Okay. Hello everyone. Thanks to everyone joining us today. Hope everyone is staying safe under the circumstances. Welcome to today's CNCF webinar, The Rosetta Stone Guide to Compliance in a Cloud Native World. I'm Sanjeev Rampal, Principal Engineer at Cisco and a CNCF Ambassador. I'll be moderating today's webinar. We would like to welcome our presenter today, Cynthia Berg, who is a Program Manager at Capsule8. Before we get started, a few quick housekeeping items. During the webinar, you are not able to talk as an attendee. There is a Q&A box at the bottom of your screen. Please feel free to drop your questions in there, and we'll get to as many as we can during and after the presentation. This is an official webinar of the CNCF and as such is subject to the CNCF Code of Conduct. Please do not add anything to the chat or the questions that would be in violation of that Code of Conduct. Basically, please be respectful of your fellow participants and presenters. As we said earlier, put your questions in the Q&A box, not the chat box. With that, I'm going to hand it over to Cynthia to kick off today's presentation. Go ahead, Cynthia.

Thank you so much, and thank you to those who joined. Welcome to The Rosetta Stone Guide to Compliance in a Cloud Native World. I'm Cynthia. I'm a Program Manager at Capsule8, and I am one of those people who actually reads about compliance because I find it interesting. It may or may not be a medical condition. We will see. But we are here to talk about compliance today. And unlike me, it may not be one of your favorite subjects. In fact, it may feel like a massive box-checking exercise, pulling staff and coworkers into this vast abyss, mapping arcane controls, deciphering audit-speak, and never really sure if you're even shoring up security. But you know it's important, and you don't want to make the headlines.
But every time an auditor speaks, there seems to be a letter or a sentence describing a compliance control, which may or may not cost you thousands. But I promise you, the auditor on the other side of the table is equally as lost when you start talking about orchestration tools or containers or images. So how can you, the IT expert, quickly tease out the essence of what an auditor needs to give them the confidence that you've passed an audit? What's the solution? Today, we're going to dig in and decipher a SOC 2 Type 1 audit in a cloud native environment. We're going to demystify all the dots and the dashes and control numbers and give a high-level actionable roadmap of key elements required to pass your own SOC 2 audit, regardless of where you are on your cloud native or compliance journey. And in truth, you're likely already tackling SOC 2 problems and you may not even realize it. You're likely working right now on looking at your processes and documentation for your stakeholders to demonstrate how you are managing in this new normal.

Security of the cloud versus security in the cloud. We've been talking about these phrases for a long time, but they've come to take on an entirely different meaning in the context of compliance. It's nuanced, but it's critical, and it's the first step on our roadmap. Long ago, we worried about stability and accessibility and whether or not the cloud was the right place for critical systems and applications. We talked a lot about security of the cloud and then struggled, once we got there, with how to ensure security in the cloud. But through the lens of present day, security of the cloud now speaks to the shared responsibility model. The "who" in terms of responsibility when it comes to producing audit evidence in cloud native deployments is a tricky first step. And it speaks volumes to just how significantly discussions around security and compliance have shifted in a cloud native world.
So how did a fairly straightforward endeavor, an audit, become that monster under the bed? It's that thing that looms over us and few understand. I'm going to give an incredibly brief history of SOC 2 and how SOC 2 came to be seen as the gold standard for compliance attestations for service organizations. So for years, the AICPA, that's the American Institute of Certified Public Accountants, performed what was called a SAS 70 audit of service control organizations. And among these controls were security controls. But keep in mind, this is an accounting organization. Nevertheless, SAS 70 started being leveraged as an asset to win and keep business, but the controls weren't really sufficient to assess IT organizations. So, in 2009, the AICPA responded. It became known as the Trust Services Criteria, and the SOC, or Service Organization Control, audits were created. But the last major update to these controls really dates back to 2017.

When I speak of a Rosetta Stone, it is to understand that the critical importance of clear communication, clear language to assist you in mapping some fairly arcane controls to modern systems and processes, is critical. And also, having a clear compliance narrative to describe your IT systems from the outset is the foundation for producing clear use cases in your audit evidence, which is essential to pass any audit, SOC 2 or otherwise. This presentation is not a primer on SOC compliance; there is an assumption here that you understand the various compliance reports and the purpose of those reports. The presentation is intended to talk through some highlights. We're going to go through a mock audit for those who have experienced, or have been exposed to, at least SOC audits during some incarnation of your career. You may be here because you know that having SOC 2 attestation in the cloud puts you at a competitive advantage, can help you win and maintain customers, and it may just satisfy some internal and external stakeholders.
So for those of you who want to move to cloud native application platform services, putting compliance and security at the front of the planning stage is a great approach. It's a great way to launch a design. So why now? Yes, SOC 2 certifications help build trust; it differentiates you from your peers and your competitors. But why are we hearing so much about it right now? The Trust Services Criteria of security, processing integrity, privacy, among others, are problems we're all tackling yet again in this new normal. A sudden shift to a highly remote workforce accelerated many organizations' plans to move to the cloud quickly. And quite frankly, you know the audit is coming. You're having to work through documentation and processes again for stakeholders. So with that said, worst-case scenario, your approach: you and your team have haphazardly cobbled together enough to pass a one-time, and again that's a Type 1 audit of a point in time, and check a box to promote a perceived business value. But if you really want to take the killing-two-birds-with-one-stone approach, you would dig into this process, revisit security processes overall in this new normal, couch them in SOC 2 controls, or your framework of choice really, and bake compliance in as part of this journey.

Another reason we hear so much about SOC 2, quite frankly, is the breadth of reporting. The breadth of reporting required to pass a SOC 2 audit is significant. And it really readies you and your organization, as a good starting point, for building structures which can produce audit evidence, and then this evidence can be repurposed to support a wide variety of compliance controls. So effectively, if you have audit evidence to pass SOC 2, you can often go right in and tackle, say, PCI DSS or NIST 800-53.
So SOC 2 is also often viewed as a business-to-business virtual handshake, acknowledging that a third party has come in and reviewed and attested that you, as a service organization who handles customer data, have processes, governance policies, and monitoring in place which ideally ensure that the data is maintained, processed, transmitted, secured, stored, and disposed of in accordance with the standards set forth by the AICPA. And finally, security is not optional in a SOC 2 audit. Of the SOC 2 principles or criteria, you can choose which principles to include in your SOC 2 audit, but security must be included in a non-privacy-principle SOC 2 audit.

So we're going to dig in and talk about that roadmap. Make sure you are clear on the shared responsibilities and who owns part or all of each control in this matrix, and make no mistake, this is the most crucial step to a successful audit. Note that the Trust Services Criteria at the bottom, availability, processing integrity, etc., these are sets of controls individually, and each box in the matrix would be responsible for producing audit evidence depending on the scope of the SOC 2 audit. So let me couch this in an example. Say, for example, your organization uses AWS to host business-to-business workloads. And as part of your SOC 2 audit, in addition to security, which is required, you choose, say, availability and confidentiality as Trust Services Criteria for those B2B servers. That's in scope of your audit. It would then, based on this matrix, be a joint effort to produce the audit evidence between you and AWS. It's important to note that while availability and these things are optional, understanding the "who" of responsibility for producing audit evidence for the trust criteria, and the "how" of how the trust criteria will be evaluated, upfront is really where the real work is. Understanding this from the outset will improve the experience overall and the actual effectiveness of the audit.
So, looking at our mock SOC 2 Type 1 audit, and again a Type 1 audit is a moment in time versus a Type 2, which is an audit over a period of time. What is evaluated from a security criteria perspective in the SOC 2 audit? What are the required controls? The common criteria controls for communication and information have to be included. You must be able to illustrate how you manage, excuse me, internal and external communication and information flows. The common criteria for control activities have to be included; you have to demonstrate how you manage technology risk. In the common criteria for logical and physical access, you would demonstrate how you detect and prevent unwanted attacks and access to systems. You would demonstrate logical and physical security here; this is likely a shared activity between you and the cloud service provider. The common criteria for system operations, also likely a shared responsibility between you and the CSP, would illustrate effective anomaly detection, incident response, and remediation tools. It also digs into effective governance around the communication of security events. And finally, in the common criteria for change management, you would demonstrate how you've implemented change management and all of your policies related to software, infrastructure, and data.

So, if you aren't working with a governance framework and your goal is SOC 2 compliance, understanding that these are the criteria which will be evaluated is important. Or say you have a well-documented set of controls in an existing framework. This is where you would start in terms of mapping your controls to SOC 2 criteria. Or if you're just starting on your journey to the cloud, envisioning that path with these criteria upfront is a wonderful place to start. So we'll dig into the high-level roadmap and discuss the key elements required to pass a SOC 2 audit, regardless of where you are on your cloud native or compliance journey.
So returning back to the control matrix, step one: building this out is the first step and can take some significant time and effort. Security in cloud native environments is intrinsically linked to understanding the who and the how of the service provider. Now keep in mind, all the public CSPs, the cloud service providers, especially recently, have extensively expanded their offerings in regards to off-the-shelf tools. That's part of their service now around compliance, specifically for SOC 2, in the shared responsibility matrix boxes. Don't reinvent the wheel. Look to your cloud service providers and see what's made available. For step two, once you've determined that, now you need to determine the Trust Services Criteria that you want to have in scope. We know security is going to be there in any scenario. This is not a check-the-box exercise, but an opportunity to set standards for the compliance needs of the organization. Remember, you have to include security, but each one of these Trust Services Criteria has its own set of controls. Step three, perform a gap analysis and implement remediation when necessary. And keep in mind some key factors which are going to determine the number of times you cycle through these steps. And I think this is a real pain point for people who are going after SOC 2 audits. This is lather, rinse, repeat. The scope of your audit is going to determine the number of iterations. The more you include in the audit area, the more controls you're having to meet, which in turn means the production of more audit evidence and more test cases. Where are you with documented processes? Understanding that will determine whether or not you could already leverage an existing framework. If you're working with, say, COBIT or the CCM from the Cloud Security Alliance, you can likely lean into those; many times these frameworks are based on industry-accepted security standards and regulations. So a lot of SOC 2 controls are covered in those existing frameworks.
Finally, the number of third parties you're working with can really impact the sizing, the number of cloud service providers, etc. Each control in the Trust Services Criteria must be repeated for multi-tenancy. So with multiple cloud service providers that you're working with for shared SOC 2 audits, multiple sets of SOC 2 audit evidence and reports must be generated. And step four, ready your communication skills, because successful audits are rooted in compelling compliance narratives. Remember, this is a certified public accountant auditing your system. How simple is your network diagram to an outsider? How easy, right now, is it to describe your endpoint detection and response? As you'll see as part of the final audit report, and we're going to see a sample, it will include your opportunity to include your organization's compliance narrative. It will also include test cases and audit evidence. But leveraging some known frameworks can assist with the production of that audit evidence. Something such as MITRE ATT&CK can assist in readiness against real-world attack tactics and techniques, but can also help translate concepts like intrusion detection and prevention, as an example. Your auditor, your CPA, may be accustomed to being pointed to a piece of hardware during an audit for IDS; a very different kind of solution may be presented for IDS/IPS, and use cases around that, in cloud native environments.

So let's look at what is in an actual SOC 2 compliance report from an auditor's perspective. So at the top, you're going to see the service auditor's report. This is your CPA's executive summary of the audit. Next, this is where you come in: your management team has the opportunity to document your compliance strategy, in their words. This is your management's executive summary. Next, you're going to see a description of the system. This is where any diagrams, workflows that are documented, any end-to-end system narrative would be appropriate.
Next, there's going to be a section of tests and controls and corresponding results. Now this literally could be volumes of data, depending on the scope of the audit; remember, more Trust Services Criteria included, more use cases. If you have multiple CSPs or multiple third parties, that's going to expand as well. And then lastly, any additional information you'd like to provide in the audit, potentially noting third-party attestations that you have, or supporting documentation for other folks who work with you. Just as you would not necessarily have the appropriate background, as an IT professional, to, say, audit a complex financial statement, so the onus is on the IT organization to demonstrate compliance, even when the use case is unfamiliar to the CPA. And I want to show you some real-world examples of where this can become a challenge. You may run into them yourselves. So the common criteria of section six speak to the logical and physical security aspects of your system. You may be able to demonstrate how you detect and prevent unwanted attacks and access to the systems. And keep in mind, the common criteria controls for section six have multiple facets, each looking at a specific requirement, and sometimes it's even a shared responsibility. But fundamentally, how would your auditor expect to see how you meet this without a software-defined perimeter? You would have to show like functionality. Another example, in common criteria seven, you would have to show how you would identify vulnerabilities or misconfigurations, and how you do this on a periodic basis. Likely your auditor may be used to seeing a traditional antivirus solution here, or anti-malware. The auditor may even know how to drive those test cases themselves. Auditors are learning about cloud solutions just like IT professionals.
But again, the onus is on the IT professional to be prepared and reduce confusion with clear test cases which illustrate how you meet these challenges, and be ready to answer any questions which may come up which are off script. So I've actually typed up a sample SOC 2 audit for two specific areas, the first being around logical and physical access, the common criteria of section six, specifically around IDS. So in this section here, we would have the actual control listed, the control activity specified by the service organization. This is your narrative. This is how you are describing functionality in a cloud native world. Use this as a tutoring opportunity for your CPA and an introduction to how you're meeting IDS requirements, maybe in a way they've never seen before, in a cloud native implementation. Leveraging tests that are defined by a framework like MITRE ATT&CK can readily demonstrate tactics, and how they are prevented, to the service auditor. And you see we passed with flying colors.

So another example here was our second example around the common criteria for section seven, looking at how we would manage changes to configurations that would result in the potential introduction of new vulnerabilities and susceptibilities. Here again, we would map out the control. At the very top is how the AICPA requires the control, within the SOC 2 documentation. There are some guidelines on the types of use cases that they would like to see. But again, you have an opportunity here to give your narrative of how you interpret this control and how you meet this control. And then you have use cases and test cases queued up that you can fire off quickly and easily, to be able to turn this into a Q&A session with your auditor. So, having worked with auditors for a very long time, I would say a safe answer to every SOC 2 control in the cloud native world is to first consider how you would accomplish this in an on-premise infrastructure.
Again, auditors, especially CPAs for SOC 2, and it does have to be a CPA to attest a SOC 2 certification: how would you accomplish this in an on-prem deployment? Get out your Rosetta Stone and then show like functionality in your cloud deployment. Here you have an opportunity to provide a narrative and then generate basic use cases to support it, because we're really already solving these problems right now. We're tackling SOC 2 Trust Services Criteria every day. You're already doing the work. Why not couch these efforts in SOC 2-ready use cases?

Some examples from May of 2020. Four months ago, we did not see this new normal coming. We now have a highly distributed workforce. We have, in some cases, a reduced response team and a spike in threats from all angles. So zero trust isn't just a framework we talk about anymore. It is the new normal. So how are you going to demonstrate how you protect against unauthorized disclosure of information or unauthorized access? I'm sure you're able to do it. But what's your use case? You've just set yourself up to meet at least one control in a SOC 2 audit. How are you going to explain to your auditor that you've actually enhanced accessibility and resilience by leveraging containers and microservices? What does that workflow diagram look like? How can you leverage an existing framework, moreover, to tell this story? Again, we're already doing the work. Take a look at the SOC 2 principles, if it's a goal of yours, and start building use cases accordingly, including processing integrity. And the common criteria, in terms of whether or not it's in scope, can be a massive undertaking for organizations working with multiple third parties to contribute to a final product of a SOC 2 audit. But you need easy access to the procedures and processes of those third parties anyway, if you, say, want to stay out of the headlines.
Do you know all that you should about your third parties who contribute to the care and feeding of infrastructure, data, and software right now? Confidentiality: new challenges here. Working from home now exposes physical security in a new way. Working from common spaces, even for stable internet or power on some days, or simply having a laptop with sensitive data in a busy household, brings new challenges of theft and damage, and likely you're talking about this within your organization. So how are you going to demonstrate how you handle confidential information in a highly distributed workforce? Hint: look at SOC 2 compliance controls. And finally, privacy, when failure really is not an option. Looking at the top 15 data breaches of the 21st century, the past few months alone have exposed over a billion records, resulted in millions in fines, and actually a couple of prison sentences. Also, the California Consumer Privacy Act, or CCPA, went into effect in January 2020. If you're impacted by that, consumers can now opt out of the sale of their personal information. And it's why you probably have seen an uptick in emails with updates to privacy terms in your inbox. In theory, right now every Californian can find out what information is being collected about them and their devices. Then on March 21 of this year, right in the middle of the height of the pandemic in New York, silently, the New York SHIELD Act went into effect. Very similar to the CCPA, but it not only focuses on the protection of private information, but also seeks to enforce disclosure from organizations if they are breached. So our call to action today is to recognize, number one, you're tackling these problems already today. You're already working through these challenges; couching them in SOC 2 controls, you can immediately start building out use cases.
I recommend visiting our Cloud Native Compliance Playbook, strategies for how to build both security and compliance in a cloud native world, and I've included a link to that document in the presentation. And I appreciate you joining me today, and I'd be happy to answer any questions. Did I see questions come in?

I haven't had questions come in yet. Okay, all right. Maybe I'll kick off a question here, which is...

Sure.

What are the most common types of compliance standards that you're seeing in the cloud native deployments of, you know, early cloud? How often do you see SOC 2 versus PCI DSS versus others?

I think we're hearing so much right now; the most I'm hearing is SOC 2, with a new kind of volume. And again, it's because it's such a broad compliance standard. It applies to anyone who holds or manages customer data. I'd say SOC 2 right now. The reason I chose it as an example is it's the one I'm hearing about the most. Obviously, depending on your area of expertise, in terms of the organization that you're supporting, it could be HIPAA, it could be PCI, it could be GDPR. It could be a major issue, but again, SOC 2 is talked about a lot because if you can pass a SOC 2 audit, because of the breadth of controls and the size of the audit, you often can reuse that evidence to pass a PCI or NIST audit. But it really depends on your industry; it could be FedRAMP that is driving you as well.

So thank you. Folks, feel free to chime in, or you can type in your questions in the Q&A box. I think compliance will continue to grow as an important area that needs more, you know, attention and innovation in the cloud native world. So you want to stay out of the headlines. Yeah. I guess there's a question from an attendee here. Is this information, I guess, referring to your playbook? Is this available for all platforms like VMware, OpenStack, AWS, Azure?
Can this playbook and this information be used in a multi-cloud platform?

100%, and it's actually a wonderful question. And if I wasn't clear in the presentation, it actually is critical. That matrix is step number one, understanding what you have in the cloud. First of all, maybe you have multiple things in the cloud across multiple cloud service providers. If you want to pass a SOC 2 audit, understanding that matrix of the who and the how of the trust criteria: who's going to produce the audit evidence, is it a joint effort? For example, if you're trying to get a SaaS application SOC 2 certification or attestation, it's really a joint effort, very heavy on the joint effort right now. And actually, as of this month, Microsoft has a whole new section of off-the-shelf SOC 2-ready reports for the joint area that they would be responsible for. And those reports, you can download them today, and you can actually use them to model how you would report on your responsibilities. But yes, that is what would increase the scope of the audit, and the time it would take to do the audit, because you would have to meet the criteria for each one of those public cloud providers, as well as yourself, depending on that Trust Services Criteria, you know, the matrix and how you're going to produce the audit evidence.

Another question is, you touched on SOC 1 and SOC 2; what is the difference between the two?

Sure. Type 1 is a moment in time, so it would be that day; it would be like a snapshot of, or maybe that week. A SOC 2 Type 2 audit typically runs for six months. So you kick off the timer, you would start to collect information over a period of time. So in our example for IDS/IPS, we would want to be able to provide not just the use cases that we triggered, you know, as an example for the auditor at that point in time, but we would have to show how we protected, in, say, the real world, for a period of months.
Kevin asks, where is a good place to get a full breakdown of the control criteria? He's finding that finding this on the AICPA website is a bit difficult.

Sure. Actually, if you download this presentation, there are some hyperlinks, and there is a link directly to the PDF which maps out all of these controls. And you're right, there are multiple PDFs, but there is a single one. And again, we're talking a lot about the Rosetta Stone because it's from 2017. It doesn't necessarily map easily to cloud native concepts and principles, but it is from 2017, it is a single PDF, and there's a link to it in this presentation.

Another question is, what is the overall process of a third-party assessment?

It's a great question. So this can be incredibly overwhelming, obviously. And depending on the scope of your audit, again, if you're just going after the MVP, just tackling the security principles to include, or if you have to, for example, report on data processing integrity, it's not uncommon to leverage a consultant. There's a lot of folks out there. There's even compliance-as-a-service now; in the past year that's come up as an offering. But it's not uncommon to have a third party come in and help you map some of these controls, help you build these cases, really work and break down that responsibility matrix. But to be completely clear, the only people that can give you SOC 2 attestation... It's different than, say, PCI or NIST or FedRAMP, where you can enlist a third party, you know, a group of auditors to come in, like Deloitte, for example, to sign the piece of paper. Or Deloitte's not a good example. Joe's Compliance Shop, they're just someone who does this for a living. You can't do that necessarily for SOC 2 unless Joe is a certified public accountant.

And by extension, can any CPA do this, if they know how?

Yes, but, and that's the challenge, right, is finding those CPAs who really have one foot in the technical world. It can be challenging.
You know, the Big Four all have them on staff, but not everyone can afford a Big Four auditor. So it really comes down to how well you can work with that auditor, how clear you can make your compliance narrative to that auditor.

A couple more questions coming up in the chat window. Please put your questions in the Q&A box, please. And the next question asks, can you design a customized OS and the control matrix? Not entirely sure about the question. Can you design a customized OS and the control...

Yeah, no, I understand what you're asking. Of course you can. But that's work, right? That's a lot of work, and that's where the monster-under-the-bed feeling comes from. I would suggest downloading the PDF from the AICPA. If you're using an existing framework right now, like if you are making sure you have covered, say, MITRE or COBIT, you know, that is a pretty easy exercise of mapping controls. But yeah, I mean, you would have to, if you are using a custom OS to host customer information, you can do it, it's work. You'd have to do it if you wanted to get a SOC 2 attestation.

Kyle asks, what do consumers of SOC 2 reports really look for in the reports?

Consumers, so your consumers would be, in this case it's not going to be, you know, the person who's buying your product. They really just want to see that you have the attestation, that you've had a third party come in and say yes, they really are doing what they say they can do. Your consumer would likely be a business partner or someone you would want to, you know, leverage as a... Or you're the third party and you want to work with a larger organization. It really just shows that your business is in order, that you really have done diligence around security. It's that virtual handshake that I was talking about. But honestly, I would be surprised if anyone opened up a SOC 2 report. They may want it, except around privacy now.
With privacy-principle SOC 2 attestations, you really might start to see some folks dig in and see what the chain of custody is for how you collect, especially with these latest regulations in California and New York, what you're collecting, how it's being stored, how it's being destroyed. There would probably be some significant scrutiny around that if it was a privacy-principle SOC 2.

Sounds good. I think that's about all the questions we have. We'll wait a minute more if anybody has any more last questions. Yes, there's one more now. Kyle asks again, what would happen if I have to issue a qualified report after issuing them regularly without issue? Are there things I can do to give customers comfort over our environment?

Well, I think that's kind of a subjective question, but comfort over your environment... I think right now privacy is at the forefront of most people's thoughts. That's why we're seeing regulations like GDPR, and the acts in California and New York, come forward. You, again, you can show pretty readily. I wouldn't want to disclose any confidential operational information, but you could make clear statements that you are disposing of consumer information in a specific way, and that specific way is spelled out in the privacy principles for privacy, and it really is quite rigorous. And I think if you're able to say you're SOC 2 certified for privacy, and you dealt with consumer information, you could have a link, maybe, to the section of the website to show exactly what that means in terms of if you put your information into systems that collect data. I hope that answers the question.

Thank you, Cynthia. So I think we're about done here. Thank you, Cynthia, for a great presentation.

Absolutely. Yeah.

Go ahead, Cynthia.

No, just thank you for having me.

And the webinar recording and the slides will be online later today. We'll be looking forward to seeing you at a future CNCF webinar. Stay safe. Have a great day. Goodbye.
You as well.