Cloud Solutions: Getting the Security and Controls Right July 20, 2016.

Welcome
- NASPO ValuePoint: non-profit subsidiary of NASPO (National Association of State Procurement Officials). NASPO is dedicated to providing State Chief Procurement Officers with the support and procurement resources they need. Formerly known as WSCA-NASPO, it has been facilitating cooperative purchases using a lead-state model to meet the procurement needs of states, local governments, and public schools since 1993.
- CloudBC: formed in 2015 as a British Columbia consortium to facilitate the procurement and adoption of cloud services by provincial public sector entities.

Background and Context
- CloudBC and Utah/NASPO ValuePoint: two separate cooperative procurements of cloud services on a parallel track, collaborating since January 2015.
- Differing scopes, but overlapping IaaS and PaaS cloud services.
- Differing award approaches, but both will result in awards that must meet the needs of the purchasing agency.
- Common approach: use of Cloud Security Alliance tools to enable the purchasing agency to perform due diligence that a cloud service has appropriate data and security controls.

Introducing Our Speakers
- Sophia Tham, CloudBC
- Chris Hughes, Contracts Manager, State of Utah
New Cooperative Procurements for Cloud Contracts

Selection Process: Solicitation #ON – IaaS & PaaS ITSO
- Key objectives: flexibility, choice and competition; "best practice" Ts & Cs.
- Minimum requirements for entry into the "Marketplace" (online site):
  o Must provide professional services as well as IaaS and/or PaaS.
  o Must meet NIST characteristics (i.e. be a true cloud services provider).
  o Must meet security requirements, which leverage the following cloud-focused security frameworks: CSA STAR; ISO/IEC; NIST SP (basis for FedRAMP).
  o For vendors interested in providing "data sovereign" services, must also meet privacy and data residency requirements.

Selection Process: Solicitation #ON – IaaS & PaaS ITSO (continued)
- Process includes scoring based on corporate profile questions in order to ensure that the Marketplace is efficient (provides the option of limiting the number of vendors per direct cloud provider).
- "Eligible Customers" (CCIO Entities and other BPS) make purchases based on their own internal procurement policies and guidelines:
  o For commodity-like services, expect that sufficient information will be available through the Marketplace to support the selection decision (i.e. able to issue a PO).
  o For complex purchases, a secondary selection process (e.g. an RFx directed toward some or all vendors in the Marketplace) is likely required.

Selection Process: Solicitation #CH16012 – Cloud Solutions
- Purpose: execute Master Agreements with qualified vendors to provide Participating Entities with SaaS, IaaS, and PaaS cloud services.
- Key objective: provide Participating Entities with the flexibility to make a best-value determination in selecting which qualified vendor to sign a participating addendum with and purchase cloud services from.
- Qualified vendors must have met the mandatory minimum requirements and the minimum score threshold for the technical evaluation identified in the solicitation.
- The mandatory minimum requirements are objective criteria that vendors must answer with a point-by-point response in order to move on to the technical evaluation of a proposal.
- The technical evaluation is subjective criteria to which Offerors provide responses where applicable to their cloud services, and includes:
  o Business profile, including the organization and staffing of a vendor;
  o Ability to work with a Participating Entity;
  o Compliance with NIST standards;
  o Capacity to maintain and secure data, including a review of the CSA documents submitted, data controls and security.

Selection Process: Solicitation #CH16012 – Cloud Solutions (continued)
- Master Agreements will contain the following information:
  o The terms and conditions, which contain the NASPO ValuePoint Terms and Conditions along with terms and conditions specific to a vendor's offering;
  o The Scope of Services that the vendor is authorized to provide to Participating Entities (NASPO ValuePoint does not allow scope creep within the Master Agreement);
  o The pricing catalog and the applicable minimum discount offered by the awarded vendor on its offering; and
  o A copy (by reference) of the vendor's response to the solicitation, including the submitted CSA documents.
- Participating Entities will sign participating addendums and make purchases based on their own internal procurement policies and guidelines, including formal and informal processes to make a best-value determination.
- Purchasing Entities may modify the terms and conditions made in the Master Agreement through the participating addendum.

Common Approach and Outcomes
Despite jurisdictional differences, there are many common elements:
- Focus on choice and competition: agreements signed with multiple providers.
- Minimum requirements established, with the expectation that the Participating Entity/Eligible Customer will assess vendors on additional or modified requirements based on business needs.
- Contract frameworks designed to support flexibility for Participating Entities/Eligible Customers.
- Leveraged industry or international standards whenever possible:
  o the CCM/CAIQ from the Cloud Security Alliance;
  o NIST characteristics and definitions;
  o Center for Digital Government best practices.

Common Approach and Outcomes (continued)
Participating Entity's/Eligible Customer's responsibilities include:
- Ensuring that its organizational policies and guidelines are followed.
- Reviewing the vendor's response to the Solicitation, including the CSA documents, to ensure the vendor meets its requirements.
- Complying with its organizational security and privacy requirements (e.g. when deciding on the approach to network connectivity).
- Adhering to the Agreement terms and conditions, unless the Participating Entity modifies a term in its participating addendum (for CloudBC: adhering to the CloudBC Framework Agreement unless modified by the Entity).
Conclusion: collaboration has yielded benefits, which we see continuing as Participating Entities/Eligible Customers begin to use the contracts (i.e. consume cloud services).

Our Speakers
- Elayne Starkey, Chief Information Security Officer, State of Delaware
- Gary Perkins, Chief Information Security Officer, Province of British Columbia
Assessing Security and Control Needs

Data Classification and Security Controls
- Public sector entities are increasingly adopting cloud services; many jurisdictions now have a "cloud first" policy.
  o Use of cloud requires a new approach to assessing risks and controls.
  o Contractual clauses, along with assertive negotiation, will mitigate risks and maximize the benefits of cloud computing.
- Guiding principles:
  o Ensure security is an early consideration: planning is key to success.
  o Jump in the driver's seat: be assertive with Service Providers.
  o Buyer beware: use a risk-based approach.
  o Hold Service Providers accountable, but understand the customer's own responsibilities.
- Goal: an enterprise-level climate of ownership and accountability for the confidentiality, integrity, and availability of information assets.

Data Classification and Security Controls (continued)
The key elements for effective cloud security management have emerged as:
  o a structured and transparent approach to data classification;
  o a transparent and published cloud security framework based on the data classification; and
  o the use of [industry] standards as an effective way to demonstrate compliance with the cloud security framework.

Data Classification and Security Controls (continued)
Data classification: the first step in determining the security controls you should consider.
  o Understand the breach notification laws (for PII, personally identifiable information) in your jurisdiction:
     47 out of 50 States have these laws as of 2016 (the exceptions are Alabama, New Mexico and South Dakota).
     British Columbia's legislation is the Freedom of Information and Protection of Privacy Act (FOIPPA).
  o Determine the sensitivity of the data and whether PII is involved:
     Risk level is set by the consequences of exposure.
     Most frameworks use a three-tier classification model (e.g. Low, Medium, High; Official, Secret, Top Secret).
     Example frameworks are included in the Appendices, but each Entity needs to decide what best meets its business requirements.
Discussion: organizations that do not classify data effectively often default to a higher risk level. What are the impacts on adoption?

Data Classification and Security Controls (continued)
Workload classification or Service Level Agreement metrics: defines non-functional requirements such as availability and performance.
  o Assess the criticality of the system/application or service:
     Impacts contract Ts and Cs (Service Level Agreement schedule).
     Defines business continuity and/or disaster recovery requirements.
     Affects system architecture and design for IaaS and PaaS.
  o Define the performance expectations:
     For migration of existing/legacy workloads, baseline measurements are key.
     New applications should be designed to minimize the impact of network latency in order to support flexibility with respect to workload location.
Discussion: the cost of network connectivity can often impact business cases significantly, so there is a desire to use the Internet. What are the implications?

Data Classification and Security Controls (continued)
Recommendations for Public Sector Organizations*
- Understand the customer's responsibilities (e.g. for IaaS and PaaS, the customer defines the requirement for encryption).
- Leverage industry-standard certifications to demonstrate compliance for cloud security controls; use information from the Cloud Security Alliance tools to short-list vendors.
- Review the certification or compliance documents in detail: a vendor may hold a certification yet not comply with the specific controls that your organization needs.
- Ensure that the Ts and Cs support the customer's right to verify that the defined or contracted levels of security are being fulfilled.
- Identify specific controls and request additional certifications to comply with privacy requirements when PII is involved (e.g. ISO/IEC 27018, the code of practice for protecting PII in public clouds).
*Additional reference material is available in the Appendices.

Our Speaker
- Luciano (J.R.) Santos, Executive Vice President of Research, Cloud Security Alliance
Due Diligence and Trust Using Cloud Security Alliance Tools

J.R. Santos, EVP of Research

Copyright © 2016 Cloud Security Alliance
- Global, not-for-profit organization
- Building security best practices for next-generation IT
- Research and educational programs
- Cloud provider certification: CSA STAR
- User certification: CCSK
- The globally authoritative source for Trust in the Cloud
Mission: "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."

- Founded in 2009
- Headquarters in Seattle (Bellingham), Singapore, Edinburgh UK
- 74,000+ individual members
- 300+ corporate members
- 75+ chapters
- Over 30 research projects in 25 working groups
- Strategic partnerships with governments, research institutions, professional associations and industry
- CSA research is FREE!

- Cloud Controls Matrix (CCM): industry-leading security controls framework for cloud
- Consensus Assessment Initiative Questionnaire (CAIQ): assessment tool based on the CCM
- CSA STAR (Security, Trust and Assurance Registry), provider assurance program: leverages the CCM and CAIQ as its foundation
- Future innovations: STARWatch (SaaS assessment tool); CSA STAR Continuous Monitoring

Cloud Controls Matrix (CCM)
- First-ever baseline control framework specifically designed for cloud supply-chain risk management:
  o Delineates control ownership (Provider, Customer)
  o Ranks applicability to cloud provider type (SaaS vs PaaS vs IaaS)
  o An anchor for security and compliance posture measurement
- Provides a framework of 16 control domains
- Controls map to global regulations and security standards, e.g. NIST, ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP; mappings growing virally


Consensus Assessment Initiative Questionnaire (CAIQ)
- Companion to the CSA Cloud Controls Matrix (CCM)
- Series of Yes/No/NA questions used to assess compliance with the CCM
- A narrative may be included for each question to explain why the particular answer is given
- Helps organizations build assessment processes for cloud providers
- Helps cloud providers assess their own security posture
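The recommendations earlier in this deck (use the CSA tools to short-list vendors, then read the answers in detail because a certified vendor may still not meet the specific controls you need) translate directly into a check over a CAIQ answer sheet. The following is an added example written for this page; it is not code from the presenters or from the CSA. The CSV rows are a constructed sample: the question IDs follow the CAIQ "<CCM control ID>.<n>" convention, but the question text, answers, narratives and the per-classification-level required-control mapping are assumptions for illustration, not the real questionnaire or any entity's actual framework.

```python
"""Score a vendor's CAIQ-style answers against the CCM controls a purchasing
entity requires for a given data classification level (Low/Medium/High).

Verdict per required control:
  pass     every question answered Yes (an NA is accepted only with a narrative)
  gap      at least one No, or an NA with no explanatory narrative
  missing  the control does not appear in the vendor's response at all
"""
import csv
import io
from collections import defaultdict

# Constructed sample answer sheet (not the real CAIQ). Columns mirror a
# typical spreadsheet export: question ID, question, Yes/No/NA, narrative.
SAMPLE_CAIQ_CSV = """question_id,question,answer,narrative
BCR-07.1,Is documentation of business continuity plans available?,Yes,Plans reviewed annually
BCR-07.2,Are plans tested at least annually?,No,Tabletop only
EKM-03.1,Is tenant data encrypted at rest?,Yes,AES-256 managed by provider
EKM-03.2,Can tenants manage their own keys?,NA,Not offered on this tier
DSI-01.1,Is data classified by sensitivity?,Yes,
IAM-02.1,Is MFA available for customer administrators?,Yes,TOTP and hardware tokens
IAM-02.2,Is MFA enforced for provider staff?,No,Roadmap item
"""

# Assumption for this example: which CCM controls each classification level
# requires. A real entity derives this from its own published security
# framework (the "transparent and published cloud security framework" above).
REQUIRED_BY_LEVEL = {
    "Low": {"DSI-01"},
    "Medium": {"DSI-01", "EKM-03", "IAM-02"},
    "High": {"DSI-01", "EKM-03", "IAM-02", "BCR-07"},
}


def parse_caiq(text):
    """Group answer rows by CCM control ID (the part of question_id before the dot)."""
    by_control = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        control = row["question_id"].split(".", 1)[0]
        by_control[control].append(row)
    return by_control


def assess(by_control, level):
    """Return {control_id: (verdict, [problem descriptions])} for the required set."""
    verdicts = {}
    for control in sorted(REQUIRED_BY_LEVEL[level]):
        rows = by_control.get(control)
        if not rows:
            verdicts[control] = ("missing", [])
            continue
        problems = []
        for r in rows:
            ans = r["answer"].strip().upper()
            narrative = r["narrative"].strip()
            # A bare "NA" is treated as a gap: the reviewer needs the reason.
            if ans == "NO" or (ans == "NA" and not narrative):
                problems.append(f'{r["question_id"]}: {ans} ({narrative or "no narrative"})')
        verdicts[control] = ("gap" if problems else "pass", problems)
    return verdicts


def shortlist_ok(verdicts):
    """True only when every required control passed; any gap needs follow-up."""
    return all(state == "pass" for state, _ in verdicts.values())


if __name__ == "__main__":
    answers = parse_caiq(SAMPLE_CAIQ_CSV)
    for level in ("Low", "Medium", "High"):
        verdicts = assess(answers, level)
        print(f"{level}: {'short-list' if shortlist_ok(verdicts) else 'follow up with vendor'}")
        for control, (state, problems) in verdicts.items():
            print(f"  {control}: {state}")
            for p in problems:
                print(f"    - {p}")
```

Run against the sample, the vendor short-lists for Low data but not for Medium (IAM-02.2 answered No) or High (BCR-07.2 answered No as well), which is the point of reading the answers rather than the badge: the same vendor may be acceptable for one classification level and not another. Treating an unexplained NA as a gap forces the narrative column to carry the justification the reviewer will need when negotiating the addendum.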

[Slide image: CCM control specification, using control ID BCR-07 as an example, alongside the 5 CAIQ questions that relate to this CCM control]

CSA STAR (Security, Trust and Assurance Registry)
- 3-level provider certification program
- Managed by CSA in partnership with world-leading ISO certification bodies and audit firms
- Adopted worldwide by providers, enterprises and governments
- Promotes transparency within the cloud ecosystem

- Level 1, STAR Self-Assessment: public registry of cloud provider self-assessments based on either the CCM or the CAIQ
- Level 2, STAR third-party assessments:
  o STAR Certification: integrates ISO/IEC 27001:2013; the CCM is used to create the control scope; offered by all major ISO certification bodies
  o STAR Attestation: based upon an AICPA SOC 2 Type 2 attestation report; the CCM is used to create the control scope; attestation provided by CPAs
Ask for the provider's STAR entry. If unavailable, ask the provider to fill out CSA's Cloud Controls Matrix or Consensus Assessments Initiative Questionnaire.

- CSA STAR Continuous (Level 3) will be based on continuous auditing/assessment of relevant security properties. CSA STAR Continuous is currently under development.
- CSA STARWatch: SaaS tool to help organizations manage compliance with CSA STAR requirements; multi-user access to the CCM/CAIQ in a database format. Currently in beta with a Q release.

Download CSA Research Artifacts
- Cloud Controls Matrix (CCM)
- Consensus Assessment Initiative Questionnaire (CAIQ)
- CSA STAR (Security, Trust and Assurance Registry), provider assurance program
- CCM & STAR training
- STARWatch beta


Cloud Solutions: Getting the Security and Controls Right
Questions? (Sophia, Chris, Elayne, Gary, J.R.)

For More Information
- Sophia Tham, CloudBC
- Dugan Petty (Moderator), Education and Outreach ICT Coordinator, NASPO ValuePoint
Or visit

Thanks to Our Speakers

Data/Information Classification Frameworks
Canadian Federal Government
United States Government. Classification levels in use within the U.S. Government:
1. Restricted Data/Formerly Restricted Data
2. Code Word classifications
3. Top Secret
4. Secret
5. Confidential
6. Public Trust
7. Unclassified; Controlled Unclassified Information (CUI)
8. Restricted
9. Classified classifications

Other Useful References
- Several governments have developed approaches to cloud security management; the UK is one of the countries at the forefront. The UK has published a full suite of documentation as a pathfinder:
  o approach-as-a-pathfinder-for-other-countries/
- "Seeding the Public Sector Cloud: Data Classification, Security Frameworks and International Standards":
  o sector-cloud-data-classification-security-frameworks-and-international-standards-part-2/
- Center for Digital Government's "Best Practice Guide for Cloud and As-A-Service Procurements" (see next slide)