Cloud Vendor Security INFOSEC ASSESSMENTS & REPORTS

Cloud Vendor Security INFOSEC ASSESSMENTS & REPORTS

April 1 - News Flash! Conficker A master computer was reportedly scheduled to gain control of millions of infected zombie machines on April 1, 2009 Conficker malware uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques Anti-worm researchers banded together in a group called the Conficker Cabal. Members searched for the malicious software program's author and for ways to do damage control if he or she couldn’t be stopped. They were motivated in part by a 250,000 bounty from Microsoft.

Introduction Cloud Vendor Security – - Are company “Crown Jewels” in the cloud? - What evidence do you have that company data in the cloud is secure? Abstract: Lloyd Guyot will lead a collaborative discussion based on his experience implementing and leading a Cloud Vendor Security Assessment service for a global, Fortune 100 company. Topics to be discussed include the processes, procedures and tools used in assessing a Cloud Vendor security posture. Speaker: Lloyd Guyot, CISSP, CISM resides in West Michigan and is a Lead Security Analyst for Johnson Controls, a global Fortune 100 company headquartered in Milwaukee, Wisconsin. Lloyd has over 15 years’ experience in the Information Security field and is an Adjunct at Davenport University and serves on the FBI InfraGard / U.S. Homeland Security – West Michigan Board of Directors.

Agenda - It’s all about the Data! 1. Who’s Accountable for What? 2. Where’s the Data? 3. The Cloud Vendor Security Assessment Service a) b) c) d) e) f) g) h) i) The SLO – Service Level Objective The Service Web Portal The Request Form Where’s the Beef? the Vendor Evidence Calculating the Vendor Risk Score Writing the Cloud Vendor Security Report The Annual Cloud Vendor Re-Assessment The Cloud Vendor Service Team Dashboard The Cloud Vendor Service Metrics 4. A Few Good Resources

Who’s Accountable for What?

#1 - Identify and Follow the Data Public Internal Confidential Restricted Identify Engineering, Financial, Business, HR, legal, and regulatory data (HIPAA, PCI, FISMA, DFARS, ITAR, EAR) PII - Personally Identifiable Information (social security numbers, credit card information, personal health data) IP - Intellectual Property (patents, trademarks, design plans - Engineering drawings) Follow Once this information has been identified, a flow analysis needs to be conducted to identify all systems and devices the data either resides on or flows through. Data Flow Diagram - Transport Storage Process

Cloud Vendor Security Assessment Service Service Description Review Vendor security controls related to Vendor policy, process, and people for protecting the confidentiality, integrity and availability of company information Note: The assessment does not include a security review of the project or system architecture, application, infrastructure design or related technologies. Service Level Objectives - SLO 3 business days to respond to request 7 business days to provide a report & position statement after all requested Vendor documentation has been provided

The Cloud Vendor Service Web Portal SharePoint Customer View Service Description Benefits Process Map Inputs / Outputs Resources Requested Vendor Documents How to Submit a Request Checklist Prior to Submit FAQ’s Security Team View Vendor Support Documents Team Member Data Entry Vendor Dashboard

The Vendor Service Request Form Requester Name / Title, Department, BU Procurement Staff Contact Info Project Name and Business Scope Info Vendor Name and Service(s) Provided Vendor Sub-Service Providers IaaS / PaaS / SaaS Data Classification – Public Internal Confidential Restricted Example Data Types Transported / Stored / Processed Cont.

The Vendor Service Request Form Cont. Cloud Vendor Documentation Requested Data Flow doc including security controls and all end points Third-party evidence of a Security Program Eg. ISO 27001:27005 Third-party evidence of Infosec Controls and their effective operation Eg. SSAE-16 SOC 2 Type 2 Third-Party System / application Penetration test report Third-Party System / application Vulnerability scan report Business Continuity and Disaster Recovery Questionnaire Privacy Questionnaire

Vendor Evidence of InfoSec Controls SSAE-16 (U.S.) / CSAE 3416 (Canada) / ISAE 3402 (International) Note: We request the above security reports to be SOC 2, Type 2 documents which include tests confirming the effectiveness of the Vendor service security controls ISO/IEC 27001:27013 - certification that the Vendor service has a security program Application Penetration Test and Vulnerability Scan Reports In an Exception CSA STAR - CCM / Cloud Security Alliance - Cloud Controls Matrix Attestation of cloud service provider security practices Other - Independent security / privacy assessment from a known trusted security firm

The Cloud Vendor Risk Score NIST CVSS Risk Calculator - Common Vulnerability Scoring System The National Vulnerability Database assigns risk rankings according to CVSS Base risk scores – Low: 0.0 to 3.9 Medium: 4.0 to 6.9 High: 7.0 to 10.0

NIST CVSS Risk Calculator Cont. Base Metrics - characteristics that are constant over time and between different environments Exploitability: Access Vector / Access Complexity / Authentication Impact: Confidentiality / Integrity / Availability Temporal Metrics characteristics that change over time. Exploitability: Unproven / Proof of Concept / Functional / High Remediation Level: Official Fix / Temp Fix / Workaround / Unavailable Report Confidence: Unconfirmed / Uncorroborated / Confirmed Environmental Metrics - tied to an implementation in a specific users environment. Collateral Damage Potential: None / Low / Medium / High Targeted Distribution: None / Low / Medium / High Impact: Confidentiality / Integrity / Availability

The Cloud Vendor Security Report Cloud Vendor Name and Scope of Service Names of Vendor Sub-Service Providers (all providers that transport, store or process company data) Data Classification and Example Data Types Vendor security assessment position statement “Acceptable” / “Not Acceptable” High / Medium / Low Risk Rating Note: By default the CVSS number is not presented Scope of Review General Comments & Action Items Vendor defined Complimentary Security Controls Project Background Data Flow Diagram Vendor Background Findings / Example issues of concern based on evidence and/or attestations provided for review

Annual Cloud Vendor ReAssessments Any changes to MSA / SLA? Services Provided? Scope of Engagement? Data Types / Data Classification? Changes in Cloud Vendor Infosec controls? Remediation follow-up required? All “Action Items” addressed and completed satisfactorily? All current Cloud Vendor security reports been provided? Any issues / findings? New Security Team Position Statement “Acceptable” / “Not Acceptable” High / Medium / Low Risk Rating

The Vendor Service Team Dashboard SharePoint Database / Archive Vendor Name Data Classification Work Status – Cancelled, Pending Open Completed Security Assessment Manager Vendor Position Statement Vendor Status Flag Open / Close Dates Requester, BU, Department CVSS Risk Rating Evidence Provided & ISO / SOC Expiration Dates Remediation & Complimentary Control Requirements Re-Assessment - Required, In-Process, Date

The Vendor Service Metrics Hard to manage or improve what we don’t measure!

Resources AICPA SOC Report Standards http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx AICPA Trust Services Principles and Criteria http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TrustServices/Pages/Trust%20Ser vices%20Principles%E2%80%94An%20Overview.aspx? sm au iVVQNvt0QHWWTtFq NIST CVSS Risk Scoring - https://nvd.nist.gov/cvss.cfm NIST CVSS Calculator - https://nvd.nist.gov/cvss.cfm?calculator&version 2 CSA / Cloud Security Alliance - https://cloudsecurityalliance.org/ CCM / Cloud Controls Matrix - https://cloudsecurityalliance.org/research/ccm/ CSA STAR / Trust & Assurance Registry - https://cloudsecurityalliance.org/star/ Shared Assessments - https://sharedassessments.org/

Questions? Who Owns the Risk? Lloyd Guyot, CISSP, CISM Contact Info: Email – [email protected] LinkedIn – http://www.linkedin.com/in/lguyot