Cyber Security for Local Gov SAMFOG

Editor's Notes

• #18: With a risk-based audit approach it is important to understand that there are two areas of concern when evaluating the control environment. There is a financial reporting control environment and an overlapping information technology control environment . This overlap can become larger when the complexity and sophistication of the IT environment increases and when the reliance on the IT controls is greater. This overlapping area creates a potential for the lack of IT controls or IT control failure to increase the risk of material misstatement (RMM).
• #21: http://sco.ca.gov/Files-AUD/2015_internal_control_guidelines.pdf
• #26: What is Cloud Computing? The “Cloud” Buzz word Overused cliché Ill defined Many different definitions Marketing term All hype The “unknown path” Service provider “____-as-a-service” Nebulous Image: NASA
• #27: Definition “..[a] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions.” NIST & Cloud Security Alliance A utility model of technology delivery. Photo by Donald E. Hester all rights reserved NIST SP 800-145
• #28: DoDI 8510.01
• #29: Reasons “Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.” “…to be more efficient, agile, and innovative through more effective use of IT investments…” Federal Cloud Computing Strategy, February 2011
• #30: Cloud Provider Benefits (NIST SP 800-144)
• #31: Cloud Risks Where’s My Data? The Bad Divorce Trust but Verify “I thought you knew” I didn’t think of that Clarify Consider Expectations, Put it in Writing Compatibility Can you think of some risks not mentioned?
• #32: Where’s My Data? In the information age your key asset is information. Some information requires protection (Credit Card Data, Student Records, SSN, etc…) Your information could be anywhere in the world You may loss access to your data (availability) ISP failure Service provider failure Failure to pay (service provider stops access) Image: Microsoft Clip Art
• #33: The Bad Divorce “Vendor Lock” All relationships come to an end Let you down, had a breach, SLA performance etc… The company fails/gets sold Introductory pricing or it goes up over time Transition to new vendor or in-source How will you get your data back? Lack of Portability between PaaS Clouds Example, something built for Google won’t work for SharePoint or Amazon Get a prenup – get it in the contract up front Image: Microsoft Clip Art
• #34: Trust but Verify Assurance How do you know they are protecting your data? Not everyone is treated the same by service providers Disclosure concerning security posture 3rd party independent verification (audit/assessment) SAS 70 / SSAE 16 SysTrust / WebTrust ISO 27001 Certification Audit / Assessment MOU/MOA & ISA Image: Microsoft Clip Art
• #35: “I thought you knew” Cloud systems are typically more complex This may create a larger attack surface Breach Notification When do you want to know about a data breach? (Data that you are legal obligated to protect) Typical contracts give wide latitude for service providers Actual verses possible breach Timeliness of notification Image: Microsoft Clip Art
• #36: I didn’t think of that Dependencies Infrastructure – Internet Authentication management (SSO) Operational budget Greater dependency on 3rd parties Other considerations Complex legal issues Multi-tenancy Transborder data flow Jurisdiction and Regulation Support for Forensics Image: Microsoft Clip Art
• #37: Clarify What do they mean by “Cloud” Establish clear responsibilities and accountability Your expectations Cost of compensating controls What will happen with billing disputes Will your data be in a multi-tenant environment What controls will you have Image: Microsoft Clip Art
• #38: Consider The reputation of the service provider Track record of issues Large or small, likelihood of change Vendor ‘supply chain management’ issues The reliability of the service or technology Is the technology time tested Competency of cloud provider Typically you have no control over upgrades and changes Training for staff Image: Microsoft Clip Art
• #39: Compatibility When will they upgrade their service? Will they be ready when you are ready for an upgrade of dependent software Will you be ready when they are ready to upgrade Browser-based Risks and Risk Remediation What software will be required on the client side? Java Flash Active-X Silverlight HTML 5
• #40: New attack vectors Hypervisor complexity Data leakage (multi-tenant environment) Man in the Middle Browser vulnerabilities Mobile device vulnerabilities
• #41: Service Agreements Service Level Agreement (SLA) Some are predefined and non-negotiable Some are negotiable (typically cost more) Terms of Service May cover privacy Breach notification Licensing Acceptable use (What you can and can’t do) Limitations on liability (Typically in the favor of the service provider) Modifications of the terms of service (Do you want this?) Data ownership
• #42: Traditional risks no matter where you go Insider threat, Instead of your staff it is their staff Access control How can you control and monitor? Authentication Another logon or SSO Data sanitation Is your data really deleted? Others????
• #44: What to do? Careful planning before engagement Understand the technical aspects of the solution Make sure it will meet your needs (security and privacy) Maintain accountability Define data location restrictions Ensure laws and regulations are met Make sure they can support electronic discovery and forensics Follow NIST and Cloud Security Alliance guidance
• #45: Resources Cloud Security Alliance cloudsecurityalliance.org ISACA: Cloud Computing Management Audit/Assurance Program, 2010 NIST SP 800-144 (draft) NIST SP 800-145 NIST SP 800-146 (draft) Federal Cloud Computing Strategy, February 2011 CIO.gov Above the Clouds managing Risk in the World of Cloud Computing by McDonald (978-1-84928-031-0) Cloud Computing, Implementation, Management, and Security by Rittinghouse and Ransome (978-1-4398-0680-7) Image: Microsoft Clip Art