Thursday, November 17, 2011

The Circle of Trust - Cloud Audit Assurance

Assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application.
(NIST SP 800-37 and SP 800-53A)

Cloud Audit Assurance. 
What can you do to provide assurance that your cloud infrastructure serves the purpose for which it was designed while protecting the data? Where do you start? Where does trust begin? Let's discuss three cycles that may help frame the discussion and an approach that may work for you. There's truth in the effectiveness of simple models that are easily understood and that can deliver repeatable results.

Start with the Business: Solution Alignment Cycle.
A previous post discussed GRC in the context of the business. We have to understand the objectives of the business and how the infrastructure and workloads align with and support those objectives, in the context of risk, while managing compliance concerns. One of the great values of GRC tools is their ability to continually monitor and measure the effectiveness of your GRC program. A governor, or speed limiter, is a device used to measure and regulate the speed of a machine, such as an engine (Wikipedia). The important part of the analogy is the feedback mechanism that regulates the engine so that it performs as expected. The illustration below shows a simple cycle that is intended to be self-governing.


Governance (alignment to business objectives) greatly affects how Risk (probability and impact) and Compliance (authorities, contracts, policies) are managed. Frameworks (COBIT, etc.) may be used to help drive the GRC program, whose effectiveness is measured using GRC tools. The workflow of the GRC tool helps to continuously regulate the cycle.

Manage the Technology: Solution Delivery Cycle.
The Storage, Network, Compute, and Hypervisor (infrastructure) and the Solutions (workloads) together deliver a service. The effectiveness of a solution (capacity, performance, alignment with and ability to meet needs, applicability) continually drives the selection and amount of technology assets required to deliver the solution. Put differently, the measurement of the effectiveness of the solution drives the hardware and software requirements.

Add Secure Operations Processes.
The PCVMR cycle was discussed in the previous post using the mission of a submarine. Provision the technology assets. Configure them in accordance with your authorities, best practices, and policies. Validate against your checklists and, as risk appropriate, with additional tools, scanners, or third-party resources. Monitor for deviations from your baseline. Accurately Respond, and improve your processes based on what you learned.
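The Validate, Monitor, and Respond stages above can be reduced to a small, repeatable check: compare each host's configuration snapshot against a baseline checklist, classify how the findings changed since the last pass, and turn the new drift into a remediation queue. The following Python is an added illustration of that loop, not tooling from the original post; the control keys, required values, and host snapshots are all constructed for the example.

```python
"""Baseline validation and drift monitoring (Validate / Monitor / Respond).

Added example; the baseline checklist and the host snapshots below are
constructed, hypothetical data, not a real standard or a real host.
"""
from dataclasses import dataclass

# Constructed baseline checklist: configuration key -> required value.
BASELINE = {
    "ssh.password_auth": "no",
    "ssh.root_login": "no",
    "audit.enabled": "yes",
    "firewall.default_inbound": "deny",
}

# Constructed snapshots of one host on two consecutive validation passes.
# Day 2 fixes root login but enables password auth and loses the firewall key.
DAY1_SNAPSHOT = {
    "ssh.password_auth": "no",
    "ssh.root_login": "yes",
    "audit.enabled": "yes",
    "firewall.default_inbound": "deny",
}
DAY2_SNAPSHOT = {
    "ssh.password_auth": "yes",
    "ssh.root_login": "no",
    "audit.enabled": "yes",
}


@dataclass(frozen=True)
class Finding:
    host: str
    key: str
    expected: str
    actual: object  # None when the setting is absent from the snapshot


def validate(host: str, snapshot: dict, baseline: dict = BASELINE) -> list:
    """Validate: every checklist item whose value differs from (or is missing in) the snapshot."""
    return [
        Finding(host, key, expected, snapshot.get(key))
        for key, expected in baseline.items()
        if snapshot.get(key) != expected
    ]


def monitor(previous: list, current: list) -> dict:
    """Monitor: classify drift between two validation passes as new, resolved, or persistent."""
    prev = {(f.host, f.key) for f in previous}
    curr = {(f.host, f.key) for f in current}
    return {
        "new": sorted(curr - prev),
        "resolved": sorted(prev - curr),
        "persistent": sorted(curr & prev),
    }


def respond(drift: dict) -> list:
    """Respond: an ordered remediation queue; new drift first, persistent findings escalated."""
    queue = [("remediate-new", host, key) for host, key in drift["new"]]
    queue += [("escalate-persistent", host, key) for host, key in drift["persistent"]]
    return queue


def run_example() -> list:
    """Run one full pass over the constructed data and return the remediation queue."""
    day1 = validate("web-01", DAY1_SNAPSHOT)
    day2 = validate("web-01", DAY2_SNAPSHOT)
    return respond(monitor(day1, day2))


if __name__ == "__main__":
    for action, host, key in run_example():
        print(f"{action:20s} {host:8s} {key}")
```

Each pass records the findings it produced, so the next pass can tell a newly drifted setting (something to remediate now) from one that has been open since the last review (something to escalate), which is the feedback that keeps the cycle self-regulating rather than a one-off audit.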