Trusted Data Assurance in the Cloud


  • 7/31/2019 Trusted Data Assurance in the Cloud

1/24 Back to table of contents

CHAPTER TWO Cloud Control: Mounting a Strong Defense with Information Security and Compliance

EVault Ebook

Trusted Data Assurance in the Cloud

By Felix A. Santos, CISA, CISM


Trusted Data Assurance in the Cloud. Copyright 2011 i365, Inc. All Rights Reserved.

This book is protected under the copyright laws of the United States of America, and other applicable international, federal, state, and local laws. No part of this document may be reproduced or transmitted in any form, by any means, without the prior written permission of i365 and the author.

Nothing in this book is intended to replace legal or other professional services.


TABLE OF CONTENTS

05 Chapter 01: The Path to Trusted Data Assurance in the Cloud

12 Chapter 02: Cloud Control: Mounting a Strong Defense with Information Security and Compliance

20 Chapter 03: Evaluating Trusted Cloud Providers


ABOUT THE AUTHOR

Felix A. Santos, CISA, CISM is responsible for information security and compliance for i365 and EVault worldwide data centers. In this role, Felix oversees all facets of IT governance including information security programs, policy enforcement, and data center security audits and compliance. Felix has direct reporting responsibility to the president and general manager of i365, and security reporting responsibility to the chief information security officer (CISO) at Seagate Technology.

In his early career, Felix was a senior scientist for the U.S. Department of Energy at the National Laboratories and served as a technical advisor in Advanced Computing to the Office of Arms Control and Non-Proliferation. Since leaving federal service, Felix has served as chief security officer (CSO) and CISO in high-tech and financial industries in the Bay Area.


    CHAPTER ONE

    The Path to Trusted Data Assurance in the Cloud

Cloud computing has been around since at least the 1990s. A number of early adopters were able to develop a basic framework of distributed computing services that evolved into the cloud concept by the late 1990s. These early services had to build in controls and features by client demand to demonstrate the same level of assurance that traditional on-premise software applications provided. An example of a successful cloud SaaS (Software as a Service) provider is salesforce.com. Today, consumers use these cloud services for anything from contact management to post-sales customer engagement. Why? Salesforce.com offered the first cloud-based blue ocean strategy, offering pay-as-you-go, low-cost services and, most importantly, garnering trust with consumers for cloud-based services.

But many potential cloud consumers (people or organizations that maintain a business relationship with, or use services from, cloud providers) struggle with the decision for adopting cloud-based services. As cloud services continue to mature, client requirements are raising the bar for cloud providers to give them a higher level of trusted data assurance.

Today, key drivers continue pushing consumers toward cloud computing, most notably legal and regulatory drivers. In the 2011 Global Information Security Survey [1], Mark Lobel, principal security professional for PricewaterhouseCoopers (PwC), says: "The risk environment has increased and elevated the role of information security. Cost-reduction efforts make achieving security a little more difficult. Clients are pushing harder for security, telling us that their company's product or service is put at a competitive disadvantage if security is not built in. It's all about the data. Increase the focus on protecting the data."

Data protection methods have trusted standard frameworks available today. Unfortunately, key features of the data protection frameworks are obscured in a cloud environment. The basic concept of providing a high level of assurance within an open framework is defined by testing best practices against controls at the data service layer. This is the definition of Trusted Data Assurance (TDA). This high level of trusted data assurance can be achieved by adherence to best practices, but it's going to take some work for both cloud consumers and cloud providers.

    To Cloud or Not to Cloud

Who's clouding now? Forrester Research [2], a technology and research firm, breaks down the top IT priorities for this year. About half of all mid-size companies are either pursuing cloud-based services as part of their business practices, or they're in their near-term implementation. Why? Realized benefits are clear: reduced infrastructure costs, pay-as-you-go services, flexibility, agility, and significantly reduced IT management and oversight.

Survey results from the Ponemon Institute [3], an independent research firm on data privacy, include an interesting diversity of cloud deployment models in use today. Sixty-five percent of cloud providers deploy a variety of services for consumer use in public clouds, primarily for handling static content, including email, collaboration, and community-based services. Eighteen percent of consumers have applications and private data they want to keep protected in private clouds and take the necessary steps to ensure reliance on trusted service providers. Another deployment model gaining momentum in the market is the hybrid model. Eighteen percent of consumers use a hybrid approach for maintaining business continuity, combining on-premise and cloud-based capabilities in a single solution.

But the outlook continues to be partly cloudy when it comes to data ownership, data privacy, data location, and cloud IT governance oversight. Potential business clients often ask me, "Do I own my data in the cloud? Who is responsible for protecting my data? How can providers safeguard my data from ending up across the globe? And who is actually providing oversight?" This is an area where data privacy and location become a top issue.


Security issues facing the cloud.

Data Privacy: Your Bill of Rights

The bottom line is that consumers have information privacy rights regarding their data. It's the consumers' bill of rights, so to speak, and well documented in federal privacy regulations and the Safe Harbor Act.

Understanding data privacy rights will help regulated consumers define requirements for safeguarding personal health information, personally identifiable information, nonpublic information, and credit-card payment information. Federal data protection laws, such as the Gramm-Leach-Bliley Act (GLBA), a privacy act for financial communities, and a dozen or so other federal laws require industries to protect information associated with data privacy laws. State regulations go even deeper. For example, in California, under SB 1386, service providers must notify customers as well as the state if privacy data is compromised. Furthermore, CA AB 1950 mandates that service providers submit information showing they are using best practices to ensure protection of consumer information.

Between U.S. and European Union (EU) overseas authorities, the Safe Harbor Act, operated and managed through the U.S. Department of Commerce, assists U.S. companies with self-assessments and attestation, defining the minimum protection of the privacy data they are safeguarding. And, if anything goes wrong, companies have to essentially prove they're in compliance with established guidelines.


Overall, data stewardship is complex, essentially affecting most areas of federal, state, and international laws and regulations. I suggest you become familiar with these laws and regulations. To do business with the EU, you will need to fill out the self-assessment. I will discuss more about the importance of data location and regulations later on. The big question to be answered: how do cloud providers give consumers trusted data assurance?

    Trusted Data Assurance Goals

The only reasonable method for garnering assurances of trust is through a completed and updated audit report of your provider's environment. You can always trust, but you also need to verify.

Cloud consumers and cloud providers have an intimate partnership. Cloud consumers own their data, and expect their provider to act as a steward, maintaining the same level of protection they expect from themselves. To achieve trusted data assurance, third-party cloud auditors conduct controlled audits of cloud-provider data centers and issue a report on whether the provider has the proper controls in place and is following best practices to protect consumer information.

There are a few different approaches for conducting cloud provider audits. The most common audit is the Statement on Auditing Standards 70 (SAS 70), developed by the American Institute of Certified Public Accountants (AICPA). Alternatives include BITS Agreed Upon Procedures (BITS.org, a consortium of financial services) or shared assessments, ISO 27001 certification, and Federal Information Security Management Act (FISMA) compliance certification. Traditionally, SAS 70 was used for auditing financial and reporting controls for state and public financial organizations. Until June 2011, SAS 70 was also the standard for auditing cloud providers.

New Audit Standards Emerge for Service Organizations

In June 2010, a more comprehensive auditing standard, Statement on Standards for Attestation Engagements No. 16 (SSAE 16), was developed by AICPA to target service organizations. Unlike SAS 70, which focuses on financial controls, SSAE 16 is systems-based with trust guidelines and principles encompassing trusted controls for data security, confidentiality, integrity, availability, and privacy. For cloud providers, these five controls will be analyzed to ensure the protection of consumer data.


SSAE 16 audits now require attestation: a written assertion by the cloud provider stating that control objectives have been suitably met (for SSAE 16 Type I) and are operating effectively (for SSAE 16 Type II), with supporting information about risk factors.

Service Organization Control 1 (SOC 1) reports are restricted to existing cloud providers with SAS 70 Type I and Type II compliance for effective periods beginning on or after June 15, 2011.

SOC 2 audits are both a general- and restricted-use report describing tests, audit results, and the auditor's opinion for compliance to trust services and guiding principles.

SOC 3 audits are a general-use report containing minimum information. If one or more trust services are met, cloud providers are permitted to use an SOC 3 SysTrust seal on their website.

Use this information about SSAE to establish a dialog with current or potential providers. It's an excellent way to get information about their SSAE migration plans over the next several months. For more information about SSAE, download the free report, "Service Organization Controls: Managing Risks by Obtaining a Service Auditor's Report," at aicpa.org.


My advice for cloud providers using SAS 70 audits (the fastest and easiest transition for the remainder of 2011) is to move to SOC 1, since it's essentially a SAS 70 Type I. Otherwise, regulated consumers will be forced to look elsewhere for services because they will fall out of compliance when their auditors pay a visit.

My best advice for cloud providers: if you can, make the transition now directly to SOC 2 to give consumers the most comprehensive audit controls for cloud data protection. It will also help you grow your services business. For web-based cloud services, the SOC 3 with SysTrust Seal can be published on the website.

The Rise of Cloud Standards

In support of maturing cloud compliance and IT governance programs, federal standards under the National Institute of Standards and Technology (NIST), and the Cloud Security Alliance (CSA) within the private sector, are bearing the burden of establishing new IT controls and best practices for cloud computing.

NIST provides federal government and legal entities with a new roadmap for cloud computing standards, cloud nomenclature definitions, and basic cloud services and how they work. A new architecture reference model is now available with contributions from federal and private industries, ensuring that all facets associated with cloud computing are addressed. They've also released a synopsis of best-practices recommendations for cloud service providers with specific guidelines on how security and privacy are expected to be maintained in public cloud computing. Their nomenclature definitions alone will help ensure you're on the same page with your cloud providers. For more information, visit nist.gov.

For organizations in the private sector, CSA focuses on detailing critical areas of cloud computing from services development to management of cloud-based services. CSA is an open alliance organization with memberships from corporations such as eBay, security vendors such as RSA from EMC and CA, financial institutions such as American Express and Citibank, security associations such as ISACA and the Distributed Management Task Force (DMTF), and cloud providers such as salesforce.com and Google. All members collaborate and contribute to a common knowledge base ensuring new cloud controls are well understood and documented.


Cloud Services Standards Organizations

The National Institute of Standards and Technology (www.nist.gov) is an agency of the U.S. Department of Commerce that makes measurements and sets standards by industry for government programs such as the Federal Information Security Management Act (FISMA).

Cloud Security Alliance (CSA) promotes the use of best practices for providing security assurance within cloud computing. For more information, visit www.cloudsecurityalliance.org.


What's impressive about the folks from CSA and their affiliated community members is their shared definition of new, standard IT controls for cloud providers. In traditional on-premise environments, information security controls require organizations to define and classify their information assets. In contrast, when operating in a cloud environment, currently defined IT controls do not necessarily provide the level of coverage required by a cloud provider's role as steward for data protection.

New definitions require providers to look at consumer data (objects containing data) and assign classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization, and third-party obligation for retention and prevention of unauthorized disclosure or misuse.

There are about a hundred of these new cloud-control objectives defined in version 1.2 of the new Cloud Controls Matrix (CCM). I encourage you to read the CCM version 1.2 to become familiar with the new cloud controls and to help guide conversations with current or potential cloud service providers. Download the spreadsheets from cloudsecurityalliance.org.

[1] 2011 Global Information Security Survey; Mark Lobel, PricewaterhouseCoopers, CSO Security Standard Conference; Brooklyn, New York, September 29, 2010

[2] Business Continuity and Disaster Recovery Are Top IT Priorities for 2010 and 2011; Forrester Research, Inc., September 2, 2011

[3] Security of Cloud Computing Providers Study; Ponemon Institute, April 2011


    CHAPTER TWO

Cloud Control: Mounting a Strong Defense with Information Security and Compliance

Information Security (INFOSEC) basically protects data everywhere, such as texts, instant messages, email, contracts, hard copies, transaction data, and verbal communications, from unauthorized access, misuse, disclosure, disruption, modification, or destruction. The philosophy behind INFOSEC is to take a holistic approach that encompasses people, processes, and technology to protect data. This approach embodies the basic trust principles of security, confidentiality, integrity, availability, and privacy.

I am always surprised by the number of people who view INFOSEC as a single focus on one or more components of technology. For example, they assume perimeter security, such as firewalls or intrusion detection systems, provides the security solution, and some organizations don't have an incident response process to address critical breaches. And some business owners think they're secure because they trust their IT administrator; after all, that's who set up the firewall. But here's the reality: information security for achieving compliance is complex, especially in the cloud.


Figure: Sphere of Protection [4]. Labels in the figure: People, Technology, Information (the nucleus); layers Internet, Networks, Systems; controls Policy and law, Education and training, Security planning (IR, DR, BC), Redundancy, Monitoring systems, Patches and upgrades, Host IDS, Firewalls, Network IDS, Proxy servers, Encryption, Backups, Access controls.

An organization's security posture is characterized by the maturity, effectiveness, and completeness of risk-adjusted IT controls. The INFOSEC defense concept can be represented in the Sphere of Protection [4] (above).

Protection in depth is a layered process from the perimeter into the protected information core. It is implemented by people with defined processes and utilizes technology to put it into effect.

IT controls are implemented in multiple layers, from Internet and network security to applications, systems, and physical security. Access controls are intimately connected to people and technology to be properly secured and managed.

Ultimately, you want to get to the point where you can say, "I am properly protecting the environment because I'm now measuring the confidentiality of systems and data information, maintaining its integrity, and making it available as well as protected from any attack."

For security awareness and education programs, people will continually need education and training to understand applicable policies, laws, and regulations to help guide their behavior for protecting data.


For cloud providers, a strict code of ethics, regulatory controls, and internal operational guidelines mandate the behavior of data center professionals. You won't find any external communications with the public in a controlled data center environment. And social networking is absolutely prohibited. The highest level of protocols and procedures should be in place, and must be followed to protect both consumers and providers.

INFOSEC plans provide detailed guidance on how to handle incident response, disaster recovery (DR), and business continuity (BC), and must be maintained and tested regularly to accommodate environmental and technological changes.

From the left side of the sphere, many technology layers address protection of information located in the nucleus. Each layer may have a different series of components including access controls across all layers, implementation of best practices, change management, and periodic testing of IT controls.

INFOSEC Standards for Regulatory Compliance

Regulatory compliance can be complex. To reduce maintenance costs for achieving regulatory compliance while significantly improving overall efficiencies, organizations eliminate redundant and overlapping regulatory controls by implementing standard frameworks that map across multiple regulations.

To demonstrate this methodology, I'll use three examples of key regulations. Sarbanes-Oxley (SOX) targets compliance for all public entities. Sarbanes-Oxley mandates assurances by demonstrating the appropriate level of controls to protect financial information, and reporting to the Securities and Exchange Commission. However, Sarbanes-Oxley doesn't provide the "how" of achieving such assurances. Since the Control Objectives for IT (CoBIT) standards framework was developed in support of SOX, you can see in the example below a one-to-one mapping across most domains for both SOX and CoBIT. Privacy protection is addressed in CoBIT version 5.

For health care providers, the Health Insurance Portability and Accountability Act (HIPAA) regulates protection of public health information. ISO 27001 standards map across all domains to ensure privacy protection is accounted for and controlled.

And last, the Gramm-Leach-Bliley Act protects nonpublic information for financial services. Both ISO and CoBIT standards, for the most part, support GLBA mandates. CoBIT version 5 is currently in early adoption.

My best-practices recommendation for cloud consumers is to look at cloud providers that offer trusted data assurance and understand all facets of regulatory requirements, and to implement ISO 27000, CoBIT, or new cloud IT control standards to help you make an informed decision. You may even want to consult your auditor for recommendations.

Preparing for the Cloud: Your Roles and Responsibilities

To help prepare you for data protection in the cloud, there are specific elements that cloud consumers own that are included in the cloud controls matrix from CSA.

Here's the bottom line: you can't just hand cloud services over to a cloud provider. There are some simple, free best practices that you need to follow. Following are some key activities and valuable information you need for making the right decisions for your organization.

    Write an INFOSEC Policy

A written INFOSEC policy is a simple document that's necessary for engaging with a cloud provider. It should include the information being protected, how the security environment will be monitored, who will be held accountable for the security environment, who is authorized to engage in INFOSEC activities, and basic policies and procedures that should be well understood across the company.

This is where security awareness programs become paramount for helping organizations understand their INFOSEC policy, and for executives to conduct a concerted response when bad things occur. Information security policies serve as the communication platform for cloud providers and, most important, they help to quickly determine whether a cloud provider can meet your defined objectives.


There are plenty of websites that offer information security policy templates for download. ISO 27001 is a good program standard for defining information security programs. In addition, for specific details, download actual security policies (then you can simply fill in the blanks) from the SANS Institute at sans.org.

You will find that following my best-practices recommendations will put you in the best position for safeguarding your company.

Classify Information Assets

Once you've written your information security policy, the next crucial step is defining your assets. Determine all locations of critical data and the protection levels for safeguarding each data set. By taking the time to define where sensitive and critical information is located, and who and what applications need access to each data set, you're well on your way to the cloud.

Data location is of primary importance for business consumers concerned about outsourcing data to a cloud provider. As mentioned before, cloud consumers are ultimately responsible for their data. Trust your cloud provider to be a steward of your data, but only if the provider fully understands data location requirements and can prevent your data from going somewhere it shouldn't. Garner that trusted data assurance through an updated audit report. And define your requirements and regulations associated with each data set as well as specific data location requirements.

One example I often share with clients regards customers with encrypted logical information or intellectual property. Encrypted information or intellectual property falls under the federal regulations controlling encrypted material under export controls. You run into a boundary of places to which you can actually export this type of data. And if your data is sitting in the cloud, you have to verify it's not going to end up in a pariah country. This is one of the reasons why data classification is crucial for data protection in the cloud. Trust but verify; it's that simple.

Data location requirements can sometimes conflict with regulatory controls. One regulation that can conflict with data location boundaries is Basel II. In the EU there's a disaster recovery requirement for financial organizations. To replicate their data, organizations must place it in a different geographical risk zone. But there are privacy information controls mandating that data can't leave the country. In these cases, cloud providers need to be able to tell you how they're going to effectively deal with international issues to ensure your data is protected.

If you don't have policies in place to address data regulatory controls, you can't hold your cloud provider accountable if something goes wrong. Policy and prosecution go hand in hand in both domestic and internationally controlled environments.

Here's the bottom line: You can't simply hand your cloud services over to a cloud provider and walk away. There are some simple, free best practices that you need to follow.


Asset management is by far the most important subcomponent of an INFOSEC policy. Data classification includes rating your data based on public, private, confidential, top-secret, sensitivity, integrity, availability, location, and regulatory requirements. Assess your data center, office, laptops, servers, and so on, and classify data sets based on your requirements. One of the most comprehensive schemes is the Federal Information Processing Standards (FIPS) 199. Other simplified schemes use some components of this federal standard. Keep it simple by using appropriate standards for your regulated industry.

Last, define how soon your data needs to come back in cases of loss or disaster. Define objective points based on availability. Objectives commonly used for data sets that require operations to remain resilient are Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Determine which sets are not affected by outages and prioritize them accordingly. Cloud providers will need to ensure they can meet both defined and written criteria.
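As an added example (not from the book or from EVault), the per-data-set criteria discussed above, FIPS 199 impact levels with the high-water mark, an in-country data-location requirement, a replica in a different geographic risk zone, and RTO/RPO, can be written down as a check against a provider's written offering. All data sets, regions and provider figures below are constructed sample values.

```python
"""Policy-as-code check of a data-set inventory against a candidate cloud provider.

Added example, not EVault's code. It encodes what the text asks you to define per
data set (FIPS 199 impact levels, location requirements, RTO/RPO) and tests a
provider's written offering against them. All values are constructed samples.
"""
from dataclasses import dataclass

# FIPS 199 impact levels; a data set's overall category is the high-water mark
IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class DataSet:
    name: str
    confidentiality: str          # FIPS 199 impact level per security objective
    integrity: str
    availability: str
    home_country: str             # jurisdiction where the data is created
    may_leave_country: bool       # False: privacy controls keep it in-country
    needs_offsite_replica: bool   # DR rule: replica in a different risk zone
    rto_hours: float              # maximum tolerable time to restore service
    rpo_hours: float              # maximum tolerable window of lost data


@dataclass
class Region:
    name: str
    country: str
    risk_zone: str                # geographic risk zone label (constructed)


@dataclass
class ProviderOffer:
    name: str
    regions: list
    rto_hours: float              # what the provider commits to in writing
    rpo_hours: float


def security_category(ds: DataSet) -> str:
    """FIPS 199 high-water mark across confidentiality, integrity, availability."""
    top = max(IMPACT[ds.confidentiality], IMPACT[ds.integrity], IMPACT[ds.availability])
    return next(level for level, rank in IMPACT.items() if rank == top)


def evaluate(ds: DataSet, offer: ProviderOffer) -> list:
    """Return the written criteria the offer fails for this data set (empty = meets)."""
    findings = []
    eligible = [r for r in offer.regions
                if ds.may_leave_country or r.country == ds.home_country]
    if not eligible:
        findings.append("no region satisfies the data-location requirement")
    elif ds.needs_offsite_replica and len({r.risk_zone for r in eligible}) < 2:
        # The Basel II style conflict from the text: a replica must sit in a
        # different risk zone, but privacy rules keep the data in one country.
        findings.append("cannot replicate to a second risk zone without leaving the country")
    if offer.rto_hours > ds.rto_hours:
        findings.append(f"RTO {offer.rto_hours}h exceeds required {ds.rto_hours}h")
    if offer.rpo_hours > ds.rpo_hours:
        findings.append(f"RPO {offer.rpo_hours}h exceeds required {ds.rpo_hours}h")
    return findings


# Constructed sample inventory and provider offer
LEDGER = DataSet("eu-ledger", "high", "high", "moderate", "DE", False, True, 4, 1)
MARKETING = DataSet("campaign-assets", "low", "low", "low", "DE", True, False, 72, 24)
OFFER = ProviderOffer("provider-a",
                      [Region("eu-central", "DE", "rhine-flood"),
                       Region("us-east", "US", "atlantic-hurricane")], 8, 1)

if __name__ == "__main__":
    for ds in (LEDGER, MARKETING):
        print(ds.name, security_category(ds), evaluate(ds, OFFER) or ["meets criteria"])
```

Run as-is, the ledger data set is rated "high" and fails two written criteria (no second in-country risk zone, RTO too long), while the marketing data set passes.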

Define Backup, Recovery, Disaster Recovery, and Business Continuity Policies

Whether or not you're considering outsourcing some of your data sets to the cloud, you need to define backup, recovery, disaster recovery, and business continuity policies. It's a crucial element of the risk-assessment process. Write down backup and recovery policies and procedures with an inventory of data that resides on critical systems, including executive laptops! Determine how long you can wait before your data is recovered. Use several disaster scenarios in your policy. For example, before hurricane season arrives everyone needs to be conscious about the next potential flood, its location, and whether or not your data storage is actually going to be protected during this event. If these scenarios ever present themselves, you actually have a documented plan in place, and you have a cloud provider to help you test scenarios to demonstrate you are actually implementing best practices. Painful as it may seem, DR plans require testing, even if it's a small portion of your environment. If you don't test it, you have no idea if the backup tapes you sent to a vault somewhere in Kentucky are actually going to be recoverable.

It's crucial that you document your data protection plan. Use it to serve up the service-level agreement (SLA) with your cloud provider. And if things go wrong, your service provider can be held accountable.

If you have different types of outsourcing initiatives, and your backups are on tape, look at having an electronic replication with another service provider for safeguarding the backup to your backup. You should always keep alternatives. If one provider doesn't work, go to a second provider.

Cloud-based disaster recovery services are key services contracted today, especially with businesses that have already been affected by natural disasters. Consider developing a cloud DR and BC plan to maintain your continuity of operations in cases of data loss or natural disaster. It's absolutely worth its weight in gold, without the costs of rebuilding this crucial component of your business.

Perform a Risk Assessment

The final step to help you prepare for cloud adoption is to conduct an internal risk assessment. Determine the business practices you need to continue to operate. Look for items that could potentially threaten your organization's data. If your budget allows, you may need to consult a third party to assist you with writing guidelines on how to define your risk assessment, and to actually perform the assessment. If you perform the assessment internally to save costs, make sure you do it regularly so you're prepared for any new threats that may pop up.

Determining risk is a business practice that sits at the highest level of the company. Without executive support, you're most likely placing the company at risk. It's worthwhile to make sure executives know the service providers you're using and how they are protecting company information, and that these service providers will be held accountable if something goes wrong. Make sure assessments are well documented.

My guidance applies to the budget-minded consumer as well. I understand the needs of small and mid-size organizations that can't afford to outsource a risk assessment. There are many free consortiums on the Internet that provide guidelines for performing your own risk assessment. When you present your assessment to a cloud provider, make sure you also present your information security and data protection plans outlined above.

Next up: When things don't always go as planned.

Incident e-Discovery and Investigation

One of the less-palatable activities in cloud data protection is when bad things happen, such as litigation, or when law enforcement officers show up on your doorstep asking questions.


One of the key control methods used to protect clients from data exposure or leakage is data encryption and key management, especially when data leaves the company. Consumers should be in complete control of all encryption keys. Losing access to encryption keys can actually expose consumers to potential, unknown threats. In the event of litigation, lack of encryption management does not hold up well in a court of law.

When a significant breach occurs within the consumer's domain, e-discovery typically begins when the judicial system warrants the discovery process and law enforcement agencies are engaged. In these cases, e-discovery should begin at the site of the cloud consumer.

Agencies may wish to fast-track the e-discovery process by requesting your cloud provider to essentially dump all data that you own. But they should actually start with you, not the provider. Providers don't hold your encryption keys; you do. It's as simple as that.

To exemplify what consumer data looks like in a multitenant cloud environment, I will use EVault as an example. Cloud consumer data is deduplicated and encrypted from its original source, and remains encrypted throughout its lifetime in one or more vaults. If someone looks at the data, it is just a series of data blocks of ones and zeros, only to be decrypted by consumer access to the encryption keys. Essentially, EVault can provide law enforcement with the data blocks and vault information, but only in its file form as a copy. We do not have access to actually assist with further e-discovery activities.

I'm often asked by our cloud-consumer customers what would happen if they suddenly had an issue with law enforcement during an incident of breach, or when law enforcement agencies are just looking for a copy of their backups. The answer is that we are required by federal law to protect all consumer information in our data centers. It is crucial that physical access is limited.

Agencies should exhaust all avenues of investigation at the consumer site, or else possibly suffer federal consequences for imposing e-discovery on cloud providers without an arguable due cause. Because mistakes in the past have caused agencies to shut down cloud providers during their maturation phase, legal agencies should be cognizant of cloud consumer data protection laws, and help enforce consumer data protection assurances in the cloud.

4 Business Risk of Software in the Cloud; Deloitte Development LLC, Andrew Murren, March 2, 2011


CHAPTER THREE

Evaluating Trusted Cloud Providers

To put together your cloud-provider short list, you first need to question each provider's IT controls.

The BITS Standard Information Gathering (SIG) questionnaire is a standard set of shared audit procedures. Questions have been mapped tightly to the ISO domains, resulting in a cloud provider standard request for information. Use either the BITS full or lite questionnaire to evaluate cloud providers. You can find the BITS questionnaires by visiting sharedassessments.org.

Once you have your SIG questionnaire, you're ready to match vendor service delivery models with your business and security objectives.

Who's Who in the Cloud

Not all cloud providers should be treated equally. The simplified Cloud Computing Stratosphere (see next page) illustrates three service delivery models and key vendors.

Communications and Social Applications reside above the three service delivery models or layers, since they are quite pervasive on top of, and through, some of these layers. A great example is Twitter.


Software as a Service (SaaS)

SaaS is the capability for cloud consumers to use applications and resources from a cloud provider. And cloud application resources are typically accessible from a web browser. SaaS is crowded with providers bringing in online services from initial email services (from Google, Microsoft, and Yahoo) to expanded services such as office and collaborative applications, marketing, and data protection services including backup, disaster recovery, and replication services.

Platform as a Service (PaaS)

PaaS is aimed at cloud developers that want to use the provider's cloud operating environment, development tools, and programming languages (Windows, .NET, Linux, and J2EE) to create SaaS-based applications for use by cloud consumers.

Infrastructure as a Service (IaaS)

IaaS is the capability for cloud providers to provision fundamental computing resources such as storage, networks, and processing power to cloud consumers. The consumer can often be other cloud providers. For example, EVault services use Microsoft Azure cloud services for provisioning storage and endpoint protection services to consumers. And the company partners with other cloud providers, managed service providers, and resellers that want to host data-protection and other value-added services to their consumers powered by the EVault infrastructure and partner SaaS-based service offerings. These types of partner services are typically coined as downstream or aggregator services.

Down the Stack: Cloud Provider Security Responsibilities

As mentioned in Chapter One, new trends in consumer requirements are pushing providers to implement better IT controls over their data centers to gain parity with traditional on-premise solutions. This stems from the abstraction of infrastructure and the lack of visibility and capability to integrate many familiar security controls, especially at the network and virtualization layers.

It is important to understand that security responsibilities of cloud providers and cloud consumers differ among service delivery models. For example, Amazon's EC2 infrastructure is responsible for security up to the hypervisor level to include physical, environmental, and virtualization security. Cloud consumers are responsible for systems, applications, and data security.

For cloud providers offering services that span the entire stack (IaaS, PaaS, SaaS), security becomes the responsibility of the provider, including physical, environmental, infrastructure, applications, and data security. For example, my company is responsible for all levels of security since our infrastructure and cloud services cut across all three service-delivery layers.

Figure: The Cloud Computing Stratosphere (source: Horn Group, www.horngroup.com)

Trusted Data Assurance from EVault

Directly distributed EVault data centers are located throughout the United States and Canada, with a presence in the European Union. Since 1997, EVault security programs have been founded on ISO standards and best practices that have been updated and maintained. EVault meets the ISO 27001:2005 Information Security Program Standard and self-attestation for PCI DSS v.2 compliance. Since my firm is a wholly owned subsidiary of the publicly held company Seagate Technology (NASDAQ: STX), we fulfill Seagate internal audit activities and controls for data privacy, PCI compliance, and general controls practices. We've maintained yearly audits for SAS 70 Type II, and we're currently in our SSAE 16 audit for SOC 2, expecting our SSAE 16 attestation to be completed by December 2011. We continue raising the bar on trusted data assurance.

Summary

Cloud-based services are here to stay. The costly maintenance of meeting regulatory requirements is driving consumers to ultimately shift to the cloud, especially those organizations lacking the budget, or organizations that can no longer enjoy the information security and compliance budgets of the past. But it certainly can be a scary place for potential consumers that haven't yet made that leap. If you do your homework, and you select the right, trusted cloud provider, you will enjoy low-cost services with trusted data assurances to help you focus on your core business and maintain profitability.

Hopefully, I've dispelled some of the myths about data privacy and protection. You own your data and you have federal privacy laws that protect your rights. Your service provider is there to steward and safeguard your data, and ensure your privacy rights are protected, with the right people, process, and technology.

As the cloud services industry matures, new cloud definitions and initiatives are there for public-sector and federal consumers to ensure cloud providers follow shared best practices. And new and long overdue SSAE audit standards now provide systems-based and trusted data controls for auditing service organizations, giving consumers that verification of trusted data assurance. After all, a little TDA does go a long way!


When it comes to information security and compliance, always account for change. Maintaining a state of compliance is not a static process. It is a continuous process of improvement. Trusted cloud providers will continue to improve governance of their IT infrastructure and show you evidence that they're actually doing it.

Make sure you receive that trusted data assurance from your cloud provider. And remember, you can trust, but always verify.

List of Resources

1. American Institute of Public Accountants, aicpa.org
2. Control Objectives for IT, isaca.org
3. BITS Agreed Upon Procedures, bits.org
4. BITS SIG, sharedassessments.org
5. Cloud Security Alliance, cloudsecurityalliance.org
6. 2011 Global Information Security Survey; Mark Lobel, PricewaterhouseCoopers, CSO Security Standard Conference; Brooklyn, New York, September 29, 2010, csoonline.com
7. National Institute of Standards and Technology, nist.gov
8. Security of Cloud Computing Providers Study, Ponemon Institute LLC, April 2011, ponemon.org
9. The SANS Institute, sans.org


Headquarters | 3101 Jay Street, Suite 110 | Santa Clara, CA 95054 | 877.901.DATA (3282) | www.i365.com
France | +33 (0) 1 55 27 35 24
Germany | +49 (0) 89 28890 434
Netherlands | +31 (0) 73 648 1400
UK | +44 (0) 1932 445 370