Archive for the ‘Compliance and Certification’ Category

« Older Entries

Colocation Strategies – Perspectives from Data Center World

Posted by Douglas Barbin
May 13th, 2013

I was delighted to be invited to speak on security and compliance during the Colocation Tutorial at Data Center World last week in Las Vegas, Nevada.  The tutorial was an all-day session for enterprise data center operations executives – mostly data center operators from large corporations that currently outsource to a colocation facility.  I had the privilege of joining a panel comprising of executives from RagingWire, Equinix, Schneider Electric, Dominion Virginia Power, Transitional Data Center Services, and Neustar.

I wanted to give the readers who were not able to attend the conference or tutorial session some of my key takeaways from the event:

Not all colos are created equal – Fundamentally most individuals think that a colo facility just provides power and space.  However, those of us familiar with the business know that there can be embedded service providers and data centers within data centers.  Then, add a layer of complexity to the increased prominence of real estate companies, such as Digital Realty Trust, that specialize in data center property management.    Lee Tamassia from Equinix provided an excellent overview of the different models from wholesale to retail up to and including cloud services.  Mr. Tamassia then discussed how these models integrate with different data center standards.  I was then able to add onto these comments to discuss compliance responsibility between a data center and its tenants.

Data center operators may not think compliance is #1 priority – Imagine that!  When Jim Leach from RagingWire asked the audience who either managed or was exposed to compliance initiatives on a frequent basis – very few raised their hands.  Make no mistake – everyone expects the environment to be secure and more importantly reliable.  A few participants stated that compliance often was mandated from legal, IT security, or external auditors.  However, the day-to-day activities for these operation executives typically only revolve around topics such as power consumption, utilization, and resources – which affect the bottom line.

Security and compliance should be a topic of focus early on (during the selection and procurement process) – Steve Gunderson from Transitional Data Center Services and Jim Weber from Neustar walked through a template and evaluation process that included looking at security and availability features as well as available audits.  One participant from a manufacturing company stated that “I don’t handle credit card information, but the fact that the data center has gone through PCI, in my mind puts them at a higher level.”

The different compliance and certification acronyms can be confusing – I believe I was able to provide insight with this topic.  At a minimum, the participants walked away understanding that “SSAE 16 certified” was technically incorrect and could be an indication of misleading marketing.  We also discussed HIPAA, FISMA, and how a data center plays a role when its tenants (or the tenants’ customers) are the ones mandated to comply.

In summary, we auditors, just like those in security, can get so ingrained in the details of SOC reporting standards, PCI compliance requirements, FedRAMP authorizations, etc. that we often need reminding of the end-user’s perspective.  This conference brought a lot of insight to the auditor in me, and I hope the attendees took away some tangible recommendations and action points from the Colocation Tutorial.

On May 15th, I get another opportunity to speak – this time at the Uptime Institute conference in Santa Clara, CA. Hope to see you there!

SocialTwist Tell-a-Friend

Tags: , , , , , , , , , , , , , , , , , ,
Posted in Compliance and Certification, FedRAMP, FISMA, Industry Topics, Payment Card Industry (PCI) Data Security, SOC 1, SOC 2, SOC Reports, SSAE 16 / ISAE 3402 | No Comments »

Part II – PCI Cloud Computing Supplement: Technical Considerations

Posted by Douglas Barbin
April 11th, 2013

By Eric Sampson and Doug Barbin

In a previous article, we provided a summary of the key components of the PCI DSS Cloud Computing Guidelines (“cloud supplement”).  That article focused on roles, responsibilities, agreements, and audit considerations.  This article speaks more to the technical considerations.

Segmentation challenges

Cloud hosted environments often present new layers of responsibility for common shared layers, such as hypervisors and virtual infrastructure layers, which can present a single point of entry (or attack) for all systems above or below those shared layers.  The security applied to these layers is therefore critical not only to the security of the individual environments they support, but also to ensure that segmentation is enforced between different tenants’ environments.

Regardless of whether a hosted environment can achieve PCI DSS compliance, risks and threats persist, especially for shared cloud environments.  The need for adequate segmentation of client environments in a public or shared cloud is underscored by the principle that the other client environments running on the same infrastructure are to be considered untrusted networks.  The client has no way of confirming whether other client environments are securely configured or patched appropriately to protect against attack, or that they are not already compromised or designed with malicious intent.  This is particularly relevant where a cloud provider offers IaaS and PaaS services, as the individual tenants have greater control and management of their environments.

Virtualization Considerations

Virtualization requirements apply generally to cloud hosted environments.  The SSC had previously published the PCI DSS Virtualization Guidelines to discuss security considerations for virtual technologies.  In a complementary manner, the Cloud Guidelines reiterates some virtualization guidance and provides additional security considerations for cloud hosted environments.  Of note regarding technical considerations are the following:

  • VM-to-VM traffic does not pass through traditional network-based security controls, such as a firewall, router, or network IDS/IPS.  Rather, traffic can pass through virtual network routes.  The use of additional host-based security controls to monitor and control traffic, such as host-based firewalls and host-based IDS/IPS applications may be necessary.
  • Dormant virtual machines must be secured when dormant and not actively used for any period of time.  Security vulnerabilities can be introduced when dormant host is activated.  In the same vein, if a virtual machine can be removed and replaced, a malicious user can make modifications offline and introduce a malware infected virtual machine.
  • In cloud hosted environments, audit logs are available both at the virtual host and at the virtual machine operating system.  Cloud providers and tenants should discuss roles and responsibilities to ensure all audit logs are reviewed appropriately and in a timely manner.  Creating an environment where virtual host and virtual machine audit logs can be correlated into meaningful events is recommended.
  • Where the hypervisor has introspection capabilities, or the ability to control and monitor individual VM activity from outside the VMs, presents security challenges.  For instance, the introspection function allows files of VMs to be access within the privileged state of the hypervisor without an audit trail being generated by the VM.  This can present a greater concern for tenants of public, community, or hybrid cloud hosted environments than for tenants of private cloud services.  Tenants should be aware that any personnel with access to the introspection function on the hypervisor could potentially have access to data on any VM managed by the hypervisor.  Therefore, the introspection function should be carefully managed, controlled, and monitored to ensure that role-based access and segregation of duties is maintained.  For example, the hypervisor administration and hypervisor monitoring and auditing functions should be separated.

As noted in the previous article, many of the above issues apply equally in the world of SOC 1, SOC 2, ISO 27001 certification, and FedRAMP.

Please feel free to contact BrightLine if you have any additional questions.  BrightLine specializes in PCI validation for cloud providers.  We are also the only firm in the world that is a licensed CPA firm, PCI QSA, ISO 27001 certification body, and FedRAMP 3PAO.

Eric Sampson is a QSA at BrightLine who leads assessments for some of the largest SaaS providers in the US.  Doug Barbin is a Principal at BrightLine and the firm-wide practice leader for PCI.

 

SocialTwist Tell-a-Friend

Tags: , , , , , , , ,
Posted in Cloud Audit, Cloud Computing, Payment Card Industry (PCI) Data Security | No Comments »

Part I – PCI Cloud Computing Supplement: Know Your CSP!

Posted by Douglas Barbin
April 4th, 2013

By Eric Sampson and Doug Barbin

The writing is on the wall.  For many businesses, cloud providers are becoming a key component of IT and business strategies, service delivery capability and scalability, innovation, and delivering new service models and solutions to market.  For merchants and service providers that store, process, or transmit cardholder data, the PCI DSS provides the requirements necessary to ensure a secure and compliant cardholder data environment.  Until recently, guidance was limited to the interpretation of existing PCI standards, which never fully accounted for today’s evolving cloud computing models. The release of the PCI DSS Cloud Computing Guidelines (“cloud supplement”), attempts to align core PCI goals with a better understanding of cloud provider and cloud customer (“tenant”) responsibilities to maintain a compliant cloud-hosted cardholder data.  BrightLine had the privilege of participating in this group. The document is, by default, supplementary and as with all PCI supplements does not supersede, replace, or extend the PCI DSS requirements.  In fact, the cloud supplement states they are provided especially to “[present] recommendations for starting discussions about cloud services” in giving cloud providers and tenants a point of discussion for approaching their individual roles and responsibilities in meeting the PCI DSS requirements.” In the cloud supplement, the SSC describes the following important areas, to name a few, for understanding provider and client relationships:

  • Cloud provider deployment and service models
  • How roles and responsibilities may differ among tenants and cloud provider environments including segmentation and scoping considerations
  • PCI DSS compliance challenges
  • Contractual needs
  • Technical security considerations

Understanding the Models Generally speaking, cloud provider service delivery models can be categorized into one or more of the following three areas: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).  Cloud provider responsibilities over security and operational controls and meeting PCI DSS requirements tend to increase from an IaaS model (most client responsibility) to a SaaS model (least client responsibility).  In addition, cloud providers can deploy hosted environments differently.  Tenants need to understand the cloud deployment model being utilized or proposed for their cloud hosted environment.  Cloud deployment models include private, community, public, and hybrid cloud (a combination of private, community, and/or public). Tenents need to understand the level of oversight or visibility they will have into the security functions that are outside their control.  If these security responsibilities are not properly assigned, communicated, and understood, insecure configurations or vulnerabilities could go unnoticed and unaddressed, resulting in potential exploit and data loss or other compromise.  Cloud providers can help their tenants understand how the service models being offered affect their tenants in terms of roles and responsibilities.

Written agreements Once cloud provider and tenants roles and responsibilities for operation, management, and reporting are understood for each requirement, a formal agreement with clear policies and procedures should be defined.  Contractual agreements are especially critical where control responsibility is outsourced to ensure the required security measures are being met and maintained by the cloud provider for the duration of the agreement.

Mind the Gap Be mindful of when a CSP claims “PCI compliance” for their cloud environment.  It is not uncommon for a provider to sell data center, managed, and cloud services only to have the PCI ROC/AOC cover the data center component.  This is why it is critical that a tenant and their QSA be able to understand the scope of what was and was not covered to be able to determine if additional procedures are required. It is also important to note that many of the above issues apply equally in the world of SOC 1, SOC 2, ISO 27001 certification, and FedRAMP.

In the next article we will discuss some of the technical considerations presented within the supplement.

Eric Sampson is a QSA at BrightLine who leads assessments for some of the largest SaaS providers in the US.  Doug Barbin is a Principal at BrightLine and the firm wide practice leader for PCI.

SocialTwist Tell-a-Friend

Tags: , , , , , , , , , , , , ,
Posted in Cloud Audit, Cloud Computing, Payment Card Industry (PCI) Data Security | No Comments »

ISO 27001:2013 – Understanding the New Standard

Posted by Ryan Mackie
April 2nd, 2013

Part 1: Scoping and the approach of implementing the ISMS

Organizations currently implementing or planning to implement a management system based on ISO 27001 will have a tough decision to make in the near future: Should management implement the information security management system (ISMS) based on ISO 27001:2005 or should ISMS implementation be delayed until the issuance of the new standard, ISO 27001:2013?  The decision of selecting either ISO27001 standard will have major implications as to how your organization approaches and designs your ISMS.

Organizations currently certified should not expect much difficulty in transitioning from the 2005 version to the 2013 version.  Organizations that are not currently certified will be impacted by the revised 27001 standard, which is expected to be released later in 2013.

Background

The draft version of the updated 27001 standard was recently released for review.  The draft version format of the updated 27001 standard was redesigned to better align with other ISO standards, such as ISO 9001 and ISO 20000.  Moreover, the draft version received slight modifications in both the management system requirements and the controls included in Annex A.  These modifications better interconnect software-based infrastructures (i.e. cloud computing) that have predominantly emerged within the last few years.

The intent and focus of the standard hasn’t changed in the 27001:2013 draft.  The standard remains focused on information security and an organization’s approach to design, plan, implement, and monitor a management system to effectively manage information security risk.  However, the foundation for designing and planning the management system has shifted to better align with the practical matters of today’s organizational environment.  This will come as a positive shift for several organizations as the scope moves away from assessing the risk approach, which organizations have historically struggled with during the implementation of their management system.

Scoping Your Information Security Management System Under ISO 27001:2013

By adopting the draft version of the standard, organizations will now have the ability to base the scope of their ISMS on the issues and objectives most meaningful to the organization’s risk environment.  The draft version takes into consideration the dependencies between the organization and third parties.  This is a critical component for organizations that have third party relationships (specifically data centers) that provide a key system or service to the organization.  Likewise, by adopting the draft version it is assumed that the organization will have a greater acceptance and understanding of scope limitations pertaining to third party relationships and dependencies.

See below for a comparison of the 2005 and 2013 versions of the standard:

27001:2005 Establishing the ISMS ISO 27001:2013 Context of the Organization
Define the scope and boundaries of the ISMS in terms of the following: 

  • characteristics of the business;
  • the organization;
  • its location;
  • assets and technology; and
  • details of and justification for any exclusions from the scope.
 Determine external and internal issues that are relevant to its purpose and that affect the ability to achieve the intended outcome of its ISMS. 

Determine interested parties that are relevant to the ISMS and their requirements relevant to information security.

Determine the boundaries and applicability of the ISMS to establish its scope and consider the following:

  • the previously determined external and internal issues;
  • the previously noted requirements of interested parties; and
  • interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

 

The draft version’s approach for defining the scope provides more directed guidance regarding necessary considerations which should ultimately formulate a more grounded scope.  This could potentially lead to a better defined implementation process for the foundations of their ISMS.  Organizations in the process of planning their ISMS or those that expect to undertake the project during the latter part of the year may have the opportunity to reassess their approach to implementation, should difficulties arise in defining the scope and/or potential scope creep.

What to do Today?

Organizations currently in the process of implementing an ISMS using the 27001:2005 standard may find it in their best interest to obtain and review the draft 27001:2013 standard so that the appropriate decision for the organization can be made.  In addition, please do not hesitate to contact BrightLine to schedule a call to discuss the ISO 27001 certification process and upcoming changes.  We are happy to provide your organization with a free consultation.

 

 

SocialTwist Tell-a-Friend

Tags: , ,
Posted in Compliance and Certification, ISO 27001 / 27002, News, Uncategorized | No Comments »

BrightLine Principal, Doug Barbin, To Speak During the Knowledge Congress Webcast Series About PCI-DSS For The Cloud

Posted by avani.desai
March 27th, 2013

Via Business Wire

PCI – DSS in the Cloud: Practical Guide for Cloud Computing Security and Compliance

Tampa, FL- BrightLine CPAs & Associates Principal, Doug Barbin, will be part of a two-hour live webcast on Thursday, April 4, 2013 from 12:00-2:00pm EST.  The live webcast will discuss the importance of Payment Card Industry Data Security Standard (PCI-DSS) compliance.  While the PCI-DSS remains to be a challenge for many organizations, PCI-DSS compliance in a cloud computing environment can be even more daunting. It is therefore vital for financial institutions, merchants, and service providers to be informed of the latest and most significant issues with respect to PCI-DSS to help ensure cloud computing security and compliance within the organization, while at the same time minimizing the risk of any potential pitfalls.

Barbin will be part of key panel of experts discussing the fundamentals of PCI-DSS, cloud provider responsibilities, virtualization infrastructure, audit and assessments, strategic initiatives, and legal and regulatory issues.  Unlike some events that often feature technology or service providers, Barbin will be the only QSA along with attorneys who specialize in cloud service agreements and breach litigation.

BrightLine is offering complimentary passes to this event to its clients and prospective clients.  If you would like to claim CLE/CPE hours, a nominal fee of $49 is charged.  Interested parties who would like to listen to the live webcast can click here to register.

ABOUT BRIGHTLINE

BrightLine CPAs & Associates is a leading provider of attestation and compliance services. BrightLine is the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body and a FedRAMP 3PAO. Renowned for expertise tempered by practical experience, BrightLine’s professionals provide superior client service balanced by steadfast independence. BrightLine’s approach builds successful, long-term relationships and allows clients to achieve multiple compliance objectives using a single third party assessor.

 

SocialTwist Tell-a-Friend

Tags: , , , , , ,
Posted in Cloud Audit, Cloud Computing, News, Payment Card Industry (PCI) Data Security | No Comments »

“Become a Champion in Your Space” – Re-cap of the SaaShr Conference

Posted by avani.desai
September 25th, 2012

The SaaShr’s 5th Annual Partner Community Workshop was held in Philadelphia, PA on September 19-21, 2012.  BrightLine Principal, Scott Zelko and I (Chief Marketing Officer, Avani Desai) attended as the Diamond Sponsor of the event.  The conference was attended by over 150 SaaShr customers and business partners.   SaaShr, a Kronos Company, is a provider of Software as a Service (SaaS)-based workforce management applications with a major focus in Human Resources (HR), Payroll, and Time and Labor Management.  The conference had several content-packed sessions which focused on implementation, support, sales, and marketing strategies, and new this year, emerging topic areas, such as social media use and regulatory / contractual compliance.

Wednesday marked the official start of the conference.  The conversation was lively as the attendees discussed with us various types of compliance reporting that they either perform or are being asked to perform; specifically SSAE 16 examinations.  The attendees were very interested in what could lie ahead in their industry, which they described as an environment that is compliance heavy, under continuous scrutiny and intertwined with customer, business partner, and legislative requirements.  We discussed some of the benefits of compliance reporting – meeting customer audit and compliance requirements, forging business partnerships, building trust with current customers, third party assurance, and competitive advantage. The attendees agreed and a CEO of an HR Service Bureau commented “An unqualified SSAE 16 report allowed our company, a small player in the market, to compete in the field with some very larger competitors.”

One of the highlights of the conference was when I had a chance to speak to the attendees during the Sponsor Circle.  I discussed that companies today increasingly rely on the services of outsourced providers to perform certain tasks or functions related to their business.  This is evident in the growth that the attendees have seen in their own companies – an average of over 10% annually.  However, the inherent risk a user organization assumes in outsourcing business functionality is the dependence on the service organization’s capability to deliver services.  I mentioned one efficient way for user organizations to get comfort and help mitigate these risks, is require service organizations to obtain third-party assurance concerning their internal control environment.  Accordingly, service organizations should get ahead of the curve and be proactive by preparing for the assurance reports before they are asked.  This resonated well with the attendees, as they thought about supplementary ways to compete in the market.

As the conference wrapped up, my favorite quote was made by an attendee who stopped by the BrightLine booth and asked questions about our services.  I mentioned SSAE 16, and he immediately said, “I need to get one of those Sassy 16’s done –the report knows it adds value, it is inevitable in today’s environment, it can help me grow, and also mitigate risk, so it has the right to throw a little bit of attitude around.”  Point well taken.

 

SocialTwist Tell-a-Friend

Tags: , , , , , ,
Posted in BrightLine, Compliance and Certification, SOC 1, SOC 2, SOC Reports, SSAE 16 / ISAE 3402 | No Comments »

« Older Entries