Authorities on Risk Assurance
The Shared Assessments Blog
In the past five years, we have seen tremendous changes in technology, personnel and business practices. Cloud has now become the de-facto industry model for providing computing services. Mobile has become the most common model for accessing data. Cloud platforms are managing billions of Internet of Things (IoT) devices daily, and new exciting developments are evolving, such as microservices, to enable previously unimaginable scalability and efficiencies.
However, with the introduction of enterprise cloud, new audit controls are required to address the use of these new technologies, new service models, and new nuances in how existing audit controls apply to cloud.
The Evaluating Cloud Risk for the Enterprise whitepaper is a Shared Assessment guide that provides step-by-step guidance for enterprise organizations moving their services to the cloud. It assists in helping enterprise organizations create a cloud strategy that will scale across hundreds of their cloud providers, both locally and internationally. I had the privilege of being the chair of this enterprise cloud whitepaper. My role as CISO at Domo, the largest analytics platform in the Cloud and with more than 25% of the Global Fortune 50 companies as customers, enabled me to incorporate some key industry best practices and lessons learned into this whitepaper.
Best Practices for Enterprise Cloud Computing Management
The whitepaper introduces the concept of Common Cloud Controls. These are mature control areas associated with traditional IT services environments, also equally applicable to cloud-based services. These audit mechanisms are considered mature (e.g., anti-virus, background checks, etc.), and there are hundreds of these mature controls that apply to cloud. Organizations can simply use their existing audit vehicles to assess these controls, such as SOC II, ISO 27001, Shared Assessments AUP, etc.
This process should allow an organization to quickly and efficiently evaluate greater than 80% of a cloud provider’s controls, using current audit programs.
This then leaves those control areas that are not typically covered in ISO 27001 or SOC II (e.g., multi-tenancy, containerization, etc.). The whitepaper refers to these as Delta Cloud Controls and provides dozens of practical examples of how to effectively incorporate these control areas into an organization’s cloud strategy and audit program.
The Evaluating Cloud Risk for the Enterprise white paper includes the full list of practical recommendations, questions to discuss with cloud providers and lessons learned for cloud-related control domains, but we have summarized the Cloud Control evaluation steps into some key themes to consider:
What are the controls at each of the four main layers? As public cloud services all run on the same cloud environment, they share the same infrastructure.
Look at the data segmentation and separation controls at the main layers: network, physical, system and application, and evaluate each of the above controls at each layer (e.g., cloud data separation controls are typically weaker or non-existent at the physical layer as there is often no physical separation), requiring controls on the other three layers to be far stronger. Pay particular attention to the application controls, since this is the layer where the majority of critical cloud controls will reside.
Also organizations should understand their role and responsibility as the “data controller” and that of the cloud provider as the “data processor.” Misunderstanding who is responsible for what is one of the leading causes of security and privacy incidents.
Determine whether each customer is provided with a unique encryption key or whether encryption keys are shared. Unique customer keys are a strong control that can render co-mingled data unreadable in the database by another customer.
Ascertain whether customer data will be encrypted at storage and in-network transmissions, across external and internal networks, i.e. cloud provider and their underlying infrastructure (e.g., AWS, Azure). Internal network and datacenter-to-datacenter network encryption is increasingly important; as private or internal networks are susceptible to unauthorized network sniffing.
Where is my data? This is particularly important for cloud providers that may have datacenters and support teams in multiple legal jurisdictions.
It is important to ask your cloud providers to list all the locations that they store, process, transmit or access customer data and whether these are explicitly defined in the contract. Ensuring that the cloud contract documents all the countries or legal jurisdictions where company data will be stored, processed or accessed from is important in helping organizations meet their internal data privacy requirements. It is important to note that simple web access by support from another country is oftentimes considered the same as “data storage” in that country, and as such the full set of security and privacy requirement for data storage can apply.
The evaluation process should include investigating thoroughly any potential conflict in countries’ data privacy and legal requirements. One example is that a data privacy conflict could arise if the customer and cloud provider are located in the US and the provider has multiple datacenters in the US, but also has a datacenter in Germany for disaster recovery and resilience. The US could mandate certain data be deleted (due to a US data privacy requirement), while German law may require that the data be retained (as evidence in a subsequent legal case). In this scenario, the conflict of laws between jurisdictions may place the integrity of the customer data at risk.
How is user authentication, authorization and accounting managed? A unified user management model is an essential component of cloud, from a business, usability and security perspective.
Businesses using cloud may be presented with the challenge of integrating their existing identity and log management solutions with that of the cloud provider. Ensure that the cloud provider supports identity federation standards such as SAML or OpenID, so as to help prevent costly and one-off individual integrations.
Once the user is authenticated, the next step is authorization. It is important that the cloud provider can support a granular set of user permissions, so that a customer’s least privilege and separation of duties requirements can be complied followed within that cloud provider’s environment.
Also, ensure that all end user actions, be it write or view, are logged in the cloud and that there is an API available to integrate the log data directly into the customer’s security monitoring tools. This is important so that the customer can monitor their numerous cloud providers from the customer’s Security Operations Center (SOC).
How do I assess my cloud vendor? As with any vendor model, an organization can outsource the responsibility for the service, but not the associated risk or accountability.
One of the foundations of cloud is its agile nature, which is inherent in its roots in innovation and rapid change. As such, the classic model of assessing your vendor once per annum does not scale for cloud. Instead companies must build an on-demand vendor monitoring and management program that is based on the continuous level of change in cloud. Where possible, this should mandate that the cloud vendor provides a number of notification requirement triggers, including notification upon substantive security control changes, change of the cloud provider’s relevant vendors (e.g., move from AWS to Azure), or upon certain defined control deficiencies (e.g., an external high level vulnerability remains open for a certain period of time).
One challenge is to ensure the benefit of deploying a cloud solution is not outweighed by the complexity of doing business in the cloud. The cloud provider should provide a single point of contact, a single contract and a single point of accountability to manage the solution end-to-end, independent of what underlying services that they themselves use.
It’s important to guard against an “out of sight, out of mind” mentality: it’s still your data and your service even if it is hosted or directly managed by the cloud provider.
The above are just some of the best practices that can be found in the recently-published Shared Assessments Evaluating Cloud Risk for the Enterprise white paper.
I hope that you find value in the Evaluating Cloud Risk guide and that it becomes an integral component of your cloud vendor management toolkit. The complete whitepaper can be downloaded from here.
Niall Browne, SVP Trust & Security, CISO Domo, brings more than 20 years of experience in managing global security, compliance, and risk management programs for financial institutions, cloud providers, and technology services companies. Prior to Domo he served as Workday’s chief trust officer and vice president of trust, and before this as chief security officer, where he created and managed their enterprise trust program. Niall served as Chair of the Evaluating Cloud Risk for the Enterprise white paper.