Tools of Cloud Governance


Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
>> In this video we're going to talk about different tools for managing cloud governance, specifically contracts, compliance assessments, and audit reporting.

The first tool at your disposal is the contract. The contract is the primary tool for the cloud user to extend governance in their relationship with the cloud provider. In fact it may be, and it probably is, the only way to guarantee any level of service. When there are outages on the product of the cloud services, and then subsequently that affects your customers, your internal customers, your external customers, this contract is going to be the thing you really want to look at, because it's going to define service-level agreements in it. It's also going to define the roles that help you figure out, in that shared responsibility model that we were talking about, where are the gaps? Where are the things that you need to fill? The governance gaps: just because there are gaps, it doesn't mean you can't use a particular cloud provider, but it's very important to have this contract so that you know when to adjust your own processes and close those gaps.

It's very rare for cloud providers to create custom contracts with the individual cloud users. The big thing you have to keep in mind is they need to achieve economies of scale. So they're going to have lots of different users. As they do have more and more cloud users, their ability to tailor operations and make individual guarantees, or tune and refine their procedures to meet with one person's need versus another, is really going to be impeded from allowing them to have those economies of scale, have that consistency in their process and in the way they perform those operations.

We often think about contracts as one big old document, but the reality is these contracts are going to span multiple documents. You're going to have terms and conditions, the T&Cs; you're going to have acceptable use policies. These are the things that say here's what you can and cannot do, from the cloud provider's perspective, using their services. Service-level agreements, the SLAs, are what's defining those service levels, and there will be a variety of other clauses. It's very important that you look at these all holistically and understand that these, as an aggregate, are that contract from which you are able to extend your governance and understand the relationship.

Next up, we have provider assessments. These are going to be combined with the contractual terms, and they're going to ensure that your cloud provider meets certain standards and is compliant with them. For example, NIST 853 is a standard for managing risks. IEC 2702 is another information risk security management standard, and 27017 has been particularly tailored to work with cloud providers. Other standards that you're going to be interested in: PCI compliance, if you're interested in storing credit card information or doing some payment processing; HIPAA, if you are managing healthcare information. But regardless of the specific standards you are the most concerned about, these are going to be implemented through third-party attestations. Attestation is a legal statement made by a third party as well as the cloud provider, asserting that they will do this. If they are not meeting that statement, and if it proves to be inaccurate, they are in breach of the contract.

Additional items may include the financial viability of the company itself: provisions to describe what happens, and what is the company's obligation, in the event that they're going to shut down. Are they going to have to give the data back to you, or can they just pull the plug and walk away? Additional things to meet and ensure that they remain solvent and they have the necessary cash to keep on with operations. There really can be a lot of ways that you can structure this and do this, and ultimately it's going to be about that balance of how important this is to your company and what you're using this cloud provider to do. What is the role, how critical is it to your operations, and how important and sensitive is the information this cloud provider is going to hold?

Then rounding out our tools is compliance reporting. These are built out of audits. An audit is a little different than an assessment: an audit is where a third party is going to come in and they're going to say to that cloud provider, prove to me you are doing these things, prove to me you are following these processes. For example, prove to me that you are doing an access control review every month; show me the meeting minutes where you looked at all these different people. Prove to me that you are doing vulnerability management in a way that aligns with IEC 27017 standards. Show me that data is being encrypted to an extent that meets the PCI requirements or HIPAA requirements that you've asserted, in your assessments, you are compliant with. Very rarely will it be your own company performing these audits; typically it's going to be third parties, in the same way accounting companies audit the financials of large corporations and examine how they do their books. These parties are going to come in, and they're going to make sure that the operations, policies, and procedures of this cloud provider are aligned with and meet the standards that they themselves are asserting they're compliant with.

Of course, not all auditing third parties are the same. In the early 2000s, Enron was making record amounts of money. Their stock was soaring, and Arthur Andersen was the company responsible for auditing their financials. Unfortunately, Arthur Andersen didn't recognize Enron was not following Generally Accepted Accounting Principles. While their profit and loss looked really nice and their balance sheets looked really nice, there were some real funny shenanigans going on. When people started recognizing this and Enron started running short on cash, their stock imploded, employees lost their jobs, employees lost retirement funds. Investors lost dramatic amounts of money as their shares went to zero and the company went bankrupt. Arthur Andersen eventually went out of business themselves and went away. The point of that story is that just because it is audited doesn't mean the auditor is good. You will also want to take a look at that. Ideally, this auditor understands some of the nuances of cloud and even has people with CCSK designations on their own team.

Also of note is that if you do want to access and review the audit results of a particular cloud provider, they will often be provided to you under NDA, a non-disclosure agreement. These audits can carry some very sensitive information about how the cloud provider performs its internal operations, and oftentimes that's the secret sauce of the cloud provider, or it may expose them to vulnerabilities. The NDAs give the cloud providers some confidence that you're not going to take potentially very sensitive information described in these audit results and communicate it outside the immediate circle.

Well, there were only three important items, and that does it for this video. We talked about contracts, compliance assessments, and audit reporting. We described each of those three items and we also discussed the relationships between the three items.