Close-Up on Cloud Security Audit

Douglas W. Barbin

©2014 BrightLine CPAs & Associates, Inc. All Rights Reserved


Page 1

Close-Up on Cloud Security Audit

Douglas W. Barbin

Page 2

About Me

• “Partner” at BrightLine

• 17 years experience in security, assessments, forensics, and product management

• Previously at PwC, Guardent, and VeriSign

• Roles included auditor and “auditee”

• CPA, CISSP, QSA, ISO 27001 Lead Auditor, & CCSK!

• Participant in CSA including CCM and CloudAudit

Page 3

Key Themes

• Auditing a cloud starts with understanding cloud providers

• Controls, not requirements, are where audits and compliance come together

• Organization and preparation is key

• Evidence collection and analysis adjustments must be made

• Want to audit cloud? Better use it.

Page 4

Setting the Stage

• Acme Analytics Cloud

• SaaS-based data analytics provider whose clients include financial and health care organizations

• Hosted at Amazon

• Clients require SOC 2 with CSA STAR Attestation, PCI, and HIPAA assessments

• ISO and FedRAMP are potential future initiatives

Page 5

Understanding Cloud: More than *aaS

Source: PCI Standards Council Cloud Computing Information Supplement (2013)

Auditors must understand the delivery model in depth prior to showing up onsite

Page 6

Understanding Cloud: The New Architectures

Dude… Where’s my DMZ?

Page 7

Planning: Scoping

• The architecture review should happen during the sales/SOW process, not at kickoff

• Key elements:

– Operational locations

– Use of subservice organizations, e.g. AWS

– Roles/responsibilities of subservice orgs

– “Systems” inventory and the role of sampling

– Development model (e.g. DevOps)

Page 8

Planning: Understanding the Requirements

• Controls assessments vs. management systems

• Requirements (PCI) vs. safeguards (HIPAA) vs. criteria (SOC 2)

• Point-in-time vs. review-period vs. phased/staged assessments

• CCM and CAIQ can help, but they need support from the CSP

Page 9

Project Initiation and Evidence Request

• First, identify control activities

• Then, draft specific evidence request lists (ERL)

Page 10

Managing Requests – Introducing: AuditSource.com

• Primary Goal: Replace the spreadsheet!

• Simple front end supported by two leading cloud service providers

• 2-factor authentication

• “Double-encryption” and storage

• Assigns evidence items to persons and also supports “super user” roles at Clients

Page 11

Page 12

Mission – ERL Item Zero!

Collaboration and Feedback!

Page 13

Audit Test Considerations for Cloud

• Policies and procedures on a wiki

• Technical course corrections

– Must be able to understand non-traditional firewalls (e.g. AWS Security Groups)

– Follow the authentication path for access control

– Understand use of Puppet and other replication tools

– Understand sources and uses of logging and how to evaluate cloud-based log management

• Last: Understand Agile and DevOps or go home!
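One way to do the "sources and uses of logging" evaluation from the list above, as an added example (not the presenter's or BrightLine's tooling): walk CloudTrail-format records and report every security-group change with the identity that made it and whether the session was MFA-authenticated, plus any use of the account root identity. The trail below is constructed for this example; the field names (eventTime, eventName, eventSource, userIdentity, sessionContext, requestParameters) follow CloudTrail's record format, while the account number, user names, addresses and group ID are invented.

```python
"""Audit-style evaluation of CloudTrail-format records (added example).
Reports (1) each security-group change with actor and MFA status and
(2) any activity by the account root identity."""
import json
from collections import Counter

# Constructed sample trail in the {"Records": [...]} shape of a CloudTrail
# log file.  Identities, account number and addresses are invented.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2014-03-01T10:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops-alice",
                      "arn": "arn:aws:iam::111122223333:user/ops-alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"groupId": "sg-0a1b2c3d"}},
    {"eventTime": "2014-03-01T11:15:42Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RevokeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-bob",
                      "arn": "arn:aws:iam::111122223333:user/ops-bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"groupId": "sg-0a1b2c3d"}},
    {"eventTime": "2014-03-02T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-03-02T09:30:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops-alice",
                      "arn": "arn:aws:iam::111122223333:user/ops-alice"}},
]})

# EC2 API calls that change the "non-traditional firewall" (security groups).
FIREWALL_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def load_records(text):
    """Parse one CloudTrail log file: JSON with a top-level 'Records' list."""
    return json.loads(text)["Records"]


def actor(record):
    """Best available caller name: user name, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def mfa_authenticated(record):
    """True only when the session context explicitly records MFA; absent counts as no MFA."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def evaluate(records):
    """Return findings: one per firewall change, one per root-identity event."""
    findings = []
    for rec in records:
        base = {"time": rec["eventTime"], "actor": actor(rec),
                "event": rec["eventName"], "source_ip": rec.get("sourceIPAddress")}
        if rec["eventName"] in FIREWALL_CHANGE_EVENTS:
            findings.append(dict(base, check="firewall-change",
                                 target=rec.get("requestParameters", {}).get("groupId"),
                                 mfa=mfa_authenticated(rec)))
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(dict(base, check="root-activity"))
    return findings


def summarize(findings):
    """Counts per check: the numbers that go into a testing matrix."""
    return Counter(f["check"] for f in findings)


if __name__ == "__main__":
    results = evaluate(load_records(SAMPLE_TRAIL))
    for finding in results:
        print(finding)
    print(dict(summarize(results)))
```

Against a real trail the same functions run over each delivered log file; the point for the auditor is that a change to the rule base without `mfaAuthenticated` set, or any root activity at all, is an exception to raise regardless of what the policy on the wiki says.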

Page 14

Scanning and Penetration Testing Considerations for Cloud Environments

• Authorization by the provider is always required

• Typical details needed include IP addresses, start and end time, contact, etc.

• Technical considerations

– Be mindful of cloud networking devices and load balancers and their potential impact on port scans

– Many vulnerability scanners leverage APIs and become “configuration” scanners
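The "configuration scanner" point above, together with the non-traditional-firewall item on the previous slide, as an added example (not the presenter's tooling): a port scan from the Internet against a cloud load balancer only shows the balancer's listeners, so the security-group rule base pulled from the provider API is the evidence to test. This reads constructed sample JSON in the shape of `aws ec2 describe-security-groups` output and flags world-open non-web ports, all-protocol rules and very broad port ranges. The allowed public ports and the "broad range" threshold are assumptions of the example, and the group IDs, names and addresses are invented.

```python
"""Configuration scan of EC2 security groups via API output (added example).
Input follows the field names of `aws ec2 describe-security-groups`
(SecurityGroups, IpPermissions, IpProtocol, FromPort, ToPort, IpRanges,
CidrIp, Ipv6Ranges, UserIdGroupPairs); the content is constructed."""
import ipaddress
import json

SAMPLE_SG_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-web01", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db01", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web01"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-mgmt01", "GroupName": "mgmt", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
]})

# Assumptions for this example: only these ports are expected to be reachable
# from the Internet, and a single rule spanning more ports than this is "broad".
PUBLIC_PORTS_ALLOWED = {80, 443}
BROAD_RANGE_PORTS = 1024


def is_world(cidr):
    """0.0.0.0/0 or ::/0: any source on the Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def sources(perm):
    """All sources of one rule: IPv4 CIDRs, IPv6 CIDRs and referenced groups."""
    out = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    out += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    out += ["sg:" + p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return out


def scan_security_groups(doc):
    """Return findings, one per rule/source pair that needs auditor attention."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1":
                ports = "all"          # -1 means every protocol and every port
            elif lo == hi:
                ports = str(lo)
            else:
                ports = f"{lo}-{hi}"
            for src in sources(perm):
                rule = {"group": sg["GroupId"], "name": sg["GroupName"],
                        "proto": proto, "ports": ports, "source": src}
                if proto == "-1":
                    findings.append(dict(rule, check="all-protocols", severity="high"))
                    continue
                world = not src.startswith("sg:") and is_world(src)
                single_public_port = lo == hi and lo in PUBLIC_PORTS_ALLOWED
                if world and not single_public_port:
                    findings.append(dict(rule, check="world-open", severity="high"))
                elif hi - lo + 1 > BROAD_RANGE_PORTS:
                    findings.append(dict(rule, check="broad-port-range", severity="medium"))
    return findings


def scan_json(text):
    """Scan the raw JSON text as returned by the CLI."""
    return scan_security_groups(json.loads(text))


if __name__ == "__main__":
    for finding in scan_json(SAMPLE_SG_JSON):
        print(finding)
```

Run it against live output with `aws ec2 describe-security-groups` piped into `scan_json`; the SSH rule in `sg-web01` is the kind of exposure an Internet-side scan through the load balancer never reports, and the group-to-group reference on the database tier is the kind of control a traditional firewall review has no vocabulary for.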

Page 15

Analysis, Reporting, and Work Paper Management

• Reports are modular in nature and include multiple “testing matrices”

• Developing a report is collaborative

• Derivative reports require coordination

• Workpapers must be secured and maintained…

So why not use the Cloud?

Page 16

What Can Improve in Cloud Auditing

• More online collaboration for analysis and reporting (working on that…)

• More real-time continuous monitoring tools and interfaces

• Automated mechanisms to collect assertions and control types, i.e. …

Page 17

Want to Audit the Cloud? Use the Cloud

• BrightLine maintains zero hardware other than laptops

• We use best of breed cloud providers and demand the same assurance reports

• We also get the same client objections … and have to defend against those objections!

Page 18

Key Success Factors for Cloud Auditing

• Taking the time to learn cloud

• Understand the architecture and delivery model before “boots on the ground”

• Adapting audit techniques

• Audit the cloud – with the cloud!

Page 19

WWW.BRIGHTLINE.COM