The document discusses standards, assurance, and certification in cloud security. It begins by defining commonly used terms like standard, assurance, and certified. It then discusses who defines standards, such as occupants of a house or independent authorities. Different types of assurance are examined, including self-assessment, third-party attestation for a point in time or period of time, and perpetual validation. The document also discusses issues with multiple standards and audits for service organizations and proposes using a SOC2 report to satisfy multiple standards with one audit. Potential objections to this approach are addressed.
2. Welcome
Definition of some commonly used, but often misunderstood terms.
Subject matter might be controversial.
Please make a note of the page number, jot down your thoughts, and hold questions and comments for the discussion period (only 30 seconds per slide!)
OR
tweet #csamtg with slide number X and your question or comment.
(Callout: “Please keep clean?”)
4. Who Defines Standards?
What does it mean to have a clean house?
Who should decide? (Why? Why not?)
• Occupants of the house
• Independent authority or general consent
5. Standards
“Clean” Defined by Occupant:
1. Self defined - not a standard by definition (Bare Minimum)
   • No clutter
   • Clean floors
   • No food left on the counter
6. Standards
“Clean” Defined by Authority:
2. Broad objectives (Callout: “Get to decide what this means to you.”)
   • No clutter
   • No dishes in the sink
   • Clean floors
   • No dust
   • No food left on the counter
   • Everything in its place
7. Standards
“Clean” Defined by Authority (cont.):
3. More detailed (Callout: “Sometimes not applicable”)
   • No clutter
     o No clothes on the floor
     o Beds must be made
     o No excessive trinket collection or picture hanging
   • No dishes in the sink
     o Dishes must be placed in the dishwasher immediately
     o Sink must be washed after use
   • Clean floors
     o Carpeted floors must be vacuumed daily
     o Tiled floors must be cleaned daily with bleach
     o Baseboards must be wiped down with a rag by hand
   • No dust
     o All furniture surface areas must be dusted daily
     o The inside of the refrigerator, stove, and all appliances must be wiped daily
8. Standards
“Clean” Defined by Authority (cont.):
4. Hybrid – Even more detailed in some areas, but not applicable in others
   • No clutter (in the kitchen)
     o Nothing on the floor
     o No counter top appliances
     o Range must be electric
     o All appliances must be stainless steel
   • No dishes in the sink
     o Sink must not be used for washing dishes
     o Dishwasher must be commercial quality
   • Clean floors (in the kitchen)
     o Floors must be cleaned daily with bleach
     o Baseboards must be wiped down with a rag by hand
     o Anti-bacterial spray must be used daily
   • No dust (in the kitchen)
     o The outside of the refrigerator, stove, and all appliances must be wiped daily
     o The inside of the refrigerator, stove, and all appliances must be wiped daily
   • Bedrooms, living rooms, den, bathrooms, etc. (N/A)
10. Assurance
1. My house is clean. (Really?)
2. His house was clean when I inspected it. (What about before? What about after?)
3. His house was clean all last year. (What about after?)
4. His house is continually clean. (How do you know?)
11. Assurance
“My house is clean.”
Self Assessment or Management Attestation
• High risk – Low Reliability
• Requires high degree of trust in the person making the attestation
• Lack of accountability. Leads to cutting corners because no one is looking.
12. Assurance
“His house was clean when I checked.”
Third Party Attestation (Point in Time)
• Medium Risk & Reliability
• Provides minimal if any assurance, and still requires trust.
• Lack of accountability. Leads to cutting corners when no one is looking.
13. Assurance
“His house was clean all last year.”
Third Party Attestation (Period of Time)
• Low Risk – High Reliability
• “Trust, but verify”
• Provides reasonable assurance.
• Accountability exists - when corners are cut, there is a high likelihood of being caught.
14. Assurance
“His house is continually clean.”
• Perpetual Validation (Real Time - Utopia)
• Little to No Risk – Very High Reliability
• Provides near absolute assurance, and does not require trust
• Accountability exists. Corners cannot be cut, or there is a certainty of being caught
15. Certified
cer·ti·fied [sur-tuh-fahyd] adjective
1. having or proved by a certificate
2. guaranteed; reliably endorsed
(Callout: “I am a CISA. Does ISACA guarantee my work?”)
16. Which Assurance Should “Certified” Belong To?
(Callout: “Please tweet answer.”)
1. Self Assessment
2. Third Party Attestation – Point in Time
3. Third Party Attestation – Period of Time
4. Perpetual Validation – Real Time Utopia
17. Security Standards & Assurance
Standard | Standard Category | Assurance
CSA STAR (CCM, CAIQ, etc.) | More Detailed | Self Assessment
NIST/FedRAMP | More Detailed | Self Assessment
COBIT | Broad Objectives | Self Assessment
HIPAA / HITRUST | Broad Objectives | Point in Time
ISO 27001 | Broad Objectives | Point in Time
PCI-DSS | Hybrid – Focused on cardholder data environments | Point in Time
AICPA SSAE 16 - SOC1 (formerly SAS70) | Self Defined (N/A – Controls Related to Financial Statement Accuracy Only) | Type 1 – Point in Time; Type 2 – Period of Time
AICPA SSAE 10~14 – SOC2/SOC3 | Broad Objectives (Trust Services Principles & Criteria (TSPC)) | Type 1 – Point in Time; Type 2 – Period of Time
18. Issues Created for Service Organizations
• Forced to satisfy customer’s need for assurance with multiple standards and audits.
• Wasting time scheduling and supporting external auditors from multiple firms.
• Wasting time scheduling and supporting audits by customers exercising their “right to audit.”
• Lack of clarity and confusion regarding customer expectations.
19. Is there a “Silver Bullet” to Satisfy Everyone?
No.
• Governing bodies will always require their own standards and reports (i.e. VISA and Mastercard require PCI, the Federal Government requires HIPAA compliance).
• Customers have to provide their external auditors reports that meet their requirements.
20. What can be done to reduce the burden of compliance?
Take the best from each available Standard and Assurance.
How? Get Period of Time Assurance with More Detailed Standards.
21. What can be done to reduce the burden of compliance?
What? Use SOC2 Type 2 Report as the Assurance wrapper for any or all of the following:
o ISO 27002
o CSA CCM
o PCI-DSS
o HITECH
o NIST/FedRamp
(Callout: “What good would it do? Reports come from separate auditors.”)
(Callout: “Who would test? Accountants?”)
22. SOC2 and “Additional Subject Matter”
The SOC2 Attestation Standard (AT-101 or SSAE 10~14) allows for inclusion of other standards.
CPA firms can partner with QSAs and ISO registrars to conduct testing together, eliminating testing redundancy.
(Diagram labels: PCI-DSS, TSPC)
(Callout: “Is this even allowed?” Yes… “Technical Specialists”, AT-101)
(Callout: “Is there much overlap in standards?” Yes.)
23. SOC2 and “Additional Subject Matter”
At the end of the engagement, organizations receive a SOC2 report that covers a period of time
AND
they receive separate reports covering the other standards - i.e. PCI-DSS (ROC), and / or ISO 27001 Certificate.
24. SOC2 and “Additional Subject Matter”
One core set of audit work serves as the basis for multiple reports.
Customers receive
o Solid detail great standards like CSA CCM provide
o Little to No Risk – Very high reliability provided by period of time testing
o Specific reports to satisfy everybody
o International Acceptance
25. Objectors Say
CPA firms that are not competent to perform CSA STAR, ISO 27001, PCI-DSS, etc. testing are not competent to accept the engagement.
We say, the AICPA provided for the use of technical specialists in AT-101, and the standard is clear. The use of specialists to demonstrate competence is allowed.
AT-101 (referencing SAS 73 as the Technical Specialist guideline CPA firms must follow): “This knowledge requirement may be met, in part, through the use of one or more specialists on a particular attest engagement if the practitioner has sufficient knowledge of the subject matter (a) to communicate to the specialist the objectives of the work and (b) to evaluate the specialist's work to determine if the objectives were achieved.”
26. Objectors Say
ISO 27001 is a real time assurance because the certificate is valid for three years.
We say, read the fine print. The certificate is void if any of the terms in the certificate agreement are broken. See - "Proof that ISO 27001 is a Point-in-Time Assurance"
27. Objectors Say
Period of Time assurance is no better than Point in Time assurance because both are “dated”, meaning they are irrelevant even before they are issued.
We say, the discipline that is instilled in an organization, that knows there is an increased likelihood of being caught when they stray, shifts culture in the direction of better security.
28. Discussion & Reading
The Risk Assurance Revolution has Begun
http://riskassuranceguy.blogspot.com/2012/01/risk-assurance-revolution-has-begun.html
SOC Reports: The customer is always right
http://turnkeyit.blogspot.com/2012/01/soc-reports-customer-is-always-right.html
Standards, Audits, and Certifications: Which One is Right?
http://www.infosecisland.com/blog/show/slug/19296-Standards-Audits-and-Certifications-Which-One-is-Right/page/2.html
When I See a Can in the Road, All I Want to do is Smash It
https://www.infosecisland.com/blogview/19769-When-I-See-a-Can-in-the-Road-All-I-Want-to-do-is-Smash-It.html
Why Data Centers Don't Need SSAE 16
https://www.infosecisland.com/blogview/16080-Why-Data-Centers-Dont-Need-SSAE-16.html
Why Data Centers Need SSAE 16
https://www.infosecisland.com/blogview/16952-Why-Data-Centers-Need-SSAE-16.html
SOC 2 for Cloud Computing
https://www.infosecisland.com/blogview/17174-SOC-2-for-Cloud-Computing.html
AICPA Fumbles Audit Standards at the 5-Yard Line
http://www.datacenterknowledge.com/archives/2012/01/19/aicpa-fumbles-audit-standards-at-the-5-yard-line/
Good Reading:
http://www.schrammassurance.com/wp-content/uploads/2012/01/11-Schramm-SAS70-to-AT101-KLv4.pdf
http://cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/Standards/StandardsImplementationGuidance
CSA Atlanta Chapter Q1’12 Meeting Feedback:
http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=91992030&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&trk=group_most_recent_rich-0-b-ttl&goback=.gmr_3664160
http://www.linkedin.com/groupItem?view=&gid=3664160&type=member&item=46520870&qid=bd5c4379-ecac-4383-b1e8-1a7387f86ac3&goback=.gmr_3664160.gde_3664160_member_91992030
LinkedIn Group on SOC Reports:
http://www.linkedin.com/groups/SOC-formerly-SAS70-Reports-4223260?
29. The Cloud Security Alliance Governance,
Risk, and Compliance (CSA GRC) Stack
• A suite of four integrated and reinforcing CSA initiatives (the
“stack packages”)
– The Stack Packs
• Cloud Controls Matrix
• Consensus Assessments Initiative
• Cloud Audit
• CloudTrust Protocol
• Designed to support cloud consumers and cloud providers
• Prepared to capture value from the cloud as well as support
compliance and control within the cloud
The CSA GRC V2.0 Workshop | Ron Knode 7 Oct 2011 Page 29
30. The CSA GRC Stack
Bringing the Stack Pack Together
(Table: Delivering | Stack Pack | Description. The “Stack Pack” column and the right edge of the “Description” column are cut off in the source; the surviving fragments are kept as they appear.)
• Continuous monitoring … with a purpose | “Common technique an” … “request and receive ev” … “of current cloud servic” … “circumstances from clo”
• Claims, offers, and the basis for auditing service delivery | “Common interface and” … “automate the Audit, As” … “and Assurance (A6) of”
• Pre-audit checklists and questionnaires to inventory controls | “Industry-accepted way” … “security controls exist”
• The recommended | “Fundamental security p” … “specifying the overall s”
31. CSA GRC Value Equation Contributions for Consumers and Providers
• Individually useful
• Collectively powerful
• Productive way to reclaim end-to-end information risk management capability
Static claims & assurances:
• What control requirements should I have as a cloud consumer or cloud provider?
• How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
• How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
Dynamic (continuous) monitoring and transparency:
• How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?
32. Using the GRC Stack
Making the Stack Pack Approach Work for You
• Easy to get started
• Many successful combinations
• Benefits accrue with each stack pack addition
• Multiple alternatives to application and deployment
• Mapped across multiple compliance mandates
33. 2011 Recap
• GRC Stack Training Courses offered across US and Europe
• Cloud Security Alliance acquires CTP from CSC (July)
• CCM 1.2 released (August)
• CAIQ 1.1 released (September)
34. 2012
• CCM v1.3
• CAIQ and CCM migrating to database format
• More GRC Stack Training Courses (TBA)
• 2012 CTP Roadmap release – Volunteer opportunities and more details will be announced in Q1
https://cloudsecurityalliance.org/research/grc-stack/
35. https://cloudsecurityalliance.org/star/
The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud service providers.
It helps users assess the security of cloud providers they currently use or are considering contracting with.
It is a simple but powerful idea: cloud providers post self assessments of their cloud services, CSA makes these assessments publicly available, and cloud consumers can use this data to make informed purchasing decisions.
It supports CSA GRC Stack, AICPA SOC, ISO 27001, FedRAMP, etc.
36. CSA Summit 2012 at RSA - USA
February 27 – March 2
Moscone Center - San Francisco
37. Help Us Secure Cloud Computing
– www.cloudsecurityalliance.org
– info@cloudsecurityalliance.org
– LinkedIn: www.linkedin.com/groups?gid=1864210
– Twitter: @cloudsa