SlideShare a Scribd company logo

The Art of Cloud Auditing - ISACA ID

Eryk Budi Pratama
Eryk Budi Pratama

Presented at ISACA Indonesia Monthly Technical Meeting, 11 Dec 2019 at Telkom Landmark. Key takeaways from my presentation: 1. Cloud customers have to understand the share responsibilities between customer and cloud provider 2. Different cloud service model (IaaS, PaaS, SaaS) has different audit methodology 3. Customer’s IT Auditor have to be trained to have the skills needed to audit the cloud service 4. Understanding IAM in Cloud is very important. Each Cloud Service Provider has different IAM mechanism 5. Understanding different type of audit logs in cloud platform is important for IT Auditor

Technology
1 of 38
11 THE ART OF CLOUD AUDITING Eryk Budi Pratama CSX Team ISACA Indonesia Chapter 11 December 2019
About Me ❑CSX Team Member, ISACA ID ❑Cyber Security & IT Advisory Professional ❑Community Enthusiast ❑Blogger / Writer ❑Knowledge Hunter ❑Do some “magic” ❑https://medium.com/@proferyk ❑https://www.slideshare.net/proferyk https://www.linkedin.com/in/erykbudipratama/
ISACA Indonesia Chapter (Join Us ☺) http://www.isaca.or.id The chapter was established in 1993. We have been and continue organizing various talks, seminars, conference, forums and other activities to keep our members informed of the latest audit, security and control issues which members can attend at concession rates. Growing number of members of more than 700, with 400++ ISACA certified members from various industry https://www.isaca.org
Setup the Context Industry, Geography, Sector, Market, Regulatory Environment Management, Funding, Staffing Levels & Competencies, Strategy & Initiatives Procure to Pay, HR, Operations, Revenue & Receivables, SG&A, Marketing, Legal SaaS, On-Premise (tied to lines of business and processes) App Code, Databases, OS, Hypervisors, Compute, Networks (SAN, Backup, WAN/LAN) Business Processes Application Infrastructure Micro Macro Know how each layer impacts the others What should not go to the cloud? Why? How does this broader context affect your perspective of cloud services ? Common IT focus
Cloud Risk & Security
Deployment Model Service Model Essential Characteristics 6 Cloud Computing – Know the Basic Cloud computing is a very clearly defined computing model with essential characteristics On-demand self service Broad access network Resource pooling Rapid elasticity Measured service Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) Public Private Hybrid Community
7 Common Cloud Risk Questions What do you believe to be the most common cloud risks? Account lock-out / resource hijacking • Who has administrative control over the service or account? Misconfiguration leading to a breach • How can we assess the security and appropriateness of configurations? Loss of control • How are we defining control in the context of the cloud? Asymmetries between the provider and customer • Who has greater power in negotiations (T&Cs / Pricing)? Multi-tenancy • What are the impact of multi-tenancy? Jurisdictional • How does the location of services impact legal / compliance requirements?
Shared Responsibilities for Cloud Risk & Security The adoption of cloud introduces a shared responsibility model for security. Consumers have the most responsibility with IaaS and least with SaaS cloud models. Organizations should clearly define cloud security roles and responsibilities and ensure cloud vendor contracts, cloud vendor implementations, and control operations address gaps. Infrastructure as a Service Physical Hosting Network Infrastructure Storage Infrastructure Compute Infrastructure Platform Application Software as a Service Physical Hosting Network Infrastructure Storage Infrastructure Compute Infrastructure Platform Application Shared Shared Shared Platform as a Service Physical Hosting Network Infrastructure Storage Infrastructure Compute Infrastructure Platform Application Physical Hosting Network Infrastructure Storage Infrastructure Compute Infrastructure Platform Application On-Premise Service Demarcation: SLAs and Roles & Responsibilities Security, Monitoring & Governance: Critical Foundation Client Cloud Provider
Cloud Risk per Cloud Service Model Infrastructure as a Service Platform as a Service Software as a Service ▪ Virtual Server Images ✓ Controls for how a virtual server images are created/destroyed ✓ Controls for maintaining the integrity of server images ▪ Virtual Server Inventory ✓ IaaS servers should have an audit record for when they were started and ended ▪ Security Policy ✓ The use of consistent automated tools ✓ Who will manage the kernels ▪ Application Development ✓ Specific requirements and controls are in place to filter or detect unwanted code/malicious code ▪ Environment Separation ✓ Separation from other applications ▪ Software Development Life Cycle (SDLC) ✓ New risks may exist as Cloud Computing can expand and shorten the SDLC cycle ▪ Licensing ✓ Examine tools used for usage tracking and licensing ✓ Examine accuracy of reporting ▪ Environment Separation ✓ Separation from other applications ▪ Software Development Life Cycle ✓ New risks may exist as Cloud Computing can expand and shorten the SDLC cycle ▪ Management of Software Dependencies ✓ Due to technical architecture complexity and potentially restrictions by the cloud provider, replicating data back to the enterprise or to another provider may be difficult
10 Critical Areas of Focus in Cloud Computing The domains are divided into two broad categories: Governance and Operations. The governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture. Governance and Enterprise Risk Management Legal Issues: Contracts and Electronic Discovery Compliance and Audit Management Information Governance Management Plane and Business Continuity Infrastructure Security Virtualization and Containers Incident Response, Notification and Remediation Application Security Data Security and Encryption Identity, Entitlement, and Access Management Security as a Service Related Technologies
11 Top Cloud Security Risks based on ENISA Top Cloud Risk Loss of Governance Lock-In Data Protection Compliance Risk Isolation Failure Management Interface Compromise In using cloud infrastructures, the client necessarily hand over control to the Cloud Provider (CP) on a number of issues which may affect security. At the same time SLAs may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defenses There is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment Cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud: (1) IF the CP cannot provide evidence of their own compliance with the relevant requirements or (2) IF the CP does not permit audit by the cloud customer (CC) This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so- called guest-hopping attacks). Customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk
Auditing the Cloud
13 The Future of Audit The issues that will have the greatest impact on the audit profession over the next three to five years Source: https://images.forbes.com/forbesinsights/StudyPDFs/KPMG-AFocusOnChange-REPORT.pdf
14 Typical Audit Plan ▪ Internal Controls ▪ Regulatory Requirements ▪ Vendor Management Requirements (Second/Third Party Audit) ▪ Policy Procedures ▪ Business Processes ▪ Functions ▪ Applications ▪ Infrastructure ▪ Vendors / Cloud Provider(s) Some basic questions when building cloud audit plan:Audit Objectives Audit Scope Cloud Audit Context Is the service or application authorized to be in the cloud? What is the role of the application or service? What type of information or data is used by the application? Do we have the right skills, competencies and staff to operate in the cloud? Have risks changed given the use of cloud services be they SaaS or IaaS?
15 Auditing Challenges with Cloud Computing A disruptive technology, like cloud computing, can impact “how” to audit ❑ Understanding the scope of the cloud computing environment ✓ Do you use the same matrix for public clouds as for private clouds? (internal vs external) ✓ The concept of a perimeter in a multi-tenant environment doesn’t make sense anymore ❑ Can your current risk assessment capture the risks correctly? ❑ Sample selection ✓ What is the universal population from which to pick a sample from? ✓ What would your sample selection methodology be in a highly dynamic environment? ✓ A snapshot in time may depend if it’s a high or low peak point in time ❑ Audit trails ✓ How do you “test” historical data if there was no audit trail? ❑ Other ✓ Educating the audit committee ✓ Overcoming internal barriers restricting the early involvement of internal audit as a ‘risk advisor’ to the business and IT
16 Standards applicable to cloud security auditing Standard Type Strength Sponsoring Organization Service Organization Control 2 Audit for outsourced service Technology neutral AICPA ISO 27001 & 27002 Traditional security audit Technology neutral ISO NIST SP800-53 rev 4 Federal Government audit Technology neutral NIST Cloud Security Alliance Cloud-specific audit Dedicated to cloud security auditing CSA PCI DSS PCI Qualified Security Assessor cloud supplement Cloud specific and provide guidance PCI DSS
17 Auditing the Cloud Service Organization Control (SOC) ▪ Service Organization are replacing traditional in-house functions (payroll processing, medical claims processing, human resources, document, workflow, and tax processing) ▪ SOC for Service Organizations reports help service providers build trust and confidence in their services and controls ▪ SOC 1 Pertains to financial controls ▪ SOC 2 Pertains to trust services (Security, Availability, Confidentiality, Process Integrity, and Privacy) ▪ SOC 3 Also pertains to trust services (Security, Availability, Confidentiality, Process Integrity, and Privacy) ▪ SOC for Cybersecurity - To provide intended users with information about an entity’s cybersecurity risk management program for making informed decisions ▪ SOC Type I & II Internal and External Audit Customer and Cloud Service Provider
18 SOC Comparison SOC Type Who Uses the Audit Info Why What the Audit Reports On SOC 1 Users’ controller’s office and users’ auditors Audits of financial statements Internal controls over financial statements SOC 2 Internal management, regulators ▪ GRC programs ▪ Oversight ▪ Due Diligence Security, availability, processing integrity and privacy controls SOC 3 General public ▪ Marketing Purposes ▪ Detail not required General customer assurance, marketing SOC Cybersecurity Senior management, board of directors, analysts, investors, business partners To provide intended users with information about an entity’s cybersecurity risk management program for making informed decisions Enterprise-wide cybersecurity risk management program
19 Service Organization Controls - SOC 2 and 3 AICPA guidance — Footnote 1 of TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids), contains the following definition of a system: ▪ Infrastructure — The physical and hardware components of a system (facilities, equipment, and networks) ▪ Software — The programs and operating software of a system (systems, applications, and utilities) ▪ People — The personnel involved in the operation and use of a system (developers, operators, users, and managers) ▪ Procedures — The automated and manual procedures involved in the operation of a system ▪ Data — The information used and supported by a system (transaction streams, files, databases, and tables) Criteria for evaluating and reporting on controls related to security, availability, processing integrity, confidentiality, and privacy: ▪ Security — The system is protected against unauthorized access (both physical and logical). ▪ Availability — The system is available for operation and use as committed or agreed. ▪ Processing integrity — System processing is complete, accurate, timely, and authorized. ▪ Confidentiality — Information designated as confidential is protected as committed or agreed. ▪ Privacy — Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP)
20 SOC 2 Applicability Considerations of where SOC2 reports may be applicable for your organization, SOC 2 Reports are applicable when an entity outsources the collection, processing, transmission, storing, organizing, maintenance or disposal of the entity’s information. Here are some examples where a SOC 2 report should be obtained: Cloud Service Providers Fintech Intellectual Property Protection Sales Force Automation HealthCare Providers and Payers, HIPAA Data Center Hosting Service Providers
21 Service Organization Controls - SOC 2/3 Security ▪ IT security policy ▪ Security awareness and communication ▪ Risk assessment ▪ Physical access ▪ Environmental controls ▪ Security monitoring (breaches) ▪ User authentication ▪ Incident management ▪ Asset classification and management ▪ Systems development and maintenance ▪ Logical access ▪ Configuration management Availability Confidentiality Processing Integrity Privacy ▪ Availability policy ▪ Backup and restoration ▪ Disaster recovery ▪ Confidentiality policy ▪ Confidentiality of inputs ▪ Confidentiality of data processing ▪ Confidentiality of outputs ▪ Information disclosures (including third parties) ▪ Confidentiality of Information in systems development ▪ System processing integrity policies ▪ Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs ▪ Information tracing from source to disposition ▪ Notice ▪ Choice ▪ Access ▪ Security ▪ Data Integrity ▪ Training and Awareness ▪ Enforcement and Compliance
22 Cloud Security Alliance - Cloud Controls Matrix The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. ▪ It provides a controls framework is aligned to the Cloud Security Alliance guidance in 16 domains. ▪ The foundations rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP ▪ It will augment or provide internal control direction for SOC attestations provided by cloud providers.
23 Cloud Security Alliance - Cloud Controls Matrix The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) domains. 1. Application & Interface Security 2. Audit Assurance & Compliance 3. Business Continuity Management & Operational Resilience 4. Change Control & Configuration Management 5. Data Security & Information Lifecycle Management 6. Datacenter Security 7. Encryption & Key Management 8. Governance and Risk Management 9. Human Resources 10. Identity & Access Management 11. Infrastructure & Virtualization Security 12. Interoperability & Portability 13. Mobile Security 14. Security Incident Management, E-Discovery & Cloud Forensics 15. Supply Chain Management, Transparency and Accountability 16. Threat and Vulnerability Management
24 CSA CCM Working Paper Service Model Cloud Provider vs Customer
25 CSA CCM Working Paper Mapping to AICPA Trust Service Criteria
Cloud Audit Implementation - Example Disclaimer: Because of time limitation to present the material, for example purpose, this section will cover the overview of Google Cloud features which support audit function as the speaker experience is on GCP platform.
27 Identity and Access Management in GCP Source: https://cloud.google.com/iam/docs/overview Policy is set on a resource, and each policy contains a set of: ▪ Roles ▪ Role members Resources inherit policies from parent: ▪ Resource policies are a union of parent and resource. If parent policy is less restrictive, it overrides a more restrictive resource policy Understanding IAM in Cloud is very important !!!
28 Permissions Management in GCP Source: https://cloud.google.com/iam/docs/overview
29 Audit Logs in GCP Cloud Audit Logs returns three types of logs: Log Entry Type Description Operations (sample) Retention Period Admin Activity Contains log entries for operations that modify the configuration or metadata of a Compute Engine resource. Any API call that modifies a resource such as creation, deletion, updating, or modifying a resource using a custom verb fall into this category ▪ Creating resources ▪ Updating/patching resources ▪ Setting/changing metadata ▪ Setting/changing tags ▪ Setting/changing labels ▪ Setting/changing permissions 400 days System Event Contains log entries for system maintenance operations on Compute Engine resources ▪ On host maintenance ▪ Instance preemption ▪ Automatic restart ▪ Instance reset 400 days Data Access Contains log entries for operations that perform read-only operations that don't modify any data, such as get, list, and aggregated list methods. (ADMIN_READ and DATA_READ) ▪ Getting information about a resource ▪ Listing resources ▪ Listing resources across scope (aggregated list requests) 30 days Understanding different type of audit logs is important !!!
30 Groups vs Label vs Tags Source: https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources Labels -> billing / cost transparency Tags -> manage network traffic Security Marks -> resource grouping
31 Scenario - Monitoring and Logging for Cloud Functions
32 Scenario - Logging the Kubernetes Engine
33 Scenario - Logging with Kubernetes Engine
34 Cloud Audit Logs Best Practices Cloud Audit Logs is a powerful tool that can help you manage and troubleshoot your GCP environment, as well as demonstrate compliance. Here are some best practices to keep in mind: ❑ Use a test project to validate the configuration of your data-access audit collection before propagating to developer and production projects ❑ Be sure you’ve applied appropriate IAM controls to restrict who can access the audit logs ❑ Determine whether you need to export logs for longer-term retention ❑ Design aggregated exports on which your organization can filter and export the data for future analysis ❑ Configure log sinks before you start receiving logs ❑ Follow the best practices for common logging export scenarios ❑ Make sure to use exclusion filters to exclude logging data that isn’t useful.
35 See the difference between “IT Auditor” and “Engineer Auditor” ? General Control Specific Controlvs Surrounding environment Specific Resources
36 KEY TAKEAWAYS Cloud customers have to understand the share responsibilities between customer and cloud provider Different cloud service model (IaaS, PaaS, SaaS) has different audit methodology Customer’s IT Auditor have to be trained to have the skills needed to audit the cloud service Understanding IAM in Cloud is very important. Each Cloud Service Provider has different IAM mechanism Understanding different type of audit logs in cloud platform is important for IT Auditor
Case Studies Notes: Contact me directly for further discussion ☺
Thank You ☺

Recommended

Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Cloud Security Assessment Methods.pptx
Cloud Security Assessment Methods.pptxCloud Security Assessment Methods.pptx
Cloud Security Assessment Methods.pptxAdityaChawan4
 
Cloud Audit and Compliance
Cloud Audit and ComplianceCloud Audit and Compliance
Cloud Audit and ComplianceQuadrisk
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEryk Budi Pratama
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 

Recommended

Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Cloud Security Assessment Methods.pptx
Cloud Security Assessment Methods.pptxCloud Security Assessment Methods.pptx
Cloud Security Assessment Methods.pptxAdityaChawan4
 
Cloud Audit and Compliance
Cloud Audit and ComplianceCloud Audit and Compliance
Cloud Audit and ComplianceQuadrisk
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEryk Budi Pratama
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 
Multi cloud security architecture
Multi cloud security architecture Multi cloud security architecture
Multi cloud security architecture Maganathin Veeraragaloo
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations CenterSiemplify
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and ComplianceAmazon Web Services
 
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaCloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaEdureka!
 
Cloud security
Cloud security Cloud security
Cloud security n|u - The Open Security Community
 
Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security StrategyCapgemini
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsViresh Suri
 
CyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityCyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityHome
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptxSandeepK707540
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Iftikhar Ali Iqbal
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architectureBirendra Negi ☁️
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud ComputingKeet Sugathadasa
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
2014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v012014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v01promediakw
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it securityEast Midlands Cyber Security Forum
 

More Related Content

What's hot

Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations CenterSiemplify
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
 
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaCloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaEdureka!
 
Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security StrategyCapgemini
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsViresh Suri
 
CyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityCyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityHome
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptxSandeepK707540
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Iftikhar Ali Iqbal
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architectureBirendra Negi ☁️
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud ComputingKeet Sugathadasa
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 

What's hot (20)

Multi cloud security architecture
Multi cloud security architecture Multi cloud security architecture
Multi cloud security architecture
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations Center
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
 
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaCloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
 
Cloud security
Cloud security Cloud security
Cloud security
 
Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security Strategy
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentals
 
CyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityCyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurity
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptx
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud Computing
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 

Similar to The Art of Cloud Auditing - ISACA ID

2014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v012014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v01promediakw
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Happiest Minds Technologies
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET Journal
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 
Why CCSK with InfosecTrain (1).pdf
Why CCSK with InfosecTrain (1).pdfWhy CCSK with InfosecTrain (1).pdf
Why CCSK with InfosecTrain (1).pdfinfosec train
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David RossGraeme Wood
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewPeter HJ van Eijk
 
Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Tudor Damian
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhShah Sheikh
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudHappiest Minds Technologies
 
Checklist for Competent Cloud Security Management
Checklist for Competent Cloud Security ManagementChecklist for Competent Cloud Security Management
Checklist for Competent Cloud Security ManagementCloud Credential Council
 
Privacy Preserving in Authentication Protocol for Shared Authority Based Clou...
Privacy Preserving in Authentication Protocol for Shared Authority Based Clou...Privacy Preserving in Authentication Protocol for Shared Authority Based Clou...
Privacy Preserving in Authentication Protocol for Shared Authority Based Clou...IRJET Journal
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3EnterpriseGRC Solutions, Inc.
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloudScalar Decisions
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloudpatmisasi
 

Similar to The Art of Cloud Auditing - ISACA ID (20)

2014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v012014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v01
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
Why CCSK with InfosecTrain (1).pdf
Why CCSK with InfosecTrain (1).pdfWhy CCSK with InfosecTrain (1).pdf
Why CCSK with InfosecTrain (1).pdf
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David Ross
 
Introduction to CSA Australia 2013 by David Ross
Introduction to CSA Australia 2013 by David RossIntroduction to CSA Australia 2013 by David Ross
Introduction to CSA Australia 2013 by David Ross
 
Compliance in Public Cloud & CSA Framework
Compliance in Public Cloud & CSA FrameworkCompliance in Public Cloud & CSA Framework
Compliance in Public Cloud & CSA Framework
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overview
 
Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
 
cloud Resilience
cloud Resilience cloud Resilience
cloud Resilience
 
Checklist for Competent Cloud Security Management
Checklist for Competent Cloud Security ManagementChecklist for Competent Cloud Security Management
Checklist for Competent Cloud Security Management
 
Privacy Preserving in Authentication Protocol for Shared Authority Based Clou...
Privacy Preserving in Authentication Protocol for Shared Authority Based Clou...Privacy Preserving in Authentication Protocol for Shared Authority Based Clou...
Privacy Preserving in Authentication Protocol for Shared Authority Based Clou...
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
 

More from Eryk Budi Pratama

Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTIRingkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTIEryk Budi Pratama
 
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Eryk Budi Pratama
 
Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationPrivacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationEryk Budi Pratama
 
Cybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber SecurityCybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber SecurityEryk Budi Pratama
 
Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in IndonesiaEryk Budi Pratama
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiEryk Budi Pratama
 
Modern IT Service Management Transformation - ITIL Indonesia
Modern IT Service Management Transformation - ITIL IndonesiaModern IT Service Management Transformation - ITIL Indonesia
Modern IT Service Management Transformation - ITIL IndonesiaEryk Budi Pratama
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementEryk Budi Pratama
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarEryk Budi Pratama
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykEryk Budi Pratama
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykEryk Budi Pratama
 
Cyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykCyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykEryk Budi Pratama
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEnabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEryk Budi Pratama
 
Blockchain for Accounting & Assurance
Blockchain for Accounting & AssuranceBlockchain for Accounting & Assurance
Blockchain for Accounting & AssuranceEryk Budi Pratama
 
Guardians of Trust: Building Trust in Data & Analytics
Guardians of Trust: Building Trust in Data & AnalyticsGuardians of Trust: Building Trust in Data & Analytics
Guardians of Trust: Building Trust in Data & AnalyticsEryk Budi Pratama
 
Cybersecurity Skills in Industry 4.0
Cybersecurity Skills in Industry 4.0Cybersecurity Skills in Industry 4.0
Cybersecurity Skills in Industry 4.0Eryk Budi Pratama
 
Identity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOpsIdentity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOpsEryk Budi Pratama
 
Cybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas CompanyCybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas CompanyEryk Budi Pratama
 
Industry 4.0 : How to Build Relevant IT Skills
Industry 4.0 : How to Build Relevant IT SkillsIndustry 4.0 : How to Build Relevant IT Skills
Industry 4.0 : How to Build Relevant IT SkillsEryk Budi Pratama
 
Web Application Hacking - The Art of Exploiting Vulnerable Web Application
Web Application Hacking - The Art of Exploiting Vulnerable Web ApplicationWeb Application Hacking - The Art of Exploiting Vulnerable Web Application
Web Application Hacking - The Art of Exploiting Vulnerable Web ApplicationEryk Budi Pratama
 

More from Eryk Budi Pratama (20)

Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTIRingkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
 
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
 
Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationPrivacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program Implementation
 
Cybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber SecurityCybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber Security
 
Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in Indonesia
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data Pribadi
 
Modern IT Service Management Transformation - ITIL Indonesia
Modern IT Service Management Transformation - ITIL IndonesiaModern IT Service Management Transformation - ITIL Indonesia
Modern IT Service Management Transformation - ITIL Indonesia
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program Management
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI Webinar
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
 
Cyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykCyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - Eryk
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEnabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
 
Blockchain for Accounting & Assurance
Blockchain for Accounting & AssuranceBlockchain for Accounting & Assurance
Blockchain for Accounting & Assurance
 
Guardians of Trust: Building Trust in Data & Analytics
Guardians of Trust: Building Trust in Data & AnalyticsGuardians of Trust: Building Trust in Data & Analytics
Guardians of Trust: Building Trust in Data & Analytics
 
Cybersecurity Skills in Industry 4.0
Cybersecurity Skills in Industry 4.0Cybersecurity Skills in Industry 4.0
Cybersecurity Skills in Industry 4.0
 
Identity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOpsIdentity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOps
 
Cybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas CompanyCybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas Company
 
Industry 4.0 : How to Build Relevant IT Skills
Industry 4.0 : How to Build Relevant IT SkillsIndustry 4.0 : How to Build Relevant IT Skills
Industry 4.0 : How to Build Relevant IT Skills
 
Web Application Hacking - The Art of Exploiting Vulnerable Web Application
Web Application Hacking - The Art of Exploiting Vulnerable Web ApplicationWeb Application Hacking - The Art of Exploiting Vulnerable Web Application
Web Application Hacking - The Art of Exploiting Vulnerable Web Application
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

The Art of Cloud Auditing - ISACA ID

  • 1. 11 THE ART OF CLOUD AUDITING Eryk Budi Pratama CSX Team ISACA Indonesia Chapter 11 December 2019
  • 2. About Me ❑CSX Team Member, ISACA ID ❑Cyber Security & IT Advisory Professional ❑Community Enthusiast ❑Blogger / Writer ❑Knowledge Hunter ❑Do some “magic” ❑https://medium.com/@proferyk ❑https://www.slideshare.net/proferyk https://www.linkedin.com/in/erykbudipratama/
  • 3. ISACA Indonesia Chapter (Join Us ☺) http://www.isaca.or.id The chapter was established in 1993. We have been and continue organizing various talks, seminars, conference, forums and other activities to keep our members informed of the latest audit, security and control issues which members can attend at concession rates. Growing number of members of more than 700, with 400++ ISACA certified members from various industry https://www.isaca.org
  • 4. Setup the Context Industry, Geography, Sector, Market, Regulatory Environment Management, Funding, Staffing Levels & Competencies, Strategy & Initiatives Procure to Pay, HR, Operations, Revenue & Receivables, SG&A, Marketing, Legal SaaS, On-Premise (tied to lines of business and processes) App Code, Databases, OS, Hypervisors, Compute, Networks (SAN, Backup, WAN/LAN) Business Processes Application Infrastructure Micro Macro Know how each layer impacts the others What should not go to the cloud? Why? How does this broader context affect your perspective of cloud services ? Common IT focus
  • 5. Cloud Risk & Security
  • 6. Deployment Model Service Model Essential Characteristics 6 Cloud Computing – Know the Basic Cloud computing is a very clearly defined computing model with essential characteristics On-demand self service Broad access network Resource pooling Rapid elasticity Measured service Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) Public Private Hybrid Community
  • 7. 7 Common Cloud Risk Questions What do you believe to be the most common cloud risks? Account lock-out / resource hijacking • Who has administrative control over the service or account? Misconfiguration leading to a breach • How can we assess the security and appropriateness of configurations? Loss of control • How are we defining control in the context of the cloud? Asymmetries between the provider and customer • Who has greater power in negotiations (T&Cs / Pricing)? Multi-tenancy • What are the impact of multi-tenancy? Jurisdictional • How does the location of services impact legal / compliance requirements?
  • 8. Shared Responsibilities for Cloud Risk & Security The adoption of cloud introduces a shared responsibility model for security. Consumers have the most responsibility with IaaS and least with SaaS cloud models. Organizations should clearly define cloud security roles and responsibilities and ensure cloud vendor contracts, cloud vendor implementations, and control operations address gaps. Infrastructure as a Service Physical Hosting Network Infrastructure Storage Infrastructure Compute Infrastructure Platform Application Software as a Service Physical Hosting Network Infrastructure Storage Infrastructure Compute Infrastructure Platform Application Shared Shared Shared Platform as a Service Physical Hosting Network Infrastructure Storage Infrastructure Compute Infrastructure Platform Application Physical Hosting Network Infrastructure Storage Infrastructure Compute Infrastructure Platform Application On-Premise Service Demarcation: SLAs and Roles & Responsibilities Security, Monitoring & Governance: Critical Foundation Client Cloud Provider
  • 9. Cloud Risk per Cloud Service Model Infrastructure as a Service Platform as a Service Software as a Service ▪ Virtual Server Images ✓ Controls for how a virtual server images are created/destroyed ✓ Controls for maintaining the integrity of server images ▪ Virtual Server Inventory ✓ IaaS servers should have an audit record for when they were started and ended ▪ Security Policy ✓ The use of consistent automated tools ✓ Who will manage the kernels ▪ Application Development ✓ Specific requirements and controls are in place to filter or detect unwanted code/malicious code ▪ Environment Separation ✓ Separation from other applications ▪ Software Development Life Cycle (SDLC) ✓ New risks may exist as Cloud Computing can expand and shorten the SDLC cycle ▪ Licensing ✓ Examine tools used for usage tracking and licensing ✓ Examine accuracy of reporting ▪ Environment Separation ✓ Separation from other applications ▪ Software Development Life Cycle ✓ New risks may exist as Cloud Computing can expand and shorten the SDLC cycle ▪ Management of Software Dependencies ✓ Due to technical architecture complexity and potentially restrictions by the cloud provider, replicating data back to the enterprise or to another provider may be difficult
  • 10. 10 Critical Areas of Focus in Cloud Computing The domains are divided into two broad categories: Governance and Operations. The governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture. Governance and Enterprise Risk Management Legal Issues: Contracts and Electronic Discovery Compliance and Audit Management Information Governance Management Plane and Business Continuity Infrastructure Security Virtualization and Containers Incident Response, Notification and Remediation Application Security Data Security and Encryption Identity, Entitlement, and Access Management Security as a Service Related Technologies
  • 11. 11 Top Cloud Security Risks based on ENISA Top Cloud Risk Loss of Governance Lock-In Data Protection Compliance Risk Isolation Failure Management Interface Compromise In using cloud infrastructures, the client necessarily hand over control to the Cloud Provider (CP) on a number of issues which may affect security. At the same time SLAs may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defenses There is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment Cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud: (1) IF the CP cannot provide evidence of their own compliance with the relevant requirements or (2) IF the CP does not permit audit by the cloud customer (CC) This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so- called guest-hopping attacks). Customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk
  • 13. 13 The Future of Audit The issues that will have the greatest impact on the audit profession over the next three to five years Source: https://images.forbes.com/forbesinsights/StudyPDFs/KPMG-AFocusOnChange-REPORT.pdf
  • 14. 14 Typical Audit Plan ▪ Internal Controls ▪ Regulatory Requirements ▪ Vendor Management Requirements (Second/Third Party Audit) ▪ Policy Procedures ▪ Business Processes ▪ Functions ▪ Applications ▪ Infrastructure ▪ Vendors / Cloud Provider(s) Some basic questions when building cloud audit plan:Audit Objectives Audit Scope Cloud Audit Context Is the service or application authorized to be in the cloud? What is the role of the application or service? What type of information or data is used by the application? Do we have the right skills, competencies and staff to operate in the cloud? Have risks changed given the use of cloud services be they SaaS or IaaS?
  • 15. 15 Auditing Challenges with Cloud Computing A disruptive technology, like cloud computing, can impact “how” to audit ❑ Understanding the scope of the cloud computing environment ✓ Do you use the same matrix for public clouds as for private clouds? (internal vs external) ✓ The concept of a perimeter in a multi-tenant environment doesn’t make sense anymore ❑ Can your current risk assessment capture the risks correctly? ❑ Sample selection ✓ What is the universal population from which to pick a sample from? ✓ What would your sample selection methodology be in a highly dynamic environment? ✓ A snapshot in time may depend if it’s a high or low peak point in time ❑ Audit trails ✓ How do you “test” historical data if there was no audit trail? ❑ Other ✓ Educating the audit committee ✓ Overcoming internal barriers restricting the early involvement of internal audit as a ‘risk advisor’ to the business and IT
  • 16. 16 Standards applicable to cloud security auditing Standard Type Strength Sponsoring Organization Service Organization Control 2 Audit for outsourced service Technology neutral AICPA ISO 27001 & 27002 Traditional security audit Technology neutral ISO NIST SP800-53 rev 4 Federal Government audit Technology neutral NIST Cloud Security Alliance Cloud-specific audit Dedicated to cloud security auditing CSA PCI DSS PCI Qualified Security Assessor cloud supplement Cloud specific and provide guidance PCI DSS
  • 17. 17 Auditing the Cloud Service Organization Control (SOC) ▪ Service Organization are replacing traditional in-house functions (payroll processing, medical claims processing, human resources, document, workflow, and tax processing) ▪ SOC for Service Organizations reports help service providers build trust and confidence in their services and controls ▪ SOC 1 Pertains to financial controls ▪ SOC 2 Pertains to trust services (Security, Availability, Confidentiality, Process Integrity, and Privacy) ▪ SOC 3 Also pertains to trust services (Security, Availability, Confidentiality, Process Integrity, and Privacy) ▪ SOC for Cybersecurity - To provide intended users with information about an entity’s cybersecurity risk management program for making informed decisions ▪ SOC Type I & II Internal and External Audit Customer and Cloud Service Provider
  • 18. 18 SOC Comparison SOC Type Who Uses the Audit Info Why What the Audit Reports On SOC 1 Users’ controller’s office and users’ auditors Audits of financial statements Internal controls over financial statements SOC 2 Internal management, regulators ▪ GRC programs ▪ Oversight ▪ Due Diligence Security, availability, processing integrity and privacy controls SOC 3 General public ▪ Marketing Purposes ▪ Detail not required General customer assurance, marketing SOC Cybersecurity Senior management, board of directors, analysts, investors, business partners To provide intended users with information about an entity’s cybersecurity risk management program for making informed decisions Enterprise-wide cybersecurity risk management program
  • 19. 19 Service Organization Controls - SOC 2 and 3 AICPA guidance — Footnote 1 of TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids), contains the following definition of a system: ▪ Infrastructure — The physical and hardware components of a system (facilities, equipment, and networks) ▪ Software — The programs and operating software of a system (systems, applications, and utilities) ▪ People — The personnel involved in the operation and use of a system (developers, operators, users, and managers) ▪ Procedures — The automated and manual procedures involved in the operation of a system ▪ Data — The information used and supported by a system (transaction streams, files, databases, and tables) Criteria for evaluating and reporting on controls related to security, availability, processing integrity, confidentiality, and privacy: ▪ Security — The system is protected against unauthorized access (both physical and logical). ▪ Availability — The system is available for operation and use as committed or agreed. ▪ Processing integrity — System processing is complete, accurate, timely, and authorized. ▪ Confidentiality — Information designated as confidential is protected as committed or agreed. ▪ Privacy — Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP)
  • 20. 20 SOC 2 Applicability Considerations of where SOC2 reports may be applicable for your organization, SOC 2 Reports are applicable when an entity outsources the collection, processing, transmission, storing, organizing, maintenance or disposal of the entity’s information. Here are some examples where a SOC 2 report should be obtained: Cloud Service Providers Fintech Intellectual Property Protection Sales Force Automation HealthCare Providers and Payers, HIPAA Data Center Hosting Service Providers
  • 21. 21 Service Organization Controls - SOC 2/3 Security ▪ IT security policy ▪ Security awareness and communication ▪ Risk assessment ▪ Physical access ▪ Environmental controls ▪ Security monitoring (breaches) ▪ User authentication ▪ Incident management ▪ Asset classification and management ▪ Systems development and maintenance ▪ Logical access ▪ Configuration management Availability Confidentiality Processing Integrity Privacy ▪ Availability policy ▪ Backup and restoration ▪ Disaster recovery ▪ Confidentiality policy ▪ Confidentiality of inputs ▪ Confidentiality of data processing ▪ Confidentiality of outputs ▪ Information disclosures (including third parties) ▪ Confidentiality of Information in systems development ▪ System processing integrity policies ▪ Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs ▪ Information tracing from source to disposition ▪ Notice ▪ Choice ▪ Access ▪ Security ▪ Data Integrity ▪ Training and Awareness ▪ Enforcement and Compliance
  • 22. 22 Cloud Security Alliance - Cloud Controls Matrix The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. ▪ It provides a controls framework is aligned to the Cloud Security Alliance guidance in 16 domains. ▪ The foundations rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP ▪ It will augment or provide internal control direction for SOC attestations provided by cloud providers.
  • 23. 23 Cloud Security Alliance - Cloud Controls Matrix The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) domains. 1. Application & Interface Security 2. Audit Assurance & Compliance 3. Business Continuity Management & Operational Resilience 4. Change Control & Configuration Management 5. Data Security & Information Lifecycle Management 6. Datacenter Security 7. Encryption & Key Management 8. Governance and Risk Management 9. Human Resources 10. Identity & Access Management 11. Infrastructure & Virtualization Security 12. Interoperability & Portability 13. Mobile Security 14. Security Incident Management, E-Discovery & Cloud Forensics 15. Supply Chain Management, Transparency and Accountability 16. Threat and Vulnerability Management
  • 24. 24 CSA CCM Working Paper Service Model Cloud Provider vs Customer
  • 25. 25 CSA CCM Working Paper Mapping to AICPA Trust Service Criteria
  • 26. Cloud Audit Implementation - Example Disclaimer: Because of time limitation to present the material, for example purpose, this section will cover the overview of Google Cloud features which support audit function as the speaker experience is on GCP platform.
  • 27. 27 Identity and Access Management in GCP Source: https://cloud.google.com/iam/docs/overview Policy is set on a resource, and each policy contains a set of: ▪ Roles ▪ Role members Resources inherit policies from parent: ▪ Resource policies are a union of parent and resource. If parent policy is less restrictive, it overrides a more restrictive resource policy Understanding IAM in Cloud is very important !!!
  • 28. 28 Permissions Management in GCP Source: https://cloud.google.com/iam/docs/overview
  • 29. 29 Audit Logs in GCP Cloud Audit Logs returns three types of logs: Log Entry Type Description Operations (sample) Retention Period Admin Activity Contains log entries for operations that modify the configuration or metadata of a Compute Engine resource. Any API call that modifies a resource such as creation, deletion, updating, or modifying a resource using a custom verb fall into this category ▪ Creating resources ▪ Updating/patching resources ▪ Setting/changing metadata ▪ Setting/changing tags ▪ Setting/changing labels ▪ Setting/changing permissions 400 days System Event Contains log entries for system maintenance operations on Compute Engine resources ▪ On host maintenance ▪ Instance preemption ▪ Automatic restart ▪ Instance reset 400 days Data Access Contains log entries for operations that perform read-only operations that don't modify any data, such as get, list, and aggregated list methods. (ADMIN_READ and DATA_READ) ▪ Getting information about a resource ▪ Listing resources ▪ Listing resources across scope (aggregated list requests) 30 days Understanding different type of audit logs is important !!!
  • 30. 30 Groups vs Label vs Tags Source: https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources Labels -> billing / cost transparency Tags -> manage network traffic Security Marks -> resource grouping
  • 31. 31 Scenario - Monitoring and Logging for Cloud Functions
  • 32. 32 Scenario - Logging the Kubernetes Engine
  • 33. 33 Scenario - Logging with Kubernetes Engine
  • 34. 34 Cloud Audit Logs Best Practices Cloud Audit Logs is a powerful tool that can help you manage and troubleshoot your GCP environment, as well as demonstrate compliance. Here are some best practices to keep in mind: ❑ Use a test project to validate the configuration of your data-access audit collection before propagating to developer and production projects ❑ Be sure you’ve applied appropriate IAM controls to restrict who can access the audit logs ❑ Determine whether you need to export logs for longer-term retention ❑ Design aggregated exports on which your organization can filter and export the data for future analysis ❑ Configure log sinks before you start receiving logs ❑ Follow the best practices for common logging export scenarios ❑ Make sure to use exclusion filters to exclude logging data that isn’t useful.
  • 35. 35 See the difference between “IT Auditor” and “Engineer Auditor” ? General Control Specific Controlvs Surrounding environment Specific Resources
  • 36. 36 KEY TAKEAWAYS Cloud customers have to understand the share responsibilities between customer and cloud provider Different cloud service model (IaaS, PaaS, SaaS) has different audit methodology Customer’s IT Auditor have to be trained to have the skills needed to audit the cloud service Understanding IAM in Cloud is very important. Each Cloud Service Provider has different IAM mechanism Understanding different type of audit logs in cloud platform is important for IT Auditor
  • 37. Case Studies Notes: Contact me directly for further discussion ☺