Cloud Security Alliance, Atlanta Chapter Meeting Q1 2012 - SSAE16 SOC 1 2 3 ISO 27001 FedRAMP CCM

Upload: phil-agcaoili

Posted on 10-Jun-2015

DESCRIPTION

Clearing up the confusion as we transition from SAS 70 to SSAE 16 SOC 1, SOC 2, and SOC 3. Sprinkle in ISO 27001, CSA CCM, and FedRAMP.

TRANSCRIPT

Page 1: Cloud Security Alliance, Atlanta Chapter Meeting Q1 2012 - SSAE16 SOC 1 2 3 ISO 27001 FedRAMP CCM

Cloud Security Alliance Q1’12 Chapter Meeting

Tweet #csamtg

Page 2

Welcome

Definition of some commonly used, but often misunderstood terms.

Subject matter might be controversial.

Please make a note of the page number, jot down your thoughts, and hold questions and comments for the discussion period (only 30 seconds per slide!).

OR tweet #csamtg with slide number X and your question or comment.

Please keep clean?

Page 3

Standard

stand·ard [stan-derd] noun 1. something considered by an authority or by general consent as a basis of comparison; an approved model.

Page 4

Who Defines Standards?

What does it mean to have a clean house?

Who should decide?
• Occupants of the house
• Independent authority or general consent

Why not?

Page 5

Standards

“Clean” Defined by Occupant:

1. Self defined - not a standard by definition
• No clutter
• Clean floors
• No food left on the counter

Bare Minimum

Page 6

Standards

“Clean” Defined by Authority:

2. Broad objectives
• No clutter
• No dishes in the sink
• Clean floors
• No dust
• No food left on the counter
• Everything in its place

Get to decide what this means to you.

Page 7

Standards

“Clean” Defined by Authority (cont.):

3. More detailed
• No clutter
  o No clothes on the floor
  o Beds must be made
  o No excessive trinket collection or picture hanging
• No dishes in the sink
  o Dishes must be placed in the dishwasher immediately
  o Sink must be washed after use
• Clean floors
  o Carpeted floors must be vacuumed daily
  o Tiled floors must be cleaned daily with bleach
  o Baseboards must be wiped down with a rag by hand
• No dust
  o All furniture surface areas must be dusted daily
  o The inside of the refrigerator, stove, and all appliances must be wiped daily

Sometimes not applicable

Page 8

Standards

“Clean” Defined by Authority (cont.):

4. Hybrid – Even more detailed in some areas, but not applicable in others
• No clutter (In the kitchen)
  o Nothing on the floor
  o No counter top appliances
  o Range must be electric
  o All appliances must be stainless steel
• No dishes in the sink
  o Sink must not be used for washing dishes
  o Dishwasher must be commercial quality
• Clean floors (In the kitchen)
  o Floors must be cleaned daily with bleach
  o Baseboards must be wiped down with a rag by hand
  o Anti-bacterial spray must be used daily
• No dust (In the kitchen)
  o The outside of the refrigerator, stove, and all appliances must be wiped daily
  o The inside of the refrigerator, stove, and all appliances must be wiped daily
• Bedrooms, living rooms, den, bathrooms, etc. (N/A)

Page 9

Assurance

as·sur·ance [uh-shoor-uhns, -shur-] noun 1. a positive declaration intended to give confidence.

Page 10

Assurance

1. My house is clean.
2. His house was clean when I inspected it.
3. His house was clean all last year.
4. His house is continually clean.

What about after?

Really?

What about

before?

What about after?

How do you know?

Page 11

Assurance

“My house is clean.”
• Self Assessment or Management Attestation
• High Risk – Low Reliability
• Requires high degree of trust in the person making the attestation
• Lack of accountability. Leads to cutting corners because no one is looking.

Page 12

Assurance

“His house was clean when I checked.”
• Third Party Attestation (Point in Time)
• Medium Risk & Reliability
• Provides minimal if any assurance, and still requires trust.
• Lack of accountability. Leads to cutting corners when no one is looking.

Page 13

Assurance

“His house was clean all last year.”
• Third Party Attestation (Period of Time)
• Low Risk – High Reliability
• “Trust, but verify” – Provides reasonable assurance.
• Accountability exists - When corners are cut, there is a high likelihood of being caught

Page 14

Assurance

“His house is continually clean.”
• Perpetual Validation (Real Time - Utopia)
• Little to No Risk – Very High Reliability
• Provides near absolute assurance, and does not require trust
• Accountability exists. Corners cannot be cut, or there is a certainty of being caught

Page 15

Certified

cer·ti·fied [sur-tuh-fahyd] adjective 1. having or proved by a certificate 2. guaranteed; reliably endorsed.

I am a CISA. Does ISACA guarantee my work?

Page 16

Which Assurance Should “Certified” Belong To?

1. Self Assessment
2. Third Party Attestation – Point in Time
3. Third Party Attestation – Period of Time
4. Perpetual Validation – Real Time Utopia

Please tweet answer.

Page 17

Security Standards & Assurance

Standard | Standard Category | Assurance
CSA STAR (CCM, CAIQ, etc.) | More Detailed | Self Assessment
NIST/FedRAMP | More Detailed | Self Assessment
COBIT | Broad Objectives | Self Assessment
HIPAA / HITRUST | Broad Objectives | Point in Time
ISO 27001 | Broad Objectives | Point in Time
PCI-DSS | Hybrid – Focused on cardholder data environments | Point in Time
N/A – Controls Related to Financial Statement Accuracy Only | Self Defined | AICPA SSAE 16 - SOC1 (formerly SAS70): Type 1 – Point in Time; Type 2 – Period of Time
Trust Services Principles & Criteria (TSPC) | Broad Objectives | AICPA SSAE 10~14 – SOC2/SOC3: Type 1 – Point in Time; Type 2 – Period of Time

Page 18

Issues Created for Service Organizations

Forced to satisfy customers’ need for assurance with multiple standards and audits.

Wasting time scheduling and supporting external auditors from multiple firms.

Wasting time scheduling and supporting audits by customers exercising their “right to audit.”

Lack of clarity and confusion regarding customer expectations.

Page 19

Is there a “Silver Bullet” to Satisfy Everyone?

No.

Governing bodies will always require their own standards and reports (i.e. VISA and Mastercard require PCI; the Federal Government requires HIPAA compliance).

Customers have to provide their external auditors with reports that meet their requirements.

Page 20

What can be done to reduce the burden of compliance?

Take the best from each available Standard and Assurance:

Get Period of Time Assurance with More Detailed Standards

How?

Page 21

What can be done to reduce the burden of compliance?

Use SOC2 Type 2 Report as the Assurance wrapper for any or all of the following:
o ISO 27002
o CSA CCM
o PCI-DSS
o HITECH
o NIST/FedRamp

What?

Who would Test? Accountants?

What good would it do? Reports come from separate auditors.

Page 22

SOC2 and “Additional Subject Matter”

The SOC2 Attestation Standard (AT-101 or SSAE 10~14) allows for inclusion of other standards.

CPA firms can partner with QSAs and ISO registrars to conduct testing together, eliminating testing redundancy.

Is this even allowed? Yes… “Technical Specialists” (AT-101)

Is there much overlap in standards? Yes.

(Diagram: overlap between PCI-DSS and TSPC)

Page 23

SOC2 and “Additional Subject Matter”

At the end of the engagement, organizations receive a SOC2 report that covers a period of time AND they receive separate reports covering the other standards, i.e. PCI-DSS (ROC) and / or ISO 27001 Certificate.

Page 24

SOC2 and “Additional Subject Matter”

One core set of audit work serves as the basis for multiple reports.

Customers receive:
o Solid detail great standards like CSA CCM provide
o Little to No Risk – Very high reliability provided by period of time testing
o Specific reports to satisfy everybody
o International Acceptance

Page 25

Objectors Say

CPA firms that are not competent to perform CSA STAR, ISO 27001, PCI-DSS, etc. testing are not competent to accept the engagement, referencing SAS 73 as the Technical Specialist guideline CPA firms must follow.

We say, the AICPA provided for the use of technical specialists in AT-101, and the standard is clear. The use of specialists to demonstrate competence is allowed.

AT-101: “This knowledge requirement may be met, in part, through the use of one or more specialists on a particular attest engagement if the practitioner has sufficient knowledge of the subject matter (a) to communicate to the specialist the objectives of the work and (b) to evaluate the specialist's work to determine if the objectives were achieved.”

Page 26

Objectors Say

ISO 27001 is a real time assurance because the certificate is valid for three years.

We say, read the fine print. The certificate is void if any of the terms in the certificate agreement are broken. See "Proof that ISO 27001 is a Point-in-Time Assurance".

Page 27

Objectors Say

Period of Time assurance is no better than Point in Time assurance because both are “dated”, meaning they are irrelevant even before they are issued.

We say, the discipline that is instilled in an organization that knows there is an increased likelihood of being caught when they stray shifts culture in the direction of better security.

Page 28

Discussion & Reading

The Risk Assurance Revolution has Begun
http://riskassuranceguy.blogspot.com/2012/01/risk-assurance-revolution-has-begun.html

SOC Reports: The customer is always right
http://turnkeyit.blogspot.com/2012/01/soc-reports-customer-is-always-right.html

Standards, Audits, and Certifications: Which One is Right?
http://www.infosecisland.com/blog/show/slug/19296-Standards-Audits-and-Certifications-Which-One-is-Right/page/2.html

When I See a Can in the Road, All I Want to do is Smash It
https://www.infosecisland.com/blogview/19769-When-I-See-a-Can-in-the-Road-All-I-Want-to-do-is-Smash-It.html

Why Data Centers Don't Need SSAE 16
https://www.infosecisland.com/blogview/16080-Why-Data-Centers-Dont-Need-SSAE-16.html

Why Data Centers Need SSAE 16
https://www.infosecisland.com/blogview/16952-Why-Data-Centers-Need-SSAE-16.html

SOC 2 for Cloud Computing
https://www.infosecisland.com/blogview/17174-SOC-2-for-Cloud-Computing.html

AICPA Fumbles Audit Standards at the 5-Yard Line
http://www.datacenterknowledge.com/archives/2012/01/19/aicpa-fumbles-audit-standards-at-the-5-yard-line/

Good Reading:
http://www.schrammassurance.com/wp-content/uploads/2012/01/11-Schramm-SAS70-to-AT101-KLv4.pdf
http://cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/Standards/StandardsImplementationGuidance

CSA Atlanta Chapter Q1’12 Meeting Feedback:
http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=91992030&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&trk=group_most_recent_rich-0-b-ttl&goback=.gmr_3664160
http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=46520870&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&goback=.gmr_3664160.gde_3664160_member_91992030

LinkedIn Group on SOC Reports:
http://www.linkedin.com/groups/SOC-formerly-SAS70-Reports-4223260?

Page 29

The Cloud Security Alliance Governance, Risk, and Compliance (CSA GRC) Stack

• A suite of four integrated and reinforcing CSA initiatives (the “stack packages”) – The Stack Packs
  • Cloud Controls Matrix
  • Consensus Assessments Initiative
  • Cloud Audit
  • CloudTrust Protocol
• Designed to support cloud consumers and cloud providers
• Prepared to capture value from the cloud as well as support compliance and control within the cloud

7 Oct 2011 | The CSA GRC V2.0 Workshop | Ron Knode

Page 30

The CSA GRC Stack

Bringing the Stack Pack Together

Delivering | Stack Pack | Description
Continuous monitoring … with a purpose | CloudTrust Protocol | Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
Claims, offers, and the basis for auditing service delivery | Cloud Audit | Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
Pre-audit checklists and questionnaires to inventory controls | Consensus Assessments Initiative | Industry-accepted ways to document what security controls exist
The recommended foundations for controls | Cloud Controls Matrix | Fundamental security principles in specifying the overall security needs of cloud consumers and assessing the overall security risk of a cloud provider

Page 31

CSA GRC Value Equation Contributions for Consumers and Providers

What control requirements should I have as a cloud consumer or cloud provider?

How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?

How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?

How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?

• Individually useful
• Collectively powerful
• Productive way to reclaim end-to-end information risk management capability

Static claims & assurances

Dynamic (continuous) monitoring and transparency

Page 32

Using the GRC Stack

Making the Stack Pack Approach Work for You

• Easy to get started
• Many successful combinations
• Benefits accrue with each stack pack addition
• Multiple alternatives to application and deployment
• Mapped across multiple compliance mandates

Page 33

GRC Stack

2011 Recap
• GRC Stack Training Courses offered across US and Europe
• Cloud Security Alliance acquires CTP from CSC (July)
• CCM 1.2 released (August)
• CAIQ 1.1 released (September)

Page 34

GRC Stack

2012
• CCM v1.3
• CAIQ and CCM migrating to database format
• More GRC Stack Training Courses (TBA)
• 2012 CTP Roadmap release – Volunteer opportunities and more details will be announced in Q1

https://cloudsecurityalliance.org/research/grc-stack/

Page 35

Also New for 2012

https://cloudsecurityalliance.org/star/

The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud service providers. It helps users assess the security of cloud providers they currently use or are considering contracting with. It is a simple but powerful idea: cloud providers post self assessments of their cloud services, CSA makes these assessments publicly available, and cloud consumers can use this data to make informed purchasing decisions. It supports CSA GRC Stack, AICPA SOC, ISO 27001, FedRAMP, etc.

Page 36

2012 CSA Conferences

CSA Summit 2012 at RSA-USA
February 27 – March 2
Moscone Center - San Francisco

Page 37

Contact

Help Us Secure Cloud Computing
– www.cloudsecurityalliance.org
– [email protected]
– LinkedIn: www.linkedin.com/groups?gid=1864210
– Twitter: @cloudsa

Page 38

About Us

Phil Agcaoili, @hacksec