Cloud Computing Risk Assessments & Governance
Donald Gallien, Obinna Nwagbara
April 21, 2015
Slide 2: Overview
- Introductions
- Cloud Models and Inherent Risk
- Cloud Computing Risk Ranking Model
- Cloud Computing Governance Activities
- Questions
Slide 3: Presenters
- Donald Gallien, American Express, Vice President
- Obinna Nwagbara, American Express, Senior Manager
Slide 4: Quiz
Amazon Web Services (EC2) is an example of which deployment model?
a. Public
b. Hybrid
c. Private
d. All of the above
Slide 5: Overview
The risk assessment drives the governance activities. The assessment takes as inputs the deployment model, the service model, and other risk dimensions.
Cloud Models and Inherent Risk
Slide 7: Deployment Models
- Public: available to the general public or a large industry group
- Hybrid: a private cloud foundation combined with the strategic use of public cloud
- Private: operated solely for an organization
Slide 8: Deployment Model Risk Profile
Likelihood of a data security, privacy, or control breach, from higher to lower: Public > Hybrid > Private.
Slide 9: Service Models
- Infrastructure as a Service (IaaS): fundamental computing resources on which the customer deploys its own software, including operating systems and applications
- Platform as a Service (PaaS): customer applications built with the programming languages and tools supported by the cloud provider
- Software as a Service (SaaS): the cloud provider's applications running on a cloud infrastructure
Slide 10: Service Model Complexity
SaaS is structured and simple; IaaS is flexible and complex; PaaS sits between them.
Slide 11: Service Model Risk Profile
Impact of loss of control and of a security breach, from higher to lower: IaaS > PaaS > SaaS.
Slide 12: Section Summary
- Deployment and service models are key drivers of cloud governance needs
- Public clouds provide less security assurance and weaker service commitments
- Private clouds align better with internal technology and security standards
- IaaS models are very broad in scope and flexible
- SaaS models are narrow in scope and structured
Cloud Computing Risk Ranking Model
Slide 14: A few thoughts before we start
- Risk models include elements of judgment and must fit the organization
- Some of our risk model assumptions may be completely wrong for your organization
- We come from a large financial services company, and fundamentally believe our company can do any important IT process as well as anyone, with less risk
- You will need to customize for your organization
- Risk ranking scores must drive governance requirements and audit activities
Slide 15: Cloud Risk Scoring Model Example
Attribute              | High (9)      | Medium (5)    | Low (1)
Deployment Model *     | Public        | Hybrid        | Private
Service Model *        | IaaS          | PaaS          | SaaS
Data Security          | Secret        | Restricted    | Unclassified
Hosting Site           | Unknown       | International | Domestic
Customer Facing        | Yes           |               | No
Dependent Applications | 21+           | 10 to 20      | < 10
Recovery Time          | 4 hours       | 1 week        | 1 month
Data Retention         | Required      |               | Not Required
* Consider weighting these attributes more heavily than the others.
(The Medium band for Dependent Applications is not printed on the slide; it is the range implied by the High and Low bands.)
Slide 16: Deployment Model
Rating: Public = High, Hybrid = Medium, Private = Low
Public:
- Security and privacy may not be a priority for the provider
- Service level agreements may not exist
Private:
- Private environments provide adequate security and privacy
- Service level agreements should exist
Slide 17: Service Model
Rating: IaaS = High, PaaS = Medium, SaaS = Low
IaaS:
- Issues may broadly impact all hosted applications and data
- No control over the provider's foundational general controls
PaaS:
- Impact limited to the outsourced platform
SaaS:
- Impact limited to the applications and data
Slide 18: Data Security
Rating: Secret = High, Restricted = Medium, Unclassified = Low
Secret:
- May be difficult to enforce security standards once the data is in the cloud
- May be difficult to demonstrate compliance with regulations such as GLBA
Unclassified:
- Security and privacy are not a concern, making unclassified data a good candidate for cloud computing
Slide 19: Hosting Site
Rating: Undefined = High, International location = Medium, Domestic location = Low
Undefined or international:
- May result in cross-border data protection regulatory issues
- May be difficult to demonstrate compliance with regulations such as GLBA
Domestic location:
- Minimizes concerns about cross-border data protection regulations
Slide 20: Customer Facing
Rating: Yes = High, No = Low
Yes:
- Internally hosted applications may be better for critical customer interactions, especially those with regulatory or brand implications
No:
- Non-critical customer applications may be good candidates for cloud computing
Slide 21: Dependent Applications
Rating: 21+ = High, < 10 = Low (the Medium band, 10 to 20, is implied rather than printed)
21+:
- Implies complexity and greater organizational significance
< 10:
- Implies simplicity and less organizational significance
Slide 22: Recovery Time Objectives (RTO)
Rating: 4 hours = High, 1 week = Medium, 1 month = Low
4 hours:
- Implies higher business importance
- The cloud configuration may lack the geographic diversity such an RTO requires, so confirm the provider's recovery capability before treating the workload as a good cloud candidate
1 month:
- Implies lower business importance; a good candidate for cloud computing
Slide 23: Data Retention
Rating: Required = High, Not Required = Low
Required:
- Snapshot backups may be difficult to obtain in a SaaS environment (the functionality may be lacking)
Not Required:
- May be a good candidate for cloud computing
Slide 24: Section Summary
- Cloud risk ranking attributes and scoring must vary based on environment and need
- Risk attributes and scoring require alignment with organizational standards
- What other risk attributes might you use, and how would you rank them on a high, medium, low basis?
Cloud Computing Governance Activities
Slide 26: Cloud Governance Requirements
Cloud Risk Ranking | Minimum Governance Required | Minimum Governance Frequency
High (>40)         | SSAE 16 SOC 2 Type II, CCC testing (testing of the complementary control considerations, see slide 28), SLA monitoring, internal audits | Annually
Medium (21-39)     | SSAE 16 SOC 2 Type I, SLA monitoring | Every two years
Low (<20)          | Re-validate the risk assessment | Every three years
Governance should be driven by the risk assessment. Note that the bands as printed leave scores of exactly 20 and 40 unassigned; an organization adopting the model should state which band those scores fall into.
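The scoring slide and the governance table above can be run as one function, as in the following worked example. It is added here to illustrate the model and is not the presenters' tooling. Two things in it are assumptions rather than content of the deck: the starred attributes are weighted by a factor of 2 (the slide only says to rate them "more heavily"), and a score landing exactly on 20 or 40, which the printed bands do not cover, is rounded up into the more demanding tier. The Medium band for dependent applications (10 to 20) is the range implied by the slide's High and Low bands.

```python
"""Worked example of the deck's cloud risk ranking model.

Added illustration (not the presenters' tooling): scores a workload on the
eight attributes of the scoring model slide, weights the two starred
attributes, and maps the total onto the governance tiers of the governance
requirements slide. Assumptions, not from the deck: the x2 weight for the
starred attributes, and the rule that a score landing on 20 or 40 (which the
slide's bands do not cover) rounds up to the more demanding tier.
"""
from dataclasses import dataclass

HIGH, MEDIUM, LOW = 9, 5, 1

# Categorical attributes, values as printed on the scoring slide.
CATEGORY_SCORES = {
    "deployment_model": {"public": HIGH, "hybrid": MEDIUM, "private": LOW},
    "service_model": {"iaas": HIGH, "paas": MEDIUM, "saas": LOW},
    "data_security": {"secret": HIGH, "restricted": MEDIUM, "unclassified": LOW},
    "hosting_site": {"unknown": HIGH, "international": MEDIUM, "domestic": LOW},
    "customer_facing": {"yes": HIGH, "no": LOW},
    "data_retention": {"required": HIGH, "not_required": LOW},
}

# Starred attributes are "rated more heavily"; the factor of 2 is an assumption.
WEIGHTS = {"deployment_model": 2, "service_model": 2}

# Minimum governance per tier, from the governance requirements slide.
GOVERNANCE = {
    "High": ("SOC 2 Type II, CCC testing, SLA monitoring, internal audits", "annually"),
    "Medium": ("SOC 2 Type I, SLA monitoring", "every two years"),
    "Low": ("re-validate risk assessment", "every three years"),
}


@dataclass
class Workload:
    deployment_model: str
    service_model: str
    data_security: str
    hosting_site: str
    customer_facing: str
    dependent_apps: int   # number of dependent applications
    rto_hours: float      # recovery time objective, in hours
    data_retention: str


def score_dependent_apps(n: int) -> int:
    """21+ apps = High, fewer than 10 = Low; 10 to 20 = Medium (implied by the slide)."""
    if n >= 21:
        return HIGH
    if n >= 10:
        return MEDIUM
    return LOW


def score_rto(hours: float) -> int:
    """4 hours = High, up to 1 week = Medium, longer (1 month) = Low."""
    if hours <= 4:
        return HIGH
    if hours <= 7 * 24:
        return MEDIUM
    return LOW


def risk_score(w: Workload) -> int:
    """Weighted sum of the eight attribute scores."""
    total = 0
    for attr, table in CATEGORY_SCORES.items():
        value = getattr(w, attr).lower()
        if value not in table:
            raise ValueError(f"{attr}: unknown rating {value!r}")
        total += table[value] * WEIGHTS.get(attr, 1)
    total += score_dependent_apps(w.dependent_apps)
    total += score_rto(w.rto_hours)
    return total


def governance_tier(score: int) -> str:
    """Bands from the slide: High >40, Medium 21-39, Low <20.

    Exactly 20 and 40 are unassigned on the slide; here they round up
    (assumption), so 40 is High and 20 is Medium.
    """
    if score >= 40:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def assess(w: Workload) -> dict:
    """Score, tier, and the minimum governance the tier requires."""
    score = risk_score(w)
    tier = governance_tier(score)
    controls, frequency = GOVERNANCE[tier]
    return {"score": score, "tier": tier, "governance": controls, "frequency": frequency}


if __name__ == "__main__":
    # Constructed sample: a public-cloud IaaS workload holding restricted data.
    sample = Workload("public", "iaas", "restricted", "domestic", "yes", 12, 4, "required")
    print(assess(sample))
```

One consequence of the weighting is worth checking before adopting the bands: with eight attributes scored 1 to 9 the unweighted maximum is 72, but doubling the two starred attributes stretches the range to 10 through 90, so the cut-offs of 20 and 40 on the governance slide should be recalibrated against whichever weights the organization settles on.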
Slide 27: SSAE 16 SOC 2 Reports
SOC 2: "Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy". The report is appropriate for cloud service providers.
Attribute                                           | Type I         | Type II
Period of coverage                                  | Point in time  | Period of time
Type of coverage                                    | Control design | Control design and operating effectiveness
Description of the service organization's "system"  | Yes            | Yes
Management control assertion                        | Yes            | Yes
Caveat: the deck labels these "SSAE 16 SOC 2" reports, but SSAE 16 was the attestation standard for SOC 1 reports; SOC 2 reports were issued under AT Section 101 at the time (both have since been superseded by SSAE 18). The Type I versus Type II distinction is what matters for the governance tiers: only a Type II report tests whether the controls actually operated over a period.
Slide 28: SFDC - Complementary Control Considerations Examples
Logical security:
- Password parameters
- Security administration
- Browser configuration
- IP address restrictions
Backup and recovery:
- Backup, retention, and rotation
Other:
- Data classification
- Regulatory compliance (HIPAA, GLBA, etc.)
Complementary control considerations are the controls that must be in place on the client side for the controls within the report to be considered fully operational (see Appendix 1).
Slide 29: Routine Vendor Governance
- Pre-contract and post-contract procedures to demonstrate vendor governance
- May be accomplished through security and privacy questionnaires
- Governance should be required by contract and monitored via Service Level Agreements (SLAs)
- The vendor relationship manager must have the technical skills to ensure appropriate governance
Slide 30: Social Media Terms of Service
Quoted from the Twitter terms of service: "The Twitter Entities make no warranty and disclaim all responsibility and liability for: (i) the completeness, accuracy, availability, timeliness, security or reliability of the Services or any Content; (ii) any harm to your computer system, loss of data, or other harm that results from your access to or use of the Services or any Content; (iii) the deletion of, or the failure to store or to transmit, any Content and other communications maintained by the Services; (iv) whether the Services will meet your requirements or be available on an uninterrupted, secure, or error-free basis."
Slide 31: Potential Social Media Controls
- Social media policy
- Approvals for use and content
- Offer fulfillment monitoring
- Monitoring what is said
- Appropriate use of tools (see Appendix 2) for managing administrative access, backups, audit trail, content approvals, availability, monitoring, etc.
- SSAE 16 reports
Slide 32: AWS Shared Security Responsibilities (EC2)
- You must secure anything you put in the infrastructure
- The security configuration varies with how sensitive your data is and which services you select
- Examples include:
  - patching the guest OS and any software you install
  - configuring the firewall (security groups) that allows outside access
  - configuring VPC subnets
  - setting access control policies for each of your storage buckets
  - configuring encryption options for the stored data
  - specifying backup and archiving preferences
Slide 33: Governing IaaS
- Very complex to configure securely: hundreds of settings covering memory, CPU, storage, network, firewall, load balancing, etc.
- Requires server and network architect and engineer skills, much like a physical data center
- Could require numerous audits of "IaaS general controls" (i.e., user-managed configurations) to determine compliance with internal security standards
- Internal audit and other governance requirements may not be much different from the in-sourced model
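An audit of "IaaS general controls" in the sense of the two slides above is, concretely, a pass over the user-managed configuration the provider hands back through its API. The following is an added example, not AWS's or the presenters' code, of three such checks for items on the EC2 shared-responsibility list: security-group rules that expose administrative ports to the Internet, bucket policies granted to everyone, and unencrypted volumes. It runs against constructed data shaped like the JSON returned by `aws ec2 describe-security-groups`, `aws s3api get-bucket-policy` and `aws ec2 describe-volumes`; the group, volume, bucket and account identifiers are made up for the example.

```python
"""Added example (not AWS's or the presenters' code): three checks over
user-managed IaaS configuration of the kind slide 32 lists, run against
constructed data shaped like the JSON that `aws ec2 describe-security-groups`,
`aws s3api get-bucket-policy` and `aws ec2 describe-volumes` return. Group,
volume, bucket and account identifiers below are made up for the example."""

SENSITIVE_PORTS = (22, 3389)            # SSH and RDP; extend per your standard
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _world_cidrs(perm: dict) -> list:
    """CIDRs on a rule that mean 'anyone on the Internet'."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def _rule_covers_port(perm: dict, port: int) -> bool:
    proto = perm.get("IpProtocol")
    if proto == "-1":                     # all protocols, all ports
        return True
    if proto not in ("tcp", "udp"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_ingress_findings(security_groups: list, ports=SENSITIVE_PORTS) -> list:
    """(group id, port, cidr) for every sensitive port reachable from the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            world = _world_cidrs(perm)
            if not world:
                continue
            for port in ports:
                if _rule_covers_port(perm, port):
                    findings.extend((sg["GroupId"], port, c) for c in world)
    return findings


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statement_indexes(policy: dict) -> list:
    """Indexes of Allow statements granted to everyone. A statement carrying a
    Condition block is still reported; whether the condition narrows it
    enough needs human review."""
    return [i for i, st in enumerate(policy.get("Statement", []))
            if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal"))]


def unencrypted_volumes(volumes: list) -> list:
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


# ---- constructed sample data (made-up identifiers) -------------------------
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
VOLUMES = [{"VolumeId": "vol-0111", "Encrypted": False},
           {"VolumeId": "vol-0222", "Encrypted": True}]


def audit(security_groups=SECURITY_GROUPS, policy=BUCKET_POLICY, volumes=VOLUMES) -> dict:
    """Run all three checks and return the findings keyed by check name."""
    return {"open_ingress": open_ingress_findings(security_groups),
            "public_policy_statements": public_statement_indexes(policy),
            "unencrypted_volumes": unencrypted_volumes(volumes)}


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result or 'none'}")
```

On the sample data the port-443 rule open to the world is deliberately not reported, since HTTPS to a load balancer or web tier is usually intended; the standard you encode in `SENSITIVE_PORTS` is the policy decision, and the `-1` (all traffic) rule shows why the check must treat protocol wildcards as covering every port rather than looking only at explicit port numbers.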
Slide 34: Section Summary
- Risk ranking models must drive governance requirements
- An SSAE 16 SOC 2 Type II report provides the most independent audit assurance
- Ensure the existence and effectiveness of complementary controls
- Verify that cloud services are configured in accordance with your information security standards
- SaaS governance may be fairly straightforward (with the potential exception of social media)
- IaaS governance can be complex and require a lot of technical skill to assess
Slide 35: Questions
Contact Information:
Appendix 1: Salesforce.com (SFDC) User Managed Configurations
Slide 37: SFDC Password Configurations
Parameter                       | Recommended Setting                              | SFDC Default Setting        | Ref*
Encrypted custom fields         | When required by regulations                     | Not used                    | 55
User passwords expire in        | No greater than 90 days                          | 90 days                     | 41
Enforce password history        | 12 or more                                       | 3                           | 41
Minimum password length         | 8 characters                                     | 8                           | 41
Password complexity requirement | Must mix alpha, numeric, and special characters  | Must mix alpha and numeric  | 41
Password question requirement   | Password hint cannot contain password            |                             | 42
Maximum invalid login attempts  | Maximum of                                       |                             |
* Page number in the SFDC Security Implementation Guide
Slide 38: Other SFDC Configurations
Parameter                                                 | Recommended Setting | SFDC Default Setting | Ref*
Lockout effective period                                  | 60 minutes or more  | 15 minutes           | 42
Restricting login IP ranges                               | External firewalls  | Disabled             | 44
Restricting login hours                                   | Enable              | Disabled             | 45
Timeout value                                             | 60 minutes          | 2 hours              | 46
Disable session timeout warning popup                     | Checked             | Not checked          | 46
Require secure connections (HTTPS)                        | Enabled             |                      | 47
Enable caching and password auto-complete on login page   | Disabled            | Enabled              | 47
* Page number in the SFDC Security Implementation Guide
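The two appendix tables are a baseline, and the complementary-control point of slide 28 is that the SOC 2 report only holds if the client side actually matches it. The following added example (not Salesforce's or the presenters' code) turns the tables into a drift check: each recommended setting carries a direction (a maximum, a minimum, or an exact value) so that, for instance, a 30-day password expiry passes a "no greater than 90 days" rule while a 2-hour session timeout fails a "60 minutes" one. The setting keys are made-up labels for this example, not Salesforce API or metadata field names, and the sample "current" values mirror the SFDC defaults in the tables, with HTTPS assumed to be enabled because the slide leaves that default blank. The conditional "encrypted custom fields" row is left out, since whether it applies depends on the data.

```python
"""Added example (not Salesforce's or the presenters' code): check a set of
Salesforce security settings against the recommended baseline from Appendix 1.
The setting keys are made-up labels for this example, not Salesforce API or
metadata field names; the sample 'current' values mirror the SFDC defaults
listed in the appendix, with HTTPS assumed enabled since the slide leaves that
default blank."""

# Each baseline entry: (rule, expected value, guide page).
# rule "max": current must be <= expected; "min": >= expected; "eq": == expected.
BASELINE = {
    "password_expiry_days":            ("max", 90, 41),
    "password_history_count":          ("min", 12, 41),
    "min_password_length":             ("min", 8, 41),
    "password_complexity":             ("eq", "alpha_numeric_special", 41),
    "lockout_period_minutes":          ("min", 60, 42),
    "login_ip_ranges_restricted":      ("eq", True, 44),
    "login_hours_restricted":          ("eq", True, 45),
    "session_timeout_minutes":         ("max", 60, 46),
    "disable_timeout_warning_popup":   ("eq", True, 46),
    "require_https":                   ("eq", True, 47),
    "login_page_caching_autocomplete": ("eq", False, 47),
}

# Constructed current state: the SFDC defaults from the appendix tables.
SFDC_DEFAULTS = {
    "password_expiry_days": 90,
    "password_history_count": 3,
    "min_password_length": 8,
    "password_complexity": "alpha_numeric",
    "lockout_period_minutes": 15,
    "login_ip_ranges_restricted": False,
    "login_hours_restricted": False,
    "session_timeout_minutes": 120,
    "disable_timeout_warning_popup": False,
    "require_https": True,            # assumed; the default is not given on the slide
    "login_page_caching_autocomplete": True,
}


def _compliant(rule: str, current, expected) -> bool:
    if rule == "max":
        return current <= expected
    if rule == "min":
        return current >= expected
    if rule == "eq":
        return current == expected
    raise ValueError(f"unknown rule {rule!r}")


def baseline_findings(current: dict, baseline: dict = BASELINE) -> list:
    """Return (setting, current, rule, expected, guide page) for each deviation.

    A setting absent from `current` is reported as a deviation: a control that
    was not verified cannot support the complementary-control assertion."""
    findings = []
    for name, (rule, expected, page) in baseline.items():
        if name not in current:
            findings.append((name, None, rule, expected, page))
        elif not _compliant(rule, current[name], expected):
            findings.append((name, current[name], rule, expected, page))
    return findings


def is_compliant(current: dict, baseline: dict = BASELINE) -> bool:
    return not baseline_findings(current, baseline)


if __name__ == "__main__":
    for name, cur, rule, exp, page in baseline_findings(SFDC_DEFAULTS):
        print(f"{name}: current={cur!r}, required {rule} {exp!r} (guide p.{page})")
```

Run against the defaults, the check reports eight deviations and passes only the expiry, minimum length and HTTPS rows, which is the practical content of slide 28: an out-of-the-box tenant does not yet satisfy the client-side controls the SOC 2 report assumes.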
Appendix 2: Social Media Tools
Slide 40: Resources for Social Media Tools
- Account Management: enterprise/tracking-down-the-right-social-media-management-tool/
- Content (Compliance) Monitoring & Analytics: media-monitoring-analytics-and-management-2013
- Archiving: http:// e_to_help_firms_track_social_media/
- Archiving: http://financialsocialmedia.com/search-engine-optimization-seo/the-best-social-media-compliance-products-for-financial-professionals/
- SMMS (social media management software): http://searchengineland.com/buyers-guides/enterprise-social-media-management-software-a-buyers-guide