WEBVTT

00:00:00.940 --> 00:00:04.560
There are a number of different ways we can evaluate cloud providers.

00:00:05.040 --> 00:00:07.450
We can perform various types of audits,

00:00:07.460 --> 00:00:11.430
either as an external group or as the consumer.

00:00:11.620 --> 00:00:16.320
Many cloud service providers have audits done by external groups

00:00:16.530 --> 00:00:20.350
that they can use to show the fact that they followed good

00:00:20.350 --> 00:00:23.800
practice, for example. In many cases,

00:00:23.800 --> 00:00:27.620
the purpose of an audit is to provide an independent

00:00:27.630 --> 00:00:29.750
assessment of the cloud provider.

00:00:30.140 --> 00:00:35.660
We don't necessarily trust if an organization has just done a self‑assessment.

00:00:36.140 --> 00:00:36.950
Instead,

00:00:37.540 --> 00:00:43.040
we have a reputable firm using a template or some type of standard

00:00:43.040 --> 00:00:47.960
to measure against in order to ensure that the cloud provider is

00:00:47.960 --> 00:00:51.620
adhering to good practice. We have, for example,

00:00:51.620 --> 00:00:58.480
from the Cloud Security Alliance STAR, we have things like the SSAE 18 or

00:00:58.480 --> 00:01:05.530
today, usually, the SSAE 20. We have the ISAE 3402,

00:01:05.540 --> 00:01:10.770
which is the international equivalent of the SSAE series put out

00:01:10.770 --> 00:01:14.830
by the AICPA. In the US Federal Government,

00:01:14.830 --> 00:01:18.760
we have criteria that are then listed under FISMA.

00:01:20.140 --> 00:01:25.140
The STAR process put forward by the Cloud Security Alliance

00:01:25.340 --> 00:01:29.650
stands for security, trust, assurance, and risk.

00:01:30.340 --> 00:01:35.640
It allows us to take a look at what are good practices for a cloud

00:01:35.640 --> 00:01:39.650
provider as listed in the Cloud Controls Matrix,

00:01:39.650 --> 00:01:46.910
the CCM, and the General Data Protection Regulations would look at privacy.

00:01:47.440 --> 00:01:53.440
So the CSA STAR process allows us to compare and to ensure

00:01:53.700 --> 00:01:57.880
that a cloud provider is adhering to all of the practices

00:01:57.880 --> 00:01:59.760
listed in these documents.

00:02:00.240 --> 00:02:04.780
One way to ensure that something didn't get missed is to use

00:02:04.780 --> 00:02:07.550
something like the Cloud Controls Matrix.

00:02:08.800 --> 00:02:13.230
There are three different levels of STAR certification. Level one is

00:02:13.230 --> 00:02:17.800
where the cloud service provider performs their own self‑assessment, and

00:02:17.800 --> 00:02:21.720
we all know how valid that may or may not be.

00:02:22.440 --> 00:02:24.490
When we take a look at level two,

00:02:24.500 --> 00:02:30.200
we see third‑party audits conducted by a reputable independent and

00:02:30.200 --> 00:02:36.040
hopefully objective organization that reviews the cloud service provider to

00:02:36.040 --> 00:02:39.890
see whether or not they are following the good, trusted security principles

00:02:39.890 --> 00:02:46.040
they should be following. A level three is where we're doing this type of

00:02:46.040 --> 00:02:48.730
review on a continuous basis.

00:02:48.880 --> 00:02:51.560
There is continuous auditing being done.

00:02:52.990 --> 00:02:58.630
The idea of continuous audit is to ensure that an organization

00:02:58.640 --> 00:03:01.730
is not just compliant at the day of a review,

00:03:01.940 --> 00:03:05.620
but if we looked at them at any time, we would find

00:03:05.620 --> 00:03:08.010
that they are following good practice.

00:03:08.540 --> 00:03:11.290
This can be done through things like a Consensus

00:03:11.290 --> 00:03:15.960
Assessment Initiative Questionnaire, CAIQ.

00:03:17.440 --> 00:03:20.820
In the case of a self‑assessment,

00:03:20.910 --> 00:03:28.190
this is done every 30 days for level one. The American Institute of Certified

00:03:28.190 --> 00:03:33.600
Professional Accountants, the AICPA, put out a number of documents over the

00:03:33.600 --> 00:03:39.670
years with standards and audit engagements, and these started with a SAS 70,

00:03:39.670 --> 00:03:43.590
which then evolved into the SSAE 16,

00:03:43.600 --> 00:03:50.940
18, and now the current one is SSAE 20. It gets updated every couple of

00:03:50.940 --> 00:03:56.060
years, and so this was implemented at the end of 2021.

00:03:57.240 --> 00:04:02.080
The idea is that with each implementation we improve from

00:04:02.080 --> 00:04:05.160
what we learned from the earlier documents.

00:04:05.940 --> 00:04:11.590
The SSAE stands for the Statement on Standards for Attestation Engagements.

00:04:11.810 --> 00:04:17.640
So if I have an engagement to do an attestation or review of an organization,

00:04:17.880 --> 00:04:21.480
what are the standards that we should measure against?

00:04:21.779 --> 00:04:25.260
An audit should never be measured against a person's opinion.

00:04:25.640 --> 00:04:31.420
Instead, it should be measured against a reputable and recognized standard.

00:04:32.550 --> 00:04:39.050
It is put out, as we said, by the AICPA and updated on a regular basis.

00:04:39.940 --> 00:04:46.790
The main part of this is SOC, the System and Organization Controls report that

00:04:46.790 --> 00:04:53.460
is generated once the SSAE evaluation has been completed.

00:04:54.340 --> 00:05:00.140
If we took a look at an SSAE 20 SOC 1, that is a review of the

00:05:00.140 --> 00:05:04.690
financial reporting of the organization, very similar to what we

00:05:04.690 --> 00:05:07.860
used to see with the SAS 70, for example.

00:05:08.240 --> 00:05:13.900
So we know with some level of assurance whether or not the financial

00:05:13.900 --> 00:05:17.990
records of that cloud service provider are accurate.

00:05:18.000 --> 00:05:22.960
Are they in any way fictitious? Have they tried to hide something?

00:05:23.150 --> 00:05:27.710
We want to make sure that before we go to a cloud provider that they're not

00:05:27.710 --> 00:05:33.720
going to fall into bankruptcy a couple of days later. When we do a SOC 2,

00:05:33.720 --> 00:05:40.290
we're doing an evaluation of that cloud service provider based on several

00:05:40.290 --> 00:05:46.350
different principles, WebTrust and SysTrust. Here is where we look at the

00:05:46.350 --> 00:05:52.300
areas of security and does the cloud service provider have a good security

00:05:52.300 --> 00:05:58.320
program and are they implementing what are commonly recognized as acceptable

00:05:58.320 --> 00:05:59.860
security practices?

00:06:00.440 --> 00:06:06.260
We review their implementation of privacy and how they are then

00:06:06.260 --> 00:06:09.980
compliant with things like privacy regulations.

00:06:10.540 --> 00:06:13.360
We look at the integrity of their processes.

00:06:13.500 --> 00:06:16.650
We look at how they protect confidentiality.

00:06:16.660 --> 00:06:17.970
And of course,

00:06:17.980 --> 00:06:21.710
because a cloud provider is a critical part of our supply

00:06:21.710 --> 00:06:25.970
chain, we need to ensure that they have processes in place

00:06:26.210 --> 00:06:28.750
to ensure availability as well.

00:06:29.040 --> 00:06:33.360
We don't want to have all of our business reliant on a cloud

00:06:33.360 --> 00:06:37.780
provider and have a cut network cable or equipment failure that

00:06:37.780 --> 00:06:40.460
means none of my systems will actually work.

00:06:41.790 --> 00:06:46.780
The problem with a SOC 2 is the SOC 2 is a very detailed

00:06:46.780 --> 00:06:51.990
report primarily meant for internal use because it says

00:06:51.990 --> 00:06:53.760
what all of the problems are.

00:06:54.140 --> 00:06:57.930
So most organizations will instead give you a summary

00:06:57.930 --> 00:07:01.890
report, which is known as a SOC 3. Really,

00:07:01.900 --> 00:07:07.270
it's just the summary of the SOC 2, but without all of the embarrassing

00:07:07.270 --> 00:07:12.060
details of the things that the organization has to work on.

00:07:12.540 --> 00:07:16.810
Now there are a number of organizations out there that will

00:07:16.810 --> 00:07:19.250
actually provide their SOC 2 for you.

00:07:19.740 --> 00:07:21.380
They want to be transparent.

00:07:21.390 --> 00:07:22.950
They want to earn your trust.

00:07:23.100 --> 00:07:24.470
So therefore, they'll say,

00:07:24.470 --> 00:07:28.330
look, here you go. You can see what we're working on and

00:07:28.330 --> 00:07:30.150
what has been brought to our attention.

00:07:30.940 --> 00:07:37.710
The idea of the SOC 3 is that it allows us to do marketing and show

00:07:37.810 --> 00:07:41.530
that we've paid attention to good security principles.

00:07:41.620 --> 00:07:45.410
We've had a review of our financial and, of course,

00:07:45.410 --> 00:07:47.950
WebTrust and SysTrust security.

00:07:48.240 --> 00:07:52.010
We've ensured that we're following the good practices of the Cloud

00:07:52.010 --> 00:07:57.390
Controls Matrix, and therefore, you can trust us with your data

00:07:57.400 --> 00:08:04.120
and data processing. When we conduct an SSAE 20 assessment, there

00:08:04.120 --> 00:08:05.900
are two ways we can do it.

00:08:06.180 --> 00:08:10.000
We can do what's called a Type 1 assessment where we

00:08:10.000 --> 00:08:14.360
conduct the assessment as of a date, as of a point in time.

00:08:15.340 --> 00:08:20.290
But many organizations today will instead want to see a Type 2.

00:08:20.420 --> 00:08:27.140
A Type 2 is a review that's done over a period of time, usually six months.

00:08:27.380 --> 00:08:31.550
But many organizations today are actually then using this

00:08:31.560 --> 00:08:34.600
in a type of continuous audit process.

00:08:35.539 --> 00:08:38.080
The idea being that if I've reviewed an

00:08:38.080 --> 00:08:41.059
organization over a six‑month time period,

00:08:41.640 --> 00:08:46.910
then the things they are doing are probably being done out of habit,

00:08:47.090 --> 00:08:51.100
not just in order to pass the day of the assessment.

00:08:51.390 --> 00:08:57.100
So a Type 2 costs more, but also would provide a higher level of assurance.

00:08:58.310 --> 00:09:02.520
Another way we can review whether or not the cloud service provider is

00:09:02.530 --> 00:09:06.690
following good practice is to see whether or not they are compliant with

00:09:06.690 --> 00:09:10.260
an international standard such as 27001.

00:09:10.740 --> 00:09:17.070
We review whether or not they have managed to ensure they've addressed all

00:09:17.070 --> 00:09:23.460
of the main security concerns that were listed in 27001.

00:09:24.140 --> 00:09:30.090
27001 is really the flagship standard of the 27000 series.

00:09:30.640 --> 00:09:37.270
27000 itself is a glossary of terms and a free document we can use to

00:09:37.270 --> 00:09:39.660
make sure we're all speaking the same language.

00:09:40.240 --> 00:09:45.690
But 27001 is a standard we can be measured against.

00:09:45.910 --> 00:09:51.060
It defines the standards for an information security management system.

00:09:52.540 --> 00:09:57.060
Another type of evaluation that's often done is according

00:09:57.060 --> 00:10:01.460
to the Uptime Institute. The Uptime Institute looks at

00:10:01.460 --> 00:10:07.960
things such as data center design, construction, and ongoing operations.

00:10:08.440 --> 00:10:14.390
It is there to try to ensure high availability of my cloud

00:10:14.390 --> 00:10:16.660
service provider if that's what I want.

00:10:17.340 --> 00:10:21.300
So, it evaluates the data center's infrastructure,

00:10:21.310 --> 00:10:24.080
things like backup power, for example,

00:10:24.110 --> 00:10:29.050
so that I can ensure that I am getting the level of availability I

00:10:29.050 --> 00:10:34.300
need, but, of course, I don't want to be paying for services

00:10:34.300 --> 00:10:37.090
that we maybe didn't require either.

00:10:38.040 --> 00:10:44.750
A tier 4 data center, as evaluated by the Uptime Institute, is one

00:10:44.760 --> 00:10:48.060
in which we can have a very high level of trust.

00:10:49.730 --> 00:10:52.730
There are a number of other certification standards we can use as

00:10:52.730 --> 00:10:55.670
well. In the US Federal Government, we have FISMA,

00:10:55.670 --> 00:10:58.960
the Federal Information Security Management Act.

00:10:59.640 --> 00:11:04.280
We have PCI‑DSS from the Payment Card Industry,

00:11:04.290 --> 00:11:09.440
the Data Security Standard. And we have others such as the ISO

00:11:09.440 --> 00:11:15.140
standard 15408, better known as the Common Criteria,

00:11:15.150 --> 00:11:21.060
which is the basis for evaluation of the security properties of IT products.

00:11:21.540 --> 00:11:28.660
So we have things like ISO 15408 that look at the security of a product.

00:11:29.140 --> 00:11:35.260
We'll look at 27001, which will look at the security of an organization.

00:11:35.840 --> 00:11:40.660
So the idea being that if I build my security with good

00:11:40.660 --> 00:11:45.420
products, then of course, I can hopefully also have assurance

00:11:45.520 --> 00:11:47.770
in the security of the organization.

00:11:48.540 --> 00:11:52.500
Another product evaluation criteria that's often used is

00:11:52.500 --> 00:11:57.320
the Federal Information Processing Standard 140‑2, the

00:11:57.320 --> 00:11:59.650
evaluation of crypto devices.

00:11:59.970 --> 00:12:05.710
If I'm going to use a device that handles, for example, chip and PIN with

00:12:05.710 --> 00:12:11.960
a credit card transaction or I'm going to handle any type of encryption

00:12:11.960 --> 00:12:18.380
service that's built into, say, hardware, we want to evaluate it to make

00:12:18.380 --> 00:12:22.360
sure that that cryptography and the cryptographic functions were

00:12:22.360 --> 00:12:24.460
implemented in a secure way.

00:12:24.940 --> 00:12:32.830
So the FIPS 140‑2 was the improvement on 140‑1, and it is used

00:12:32.840 --> 00:12:35.540
by organizations all over the world today.

00:12:35.830 --> 00:12:40.430
We also do see, of course, that many organizations are already moving

00:12:40.610 --> 00:12:45.850
towards the implementation of an even higher standard, 140‑3.

00:12:47.840 --> 00:12:53.050
In summary, this course provided an overview of cloud‑based services.

00:12:53.440 --> 00:12:58.160
It highlighted some of the security concerns that we have to look at as

00:12:58.160 --> 00:13:02.330
we move through the rest of this course and look at the adoption of the

00:13:02.330 --> 00:13:08.990
cloud. As cloud security professionals, we must ensure that security

00:13:09.240 --> 00:13:15.460
and business requirements are addressed in cloud migrations and

00:13:15.470 --> 00:13:16.670
implementations.
