
• Integrated with Controls Matrix
• Version 1 CAI Questionnaire released
Oct 2010, approximately 140
provider questions to identify
presence of security controls or
practices
• Use to assess cloud providers today,
procurement negotiation, contract
inclusion, quantify SLAs

39. 39
• CSA STAR
(Security,
Trust and Assurance Registry)
– Public Registry of Cloud Provider self assessments
– Based on Consensus Assessments Initiative
Questionnaire
• Provider may substitute documented Cloud Controls Matrix
compliance
– Voluntary industry action promoting transparency
– Free market competition to provide quality
assessments
• Provider may elect to provide assessments from third parties

40. Security Assurance - A Better Way
CSA Open Certification Framework (OCF)
40
The CSA Open Certification Framework is an industry initiative to allow
global, accredited, trusted certification of cloud providers.
The CSA Open Certification Framework is a program for flexible,
incremental and multi-layered cloud provider certification according to the
Cloud Security Alliance’s industry leading security guidance and control
objectives.
The program will integrate with popular third-party assessment and
attestation statements developed within the public accounting community to
avoid duplication of effort and cost.
~Jim Reavis & Daniele Catteddu; CSA~
Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.o

41. Security Assurance - A Better Way
CSA Open Certification Framework (OCF)
OCF Level 1: CSA STAR Registry 41
CSA STAR (Security, Trust and Assurance Registry)
Public Registry of Cloud Provider self assessments
Based on Consensus Assessments Initiative Questionnaire (CAIQ)
Provider may substitute documented Cloud Controls Matrix
compliance
Voluntary industry action promoting transparency
Free market competition to provide quality assessments
Provider may elect to provide assessments from third parties
Available since October 2011
Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.or

42. OCF: The structure
42
The open certification framework is structured on 3 LEVELs of TRUST,
each one of them providing an incremental
level of visibility and transparency into the operations of the Cloud
Service Provider and a higher level of assurance to the Cloud
consumer.
Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.o

43. 43
Service Organization Control Reports (SOC)

44. AICPA SAS No. 70, Service Organizations
44
•A standard for reporting on a service
organization’s controls affecting user entities'
financial statements.
•Only for use by service organization
management, existing user entities, and their
auditors.
•Replaced by SSAE 16 SOC 1 in 2011

45. SAS No. 70, Service Organizations
45
Misuse:
•“SAS 70 Certified” or “SAS 70 Compliant”
•Controls related to subject matter other than
internal control over financial reporting
•Made report public

46. Other Service Organization Control
Reports (SOC) 46
Marketplace demand for detailed
report on controls on subject
matter other than internal control
over financial reporting include:
 Security
 Availability
 Processing integrity
 Confidentiality
 Privacy

47. How the AICPA Addressed Issues
47

48. Service Organization Control (SOC) Reports
48

49. SOC Report Logos
49
For CPAs who provide the
services that result in a SOC 1,
SOC 2 or SOC 3 report
For service organizations that
had a SOC 1, SOC 2 or SOC 3
engagement within the past
year

50. New Standards and Names
50
Trust Services Principles and Criteria

51. SOC 1 Report (restricted use)
51
• Report on controls at a service
organization relevant to a user
entity’s internal control over
financial reporting

52. SOC 2 Report (use determined by auditor)
52
• Report on controls at a
service organization relevant to
security, availability, processing
integrity, confidentiality or privacy

53. SOC 2 Reports – Type 1 and Type 2
53
• Both report on management’s
description of a service
organization’s system, and…
 Type 1 also reports on suitability of design of
controls
 Type 2 also reports on suitability of design
and operating effectiveness of controls

54. Security Assurance - A Better Way
AICPA SOC 2 Type 2 with the CSA CCM
54
•The SOC 2 Type 2 Attestation Standard (AT-101) allows for inclusion of
other standards
•Use SOC 2 Report as the Assurance wrapper for any or all of the following:
–Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
–ISO27001
–PCI-DSS
–HITECH
–NIST/FedRamp
•One core set of audit work serves as the basis for multiple reports
Recommendation:
The Cloud Security Alliance has determined that for most cloud providers, a
SOC 2 Type 2 attestation examination conducted in accordance with AICPA
standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix
(CCM) as additional suitable criteria is likely to meet the assurance and
reporting needs of the majority of users of cloud services.
*This conclusion is supported by the AICPA Technical Practice Aid titled “TIS Section 9530:
Service Organization Controls Reports” published in November 2011.

55. About the Cloud Security Alliance
55
Global, not-for-profit organisation
Over 40,000 individual members, more than 160 corporate
members, over 60 chapters
Building best practices and a trusted cloud ecosystem
Agile philosophy, rapid development of applied research
GRC: Balance compliance with risk management
Reference models: build using existing standards
Identity: a key foundation of a functioning cloud economy
Champion interoperability
Enable innovation
Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance within Cloud
Computing, and provide education on the uses of Cloud Computing to help secure
all other forms of computing.”
Copyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.o

56. Questions & Answers 56
Thank you.
Phil Agcaoili
phil.agcaoili@cox.com
Twitter @hacksec
www.cloudsecurityalliance.org
http://www.aicpa.org
Promoting Privacy