cloud computing risk management (iia webinar)
TRANSCRIPT
CLOUD COMPUTING RISK MANAGEMENT: SECURITY CONSIDERATIONS FROM AN ASSURANCE PERSPECTIVE
George Thomas, SVP Internal Audit – First Data Corp
Brian Dickard, Director Internal Audit – First Data Corp
AGENDA
• Introduction
• Terminology and Stats
• Major Public Cloud Services
• Assessing Public Cloud Risk
• Trends and Issues
• Concluding Remarks
INTRODUCTION
• First Data Vision
– To shape the future of global commerce by delivering the world’s most secure and innovative payment solutions
CLOUD COMPUTING – WHAT IS IT?
• Where did it come from?
• Why should I care as a business manager?
• What types of risk are there?
• How does it work?
CLOUD COMPUTING – HOW DOES IT WORK?
• Understanding Cloud Computing
• Managing the risks
POLLING QUESTION
• How familiar are you with the major Cloud Service and Deployment models?
– A. Very familiar
– B. Somewhat familiar
– C. I’ve heard of them
– D. Not familiar at all
ESSENTIAL CHARACTERISTICS
• Resource Pooling
• Broad Network Access
• Rapid Elasticity
• Measured Service
• On Demand Self Service
CLOUD SERVICE MODELS
• Infrastructure as a Service (IaaS)
– “Raw” Servers, Disk Space, Network
– Ex. Amazon Elastic Compute Cloud (EC2)
– Foundational to PaaS and SaaS
– Security (other than physical) provided by cloud consumer
CLOUD SERVICE MODELS
• Platform as a Service (PaaS)
– Middleware and application development frameworks supported by provider
– Cloud-deployed applications created and supported by consumer
– Ex. Google App Engine
– Built on top of IaaS
– Security must be built in by developer (provider or consumer)
CLOUD SERVICE MODELS
• Software as a Service (SaaS)
– “On Demand” application availability
– Software and data hosted by provider
– Accessed with a web browser
– Ex. Gmail
– Built on top of IaaS and PaaS
– Highest provider security level
CLOUD SERVICE LAYERS
[Diagram: the three service layers stacked, IaaS at the bottom, PaaS above it, SaaS on top. Moving down the stack toward IaaS, the consumer’s configuration options increase; moving up toward SaaS, the share of security provided by the provider increases.]
IN-HOUSE IT ASSETS VS. “SPI” SERVICES
In-House Attributes            SPI Attributes
Fixed                          Elastic
Overhead or Chargeback         Metered
Service Request                Self Service
Private Network Accessible     Internet Accessible
Dedicated                      Shared
DEPLOYMENT MODELS
• Public Cloud – More than one organization shares common IT resources
• Private Cloud – An organization buys and deploys its own IT resources, OR
– Contracts an exclusive arrangement with a 3rd party
• Community Cloud – Usage of public cloud by common mission or cause
– Ex. State or Local governments
• Hybrid Cloud – Some elements of all three
POTENTIAL BENEFITS
• Pay as you go model (low fixed cost)
• Remote access
• Rapid scalability
• Quicker deployment of IT-enabled strategies
• Stay current on technology upgrades
• Resiliency / Redundancy
WHERE PRIVATE CLOUDS MAKE SENSE
• Large Corporate Data Center
– High rate of optimization through virtualization
– Diversity of apps are coded to run using common O/S, database and network
– Apps are “swapped out” on common hardware based on processing load
– Same hardware that runs mission critical app may also run support app in non-peak time
– “Workload Agnostic Computing”
VIRTUALIZATION STATS
• InfoWeek Poll – Major Corporations
– 97% use Server Virtualization extensively or on a limited basis (ex. VMware vSphere)
– 57% use Storage Virtualization (ex. NetApp)
– 44% use Desktop Virtualization (ex. Citrix)
– 42% use Application Virtualization (ex. VMware ThinApp)
– 37% use I/O Virtualization (ex. Cisco VFrame)
– 30% use Network Virtualization (ex. Nicira Networks “DVNI”)
WHERE PUBLIC CLOUDS MAKE SENSE
• Businesses of any size where captive IT resources aren’t cost effective or available
– Fixed capital expense becomes variable operating expense
– Can quickly level the playing field for small and medium sized businesses
• “Cloud Bursting” – Adding incremental capacity to meet peak or seasonal demands
• Prototyping – Running simulations to determine in-house data center capacity needs
POLLING QUESTION
• Describe your usage of Public Cloud infrastructure
– A. Active production deployment
– B. Evaluating or budgeted plans for production deployment
– C. No plans for Public Cloud deployment
– D. Don’t know
PUBLIC CLOUD PLANS
• InfoWeek Survey
– 26% plan to deploy in the next year
– 38% have no plans to deploy
– 11% already have public deployment
• Are you sure?
– DR scenario: private cloud becomes public
ESSENCE OF THE PUBLIC CLOUD DECISION
• A thoughtfully considered* decision to move one of the following into the public cloud domain:
– Data
• Essential to map your data and understand whether, and how, it flows in and out of the cloud
• Important to classify low value, high value regulated and high value unregulated assets
– Transactions/Processing
THOUGHTFULLY CONSIDER – HOW?
• How would you be harmed if:
– The asset became widely public or widely distributed?
– An employee of the cloud provider accessed the asset?
– The process or function was manipulated by an outsider?
– The process or function failed to provide the expected results?
– The information/data was unexpectedly changed?
– The asset were unavailable for a period of time?
TOP PUBLIC CLOUD CONCERNS
• Data Security
– Assurance framework
• Reliability / Availability
• Integration with Existing Systems
• Loss of Control
A GROWING OPPORTUNITY
• Revenue from "public cloud" services, in billions of dollars. Source: Forrester Research
[Chart: public cloud revenue by year, 2008 to 2013, plotted on a 0 to 70 billion dollar axis]
MAJOR PUBLIC CLOUD SERVICE PROVIDERS
POLLING QUESTION
• Do you see a vendor on the previous slide who is used by your company, but you were unaware they were a provider of cloud services?
– A. Yes
– B. No
APPLICABLE COMPLIANCE CERTIFICATIONS
• SSAE-16, SOC 1, 2, 3
– Financial reporting and service oriented controls
– Focused on integrity
• ISO 9002 – Quality oriented controls
– Focused on process
• ISO 27001/27002 – Security oriented controls
– Focused on security
• TIA 942 (Telecommunications Industry Association) – Data center fault tolerant controls
– Focused on resilience
PII BREACH BY CLOUD PROVIDER
• Could subject them to violations under the following privacy laws:
– Privacy and safeguard rules under GLBA
– PCI-DSS data transmission and storage security provisions
– HIPAA restrictions on sharing health care data
– Breach provisions under the HITECH Act
• Depends on provider’s contract provisions
• You can’t outsource your accountability for information security
ASSURANCE FRAMEWORKS
• Cloud Security Alliance (CSA) – Cloud Controls Matrix
– https://cloudsecurityalliance.org
• Information Systems Audit and Control Association (ISACA) – Cloud Computing Management Audit/Assurance Program
– http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx
• European Network and Information Security Agency (ENISA) – Cloud Computing Security Risk Assessment
– http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
CLOUD SECURITY ALLIANCE
• GRC “Stack”
– Cloud Controls Matrix
– Consensus Assessments Initiative
– Cloud Audit
– Cloud Trust Protocol
– Designed to support both cloud consumers and cloud providers
– Created to capture value from the cloud as well as support compliance and control within the cloud
© 2011 Cloud Security Alliance, Inc. All rights reserved
GRC STACK
• Cloud Controls Matrix
– Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider
– What control requirements should I have as a cloud consumer or cloud provider?
• Consensus Assessments Initiative
– Industry-accepted ways to document what security controls exist
– How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
GRC STACK
• Cloud Audit – Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance of cloud environments
– How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
• Cloud Trust Protocol – Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud provider
– How do I know that the controls I need are working for me (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?
CLOUD CONTROLS MATRIX
Controls base-lined and mapped to:
– BITS Shared Assessments
– COBIT
– FedRAMP
– HIPAA/HITECH Act
– ISO/IEC 27001:2005
– Jericho Forum
– NERC CIP
– NIST SP800-53
– PCI DSS v2.0
CLOUD CONTROL MATRIX - DOMAINS
1. Compliance (CO)
2. Data Governance (DG)
3. Facility Security (FS)
4. Human Resources (HR)
5. Information Security (IS)
6. Legal (LG)
7. Operations Management (OM)
8. Risk Management (RI)
9. Release Management (RM)
10. Resiliency (RS)
11. Security Architecture (SA)
CCM - CONTROLS
CCM – CONTROLS (CONT.)
CCM – CONTROLS (CONT.)
CCM – CONTROLS (CONT.)
CLOUD CONTROL MATRIX - SAMPLE
WHAT DO YOU DO WITH A COMPLETED CCM?
• Consumer: As an internal assessment tool
– Log exceptions and draft a report of provider’s level of control maturity or a gap analysis
• Provider: As a public assertion of control maturity
– CSA STAR (Security, Trust and Assurance Registry)
– Trusted Cloud Initiative
• www.cloudsecurityalliance.org/trustedcloud.html
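The consumer-side use of a completed CCM described above (log exceptions, then draft a gap analysis or a view of the provider’s control maturity) can be mechanised once the provider’s responses are captured in a structured form. The following is an added example written for this transcript, not code from the webinar or from the Cloud Security Alliance. The domain codes are the ones listed on the domains slide; the control IDs, responses and evidence strings are constructed for illustration and are not CSA’s control text.

```python
"""Added example (not part of the webinar): turning completed Cloud Controls
Matrix responses into an exception log and a per-domain maturity summary.
Control IDs, responses and evidence references below are constructed in the
style of the CCM domain codes; they are not the CSA's own control wording."""
from collections import defaultdict

# Domain codes as listed on the "Cloud Control Matrix - Domains" slide.
DOMAINS = {
    "CO": "Compliance", "DG": "Data Governance", "FS": "Facility Security",
    "HR": "Human Resources", "IS": "Information Security", "LG": "Legal",
    "OM": "Operations Management", "RI": "Risk Management",
    "RM": "Release Management", "RS": "Resiliency", "SA": "Security Architecture",
}

# Constructed provider responses: (control id, response, evidence reference).
SAMPLE_RESPONSES = [
    ("CO-01", "yes", "SOC 2 Type II report (constructed reference)"),
    ("CO-03", "partial", "ISO 27001 certificate covers EU data centres only"),
    ("DG-02", "no", ""),
    ("DG-05", "yes", "Data classification standard v3"),
    ("HR-02", "yes", ""),  # asserted, but no evidence offered
    ("IS-07", "yes", "Annual penetration test summary"),
    ("IS-12", "no", ""),
    ("RS-03", "n/a", "No DR commitment for this service tier"),
    ("SA-04", "partial", "Multi-factor auth for administrators only"),
]

# Credit given to each response when computing maturity.
CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}


def analyse(responses):
    """Return (maturity_by_domain, exceptions).

    maturity_by_domain maps a domain code to the percentage of credit earned
    across the controls that apply; exceptions is a list of
    (control id, response, reason) for everything a reviewer must follow up.
    """
    totals = defaultdict(lambda: {"applicable": 0, "credit": 0.0})
    exceptions = []
    for control_id, response, evidence in responses:
        code = control_id.split("-")[0]
        if code not in DOMAINS:
            raise ValueError(f"unknown CCM domain code in {control_id!r}")
        if response == "n/a":
            # Logged but not scored: the reviewer should confirm that the
            # "not applicable" claim is reasonable for the service in scope.
            exceptions.append((control_id, response, "confirm not-applicable claim"))
            continue
        credit = CREDIT[response]
        if response == "yes" and not evidence:
            # An unsupported "yes" only earns partial credit until evidence is seen.
            credit = CREDIT["partial"]
            exceptions.append((control_id, response, "asserted without evidence"))
        elif response != "yes":
            exceptions.append((control_id, response, "control not fully met"))
        totals[code]["applicable"] += 1
        totals[code]["credit"] += credit
    maturity = {
        code: round(100 * t["credit"] / t["applicable"]) for code, t in totals.items()
    }
    return maturity, exceptions


def gap_report(responses):
    """Render the analysis as report lines, weakest domains first."""
    maturity, exceptions = analyse(responses)
    lines = ["Provider control maturity by CCM domain:"]
    for code, pct in sorted(maturity.items(), key=lambda kv: kv[1]):
        lines.append(f"  {code} {DOMAINS[code]:<25} {pct:3d}%")
    lines.append(f"Exceptions logged: {len(exceptions)}")
    for control_id, response, reason in exceptions:
        lines.append(f"  {control_id} [{response}] {reason}")
    return lines


if __name__ == "__main__":
    print("\n".join(gap_report(SAMPLE_RESPONSES)))
```

Two choices in the scoring are deliberate: a "yes" with no evidence is not credited in full, and a "not applicable" answer is never silently dropped, since both are exactly the places where a provider’s self-assertion needs the consumer’s scrutiny.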
POLLING QUESTION
• Regarding the Cloud Security Alliance Cloud Control Matrix:
– A. I am familiar with the CSA and CCM and have used the framework to assess cloud service providers.
– B. I am familiar with the framework but have yet to use it.
– C. I have not previously heard of the framework but think it might be useful.
– D. I don’t think this framework is applicable to my company’s assessment of cloud service providers.
INTEGRATION TRENDS / CONCERNS
• “Bring Your Own Device” (BYOD)
– Smartphone, tablet, laptop
• “Bring Your Own Cloud” (BYOC)
– Google Docs, Dropbox, iCloud, Skydrive
“DATA AWARE” SECURITY
• Information Security trend
• Knowing if a particular combination of user, device, and software can be trusted with access to specific information
• Challenge: Encoding this security intelligence into your data before you store it in the public cloud
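The two ideas above fit together: the classification tiers from the "essence of the decision" slide (low value, high value regulated, high value unregulated) decide what rule applies, and "data aware" security means that rule is carried with the data so a (user, device, software) combination can be evaluated wherever the data lands. The following is an added example written for this transcript, not code from the webinar; the asset names, roles, the three-check rule set and the sample decisions are all constructed to illustrate the approach.

```python
"""Added example (not part of the webinar): classify a data asset into the three
tiers named on the "essence of the decision" slide, attach the access rule to the
asset as a label, and evaluate a (user, device, software) combination against it.
Asset names, roles and the rule set are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

LOW_VALUE = "low_value"
HIGH_VALUE_UNREGULATED = "high_value_unregulated"
HIGH_VALUE_REGULATED = "high_value_regulated"


@dataclass(frozen=True)
class DataAsset:
    name: str
    business_critical: bool       # exposure or loss would cause material harm
    regulated: bool               # in scope for a privacy or security regulation
    need_to_know: FrozenSet[str]  # roles with a business reason to access it


@dataclass(frozen=True)
class AccessContext:
    user_role: str
    device_managed: bool      # corporate-managed vs. "bring your own device"
    software_approved: bool   # sanctioned client vs. "bring your own cloud" app


def classify(asset: DataAsset) -> str:
    """Regulated data is always high value; otherwise value follows criticality."""
    if asset.regulated:
        return HIGH_VALUE_REGULATED
    if asset.business_critical:
        return HIGH_VALUE_UNREGULATED
    return LOW_VALUE


# Constructed rule set, keyed by tier: which of the three checks must pass.
RULES = {
    LOW_VALUE: {"need_to_know": False, "managed_device": False, "approved_software": False},
    HIGH_VALUE_UNREGULATED: {"need_to_know": True, "managed_device": False, "approved_software": True},
    HIGH_VALUE_REGULATED: {"need_to_know": True, "managed_device": True, "approved_software": True},
}


def label(asset: DataAsset) -> dict:
    """Metadata to store next to the object in the cloud: the tier and its rule.

    Because the rule travels with the data, an enforcement point can decide
    without calling back to the application that created the data.
    """
    tier = classify(asset)
    return {
        "asset": asset.name,
        "classification": tier,
        "rule": dict(RULES[tier]),
        "need_to_know": sorted(asset.need_to_know),
    }


def decide(asset_label: dict, ctx: AccessContext) -> Tuple[bool, str]:
    """Evaluate a stored label against the requesting user/device/software."""
    tier, rule = asset_label["classification"], asset_label["rule"]
    if rule["need_to_know"] and ctx.user_role not in asset_label["need_to_know"]:
        return False, f"{tier}: role {ctx.user_role!r} has no need to know"
    if rule["managed_device"] and not ctx.device_managed:
        return False, f"{tier}: unmanaged device"
    if rule["approved_software"] and not ctx.software_approved:
        return False, f"{tier}: unapproved software"
    return True, f"{tier}: access allowed"


if __name__ == "__main__":
    # Constructed sample: cardholder records are regulated, so the strictest rule applies.
    records = label(DataAsset("cardholder-records", True, True, frozenset({"payments-ops"})))
    for ctx in (AccessContext("payments-ops", True, True),
                AccessContext("payments-ops", False, True),
                AccessContext("marketing", True, True)):
        print(ctx, "->", decide(records, ctx))
```

The point of `label` is the slide’s "challenge": the decision logic is serialised alongside the data before it goes to the public cloud, so the same answer is produced whether the request arrives through the corporate application or through a synchronisation client the organisation never deployed.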
RECAP
• Cloud computing has tangible benefits and could be a strategic differentiator
• Your organization may be more actively deployed to the “cloud” than you realize
• New risks are introduced, but can be managed with assurance frameworks
QUESTIONS?
REFERENCES
• Cloud Security Alliance
– Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 (2011)
• https://cloudsecurityalliance.org/research/security-guidance/
– Cloud Security Alliance GRC Stack (2011)
• https://cloudsecurityalliance.org/research/grc-stack/
– Cloud Security Alliance Cloud Controls Matrix V1.1 (2010)
• https://cloudsecurityalliance.org/research/ccm/
• Information Week (Jan-Mar 2012)
• MIT Technology Review (Jan-Mar 2012)