©2014 BrightLine CPAs & Associates, Inc. All Rights Reserved
Close-Up on Cloud Security Audit
Douglas W. Barbin
About Me
• “Partner” at BrightLine
• 17 years experience in security, assessments, forensics, and product management
• Previously at PwC, Guardent, and VeriSign
• Roles included auditor and “auditee”
• CPA, CISSP, QSA, ISO 27001 Lead Auditor, & CCSK!
• Participant in CSA including CCM and CloudAudit
Key Themes
• Auditing a cloud starts with understanding cloud providers
• Controls are where audits and compliance come together, not requirements
• Organization and preparation are key
• Evidence collection and analysis adjustments must be made
• Want to audit cloud? Better use it.
Setting the Stage
• Acme Analytics Cloud
• SaaS-based data analytics provider that includes financial and health care clients
• Hosted at Amazon
• Clients require SOC 2 w/ CSA STAR Attestation, PCI, and HIPAA assessments
• ISO and FedRAMP potential future initiatives
Understanding Cloud: More than *aaS
Source: PCI Standards Council Cloud Computing Information Supplement (2013)
Auditors must understand the delivery model in-depth prior to showing up onsite
Understanding Cloud: The New Architectures
Dude… Where’s my DMZ?
Planning: Scoping
• The architecture review should happen during the sales/SOW process, not at kickoff
• Key elements:
– Operational locations
– Use of subservice organizations (e.g. AWS)
– Roles/responsibility of subservice orgs
– “Systems” inventory and role of sampling
– Development model (e.g. DevOps)
Planning: Understanding the Requirements
• Controls assessments vs. management systems
• Requirements (PCI) vs. safeguards (HIPAA) vs. criteria (SOC 2)
• Point-in-time, review-period, phases / stages
• CCM and CAIQ can help but need support from the CSP
Project Initiation and Evidence Request
• First, identify control activities
• Then, draft specific evidence request lists (ERL)
Managing Requests – Introducing: AuditSource.com
• Primary Goal: Replace the spreadsheet!
• Simple front end supported by two leading cloud service providers
• 2-factor authentication
• “Double-encryption” and storage
• Assigns evidence items to persons and also supports “super user” roles at Clients
Mission – ERL Item Zero!
Collaboration and Feedback!
Audit Test Considerations for Cloud
• Policies and procedures on Wiki
• Technical course corrections
– Must be able to understand non-traditional firewalls (e.g. AWS Security Zones)
– Follow the authentication path for access control
– Understand use of Puppet and other replication tools
– Understand sources and uses of logging and how to evaluate cloud-based log management
• Last - Understand Agile and DevOps or go home!
Scanning and Penetration Testing Considerations for Cloud Environments
• Authorization by provider is always required
• Typical details needed include IP addresses, start and end time, contact, etc.
• Technical Considerations
– Be mindful of cloud networking devices and load balancers and their potential impact on port scans
– Many vulnerability scanners leverage APIs and become “configuration” scanners
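As an added example (not from the slides or from BrightLine), this is the kind of API-driven “configuration” check the last bullet describes, run offline over a constructed security-group listing shaped like AWS describe-security-groups output: it evaluates the ingress rules directly rather than inferring exposure from a port scan that load balancers may distort. The port sets and severities are this example's own assumptions.

```python
"""Offline configuration scan of cloud firewall rules (added example).
Evaluates AWS-style security group ingress rules the way an API-driven
"configuration scanner" would, instead of port-scanning through load
balancers. SAMPLE_GROUPS is CONSTRUCTED to mimic EC2 describe-security-groups
output; the port sets are this example's own audit assumptions."""
from ipaddress import ip_network

PUBLIC_WEB_PORTS = {80, 443}                 # acceptable world-reachable edge ports
ADMIN_PORTS = {22, 3389, 3306, 5432, 27017}  # never acceptable from 0.0.0.0/0

SAMPLE_GROUPS = [  # constructed sample, not client data
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},  # group-to-group, no CIDR
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
]

def is_world(cidr):
    """True if the CIDR admits any source address, i.e. the Internet."""
    return ip_network(cidr, strict=False).prefixlen == 0

def audit_group(group):
    """Return (group_id, severity, message) findings for one security group."""
    findings, gid = [], group["GroupId"]
    for perm in group.get("IpPermissions", []):
        proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if proto == "-1":  # all protocols and ports, whatever the source
                sev = "high" if is_world(cidr) else "medium"
                findings.append((gid, sev, f"all traffic allowed from {cidr}"))
            elif is_world(cidr):  # source-restricted rules are reviewed separately
                ports = set(range(lo, hi + 1))
                if ports & ADMIN_PORTS:
                    hit = sorted(ports & ADMIN_PORTS)
                    findings.append((gid, "high", f"admin ports {hit} open to world"))
                elif not ports <= PUBLIC_WEB_PORTS:
                    findings.append((gid, "medium", f"{proto} {lo}-{hi} open to world"))
    return findings

def audit_all(groups):
    """Run audit_group over every group; an empty list means no findings."""
    return [f for g in groups for f in audit_group(g)]
```

Against the constructed sample the scan reports SSH open to the world on the web tier and an all-traffic rule on the database tier; the 5432 rule scoped to another security group produces no finding, which a port scan from the Internet would never have distinguished.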
Analysis, Reporting, and Work Paper Management
• Reports are modular in nature and include multiple “testing matrices”
• Developing a report is collaborative
• Derivative reports require coordination
• Workpapers must be secured and maintained…
So why not use the Cloud?
What Can Improve in Cloud Auditing
• More online collaboration for analysis and reporting (working on that…)
• More real-time continuous monitoring tools and interfaces
• Automated mechanisms to collect assertions and control types i.e…
Want to Audit the Cloud? Use the Cloud
• BrightLine maintains zero hardware other than laptops
• We use best of breed cloud providers and demand the same assurance reports
• We also get the same client objections … and defend those objections!
Key Success Factors for Cloud Auditing
• Taking the time to learn cloud
• Understand the architecture and delivery model before “boots to the ground”
• Altering techniques
• Audit the cloud – with the cloud!
WWW.BRIGHTLINE.COM