4. What Is Cloud Computing?
• The “cloud” is a metaphor for the Internet
– Leverages the connectivity of the Internet to optimize the utility of computing
• It is not new!
– Search is a cloud application (Google, Yahoo, Altavista)
– Internet-based email services are cloud applications (Gmail, Yahoo! Mail, Hotmail, AOL Mail)
– Social networking sites are cloud applications (Facebook, MySpace, forums)
– Similar to time-sharing and service bureau services from the mainframe days, or ASPs from the 90s
• Accessible anywhere with Internet access
– There are public, private, managed and hybrid clouds
6. Evolution Over The Years
(Timeline figure; axes: Time, Adoption)
– 1961: John McCarthy proposed 'computer time-sharing technology' to be sold through a utility business model (like electricity) in a lecture at MIT
– Mid 90’s: ASP (Application Service Provider) model with single-tenant hosting of applications
– Early 00’s: Software as a Service (SaaS) model with multi-tenant hosting of applications
– Late 00’s: Cloud Computing with pay-as-you-go model, leveraging virtualization for data center efficiencies and faster networks
14. What This Means To Security
(Figure: the service stack, top to bottom)
– Salesforce - SaaS
– Google AppEngine - PaaS
– Amazon EC2 - IaaS
The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
16. Be Prepared for Change
• Cloud industry is immature and growing rapidly
• New players will rapidly emerge to fill new market niches
• Consolidation of the industry at some point is inevitable
– You may not be as comfortable with the new entity
• Google, Amazon, IBM, Microsoft, Dell, HP, Cisco, CSC, and Verizon all active in this area
– Big players will create standards for security and governance
• Cloud computing is disruptive to existing business models and IT practices
– Disruptive technologies attract players who may not be around for the long term
17. Types of Issues
• Location (where is your data; what law governs?)
• Operational (including service levels and security)
• Legislation/Regulatory (including privacy)
• Third-party contractual limitations on use of cloud
• Security
• Investigative/Litigation (eDiscovery)
• Risk allocation/risk mitigation/insurance
18. Location Issues
• Where will your data be located?
– The cloud may be the ultimate form of globalization
• What law governs?
– You may or may not be able to control this by contract, as the law in some countries can trump contractual provisions
– State law is becoming increasingly relevant
– Complying with a patchwork of federal and state privacy laws
• Storing data in certain regions may not be acceptable to your customers, especially the government
19. Operational Issues
• Vendor lock-in issues
– Will you be bound to a certain application; platform; operating system?
– Some critics, such as Richard Stallman, have called it “a trap aimed at forcing more people to buy into locked, proprietary systems that will cost them more and more over time”
• Can you transfer data and applications to and from the cloud?
20. Operational Issues
• Backup/data restoration
• Disaster recovery
• Acceptable service levels
• What do you do if the Internet crashes?
– How is that risk allocated by contract?
• Data retention issues
– There are many legal and tax reasons that a company must retain data longer than the cloud vendor is prepared to
21. Regulatory/Governance Issues
• The more of these issues you have, the slower you will move to cloud computing
– Early growth in cloud computing will come from small and medium sized businesses and give them a competitive advantage
– A portion of cost savings will have to be reinvested into increased scrutiny of security capabilities of cloud providers
• Some regions, such as the EU, have stringent rules concerning moving certain types of data across borders
• Cloud computing not regulated – yet
22. Regulatory/Governance Issues
• Patriot Act/UK Regulation of Investigatory Powers Act
• Stored Communications Act (part of ECPA)
• National Security Letters (may not even know of investigation)
• PCI (credit card information)
• HIPAA (health-related information)
• GLB (financial services industry)
• FTC and state privacy laws
• ITAR, EAR, other export or trade restrictions will impact where data can be stored and who can store it
• Video rental records
• Fair Credit Reporting Act
• Violence Against Women Act
• Cable company customer records
23. Contracts Will Be The Key Legal Enforcement Mechanism
• Privileged user access
– Who has access to data and their backgrounds
• Regulatory compliance
– Vendor must be willing to undergo audits and security certifications
• Data location
– Can you control the physical location of your data?
• Security
– Implementation is a technical matter; responsibility is a legal one
24. Key Contractual Issues
• Data segregation
– Use of encryption to protect data – a sometimes tricky issue
• Recovery
– What happens to your data and apps in the event of a disaster?
– You should have test procedures in place
• Long-term viability
– What happens to data and apps if the company goes out of business?
• Investigative support
– Will the vendor investigate illegal or inappropriate activity?
• What happens in the event of a security breach?
25. Security Issues
• Physical security
– Physical location of data centers; protection of data centers against disaster and intrusion
• Operational security
– Who has access to facilities/applications/data?
– Will you get a “private cloud” or a service delivered more on a “utility” model?
• Programmatic security
– Software controls that limit vendor and other access to data and applications (firewalls; encryption; access and rights management)
– Encryption accidents can make data unusable
26. Investigative/Litigation Issues
• Third party access
– Subpoenas
• You may not even know about them if the vendor gets the subpoena
– Criminal/national security investigations
– Search warrants; possible seizures
• eDiscovery
– How are document holds enforced; metadata protected; information searched for and retrieved?
• You must have a clear understanding of what the cloud provider will do in response to legal requests for information
27. Intellectual Property Issues
• The big issue is trade secret protection
– If third parties have access to trade secret information, that could destroy the legal protection of trade secrets
– This can be ameliorated by appropriate contractual non-disclosure provisions
• Same concern for attorney-client privileged information
28. Risk Allocation/Management
• No benchmarks today for service levels
• No cloud vendor can offer a 100% guarantee
– The most trusted and reliable vendor can still fail
– Should replicate data and application availability at multiple sites
– Should you escrow data or application code?
• A premium will be charged based on the degree of accountability demanded
• Responsibility of customer to determine if it is comfortable with the risk of putting the service in the cloud
• Many publicly available cloud computing contracts limit liability of the hosting provider to a level that is not in line with the potential risk
• Cloud computing contracts resemble typical software licenses, although the potential risk is much higher
29. Insurance
• Will business interruption insurance provide coverage if your business goes down because of a problem at the cloud vendor?
• Do Commercial General Liability (CGL) or other types of liability coverage handle claims that arise from privacy breaches or other events at the cloud level?
• Are you covered if your cloud vendor gets hacked?
30. Checklist of Things to Consider
• Financial viability of cloud provider
• Plan for bankruptcy or unexpected termination of the relationship and orderly return or disposal of data/applications
– Vendor will want the right to dispose of your data if you don’t pay
• Contract should include agreement as to desired service level and the ability to monitor it
• Negotiate restrictions on secondary uses of data and who at the vendor has access to sensitive data
• Understand the cloud provider’s information security management systems
31. Checklist of Things to Consider
• Negotiate roles for response to eDiscovery requests
• Ensure that you have the ability to audit on demand and as regulatory and business needs require
– Companies subject to information security standards such as ISO 27001 must pass the same obligation on to subcontractors
• Make sure that cloud provider policies and processes for data retention and destruction are acceptable
• Provide for regular backup and recovery tests
• Consider data portability and application lock-in concerns
• Understand roles and notification responsibilities in the event of a breach
32. Checklist of Things to Consider
• Data encryption is very good for security, but potentially risky; make sure you understand it
– Will you still be able to decrypt data years later?
• Understand and negotiate where your data will be stored, what law controls and possible restrictions on cross-border transfers
• Third-party access issues
• Consider legal and practical liability for force majeure events
– Must be part of the disaster recovery and business continuity plan
• There is no substitute for careful due diligence
36. GRC Stack
(Figure: the four projects layered across private, community & public clouds, linking control requirements to provider assertions)
Family of 4 research projects:
– Cloud Controls Matrix (CCM)
– Consensus Assessments Initiative (CAI)
– Cloud Audit
– Cloud Trust Protocol (CTP)
37.
• Controls derived from guidance
• Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP, etc.
• Rated as applicable to S-P-I
• Customer vs. Provider role
• Help bridge the “cloud gap” for IT & IT auditors
38.
• Research tools and processes to perform shared assessments of cloud providers
• Integrated with Controls Matrix
• Version 1 CAI Questionnaire released Oct 2010, approximately 140 provider questions to identify presence of security controls or practices
• Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs
39.
• CSA STAR (Security, Trust and Assurance Registry)
– Public Registry of Cloud Provider self assessments
– Based on Consensus Assessments Initiative Questionnaire
• Provider may substitute documented Cloud Controls Matrix compliance
– Voluntary industry action promoting transparency
– Free market competition to provide quality assessments
• Provider may elect to provide assessments from third parties
44. AICPA SAS No. 70, Service Organizations
• A standard for reporting on a service organization’s controls affecting user entities' financial statements.
• Only for use by service organization management, existing user entities, and their auditors.
• Replaced by SSAE 16 SOC 1 in 2011
45. SAS No. 70, Service Organizations
Misuse:
• “SAS 70 Certified” or “SAS 70 Compliant”
• Controls related to subject matter other than internal control over financial reporting
• Made report public
46. Other Service Organization Control Reports (SOC)
Marketplace demand for detailed report on controls on subject matter other than internal control over financial reporting include:
– Security
– Availability
– Processing integrity
– Confidentiality
– Privacy
49. SOC Report Logos
(Figure: two logos)
– For CPAs who provide the services that result in a SOC 1, SOC 2 or SOC 3 report
– For service organizations that had a SOC 1, SOC 2 or SOC 3 engagement within the past year
51. SOC 1 Report (restricted use)
• Report on controls at a service organization relevant to a user entity’s internal control over financial reporting
52. SOC 2 Report (use determined by auditor)
• Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy
53. SOC 2 Reports – Type 1 and Type 2
• Both report on management’s description of a service organization’s system, and…
– Type 1 also reports on suitability of design of controls
– Type 2 also reports on suitability of design and operating effectiveness of controls
54. Security Assurance - A Better Way: AICPA SOC 2 Type 2 with the CSA CCM
• The SOC 2 Type 2 Attestation Standard (AT-101) allows for inclusion of other standards
• Use SOC 2 Report as the Assurance wrapper for any or all of the following:
– Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
– ISO 27001
– PCI-DSS
– HITECH
– NIST/FedRAMP
• One core set of audit work serves as the basis for multiple reports
Recommendation:
The Cloud Security Alliance has determined that for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services.*
*This conclusion is supported by the AICPA Technical Practice Aid titled “TIS Section 9530: Service Organization Controls Reports” published in November 2011.
There are 4 major categories in the Cloud Computing value chain; these are the target workloads and user base for each category. The first category is Software as a Service: application services delivered over the network on a subscription basis. Cisco WebEx, Salesforce, Microsoft and Google are perhaps the biggest providers here. Then there is Platform as a Service, which is software development frameworks and components delivered over the network on a pay-as-you-go basis. Examples of this are Google App Engine, Amazon Web Services and Microsoft Azure. The next category is Infrastructure as a Service, where compute, network and storage are delivered over the network on a pay-as-you-go basis. Amazon pioneered this with AWS (Amazon Web Services), and now IBM and most of the managed hosting market are entrants here also. The approach we are taking is to enable service providers to move into this area; we are not building our own Infrastructure as a Service offering for the general market. And of course, there is an IT foundation that has to keep all this going; Cisco intends to be the leading provider of enabling technology to both the service provider and enterprise markets.
NIST also breaks down cloud computing deployment models into four categories. Public clouds deliver computing services (SaaS, PaaS or IaaS) to the general market over the Internet. These are services where you can browse to a web site, enter a payment method, and begin using the service through your browser, along with all of the other customers of the service. Generally the cloud provider defines the user interfaces and architectures for these clouds. Private clouds deliver the NIST essential characteristics to a single organization, usually through either wholly owned or dedicated leased infrastructure. Hybrid clouds federate two or more cloud environments together, usually through both management and network interfaces. Virtual private cloud is actually a mechanism by which a private cloud can be simulated in public cloud infrastructure. Often, this looks like VPN connectivity from the corporate network into the public cloud providers’ data centers.
Ultimately, however, Cisco believes that these distinctions will be blurred by technologies that allow interoperability, federation and portability between combinations of public and private cloud environments. These combined clouds are typically known as “Hybrid Clouds”.
Under Statement on Auditing Standards (SAS) No. 70, published in 1992, CPAs were able to produce a report that would be an auditor-to-auditor communication (as well as one used by management of the service organization, existing user entities and their auditors) on either the design, or the design and effectiveness, of a user organization’s financial statement controls that have been outsourced to a service organization. With the growth in new technologies, global business opportunities and increased outsourcing, SAS 70 quickly attracted marketplace attention. 09/12/2012
Unfortunately, some organizations misinterpreted SAS 70 and tried to expand its use to indicate that they had been “SAS 70 certified” or were “SAS 70 compliant.” While SAS 70 focused only on financial controls at outsourced operations that have an impact on a company’s financial statements, organizations used these terms incorrectly to imply that controls over non-financial subject matters also were covered. In addition, some service organizations mistakenly made the report available to the public, particularly potential customers, when it was never meant for that purpose.
Based on these misuses of SAS 70 reports, it became clear that there was a need for a detailed report that was based on an examination of subject matter other than internal control over financial reporting. The emergence and growth of cloud computing, increased outsourcing of certain functions, and privacy concerns only further elevated this issue. The subjects identified, which are considered part of compliance and operations, were a service organization’s security, availability, processing integrity, confidentiality and privacy. We will discuss these areas in more detail later.
So, how did the AICPA address the marketplace demand? It split SAS 70 and replaced it with 2 new standards: Statement on Standards for Attestation Engagements (SSAE) 16 for service auditors, which is effective now, and a new SAS for user auditors (i.e. how to use a SOC report), which is effective for calendar year 2012 financial statement audits. This User Auditor standard is now incorporated into the Clarified Auditing Standards and can be found in AU-C 402 (Audit Considerations Relating to an Entity Using a Service Organization). Although written for auditors of entities that use 3rd-party service providers, the considerations in this standard are a relevant reference for Management as they oversee the effect of vendor relationships on their own internal control environment.
SSAE 16, Reporting on Controls at a Service Organization, applies when an entity outsources a business task or function to another entity (usually one that specializes in that task or function) and the data resulting from that task or function is incorporated into that entity’s financial statements. This relates to internal controls over financial reporting (essentially the replacement for the old SAS 70). Examples of outsourced tasks that would fall under SSAE 16 include payroll, benefit plans and payment processing.
Because of the extensive misunderstanding of SAS 70, the AICPA has developed a framework of reports to help prevent misunderstanding of SSAE 16 and to explain the additional levels of assurance now available. In particular, with the growth of cloud computing, the increase in outsourcing, and the proliferation of data breaches, service organizations are seeking some kind of “assurance” over controls other than internal control over financial reporting so their customers know that they have met a level of reliability and trust. The new SOC framework makes that assurance possible.
There are 3 types of “SOC” reports, which has opened up reporting from traditional third-party service providers (e.g. ADP, benefit plans, etc.) to a larger number of companies (e.g. cloud providers, data centers, event planners). You would work with your CPA to determine which type of report is appropriate. As an added benefit to service organizations, for a year after the engagement on its controls, the service organization can use a specially designed logo in its marketing and on its website. You’ll see that on the next slide. CPAs, service organizations and users can find out about what the reports mean, how they can be used and other information on a special webpage.
Here you see the two SOC logos. They are used for marketing purposes to promote the SOC brand. The logo on the top is for use by CPAs who provide the assurance engagements that result in a SOC 1, 2 or 3 report. The logo on the bottom is a marketing tool that service organizations can use in promotional material or display on their websites to show that they had one or more of the three SOC engagements performed within the year. Note that this is NOT a seal, which is only provided on SOC 3 engagements and is administered by the Canadian Institute of Chartered Accountants (CICA).
Here is a good summary of the three SOC reports. Notice that SOC 2 & 3 are based on Trust Service Principles and Criteria; more on that later. Now I’ll go into more detail on each.
The new SSAE 16 retains the original purpose of SAS 70. This option has been rebranded as a SOC 1 report (some call it an SSAE 16 report); SOC 1 is easier to say.
One or more of these areas may be addressed in a single report. The door is open for other potential areas (e.g. compliance: HIPAA, Red Flag Rules, Dodd-Frank conflict minerals, etc.). The report helps user organization management carry out its responsibility for monitoring the services it receives, including the operating effectiveness of a service organization’s controls over those services.
Security: the system is protected against unauthorized access (both physical and logical). Availability: the system is available for operation and use as committed or agreed (SLA). Processing integrity: system processing is complete, accurate, timely, and authorized. Confidentiality: information designated as confidential is protected as committed or agreed. Privacy (thoughts on how privacy might differ from confidentiality?): personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA (found in appendix D [paragraph .48]). Unlike personal information, which is defined by regulation in a number of countries worldwide and is subject to the privacy principles, there is no widely recognized definition of what constitutes confidential information (e.g. IP, M&A). Guesses at the most common criteria used? Security, Privacy.
Can’t we just combine a SOC 1 and SOC 2 report by including SOC 2 criteria in a SOC 1 report? Because of the similarities between SOC 1 and SOC 2 reports, our clients may assume that SOC 2 reports, or portions thereof, provide assurance over their ICFR. However, as noted above, controls associated with SOC 2 reports are generally not relevant to a user entity’s ICFR and, as such, SOC 2 reports are not intended for use in financial statement or ICFR audits. If you receive a SOC 2 report from your vendor, you are encouraged to contact the vendor to request a SOC 1 report.
IT is the biggest area of confusion. There is some overlap between IT controls in a SOC 1 and a SOC 2 (especially Security and Processing Integrity); SOC 1 focuses on controls over ICFR (IT General Controls: Access to Programs and Data, Program Changes, Program Development, and Computer Operations).
Similar to SOC 1, Type 1 reports cover suitability of control design, while Type 2 reports also cover control operating effectiveness. Type 1 is a point in time; Type 2 covers a reporting period.