Cloud provider assurance: Trust but verify

By Mike Small

Using a cloud service means moving from a “hands on” management model to one of indirect governance. How can an organization use an indirect governance to assure trust in the service provided? The answer can be found in the old Russian maxim, which was often quoted by US President Ronald Regan: “trust but verify.”

Risks

The risks associated with cloud computing depend on both the IT service model and the delivery model adopted. Some of these risks are new but many of the risks are already found with any outsourced IT service. The risks can be divided into three general categories; policy and organizational risks, technical risks and legal risks. Examples of these risks include:

    • Ensuring compliance—Many organizations have invested heavily to ensure compliance with laws and regulations. Will using a cloud service affect compliance?

    • Business continuity—The recent reported outages of major cloud services show that 100% availability may not be guaranteed. How does using a cloud service impact business continuity?

    • Data security—What are the risks to data held remotely within the cloud provider’s infrastructure?

Using the cloud may outsource the IT service but it does not outsource responsibility. The cloud user remains responsible for the security of their information and for the continuity of their enterprise. When moving to the cloud, it is essential that steps are taken to manage these risks.

Manage risk through understanding needs

The first step to assuring trust is to understand what the business requirements are. Everything follows from these requirements:

    • Classify data and applications. Some applications are more critical than others and some kinds of data are more sensitive than others.

    • Develop scenarios to understand the benefits and risks. Use these to determine the requirements for controls and the questions that need to be answered. This helps you to decide the appropriate response to the risks based on your enterprise’s risk appetite.

    • Understand what the certification and accreditations offered by the cloud provider mean and actually cover and how these support your needs. Assurance frameworks can help with this.

    • Finally, monitor the service provided using the agreed controls to assure that it is conforming to what was agreed.

Assurance frameworks

There is no shortage of advice on how to manage risk to both cloud service providers, as well as cloud customers. The following list summarizes the most prominent frameworks and sources of advice:

    COBIT

    • ISO/IEC 27001-27005

    • AICPA/CICA Trust Services (SysTrust and WebTrust)

    • Cloud Security Alliance Controls Matrix

    • BITS Shared Assessment Program

    • Jericho Forum® Self-Assessment Scheme (SAS)

    • CSA Shared Assessments

    • ENISA Procure Secure

    • German BSI Security Recommendations for Cloud Computing Providers.

    • NIST Cloud Computing Synopsis and recommendations

However, a survey by ENISA of SLAs across EU Public Sector in Dec 2011 showed that, while 60-70% of respondents had adopted standards like ISO27001 and ITIL for internally produced IT services, only 22% required external IT providers to adhere to the same standards.

COBIT – IT Control Objectives for Cloud Computing

The ISACA document IT Control Objectives for Cloud Computing Appendix A provides a mapping of the entire COBIT control objectives to cloud computing. It identifies the priority of each control to the three cloud service models (IaaS, PaaS, SaaS), and the three cloud deployment models (public, private and hybrid). Appendix B provides a detailed cloud computing management audit/assurance work program, which is obtainable online or as a printed publication.

Independent Auditing and Certification

The cloud customer may wish to audit the cloud provider to verify the service provided. However, it is not usually practical for the provider to allow every customer to perform their own audit. Auditing and certification of providers by a trusted third party is a way to satisfy this need. Therefore, it is important to understand what these certifications mean. Here are three examples:

SOC Reports—The auditing standard SSAE no. 16 (Statement on Standards for Attestation Engagements) is intended to satisfy the need for independent checking of service organizations. This is based on International Standard on Assurance Engagements no. 3402, Assurance Reports on Controls at a Service Organization.

Using these standards, an auditor can examine a service and produce a report. This report is based on the statement of the service that the organization claims to provide. Note: They are not an assessment against best practice. The auditor examines how the service is performed and the controls the organization has in place. The auditor is able to produce two types of reports (often referred to as SOC 1 and SOC 2 reports):

    • Type 1 report provides the auditor’s opinion on whether or not the description of the service is fair (does it exist) and whether or not the controls are appropriate.

    • Type 2 report is similar to a type 1 report but includes further information on whether or not the controls were actually working effectively.

An example of a cloud provider that offers such a report is Amazon Web Services.

WebTrust/SysTrust: As mentioned above, one kind of auditor’s report on service organizations is based on what the service provider states that they offer and not an assessment against best practice. It is also possible for a service organization to obtain an auditor’s report based on established criteria (e.g., Trust Services). Trust Services (including WebTrust® and SysTrust®) are a set of professional assurance and advisory services based on a common framework to address the risks and opportunities of IT. The Trust Services Principles and Criteria were established by the AICPA for use when providing attestation services on systems in the areas of:

    • Security

    • Availability

    • Processing integrity

    • Privacy

    • Confidentiality

For each of these areas, these principles provide criteria and illustrative controls. An example of a cloud provider that offers such a report is SalesForce.com.

ISO/IEC 27001 Certification: ISO/IEC 27001 sets out standards that require management to examine the information security risks associated with a specific part of the organization’s assets. (Note: Certification is limited to the specified area within the organization). The objectives of this process are to ensure confidentiality, integrity and availability of information. The process must consider the vulnerabilities, threats and their pot
ential impact, and plan a response to the identified risks. This response may be to avoid the risk, to transfer the risk or to implement a set of controls to manage the risks. The standard identifies 134 controls and provides detailed advice on this subject These controls cover the following areas:

    • Organization and Information Security

    • Asset Management

    • Human Resources Security

    • Physical and Environmental Security

    • Communications and Operations Management

    • Access Control

    • Information Systems Acquisition, Maintenance and Control

    • Information Security Incident Management

    • Business Continuity Management

A complete list of organizations certified to ISO/IEC 27001:2005 is available. An example of cloud a provider offering ISO27001 certification is Microsoft.

Conclusion

Trust inb the cloud depends upon an enterprise’s needs, the provider’s processes and independent auditing. Choose the right cloud service and delivery model based on business need and risk appetite. It is vital to understand the value and sensitivity of data moved to the cloud. Make sure that the service is clearly specified together with the controls. Remember to monitor the controls and understand what independent certifications and audit reports mean. Finally, “Trust but verify.”

About The Author

Mike Small, CEng, FBCS, CITP, is a member of the London Chapter of ISACA, a fellow of the BCS, and an analyst at KuppingerCole. Until 2009, Mike worked for CA where he developed CA’s identity and access management product strategy. He is a frequent speaker at IT security events around EMEA.

About ISACA

With 95,000 constituents in 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Twitter: http://twitter.com/ISACANews

LinkedIn: ISACA (Official)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s