How to Audit Outsourced IT Environments? What are the challenges when auditing outsourced IT environments? How to include outsourced IT environments in your audit? Rob Kloots, CISA CISM CRISC, Owner, TrustingtheCloud, CSA-BE volunteer. Berlin, June 2012

Uploaded by: rob-kloots
Posted: 22-Jan-2015

TRANSCRIPT

1. How to Audit Outsourced IT Environments?
What are the challenges when auditing outsourced IT environments? How to include outsourced IT environments in your audit?
Rob Kloots, CISA CISM CRISC, Owner, TrustingtheCloud, CSA-BE volunteer
Berlin, June 2012

2. Topics
- Key Cloud Security Problems
- The GRC Stack
- CSA Guidance Research
- Transparency
- Cloud Controls Matrix (CCM)
- CCM 98 Controls
- Guidance
- The CAI Questionnaire
- CloudAudit Objectives & Alignment

3. Key Cloud Security Problems
From CSA Top Threats Research:
- Trust: lack of provider transparency impacts governance, risk management, compliance, and the capture of real value
- Data: leakage, loss, or storage in unfriendly geography
- Insecure cloud software
- Malicious use of cloud services
- Account/service hijacking
- Malicious insiders
- Cloud-specific attacks

4. The GRC Stack
Provides trust in the Cloud. (Diagram: the stack links needs and requirements, evidence and transparency, payoffs and capabilities, and claims and visibility, yielding assurance, protection, security, compliance and trust.)
Delivering evidence-based confidence with compliance-supporting data & artifacts.

5. A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
(The "Stack Pack" column of this slide held the component logos and is not in the transcript.)

| Delivering | Description |
| --- | --- |
| Continuous monitoring with a purpose | Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers |
| Claims, offers, and the basis for auditing service delivery | Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments |
| Pre-audit checklists and questionnaires to inventory controls | Industry-accepted ways to document what security controls exist |
| The recommended foundations for controls | Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider |

6. A Headstart for Control and Compliance
Forged by the Global Marketplace; Ready for All. Columns on the slide: Professional, Government, Commercial. Legend: In place / Offered.

| Delivering | Description | Standards and programs |
| --- | --- | --- |
| Continuous monitoring with a purpose | Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers | ??? |
| Claims, offers, and the basis for auditing service delivery | Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments | ??? |
| Pre-audit checklists and questionnaires to inventory controls | Industry-accepted ways to document what security controls exist | FedRAMP, DIACAP, other C&A standards |
| The recommended foundations for controls | Fundamental security principles in assessing the overall security risk of a cloud provider | NIST 800-53, HITRUST CSF, SSAE SOC 2 control criteria, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70 |

7. CSA Guidance Research
Popular best practices for securing cloud computing: 14 domains of concern, in governing and operating groupings, with Transparency shown spanning all of them.
- Cloud Architecture
- Governing in the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
- Operating in the Cloud: Security, Business Continuity, and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization

8. Transparency
Source: NIST SP 500-291 v1.0, p. 42, Figure 12 (figure not in transcript)

9. Cloud Controls Matrix (CCM)
Leadership Team: Becky Swain (EKKO Consulting), Philip Agcaoili (Cox Communications), Marlin Pohlman (EMC, RSA), Kip Boyle (CSA)
Versions: v1.0 (Apr 2010), v1.1 (Dec 2010), v1.2 (Aug 2011), v2.0 (2012)
Controls baselined and mapped to: COBIT, BITS Shared Assessments, HIPAA/HITECH Act, Jericho Forum, ISO/IEC 27001:2005, NERC CIP, NIST SP 800-53, FedRAMP, PCI DSS v2.0

10. CCM 98 Controls (control table not in transcript)

11. CCM 98 Controls (cont.)

12. CCM 98 Controls (cont.)

13. CCM 98 Controls (cont.)

14. Control Matrix >> Guidance >> ISO

15. The CAI Questionnaire

16. Sample Questions to Vendors
Compliance, CO-02 (Independent Audits):
- CO-02a - Do you allow tenants to view your SAS 70 Type II / SSAE 16 SOC 2 / ISAE 3402 or similar third-party audit reports?
- CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
- CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
- CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
- CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
- CO-02f - Are the results of the network penetration tests available to tenants at their request?
- CO-02g - Are the results of internal and external audits available to tenants at their request?
Data Governance, DG-02 (Classification):
- DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?
- DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag)?
- DG-02c - Do you have a capability to use system geographic location as an authentication factor?
- DG-02d - Can you provide the physical location/geography of storage of a tenant's data upon request?
- DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?

17. CloudAudit Objectives
- Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
- Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology

18. Aligned to CSA Control Matrix
- CloudAudit was officially folded under the Cloud Security Alliance in October 2010
- First efforts aligned to compliance frameworks as established by the CSA Control Matrix: PCI DSS, NIST 800-53, HIPAA, COBIT, ISO 27002
- Incorporate CSA's CAI and additional CompliancePacks
- Expand alignment to infrastructure- and operations-centric views also

19. Holistic approach around controls
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

20. ...and Architecture best practices
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

21. Any Questions?
Rob Kloots, CISA CISM CRISC, Owner, TrustingtheCloud, volunteer CSA-BE
M +32.499-374713
e [email protected]
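The DG-02a, DG-02b and DG-02e questions on slide 16 ask whether a provider can use policy tags to keep a tenant's virtual machines and data out of the wrong geography, and whether hardware can be identified by tags such as TXT/TPM. The Python below is an added example (it is not from the slides, from CSA, or from any provider) of what such a control looks like on the provider side, so an auditor knows what evidence to ask for: a deny-by-default placement check that compares a host's geography tag against the tenant's allowed countries and optionally requires a hardware identity tag. The tag keys geo.country and hw.tpm, the policy fields, and the host inventory are all constructed for illustration.

```python
"""Added example (not from the slides): a minimal data-residency placement check of the
kind CAIQ DG-02a/DG-02b/DG-02e ask providers about.  Tag keys, policy fields and the
sample host inventory are constructed for illustration, not taken from any product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TenantPolicy:
    tenant: str
    allowed_countries: frozenset          # ISO 3166-1 alpha-2 codes the tenant accepts (DG-02e)
    require_attested_host: bool = False   # demand a hardware identity tag (DG-02b)


@dataclass(frozen=True)
class Host:
    name: str
    tags: dict   # provider-side policy tags/metadata, e.g. {"geo.country": "DE", "hw.tpm": "true"}


def placement_decision(policy, host):
    """Return (allowed, reason).  Deny by default: a host with no geography tag is
    'unknown geography', which is exactly the case a residency policy cannot accept."""
    country = host.tags.get("geo.country")
    if country is None:
        return False, f"{host.name}: no geo.country tag (unknown geography)"
    if country not in policy.allowed_countries:
        return False, f"{host.name}: country {country} not in {sorted(policy.allowed_countries)}"
    if policy.require_attested_host and host.tags.get("hw.tpm") != "true":
        return False, f"{host.name}: hardware identity tag hw.tpm missing or not 'true'"
    return True, f"{host.name}: country {country} allowed"


def eligible_hosts(policy, hosts):
    """Names of hosts on which the tenant's VM (or its data) may be instantiated."""
    return [h.name for h in hosts if placement_decision(policy, h)[0]]


def audit_trail(policy, hosts):
    """One line per decision: the artefact an auditor would request as evidence that the
    control actually runs (in the spirit of CO-02g, results available on request)."""
    return [f"tenant={policy.tenant} decision={'ALLOW' if ok else 'DENY'} {why}"
            for ok, why in (placement_decision(policy, h) for h in hosts)]


# Constructed sample inventory (hypothetical hosts, not real provider data)
SAMPLE_HOSTS = [
    Host("fra-01", {"geo.country": "DE", "hw.tpm": "true"}),
    Host("ams-02", {"geo.country": "NL", "hw.tpm": "false"}),
    Host("iad-03", {"geo.country": "US", "hw.tpm": "true"}),
    Host("unk-04", {}),   # untagged host: geography unknown, must be denied
]
EU_ONLY = TenantPolicy("acme", frozenset({"DE", "NL", "BE"}))
EU_ATTESTED = TenantPolicy("acme-bank", frozenset({"DE", "NL", "BE"}), require_attested_host=True)

if __name__ == "__main__":
    for line in audit_trail(EU_ATTESTED, SAMPLE_HOSTS):
        print(line)
```

The untagged host is the case worth probing in an audit: a provider that answers "yes" to DG-02a should be able to show that unknown geography results in a deny, not a silent pass, and should be able to hand over the per-decision log as evidence rather than only a policy document.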