Florida agencies moving to the cloud: Trends, risks and impacts

Author: Oliver Bond

1 Florida agencies moving to the cloud: Trends, risks and impacts
John Christly, Chief Information Security Officer, Netsurion and EventTracker. Twitter: @Christly

2 Growing expectations for governments
- Moving to the cloud: trends, risks, impacts and best practices
- Security and compliance: security breach impacts and remediation
- Mobile: benefits and disadvantages

3 Trends in cloud adoption
Tech-savvy businesses outperform their peers in the marketplace. A growing number of state CIOs have implemented cloud-first policies of their own. A share of all federal IT spending went to the cloud in FY16, according to IDC Government Insights (the percentage is not legible in the slide text). Examples: the City of Miami, the State of Illinois, the State of Alabama, the Florida Dept. of Education. The federal "cloud first" policy: no new federal IT project of any significance was to move forward without

4 Risks and concerns

5 Leap ahead in the cloud

6 Question #1
A question to ask a cloud/SaaS provider is:
a) What is your cloud provider's disaster recovery plan?
b) Will my organization have to encrypt its own files?
c) What files can be saved in the cloud?

7 Cloud: know what you are doing and do it right
- SIEM/MDR, FIM, IDS/IPS, and more
- Monitors systems, applications, firewalls, servers, etc.
- Helps maintain confident compliance
- FedRAMP approved
- Offers 24/7 monitoring
- Manages installation and configuration

8 Benefits

9 Data breach statistics
60% of attackers are able to gain access immediately

10 Question #2
The benefits of utilizing the cloud/SaaS include:
a) Weaker security
b) Access to updated technology
c) Increased staff work/time

11 Impacts of a breach

12 Breach Remediation
- Have a data breach policy
- Educate employees
- Have tools that prevent and immediately detect a breach

13 Mobile devices support government priorities:
- Increased productivity
- Cost savings
- Citizen service
- Public safety

14 Complete Managed Security
Managed firewall and next-generation anti-virus; SIEM and log management; threat detection and response; vulnerability assessment; behavior analysis; compliance management.
- SIEM and event correlation
- Actionable threat intelligence analyzed by a SOC
- Unlimited log management
- Honeynet deception as a service
- Alert tuning and automated response rules
- Endpoint USB monitoring
- Vulnerability assessment
- Network vulnerability scanning
- Network intrusion detection
- Monitors user activity and alerts on anomalous activity
- Reveals system misuse or compromise
- Ensures audit trails for compliance
- File integrity monitoring
- Automated log review
- FISMA, PCI DSS, HIPAA, NIST, GPG13 and more

15 Question #3
A complete managed security service will provide:
a) Threat detection and response
b) Antivirus updates
c) Lack of log management
d) No audit trails

16 BrandGuard
Security adoption for all locations: professional solutions tailored to ensure a successful security rollout. Trust in your brand starts with security.
- Strategic security initiative roll-out program
- Communication and change management expertise
- Educate and encourage adoption
- Generate awareness and support

17 “The ease of having someone manage your network is probably the biggest benefit. Other than that, it’s knowing my network is safe.” Harsh Ghai, Owner, Burger King Franchisee

18 Thank you. We will now take questions.
John Christly, Chief Information Security Officer, Netsurion and EventTracker

19 The Cloud, Risks and Internal Controls
Presented by William Blend, CPA, CFE

20 Agenda
- Cloud basics
- Risks related to cloud use
- GAO on service level agreements
- COSO ERM internal control model

21 Cloud Basics

22 Evolution


26 Cloud Computing Characteristics
On-demand self-service – A customer can provision computing capabilities (server time, storage, network) on its own, without requiring human interaction with the Cloud Service Provider (CSP).
Broad network access – Cloud services are accessible over the network from almost any device (phone, laptop, tablet, etc.).
Resource pooling – CSP resources are pooled to serve multiple entities using a multi-tenant model. Customers generally do not have control over, or knowledge of, the exact location of CSP resources (storage, processing, memory, network bandwidth and virtual machines).

27 Cloud Computing Characteristics (cont.)
Rapid elasticity – The CSP can rapidly allocate and release resources to match customer demand. To the customer this appears seamless, and the customer is charged only for what it uses.
Measured service – CSP systems automatically control and optimize resource usage. Usage can be monitored, controlled and reported, providing transparency for both the CSP and the customer.
Multi-tenancy of data – A single application, and the data stores behind it, are shared by multiple customers.

28 Cloud Delivery Models
Infrastructure as a Service (IaaS) – Provides online processing or data storage capacity. This service suits entities with very large, one-time processing projects or infrequent, extremely large needs for data storage, networks and other computing resources.
Platform as a Service (PaaS) – Provides resources for application development. Entities essentially rent resources in the cloud for developing and testing applications.
Software as a Service (SaaS) – Provides business applications used by many individual users and entities concurrently. Applications are accessible from various client devices through a thin client interface such as a web browser.

29 Question #4
Cloud delivery models include:
a) SIEM, FISMA and PCI compliance
b) Premise-based systems
c) SaaS, PaaS and IaaS

30 Cloud Deployment Models
Private Cloud – Used by a single entity. Often employs virtualization within the entity's existing servers to improve utilization. This model is closely related to existing IT outsourcing models.
Public Cloud – Offered by one CSP to many entities that share the cloud processing power concurrently. Entities share applications, processing power and data storage space. Entity data is commingled on shared infrastructure, so segregation is logical rather than physical: the CSP tags stored objects with a tenant identifier and enforces access controls keyed to it. The customer has to verify that this segregation holds rather than assume it.

31 Cloud Deployment Models (cont.)
Community Cloud – A cloud shared by users with a common connection or affiliation, such as a trade association, the same industry or a common locality. The business model allows the CSP to tailor cloud tools and applications to the specific needs of the community.
Hybrid Cloud – A combination of two or more of the other cloud deployment models. A hybrid cloud leverages the advantages of the other models in an attempt to provide a more optimal user experience.

32 Risks related to cloud use

33 COSO Inherent Risk - Cloud Delivery and Deployment

34 Cloud Risks
Security Responsibility – Who is responsible for data security, the CSP or the government? What is the extent of each party's responsibility?
Authentication and Authorization – Responsibility for, and controls over, user authentication and authorization, including any third parties, and maintenance of these rights.
Isolation Failure – Multi-tenancy creates the risk that government-specific data is not properly segregated and stored, with access limited to authorized users.
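In practice the isolation failure above is rarely a hypervisor escape; it is usually a plain authorization gap in the application layer, where every tenant's rows share one table and a lookup is keyed on the record id alone. The following is an added example, not part of the presentation, that puts the vulnerable lookup beside a tenant-scoped one over an in-memory SQLite table and includes the audit check an agency could run to confirm which path leaks. The tenant names, record ids and rows are constructed for the illustration.

```python
"""Tenant isolation in a shared data store: an unscoped lookup (isolation
failure) beside a lookup scoped to the authenticated tenant.

Added example; the tenants, ids and rows below are constructed, not taken
from any real CSP or agency.
"""
import sqlite3

# Constructed rows: two agencies whose data is commingled in one table.
SAMPLE_ROWS = [
    (101, "florida-doe", "student aid file"),
    (102, "city-of-miami", "permit ledger"),
    (103, "city-of-miami", "water billing export"),
]


class IsolationError(PermissionError):
    """Raised when a request crosses a tenant boundary."""


def open_store():
    """Build the shared table the way a multi-tenant SaaS back end would."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, tenant TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_record_unscoped(conn, record_id):
    """Vulnerable: the predicate is the record id alone, so any authenticated
    tenant can read any other tenant's row by guessing or enumerating ids."""
    row = conn.execute("SELECT body FROM records WHERE id = ?", (record_id,)).fetchone()
    if row is None:
        raise KeyError(record_id)
    return row[0]


def get_record(conn, tenant, record_id):
    """Hardened: the tenant comes from the authenticated session, never from
    the request, and is part of every predicate. A foreign id is reported the
    same way as a non-existent one, so enumeration reveals nothing."""
    row = conn.execute(
        "SELECT body FROM records WHERE id = ? AND tenant = ?", (record_id, tenant)
    ).fetchone()
    if row is None:
        raise IsolationError(f"record {record_id} not found for tenant {tenant}")
    return row[0]


def cross_tenant_probe(conn, tenant, record_ids):
    """Audit check: count foreign records reachable through each access path.
    Returns (leaked via unscoped path, leaked via scoped path)."""
    leaked_unscoped = leaked_scoped = 0
    for rid in record_ids:
        owner = conn.execute("SELECT tenant FROM records WHERE id = ?", (rid,)).fetchone()
        if owner is None or owner[0] == tenant:
            continue  # nothing to leak: unknown id or the tenant's own row
        try:
            get_record_unscoped(conn, rid)
            leaked_unscoped += 1
        except KeyError:
            pass
        try:
            get_record(conn, tenant, rid)
            leaked_scoped += 1
        except IsolationError:
            pass
    return leaked_unscoped, leaked_scoped


if __name__ == "__main__":
    store = open_store()
    print(cross_tenant_probe(store, "florida-doe", [101, 102, 103, 999]))
```

Run stand-alone it prints (2, 0): the unscoped path hands the florida-doe tenant both City of Miami rows, the scoped path hands over none. In a real deployment the tenant filter belongs in the data layer (a row-level security policy, or a query builder that cannot emit an unscoped statement) rather than in each request handler, so that it cannot be forgotten in one of them.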

35 Cloud Risks (cont.)
Compliance and Legal – What data is retained, for how long and in what form.
Security Incidents – Detection, reporting, and subsequent notification and remediation.
Management Interface Vulnerability – The interfaces used to administer cloud resources grant access to large sets of resources; combined with remote access and web browser vulnerabilities, this increases risk.
Application Protection – With infrastructure security delegated to the CSP, governments need to re-evaluate perimeter security at the network level and apply more controls at the user and application data level.

36 Cloud Risks (cont.)
Data Protection – Exposure through release of sensitive data, as well as loss or unavailability of data. Governments will find it harder to effectively evaluate and check the CSP's data handling practices. The issue becomes more complicated where the CSP uses sub-contractors.
Malicious Behavior of Employees – A government's insider risk is compounded: it now covers not only its own employees but those of the CSP.
CSP Business Failure – Failure of the CSP's business could make data and applications essential to the government's operations and financial reporting unavailable for an extended period.

37 Cloud Risks (cont.)
Service Unavailability / Reliability and Performance Issues – Could be caused by hardware, software or communication network failures, or by attacks.
Vendor Lock-in – Lack of portability of applications and data across providers presents the risk of data and service unavailability when changing providers.
Insecure or Incomplete Data Deletion – Terminating the CSP relationship may not result in deletion of the government's data. This can result from the CSP's backup process, where data is commingled with that of other CSP customers, making deletion of one customer's data difficult.
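One control that addresses the incomplete-deletion risk directly is crypto-shredding: the government keeps a per-tenant key outside the CSP and hands the provider only ciphertext, so commingled backups become unreadable the moment the key is destroyed, without the CSP having to locate and purge every copy. The block below is an added example, not from the presentation or any vendor. To run offline with only the Python standard library it builds a keystream and authentication tag from HMAC-SHA256; that construction illustrates the mechanism and is not a cipher recommendation (a vetted AEAD such as AES-GCM belongs in real use). The tenant names and records are constructed.

```python
"""Crypto-shredding: render a tenant's data in commingled CSP backups
unrecoverable by destroying the tenant's key, which never leaves the
government's key store.

Added example. The stream cipher and tag below are built from HMAC-SHA256
only so the block runs with the standard library; they stand in for a real
AEAD (e.g. AES-GCM) and are not a recommendation.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    """Derive separate encryption and authentication keys from one tenant key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before touching the ciphertext; wrong key raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered backup")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class TenantKeyStore:
    """Held by the government (an agency HSM or KMS), never by the CSP."""

    def __init__(self):
        self._keys = {}

    def create(self, tenant):
        self._keys[tenant] = secrets.token_bytes(32)

    def get(self, tenant):
        return self._keys[tenant]  # KeyError once shredded

    def shred(self, tenant):
        del self._keys[tenant]


def store_record(keys, backups, tenant, record):
    """Only ciphertext reaches the CSP; its backup commingles all tenants."""
    backups.append((tenant, encrypt(keys.get(tenant), record)))


def recover_records(keys, backups, tenant):
    """What the CSP backup can still yield for a tenant: plaintext while the
    key exists, None per record once the key has been shredded."""
    out = []
    for owner, blob in backups:
        if owner != tenant:
            continue
        try:
            out.append(decrypt(keys.get(tenant), blob))
        except KeyError:
            out.append(None)
    return out


def shred_demo():
    """Constructed scenario: two tenants, one commingled backup, one shred.
    Returns (recoverable before shred, after shred, neighbour's data, backup size)."""
    keys, backups = TenantKeyStore(), []
    for tenant in ("florida-doe", "city-of-miami"):
        keys.create(tenant)
    store_record(keys, backups, "florida-doe", b"student aid file")
    store_record(keys, backups, "city-of-miami", b"permit ledger")
    before = recover_records(keys, backups, "florida-doe")
    keys.shred("florida-doe")  # contract terminated: destroy the key, not the backup
    after = recover_records(keys, backups, "florida-doe")
    neighbour = recover_records(keys, backups, "city-of-miami")
    return before, after, neighbour, len(backups)


if __name__ == "__main__":
    print(shred_demo())
```

The backup list still holds both blobs after the shred (the CSP deleted nothing), yet the florida-doe record is gone for good while the neighbouring tenant is unaffected. The control only works if the key store is genuinely outside the CSP's reach and key destruction itself is logged and attested, so the SLA should name who holds the keys and how destruction is evidenced.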

38 Cloud Risks (cont.)
Lack of Transparency – The CSP may be unwilling to provide information about its processes, operations, controls and methodologies.
High-value cyber-attack targets – CSPs may become a more attractive target because an attacker can disrupt many entities by compromising one CSP.
IT Organizational Changes – Using a CSP may reduce the size of, or the need for, internal IT departments. This may also have a negative impact on the remaining IT personnel, or reduce the qualifications of IT personnel.

39 GAO on Service Level Agreements

40 Properly Prepare Your Service Level Agreements with the CSP
The GAO recommends key practices for CSP agreements, broken into four categories:
- Roles and Responsibilities (RR)
- Performance Measures (PM)
- Security (S)
- Consequences (C)

41 Properly Prepare Your Service Level Agreements with the CSP (cont.)
The GAO recommends the following key practices for CSP agreements:
- RR – Specify roles and responsibilities of all parties
- RR – Define key terms, such as dates and performance measures
- PM – Define who is responsible for measuring performance (level of service, duration, capacity/number of users, response times for processing and addressing outages, etc.)
- PM – How and when the government has access to its own data and networks, including how networks will be managed during the agreement period
- PM – How data and networks will be transitioned back to the government upon termination

42 Properly Prepare Your Service Level Agreements with the CSP (cont.)
- PM – How the CSP monitors performance and reports results to the government
- PM – When and how the government, via an audit, will evaluate and confirm the CSP's performance
- PM – The CSP should provide disaster recovery and continuity of operations planning and testing
- PM – CSP reporting responsibilities for outages and other service failures or data breaches
- PM – Remediation of outages, service failures and breaches, including what steps the CSP will take to prevent recurrence

43 Properly Prepare Your Service Level Agreements with the CSP (cont.)
- PM – Identify exceptions when CSP performance measures do not apply (e.g. during scheduled maintenance)
- S – Specify metrics the CSP must meet to show compliance with the government's performance requirements for protecting data. Clearly identify who has access to the data and the protections in place for it.
- S – Specify performance requirements and attributes defining how and when the CSP is to notify the agency when security requirements are not being met (e.g. when a data breach occurs)
- C – Specify a range of enforceable consequences, such as penalties for non-compliance with the agreement's performance measures
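The PM and C practices above meet when the agency audits availability from its own monitoring instead of taking the CSP's report on trust. The following is an added example, not from the presentation or from the GAO: it computes monthly availability from a constructed outage log, removes the portion of outages that fell inside scheduled maintenance windows (the PM exception), compares the result to an assumed 99.9% target and maps any shortfall onto an assumed service-credit schedule (the C practice). The target, credit tiers, outage log and maintenance windows are all assumed values for the illustration.

```python
"""SLA availability audit with maintenance exclusions and service credits.

Added example; the SLA target, credit schedule, outage log and maintenance
windows are assumed values constructed for the illustration.
"""
from datetime import datetime, timedelta

SLA_TARGET_PCT = 99.9  # assumed contractual monthly availability
# Assumed consequence schedule: (availability floor, credit as % of monthly fee),
# ordered from best to worst.
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]

# Constructed audit period and logs (naive UTC timestamps, June 2017 = 30 days).
PERIOD = (datetime(2017, 6, 1), datetime(2017, 7, 1))
OUTAGES = [
    (datetime(2017, 6, 3, 2, 0), datetime(2017, 6, 3, 3, 30)),     # 90 min
    (datetime(2017, 6, 17, 14, 0), datetime(2017, 6, 17, 14, 20)),  # 20 min
]
MAINTENANCE = [
    (datetime(2017, 6, 3, 2, 0), datetime(2017, 6, 3, 3, 0)),  # covers 60 of the 90 min
]


def overlap(a, b):
    """Length of the intersection of two (start, end) intervals."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(end - start, timedelta(0))


def chargeable_downtime(outages, maintenance, period):
    """Outage time inside the period, minus any part that fell inside a
    scheduled maintenance window. Assumes maintenance windows do not overlap
    one another; overlapping windows must be merged first or the exclusion
    is double-counted."""
    total = timedelta(0)
    for outage in outages:
        in_period = overlap(outage, period)
        if in_period == timedelta(0):
            continue
        clipped = (max(outage[0], period[0]), min(outage[1], period[1]))
        excluded = sum((overlap(clipped, m) for m in maintenance), timedelta(0))
        total += in_period - excluded
    return total


def availability_pct(outages, maintenance, period):
    """Percentage of the period with no chargeable downtime."""
    length = period[1] - period[0]
    return 100.0 * (1.0 - chargeable_downtime(outages, maintenance, period) / length)


def service_credit_pct(availability):
    """First tier whose floor the measured availability meets."""
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def audit(outages=OUTAGES, maintenance=MAINTENANCE, period=PERIOD):
    """Summarise one period the way an audit finding would be written up."""
    downtime = chargeable_downtime(outages, maintenance, period)
    avail = availability_pct(outages, maintenance, period)
    return {
        "chargeable_minutes": downtime / timedelta(minutes=1),
        "availability_pct": round(avail, 3),
        "meets_sla": avail >= SLA_TARGET_PCT,
        "credit_pct": service_credit_pct(avail),
    }


if __name__ == "__main__":
    print(audit())
```

For the constructed month the audit reports 50 chargeable minutes, 99.884% availability, a missed 99.9% target and a 10% credit. Two details matter when this is written into the agreement: whose clock and probes define an outage (the agency's external monitoring, not the CSP's internal status page), and that maintenance exclusions are bounded in advance, since an unbounded maintenance clause lets any incident be relabelled as scheduled work.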


45 Question #5
The GAO recommended practices for CSP agreements are broken into X categories:
a) 4
b) 6
c) 3

46 COSO ERM IC Model

47 COSO ERM CUBE

48 COSO ERM - Framework Internal Environment – The internal environment component serves as the foundation for and defines the organization’s risk appetite in terms of how risks and controls are viewed. For instance, if management has a policy of not outsourcing any of its operations (i.e., there is a culture of risk avoidance), this policy will limit the viable options for cloud deployment and service delivery models so that private cloud solutions might be the only acceptable alternative.

49 COSO ERM - Framework Objective Setting – Management needs to evaluate how cloud computing aligns with the organization’s objectives. Depending on the circumstances, cloud computing might present an opportunity for the organization to enhance its ability to achieve existing objectives, or it might present an opportunity to gain a competitive advantage, which would require new objectives to be defined.

50 COSO ERM - Framework Event Identification – Management is responsible for identifying the events (either opportunities or risks) that can affect the achievement of objectives. The complexity of event identification and risk assessment processes increases when an organization engages cloud service providers. Management needs to consider external environmental factors (e.g., regulatory, economic, natural, political, social, and technological), as well as the organization’s internal factors (e.g., culture, personnel, and financial health), as part of the process when identifying and assessing risk events.

51 COSO ERM - Framework Risk Assessment – Management should evaluate the risk events associated with its cloud strategy to determine the potential impact of the risks associated with each cloud computing option. Ideally, risk assessments should be completed before an organization moves to a cloud solution.

52 COSO ERM - Framework Risk Assessment (cont.) – Cloud computing can affect the following critical focal points of a risk assessment: Risk profile – An organization’s risk profile encompasses the entire population of risks it must manage. Inherent and residual risk – An organization must assess the inherent risks of the events and then develop risk responses and determine the residual risk. Likelihood and impact – The likelihood of certain events and the related potential impact change in many cases when cloud solutions are adopted.

53 COSO ERM - Framework Risk Response – Once risks have been identified and assessed in the context of organizational objectives relative to cloud computing, management needs to determine its risk response.

54 COSO ERM - Framework Risk Response (cont.) – There are four types of risk responses: Avoidance – Exiting the activities giving rise to risk (i.e., not moving to the cloud or considering only private cloud types of solutions as viable options). Reduction – Implementing control activities and taking actions to reduce risk likelihood, risk impact, or both. Sharing – Reducing risk likelihood or risk impact by transferring or otherwise sharing a portion of the risk (e.g., buying insurance). Acceptance – Taking no action to affect risk likelihood or impact. For example, when an organization does not have direct ability to manage the controls of its CSP, the organization is accepting an increased level of inherent risk.

55 COSO ERM - Framework Control Activities – The traditional types of controls (preventive, detective, manual, automated, and entity-level) apply to cloud computing as well. The difference introduced by cloud computing is that some control responsibilities remain with the organization while others are transferred to the CSP, so the organization must know which are which and how it will obtain assurance over the ones it no longer operates.

56 COSO ERM - Framework Control Activities (cont.) – If the quality of an organization’s existing control activities is moderate or poor, going to a cloud solution could exacerbate internal control weaknesses. For example, if an organization with poor password controls or data security practices migrates its computing environment to a public or hybrid cloud solution, the possibility of an external security breach is likely to increase significantly, because access to the organization’s technology base is now through the public Internet.

57 COSO ERM - Framework Information and Communication – To effectively operate its business and manage the related risks, management relies on timely and accurate information and communications from various sources regarding external and internal events. With cloud computing, information received from a CSP might not be as timely or of the same quality as information from an internal IT function. As a result, fulfilling management’s information and communications requirements might require additional or different information processes and sources.

58 COSO ERM - Framework Information and Communication (cont.) – Management should also monitor external information related to its CSP (e.g., financial reports, public disclosures, regulatory filings, industry periodicals, and announcements by fellow cloud tenants), since certain events impacting the CSP or fellow cloud tenants might also have an impact on the organization.

59 COSO ERM - Framework Monitoring – Management must monitor the effectiveness of its ERM program to verify that the program adequately addresses the relevant risks and facilitates achieving the organization’s objectives. Effective ERM programs are evolving and dynamic in nature and must be increasingly so given the pace of cloud computing’s evolution in terms of solution offerings, competitors’ adopting the cloud, and changing laws. Given cloud computing’s potential and actual impact, senior management personnel across the entity (not just the chief information officer) need to be assigned responsibilities to achieve cloud computing governance.

60 Question #6
The COSO ERM framework includes:
a) Internal environment
b) Monitoring
c) Risk Response
d) All of the above

61 Cloud Computing Resources
- GAO Report
- Cloud Standards Customer Council
- COSO Thought Paper
- ISACA IT Control Objectives
