What the auditor need to know about cloud computing
1 like262 views
The document discusses cloud security and the roles of various stakeholders in ensuring safe cloud computing practices. It emphasizes the importance of understanding the shared responsibility model, evaluating cloud service providers, and implementing proper governance, data classification, and security measures. Additionally, it outlines the need for continuous monitoring and auditing of cloud services to maintain compliance and security.
More Related Content
Similar to What the auditor need to know about cloud computing (20)
What the auditor need to know about cloud computing
- 1. Cloud Security For auditors Moshe Ferber, CCSK, CCSP, CCAK Onlinecloudsec.com When the winds of change blow, some people build walls and others build windmills. - Chinese Proverb
- 2. #About Information security professional for over 20 years Founder, partner and investor at various cyber initiatives and startups Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more) Co-hosting the Silverlining podcast – lean about security engineering Founding committee member for ISC2 CCSP and CSA CCSK, CCAK certification Member of the board at Macshava Tova – Narrowing societal gaps Chairman of the Board, Cloud Security Alliance, Israeli Chapter Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
- 3. So, what is cloud computing?
- 4. Actually, cloud does have a definition…
- 5. Cloud characteristics: • Cloud computing characteristics distinguish cloud from other forms of compute (i.e. hosting, outsourcing , static virtualization) • Mostly relevant for certain regulations
- 6. מזה זה שונים מאוד הענן שירותי .... SaaS PaaS IaaS Private Hybrid Public
- 7. The Share responsibility model Physical Security Network & Data Center Security Hypervisors Security Virtual Machines & OS security Data layer & development platform Application Identity Management DATA Audit & Monitoring IaaS PaaS SaaS Consumer responsibility Provider responsibility
- 8. The CISO Challenge SaaS PaaS IaaS Gain the expertise for building secure applications Evaluate providers correctly Very hard to provide best practices
- 11. Building a cloud strategy: relevant steps Guidelines for which data/app can migrate Threats & Risks to consider Identifying key Stakeholders Evaluating the provider maturity and security controls. Additional controls that should be implemented in the service.
- 12. Cloud Policy: Balancing the requirements Laws (i.e. Privacy laws) Regulations (sector specific) Standards (PCI, ISO) Contracts
- 13. Data classification is mandatory Data that can be migrated Data that can not be migrated Data that can only migrate to certain providers Data that can only migrated to certain jurisdiction Data that can only migrated if encrypted / anonymized UK gov data classification: • Official • Secret • Top secret Official is allowed at public cloud
- 14. Dealing with risk and threats
- 15. Identifying key stakeholders Internal stakeholder • IT department • Business owners • R&D department • Legal Department • GRC Department • Procurement department External Stakeholder • Integration & Implementation partners • Brokers • Software development companies • Auditors • Security consultant Often internal stakeholder will form sort of Cloud Computing Center of Excellence
- 16. Stakeholder responsibilities •Monitor Shadow IT •Authorized providers list •Budget management - IaaS/PaaS •SaaS license management Procurement •Building cloud architecture •Integrating new tools •Vision and roadmap Architecture •Guidelines for compliance program •Provider screening process •Specific controls GRC/CRO •Automation •Monitoring •Security (secdevops) Operations/devops
- 17. Specific controls examples Cloud migration committee Mandatory provider certifications MFA usage Data encryption at rest Security assessments
- 18. Evaluating providers (cloud assessments)
- 19. Hi diversity in the market (specially in SaaS) • Could you do an audit? • Should you do an audit? In many cases you must settle for 3rd party attestation. Cloud provider A Cloud provider B
- 20. Provider evaluation Is the service adequate? How mature is the provider? Are the provider responsibilities clear? Are customer responsibilities clear? Are there gaps?
- 21. Provider evaluation – what do I really looking for? Trust Accountability Is the provider accountable for his responsibilities? Transparency Is the information I am receiving accurate and actionable? Assurance Wil the provider perform as planned?
- 22. Provider evaluation (mostly on SaaS) Reviewing security policy Evaluating the provider Evaluating the service Evaluating the supply chain Analyzing gaps Setting special requirements Contract signing Ongoing monitoring
- 23. Tools for provider evaluation https://cloudsecurityalliance.org/star/registry/
- 24. SaaS services – security foundation Encryption • Encrypting data at the cloud provider (who has the keys)? Identity Management • Who control the user store? • Who is responsible for authentication? Governance & Audit • Who does what? • Suspicious events detection
- 25. IaaS/PaaS – performing security testing Security assessment • Usually assessing the cloud infrastructure • Require knowledge in the cloud platform • Usually made against a checklist • Evaluating the security posture of the environment Penetration testing • Usually cover the application layer • Mostly black box • Require coordination with the provider • Assessing the application resilience
- 26. Assessing with a security framework Security framework (non cloud specific) • ISO27001 • SOC 2/3 • COBIT • EU-Sec Security framework (cloud specific) • ISO27017 / 27018 (Cloud Security & privacy) • CSA STAR • BSI C5 • NIST 800-53 • PCI DSS cloud guidelines • CIS benchmark Considuration: Cloud Native vs. Migrated to the cloud
- 27. Contract management Usually made from 3 parts: • Agreement • SLA • ToS Usually not negotiable Must address the shared responsibility model Must address sub- processors Cloud specific • Location of services • Conflict resolution • Breach notification Must address end-of- service and migration
- 28. Privacy considerations Data privacy laws are turning the world into privacy islands Important topics: • Data residency • Processor vs. controller roles • Data subject's rights • Breach notifications Check put the CSA Privacy Level Agreement: https://cloudsecurityalliance.org/research/working-groups/privacy-level-agreement/
- 29. Summary The word cloud describes many different types of services, with different security considerations. Pick your battles – • Large mature IaaS/PaaS providers – focus on customer maturity • SaaS services – Choose your partners wisely • Practical cloud policy is the place to begin, everything else will follow Cloud Security Course Schedule can be found at: ty Course http://www.onlinecloudsec.com/course-schedule
- 30. KEEP IN TOUCH Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
- 31. Questions?