Cloud Assurance: Challenges, Developments and Practices. March 2013, Utrecht. drs. Mike Chung RE. Part 1


Page 1: Cloud assurance Mike Chung KPMG

Cloud Assurance Challenges, Developments and Practices

March 2013, Utrecht

drs. Mike Chung RE

Part 1

Page 2: Cloud assurance Mike Chung KPMG

• Understanding the context of cloud computing from an assurance point of view
• Addressing the perceived and real risks of cloud computing
• Sharing good practices and control frameworks
• Any other expectations?

Objectives

Page 3: Cloud assurance Mike Chung KPMG

Context

Page 4: Cloud assurance Mike Chung KPMG

• We are re-imagining every part of our software empire to run on and through the cloud
Steve Ballmer
• Cloud computing is going to be one of the things that enables Hewlett Packard to recover its leadership role in the ICT industry
Meg Whitman

‘Tectonic plate shifts in the industry’

Page 5: Cloud assurance Mike Chung KPMG

• Gmail

• Dropbox

• Facebook

Volume and magnitude

Page 6: Cloud assurance Mike Chung KPMG

• Gmail: 450 million users on more than 150,000 machines

• Dropbox: 100 million users; services worth 5 billion EUR

• Facebook: 1 billion users; 3 billion EUR turnover

Volume and magnitude

Page 7: Cloud assurance Mike Chung KPMG

• Salesforce.com: 2012 turnover approaching 1.7 billion EUR

• Amazon EC2: 30% of profit from cloud services

• Office 365: Lowe, Shell, Nutreco, American Red Cross

• Google Apps: 66 of the 100 largest universities in the US are using Google Apps

Cloud as enterprise solution

Page 8: Cloud assurance Mike Chung KPMG
Page 9: Cloud assurance Mike Chung KPMG

• Zero

• One

• Infinity

• 1 to N

Mnemonic

Page 10: Cloud assurance Mike Chung KPMG

• Virtualisation

• Web services

• Broadband internet

• Big data centres

• Services

Drivers to the cloud

Page 11: Cloud assurance Mike Chung KPMG
Page 12: Cloud assurance Mike Chung KPMG
Page 13: Cloud assurance Mike Chung KPMG
Page 14: Cloud assurance Mike Chung KPMG

Cloud market evolution

2009 - 2010
Characteristics: Non-business critical; Commodity; Limited integration
Services: Storage; CRM; Additional computing power
Sectors: SME; Telcos; Universities

2011 - 2012
Characteristics: Replacement of legacy; Flexibility; Moderate-level integration
Services: Datacentre; ‘Office’; PaaS; HR
Sectors: Traditional production; Retail; Entertainment & media

2013 - 2014
Characteristics: Business critical; Strategic; High-level integration
Services: Cloud sourcing; Corporate mobile apps; ERP
Sectors: Government; Financial services; Healthcare

Page 15: Cloud assurance Mike Chung KPMG

• Google launches new IaaS: Google Compute Engine
• Google Apps for small businesses no longer free
• Oracle increases its presence in the cloud market (Oracle HCM)
• Major CSPs lower their prices by up to 30%
• Cisco acquires Meraki (mobile device management from the cloud)
• OpenStack Foundation includes IBM, Dell, Cisco, HP
• PCI guidelines for the cloud

Recent developments

Page 16: Cloud assurance Mike Chung KPMG

Profile of the cloud

Page 17: Cloud assurance Mike Chung KPMG

Cloud computing vendors told me that my data at their locations was just as safe as my money in the bank. Since the credit crunch we all know how reliable the banks are.

CISO of a firm in the public services sector

Page 18: Cloud assurance Mike Chung KPMG

Key differences

On-premise | Cloud
Internal data processing and storage | External data processing and storage
Dedicated IT environment | Multi-tenancy
LAN, leased lines | (Public) internet

Page 19: Cloud assurance Mike Chung KPMG

On-premise versus cloud (diagram)

On-premise: enterprise IT serving the business user
Cloud: external IT serving the business user
Reality: enterprise IT and external IT together serving business users and mobile users

Page 20: Cloud assurance Mike Chung KPMG

• Key attribute/principle of cloud computing
• Single instance of software (single code base on a common infrastructure) serving multiple clients
• Different from virtualisation, yet using virtualisation
• Per-tenant metadata
• Standardised instances and releases

Multi-tenancy

Page 21: Cloud assurance Mike Chung KPMG

• Network of several million networks

• Based on TCP/IP protocol suite

• ICANN: IP addresses and DNS

• IETF: TCP/IP, standards

• Different layers: application, transport, internet, link

• Internet exchanges: AMS-IX, DE-CIX

• Heterogeneous

Internet

Page 22: Cloud assurance Mike Chung KPMG

Internet (diagram): own network → internet provider's network → ‘random’ networks → internet provider's network → CSP's network

Page 23: Cloud assurance Mike Chung KPMG

Internet

Page 24: Cloud assurance Mike Chung KPMG

• Security risks

• Privacy/legal risks

• Operational risks

• Financial risks

• Vendor risks

• Assurance risks

Assignment

Page 25: Cloud assurance Mike Chung KPMG

• Risk = probability * impact

Risk

Page 26: Cloud assurance Mike Chung KPMG

• Per risk category

• Per dimension

• Threat/vulnerability-driven

Approach

Page 27: Cloud assurance Mike Chung KPMG

Cloud computing risks: security

• Data may be stored in the cloud without proper customer segregation, allowing possible accidental or malicious disclosure to third parties
• Loss of governance of critical areas, e.g., vulnerability management, infrastructure hardening, or physical security
• Weak logical access controls due to the cloud vendor's IAM immaturity
• Cloud adoption opens the four data centre walls to external IT service providers, creating new risks

Page 28: Cloud assurance Mike Chung KPMG

Cloud computing risks: privacy/legal

• Data may be stored in the cloud in a legal jurisdiction where the rights of the data subject are not protected
• Outdated laws and regulations create uncertainty when characterising the various cloud transactions

Page 29: Cloud assurance Mike Chung KPMG

Cloud computing risks: operational

• Cloud adoption introduces rapid change in the organisation
• Cloud sourcing may impact existing organisational roles and could require new skills or make others redundant
• Business resiliency/disaster recovery needs and plans will change and require updating
• Risk of creating independent silos of information, which perpetuates the problems of data integrity, quality, and insight
• The business can bypass the IT function to implement technology solutions, posing challenges for IT governance

Page 30: Cloud assurance Mike Chung KPMG

Cloud computing risks: financial

• Movement from a CapEx to an OpEx model impacts existing budgeting, forecasting, and reporting processes
• The CapEx-to-OpEx model and changes in the character and source of service impact tax considerations
• Cloud ROI and cost/benefit analysis are complicated by the need for knowledge of the existing cost of delivery and future use of the service

Page 31: Cloud assurance Mike Chung KPMG

Cloud computing risks: vendor

• Lack of clarity on ownership and responsibilities between the cloud vendor and the user company
• No prevalent standards for vendor interoperability
• Extensive reliance on CSPs
• Cloud delivery models dramatically change how IT delivers technology services to support business requirements

Page 32: Cloud assurance Mike Chung KPMG

Cloud computing risks: assurance

• Lack of visibility into the cloud service provider's (CSP's) operations inhibits analysis of its compliance with pertinent laws and regulations
• Complexity of records management/records retention creates challenges
• Lack of industry standards and certifications for cloud providers creates risks

Page 33: Cloud assurance Mike Chung KPMG

Risk dimensions: external IT operations

• Inadequate and/or insufficient data security measures at the provider's location(s), compromising data integrity and confidentiality
• Issues with retracting data after termination of the service
• Discontinuation of business-critical services due to failing disaster recovery at the cloud service provider
• Unclearly defined SLAs leading to unsatisfactory services
• Compliance issues due to lack of assurance concerning the physical location of data
• Location of data in different jurisdictions conflicting with local legislation applicable to the customer

Page 34: Cloud assurance Mike Chung KPMG

Risk dimensions: multi-tenancy

• Inadequate data segregation and process isolation leading to data contamination and/or breach of confidentiality
• Inadequate identity & access controls causing illegitimate access to sensitive data such as intellectual property
• Restricted/limited services due to insufficient allocation of resources and/or capacity
• Standardised functionality not meeting business requirements
• Complexity of ensuring compliance due to the ‘black box’ nature of shared resources (monitoring & logging)

Page 35: Cloud assurance Mike Chung KPMG

Risk dimensions: (public) internet

• Unencrypted data getting lost or stolen in transit
• Congested parts of the network causing unavailability of data
• Dependency on internet access and availability for all cloud services
• Uncontrolled access from unsecured/malware-infected client devices affecting services
• The public internet is exceptionally hard to audit and to monitor
• Accountability and responsibilities for internet traffic are difficult to assign and even more difficult to enforce
• Lack of possibilities to influence technology on the internet
• Governments can shut down parts of the internet (Egypt, China)

Page 36: Cloud assurance Mike Chung KPMG

• Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
• Botnet incident at Amazon EC2 infected customers' computers and compromised their privacy (2009)
• Gmail was unavailable for several hours for unspecified reasons (2010)
• Hyves was unavailable for an hour due to a UPS failure at Evoswitch (2010)
• Linkup lost half of its customer data (2010)
• GoGrid's network problems had a major impact on service availability (2011)
• Salesforce.com was partly unavailable for 30 minutes (2011)

Incidents in the cloud: overview

Page 37: Cloud assurance Mike Chung KPMG

• November/December 2009 – publicised in January 2010
• Vulnerabilities in Internet Explorer and Adobe software exploited to get access to Gmail accounts
• ‘Elderwood’ group (Chinese government?) – Operation Aurora
• A number of Gmail accounts hacked
• Vulnerabilities fixed

Incidents in the cloud: Google

Page 38: Cloud assurance Mike Chung KPMG

• December 2010
• WikiLeaks ‘kicked out’ by Amazon
• Cablegate data had been hosted on EC2 to withstand DDoS attacks
• Pressure from the chairman of the US Senate Homeland Security Committee
• Back to Bahnhof (Sweden)
• Data safely transferred

Incidents in the cloud: Amazon EC2

Page 39: Cloud assurance Mike Chung KPMG

• April 2011 – users notified 7 days later
• Unpatched servers as entry point – database exploited via SQL injection – passwords not hashed
• Anonymous or disgruntled former employee(s)?
• Exposed personal information of 77 million PlayStation Network users – over 5 million USD direct damage
• Security technology updated, servers patched, increased levels of encryption

Incidents in the cloud: Sony PlayStation

Page 40: Cloud assurance Mike Chung KPMG

• December 2012
• Maintenance error by developers in the production environment
• Configuration error in the access control system
• Elastic Load Balancing service affected in the US-East region for almost 24 hours – performance degradation
• No permanent loss or corruption of data
• Amazon updated its procedures and access settings

Incidents in the cloud: Amazon Web Services

Page 41: Cloud assurance Mike Chung KPMG

• December 2012

• Software bug

• Human error: node protection not turned on

• Failure of monitoring, alerts and escalation

• No failover in place

• 1.8% of Azure storage accounts impacted for 32 hours

• No permanent loss of data

Incidents in the cloud: Windows Azure I

Page 42: Cloud assurance Mike Chung KPMG

• February 2013 – users notified 4 days later
• Evernote itself detected breaches in its infrastructure and suspicious activity on its network
• Suspects unknown
• 50 million password changes requested
• No evidence user content was accessed, changed or lost
• Two-factor authentication to be implemented (status March 2013)

Incidents in the cloud: Evernote

Page 43: Cloud assurance Mike Chung KPMG

• February 2013

• SSL/TLS certificates expired
• Untimely renewal of certificates due to human error
• Failure of monitoring and alerts
• Azure Storage Blobs, Tables and Queues accessed over HTTPS impacted for 12 hours – worldwide

• No permanent loss of data

Incidents in the cloud: Windows Azure II
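The expiry failure above is the kind of thing a monitoring job catches mechanically. The following Python script is an added example, not code from the presentation: it classifies an inventory of endpoints by days until their certificate expires, using the notAfter string format that Python's ssl module returns from getpeercert(), so the same classifier works on the output of a live check. The host names, dates and alert thresholds are constructed for the example.

```python
import socket
import ssl

# Constructed inventory for the example (host names and dates are made up):
# host -> certificate notAfter, in the format ssl.getpeercert() returns.
SAMPLE_INVENTORY = {
    "blob.example.test": "Feb 22 12:00:00 2013 GMT",
    "table.example.test": "Mar 15 12:00:00 2013 GMT",
    "queue.example.test": "Feb 22 12:00:00 2014 GMT",
    "old.example.test": "Jan 31 12:00:00 2013 GMT",
}


def days_until_expiry(not_after, now):
    """Days until notAfter (negative once expired). now is a Unix timestamp."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def classify(inventory, now, warn_days=30, crit_days=7):
    """Map each host to 'expired', 'critical', 'warning' or 'ok'.

    The thresholds are the monitoring policy (assumed values): a certificate
    inside crit_days must be renewed now; inside warn_days it goes on the
    renewal queue.
    """
    result = {}
    for host, not_after in inventory.items():
        d = days_until_expiry(not_after, now)
        if d < 0:
            result[host] = "expired"
        elif d <= crit_days:
            result[host] = "critical"
        elif d <= warn_days:
            result[host] = "warning"
        else:
            result[host] = "ok"
    return result


def needs_action(status_by_host):
    """Hosts that should raise an alert, most urgent first."""
    order = {"expired": 0, "critical": 1, "warning": 2}
    return sorted(
        (h for h, s in status_by_host.items() if s in order),
        key=lambda h: order[status_by_host[h]],
    )


def fetch_not_after(host, port=443, timeout=5.0):
    """Live variant: read notAfter from the leaf certificate a server presents.

    Not exercised offline; feed its results into classify() for real monitoring.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import time

    for host in needs_action(classify(SAMPLE_INVENTORY, time.time())):
        print(host)
```

The classifier is deliberately separated from the fetch: the offline part can be unit-tested against a fixed clock, and the alerting thresholds are the part that should be reviewed, since a certificate that expires on a weekend with a 7-day critical window leaves little room.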

Page 44: Cloud assurance Mike Chung KPMG

• February 2013

• Information on the root cause as well as suspects not disclosed by Zendesk
• A limited amount of user data accessed by hackers
• Procedures improved and vulnerable systems patched

Incidents in the cloud: Zendesk

Page 45: Cloud assurance Mike Chung KPMG

• Low number of incidents compared with on-premises IT
• Far better execution of security measures and architecture
• Security is a key factor for cloud service providers
• Incidents are high-impact, high-magnitude events
• Blurring demarcation of responsibilities between cloud service providers, network providers and customers
• Importance of browsers

Incidents into perspective

Page 46: Cloud assurance Mike Chung KPMG

• 10% of laptops with locally stored data get stolen every year
• 99% of data is unencrypted
• 50% of business-critical company data is unencrypted
• Almost all big CSPs are ISO 27001 certified – only 15% of enterprises are able to match that

Also notice that...

Page 47: Cloud assurance Mike Chung KPMG

Cloud versus on-premise

Source: AlertLogic

Page 48: Cloud assurance Mike Chung KPMG

• FUD
  • Security: cloud is far less secure than on-premise IT
  • Privacy: everybody can access my data
  • Maturity: cloud is for kids only
• Practice
  • Integration: cloud-to-on-premise integration is complex and often incompatible
  • Performance: cloud services obey the laws of physics too
  • Vendor lock-in: (open) standards are emerging, but it is a long road ahead

FUD and practice

Page 49: Cloud assurance Mike Chung KPMG

• (Distributed) Denial of Service leading to obstruction of communication
• Flood services: resource consumption, disruption of configuration (e-mail bombs)
• Crash services: triggering errors in components
• Twitter, August 2009
• Better firewall/switch/router configuration; application front end (packet and payload analysis)

DDoS
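The flood case on this slide is usually handled at the application front end by refusing requests from a source that exceeds a rate before they reach the backend. The following Python code is an added example, not from the presentation: a per-source sliding-window rate limiter replayed over a constructed access log (addresses, timestamps and paths are made up) in which one source fires 50 requests in two seconds while an ordinary client sends five in ten.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-source limiter: at most max_requests within any window_seconds span.

    This is the rule an application front end (or a WAF / rate-limit module)
    applies before the request reaches the expensive backend.
    """

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # source -> timestamps still inside the window

    def allow(self, source, ts):
        q = self._hits[source]
        # Drop timestamps that have slid out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # flooding: reject without touching the backend
        q.append(ts)
        return True


def build_sample_log():
    """Constructed access log for the example: (timestamp, source IP, path).

    One ordinary client, and one source that fires 50 requests in two seconds.
    """
    legit = [(i * 2.0, "10.0.0.5", "/") for i in range(5)]
    flood = [(0.5 + i * 0.04, "198.51.100.77", "/login") for i in range(50)]
    return sorted(legit + flood)


def replay_log(log, limiter):
    """Run the log through the limiter; return {source: number of rejected requests}."""
    rejected = defaultdict(int)
    for ts, source, _path in log:
        if not limiter.allow(source, ts):
            rejected[source] += 1
    return dict(rejected)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=20, window_seconds=10.0)
    print(replay_log(build_sample_log(), limiter))
```

With a limit of 20 requests per 10 seconds the flooding source gets 30 of its 50 requests rejected and the ordinary client none. A limiter keyed on source IP does nothing against a spoofed-source volumetric flood or a distributed one spread thinly across many sources; those need upstream filtering, which is why the slide lists router and switch configuration separately.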

Page 50: Cloud assurance Mike Chung KPMG

• A SQL query is built from attacker-supplied input data
• A metacharacter (e.g. a quote) in the input ends the data value, so the rest of the input is parsed as SQL commands in the control part of the query
• SQL databases behind websites are common
• Sony PlayStation
• Input/output validation; parameterised queries; static code analysis

SQL injection
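The tenant-segregation risk on Page 34 and the injection on this slide meet in one query. The following Python example is added here and is not code from the presentation: it loads an in-memory SQLite table with constructed rows for two tenants, shows how a single quote in a string-built query switches the tenant filter off so one customer reads another's rows, and shows the parameterised form with the tenant taken from the authenticated session rather than from the request.

```python
import sqlite3

# Constructed sample data: one shared table holding rows for two tenants,
# the layout a multi-tenant SaaS application typically uses.
SAMPLE_ROWS = [
    (1, "tenant-a", "alice", "alice@a.example"),
    (2, "tenant-a", "bob", "bob@a.example"),
    (3, "tenant-b", "carol", "carol@b.example"),
]

INJECTION = "x' OR '1'='1"  # classic payload: makes the WHERE clause always true


def make_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, tenant TEXT, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_user_vulnerable(conn, tenant, name):
    """Vulnerable: the caller's input is spliced into the SQL text.

    A quote in `name` closes the string literal and the remainder is parsed
    as SQL, which is how the tenant filter gets disabled.
    """
    sql = (
        "SELECT id, tenant, name FROM users "
        f"WHERE tenant = '{tenant}' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def find_user_hardened(conn, session_tenant, name):
    """Hardened: bound parameters keep `name` as data whatever it contains,
    and the tenant value comes from the authenticated session, never from
    the request body, so the segregation rule is applied server-side."""
    sql = "SELECT id, tenant, name FROM users WHERE tenant = ? AND name = ?"
    return conn.execute(sql, (session_tenant, name)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, "tenant-a", INJECTION))
    print("hardened:  ", find_user_hardened(conn, "tenant-a", INJECTION))
```

Run against the constructed rows, the vulnerable query returns all three users across both tenants; the hardened one returns nothing for the payload and only tenant-a's rows for legitimate names. Input validation helps as defence in depth, but the binding of parameters is what removes the class of bug.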

Page 51: Cloud assurance Mike Chung KPMG

• Exploiting vulnerabilities in hypervisors (VM separations)

• Hack VM A to attack VM B via VM A

• Some minor cases on AWS

• Segmentation, VM hardening

Guest-hopping

Page 52: Cloud assurance Mike Chung KPMG

• Taking control of the hypervisor
• Directly obtaining control or running a rogue hypervisor underneath the legitimate one
• Theoretical scenario, but potentially extremely damaging
• Countermeasure: an integrity measurement of the hypervisor anchored in the underlying hardware (measured/trusted boot); a plain checksum such as a CRC over hypervisor state is not a control, since whoever controls the hypervisor can recompute it

Hyper-jacking

Page 53: Cloud assurance Mike Chung KPMG

• The attacker makes independent connections with the victims and relays messages between them
• Session hijacking; hostname lookup; web proxy
• Several internet banking applications
• Strong mutual authentication, latency examination, second (secure) channel verification

Man-in-the-middle

Page 54: Cloud assurance Mike Chung KPMG

• Stealing a legitimate user's session ID and presenting it again
• Session IDs are often carried in cookies, form fields or URLs
• Not often seen with public cloud services

Session replay
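A stolen session ID is only useful if the server accepts the ID alone. The following Python class is an added example, not from the presentation: a server-side session table that binds each random ID to a client context and an expiry, so that a replay from another client, a replay after expiry, or a replay after logout is refused. The client-context strings and clock values are constructed; in practice the binding would be a TLS client-certificate fingerprint or channel binding, with source address plus User-Agent as a weaker stand-in.

```python
import hashlib
import hmac
import secrets
import time


class SessionManager:
    """Server-side session table: opaque random IDs, each bound to a client
    context and an expiry, so a copied ID is not enough on its own."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> {"user", "exp", "binding"}

    @staticmethod
    def binding_of(client_context):
        """Digest of client attributes re-checked on every request.

        Strongest choice: a TLS client-certificate fingerprint or channel
        binding. The example's callers pass "ip|user-agent" as a weaker stand-in.
        """
        return hashlib.sha256(client_context.encode()).hexdigest()

    def issue(self, user, client_context, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[sid] = {
            "user": user,
            "exp": now + self.ttl,
            "binding": self.binding_of(client_context),
        }
        return sid

    def validate(self, sid, client_context, now=None):
        """Return the session's user, or None.

        Any failure destroys the session (fail closed): a replay from a
        different client logs the victim out as well, which is preferable to
        letting the attacker keep using the ID.
        """
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now >= s["exp"]:
            self._sessions.pop(sid, None)
            return None
        if not hmac.compare_digest(s["binding"], self.binding_of(client_context)):
            self._sessions.pop(sid, None)
            return None
        return s["user"]

    def revoke(self, sid):
        """Logout: the ID is dead server-side even if a copy survives in a cookie jar."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    m = SessionManager(ttl_seconds=600)
    sid = m.issue("alice", "203.0.113.5|Mozilla/5.0")
    print(m.validate(sid, "203.0.113.5|Mozilla/5.0"))   # alice
    print(m.validate(sid, "198.51.100.9|curl/7.0"))     # None: replay from elsewhere
```

Binding to the source address breaks legitimate users behind changing NAT or mobile networks, so the fail-closed choice here trades availability for containment; a deployment that cannot accept that should bind to something stable such as a client certificate and keep the short TTL plus logout revocation, which carry most of the value.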

Page 55: Cloud assurance Mike Chung KPMG

• Sniffing networks; capturing network packets
• Easy when hubs are used
• Not often seen with public cloud services
• Encryption, network segmentation, network access control

Eavesdropping

Page 56: Cloud assurance Mike Chung KPMG

• Like guest-hopping – extracting information about the target VM from a ‘rogue’ VM co-located on the same physical host, e.g. through shared caches or timing
• Amazon EC2, 2009 (case study by MIT and UC San Diego)
• A virtual firewall appliance does not close these channels, which bypass the network; placement controls (dedicated hosts) and isolation at the hypervisor do

Side-channel

Page 57: Cloud assurance Mike Chung KPMG

• IP, DNS, ARP spoofing attacks
• IP spoofing often used for DDoS; DNS spoofing often used to spread malware
• Vulnerable with trusts/federations
• Packet filtering, spoofing detection software, secure communication protocols (HTTPS, SSH, TLS)

Spoofing
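Of the three spoofing variants on this slide, ARP spoofing is the one a host or sensor can detect locally, because a spoofed reply contradicts the IP-to-MAC binding already on record. The following Python code is an added example, not from the presentation: detection logic run over a constructed ARP reply log (addresses are made up) in which the gateway's address is suddenly claimed by a second MAC.

```python
from collections import defaultdict

# Constructed ARP reply log for the example (not a real capture):
# (timestamp, sender IP, sender MAC) as a host or sensor would see them.
SAMPLE_ARP_LOG = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),   # default gateway
    (1.5, "10.0.0.7", "00:11:22:33:44:07"),
    (2.0, "10.0.0.1", "00:11:22:33:44:01"),
    (3.0, "10.0.0.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    (3.2, "10.0.0.7", "00:11:22:33:44:07"),
    (4.0, "10.0.0.1", "de:ad:be:ef:00:01"),
]


def detect_arp_spoofing(arp_log, known_bindings=None):
    """Flag ARP replies whose sender MAC contradicts the binding on record.

    known_bindings: optional static IP -> MAC table (gateway, DNS server) that
    takes precedence over whatever is observed first. Without it the first
    reply seen is trusted, which is exactly the weakness ARP spoofing exploits,
    so seed it for the hosts that matter.
    """
    bindings = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    alerts = []
    for ts, ip, mac in arp_log:
        mac = mac.lower()
        recorded = bindings.get(ip)
        if recorded is None:
            bindings[ip] = mac
        elif recorded != mac:
            alerts.append({"time": ts, "ip": ip, "expected": recorded, "observed": mac})
    return alerts


def macs_per_ip(arp_log):
    """Secondary signal for a batch review: IPs claimed by more than one MAC."""
    seen = defaultdict(set)
    for _ts, ip, mac in arp_log:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG, {"10.0.0.1": "00:11:22:33:44:01"}):
        print(alert)
```

The static table matters: if the attacker's reply is the first one the sensor sees, a purely learned binding would treat the legitimate gateway as the impostor. The same contradiction check applies to DNS answers (a name resolving to an unexpected address), though there the reference data has to come from a trusted resolver rather than from first sight.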

Page 58: Cloud assurance Mike Chung KPMG

• The US Army is investing heavily in three areas: Special Forces, drones and cyber security
• Physical systems can be attacked from cyberspace (Stuxnet)
• Transparency on cyber incidents and unintended consequences (widespread vulnerabilities)
• The good guys are being outspent
• Predominance of two mobile systems (iOS and Android)
• Secure or prepare?

Cybercrime

Page 59: Cloud assurance Mike Chung KPMG

• Organised cybercrime

• Online espionage

• Hacktivism

• State-backed cyber attacks

• Internal computer fraud

Cybercrime types

Page 60: Cloud assurance Mike Chung KPMG

• Lack of information and obscurity (suspects, alliances, developments)
• Much more professional (phishing e-mails, sophisticated attacks)
• Non-technical and technical (harvesting of social data for targeted attacks)

• Jurisdictional barriers

Cybercrime challenges

Page 61: Cloud assurance Mike Chung KPMG

• Cloud as partner in crime (botnets on Amazon)
• Collateral damage of attacks (attacks are being copied, refined and used again: Stuxnet, FinFisher)

Cybercrime challenges

Page 62: Cloud assurance Mike Chung KPMG
Page 63: Cloud assurance Mike Chung KPMG

• Ecosystem and architecture

• Technology

• Frameworks and standards

• ‘Right-to-audit’

• IT auditors

Challenges

Page 64: Cloud assurance Mike Chung KPMG

Sliding scale (diagram)

Delivery models, left to right: On-premise IT, SSC, Hosting, Outsourcing, Cloud computing

Data processing and storage: on-premise → off-premise
Resource use: single-tenant → multi-tenant
Primary network infrastructure: LAN → (public) internet

Page 65: Cloud assurance Mike Chung KPMG

Layers of services

Layer             | IaaS     | PaaS     | SaaS
Business software | customer | customer | provider
Middleware        | customer | provider | provider
OS                | customer | provider | provider
HW + network      | provider | provider | provider
Facilities        | provider | provider | provider

IT management: the layers the provider manages versus the layers the customer keeps managing, per the standard split above

Page 66: Cloud assurance Mike Chung KPMG

Cloud ecosystem: enablers to integrators

Cloud enablers
Examples: H/W and S/W vendors
Value added: provide the technology, infrastructure, platforms and middleware to enable provision of cloud services

Cloud service vendors
Examples: IT & services players (HW & SW vendors / IT distributors); pure cloud players (e-commerce, internet giants, hosting companies); telcos
Value added: provide the actual cloud services, spanning SaaS, PaaS and IaaS, to customers

Cloud service integrators
Examples: integrators; telcos
Value added: provide cloud-focused technology services such as system integration, cloud migration and maintenance

Page 67: Cloud assurance Mike Chung KPMG

Cloud ecosystem: niches and providers

Hardware

Operating System

Virtualization Software

Application Development Platform

Applications

Infrastructure Platform Software

System Integrators

Different niches and service providers

Page 68: Cloud assurance Mike Chung KPMG

• Increasing number of third party providers

• Service providers

• Co-operators and partners

• Aggregators and brokers

• Examples:

• Twitter, DropBox and many mobile apps on Amazon

• Salesforce on Equinix

• Cloud services via Capgemini

Third party providers

Page 69: Cloud assurance Mike Chung KPMG

• Acquisitions

• Google acquires Writely

• Salesforce acquires Heroku

• Wolters Kluwer acquires Twinfield

• Bankruptcy (Cassatt)

• Change of strategy (Iron Mountain, Google Wave, Google Notebook)

Dynamic market place

Page 70: Cloud assurance Mike Chung KPMG

• Essential element of cloud computing
• VMware (market leader: VMware Server, vSphere), Microsoft Hyper-V, Citrix XenServer
• Already on mainframes since the 1960s

Virtualisation 1/3

(Diagram: without virtualisation, one OS per hardware machine; with virtualisation, a virtualisation layer on the hardware hosts several OS instances)

Page 71: Cloud assurance Mike Chung KPMG

Virtualisation 2/3

Resource virtualisation (large shared storage, large shared database, shared network): this layer provides many virtual resources but itself consists of many components, potentially spread around the world or, for example, obtained from other cloud vendors

Virtualisation layer (software): this layer provides many virtual servers or software services but itself runs on an intelligently balanced pool of real (physical) servers, utilising the virtualised resources

Page 72: Cloud assurance Mike Chung KPMG

• More systems ‘virtually’ on one physical machine

• Managed via the Hypervisor

Virtualisation 3/3

Page 73: Cloud assurance Mike Chung KPMG

• Single point of failure
• Performance degradation (HW, network)
• Licence conditions
• Some applications' performance degrades significantly
• Insecure deployment and configuration of VMs
• No firewall between VMs (VM-to-VM traffic undetected by network protection mechanisms)

Virtualisation risks

Page 74: Cloud assurance Mike Chung KPMG

• Desktop virtualisation (e.g. via Citrix and Hyper-V): Shell GID
• Storage virtualisation
• Application virtualisation for legacy apps: de-coupling of OS and HW – not always possible

Other types of virtualisation

Page 75: Cloud assurance Mike Chung KPMG

• Existing control frameworks are based on access by external/third parties, not on access to cloud services
• They are based on management of internally stored data (possibly managed by externals), not on externally stored data
• Therefore irrelevant and insufficient for the off-premise nature of the cloud

Off-premise nature

Page 76: Cloud assurance Mike Chung KPMG

• Marginal attention to (technical) architecture in existing frameworks
• Multi-tenancy virtually unobserved/unexposed
• Mere focus on segregation of duties, facilities and networks

Multi-tenancy

Page 77: Cloud assurance Mike Chung KPMG

• Financial and legal issues (accountability, ownership) outside the domain of IT audits
• Exceptionally difficult to audit
• Only a few existing principles and practices for e-mail usage and internet security are applicable

(Public) internet

Page 78: Cloud assurance Mike Chung KPMG

• Given the position of cloud computing, the future mode will be a hybrid environment
• At large corporations, this hybrid environment will consist of on-premise IT, outsourced parts, parts at hosting providers, and parts in the cloud
• The key risk resides in the organisation's inability to orchestrate the new paradigm of automation

Hybrid environment

Page 79: Cloud assurance Mike Chung KPMG

• Define scope of services

• Define scope of CSP and other (third) party providers

• Identify components (physical, network, HW, SW, services)

• Agree demarcation of responsibilities/accountabilities

Practices: cloud ecosystem

Page 80: Cloud assurance Mike Chung KPMG

Conceptual architecture of the cloud (diagram): customer organisation, cloud service provider, third-party (cloud) provider and data centre connected over the network, with mobile use and online identities at the edge

Page 81: Cloud assurance Mike Chung KPMG

• Identify data

• Assign ownership

• Classify data (value, legal, sensitivity, importance)

• Devise and implement procedures for data processing

Practices: data classification

Page 82: Cloud assurance Mike Chung KPMG

• http://www.youtube.com/watch?v=ZwLJ4x7rhzU
• http://www.economist.com/topics/cloud-computing
• http://ec.europa.eu/information_society/activities/cloudcomputing/docs/com/com_cloud.pdf
• http://www.alertlogic.com/wp-content/uploads/alert-logic-fall2012-cloud-security-DIGITAL.pdf
• http://www.dataliberation.org

Links

Page 83: Cloud assurance Mike Chung KPMG

[email protected]

• 06 – 1455 9916

• Laan van Langerhuize 1, KPMG Amstelveen

• Follow me on Twitter @MikeChung_KPMG

Contact