CLOUD COMPUTING RISK MANAGEMENT: SECURITY CONSIDERATIONS FROM AN ASSURANCE PERSPECTIVE
George Thomas, SVP Internal Audit, First Data Corp
Brian Dickard, Director Internal Audit, First Data Corp

Upload: brian-k-dickard

Post on 15-Jul-2015


TRANSCRIPT

Page 1: Cloud Computing Risk Management (IIA Webinar)

CLOUD COMPUTING RISK MANAGEMENT: SECURITY CONSIDERATIONS FROM AN ASSURANCE PERSPECTIVE

George Thomas, SVP Internal Audit – First Data Corp

Brian Dickard, Director Internal Audit – First Data Corp

Page 2: Cloud Computing Risk Management (IIA Webinar)

AGENDA

• Introduction

• Terminology and Stats

• Major Public Cloud Services

• Assessing Public Cloud Risk

• Trends and Issues

• Concluding Remarks

CLOUD COMPUTING RISK MANAGEMENT: SECURITY CONSIDERATIONS FROM AN ASSURANCE PERSPECTIVE

2

Page 3: Cloud Computing Risk Management (IIA Webinar)

INTRODUCTION

• First Data Vision

– To shape the future of global commerce by delivering the world’s most secure and innovative payment solutions


Page 4: Cloud Computing Risk Management (IIA Webinar)

CLOUD COMPUTING – WHAT IS IT?

• Where did it come from?

• Why should I care as a business manager?

• What types of risk are there?

• How does it work?


Page 5: Cloud Computing Risk Management (IIA Webinar)

CLOUD COMPUTING – HOW DOES IT WORK?

• Understanding Cloud Computing

• Managing the risks


Page 6: Cloud Computing Risk Management (IIA Webinar)

POLLING QUESTION

• How familiar are you with the major Cloud Service and Deployment models?

– A. Very familiar

– B. Somewhat familiar

– C. I’ve heard of them

– D. Not familiar at all


Page 7: Cloud Computing Risk Management (IIA Webinar)

ESSENTIAL CHARACTERISTICS

• Resource Pooling

• Broad Network Access

• Rapid Elasticity

• Measured Service

• On Demand Self Service


Page 8: Cloud Computing Risk Management (IIA Webinar)

CLOUD SERVICE MODELS

• Infrastructure as a Service (IaaS)

– “Raw” Servers, Disk Space, Network

– Ex. Amazon Elastic Cloud Computing (EC2)

– Foundational to PaaS and SaaS

– Security (other than physical) provided by cloud consumer


Page 9: Cloud Computing Risk Management (IIA Webinar)

CLOUD SERVICE MODELS

• Platform as a Service (PaaS)

– Middleware and application development frameworks supported by provider

– Cloud-deployed applications created and supported by consumer

– Ex. Google App Engine

– Built on top of IaaS

– Security must be built in by developer (provider or consumer)


Page 10: Cloud Computing Risk Management (IIA Webinar)

CLOUD SERVICE MODELS

• Software as a Service (SaaS)

– “On Demand” application availability

– Software and data hosted by provider

– Accessed with a web browser

– Ex. Gmail

– Built on top of IaaS and PaaS

– Highest provider security level


Page 11: Cloud Computing Risk Management (IIA Webinar)

CLOUD SERVICE LAYERS

[Figure: layer diagram with IaaS at the bottom, PaaS above it and SaaS on top; one arrow is labelled “Increasing consumer configuration options”, the other “Increasing provider security”]

Page 12: Cloud Computing Risk Management (IIA Webinar)

IN-HOUSE IT ASSETS VS. “SPI” SERVICES

In-House Attributes             SPI Attributes
Fixed                           Elastic
Overhead or Chargeback          Metered
Service Request                 Self Service
Private Network Accessible      Internet Accessible
Dedicated                       Shared

Page 13: Cloud Computing Risk Management (IIA Webinar)

DEPLOYMENT MODELS

• Public Cloud

– More than one organization shares common IT resources

• Private Cloud

– An organization buys and deploys its own IT resources – OR –

– Contracts exclusive arrangement with a 3rd party

• Community Cloud

– Usage of public cloud by common mission or cause

– Ex. State or Local governments

• Hybrid Cloud

– Some elements of all three


Page 14: Cloud Computing Risk Management (IIA Webinar)

POTENTIAL BENEFITS

• Pay as you go model (low fixed cost)

• Remote access

• Rapid scalability

• Quicker deployment of IT-enabled strategies

• Stay current on technology upgrades

• Resiliency / Redundancy


Page 15: Cloud Computing Risk Management (IIA Webinar)

WHERE PRIVATE CLOUDS MAKE SENSE

• Large Corporate Data Center

– High rate of optimization through virtualization

– Diverse apps are coded to run using common O/S, database and network

– Apps are “swapped out” on common hardware based on processing load

– Same hardware that runs mission critical app may also run support app in non-peak time

– “Workload Agnostic Computing”


Page 16: Cloud Computing Risk Management (IIA Webinar)

VIRTUALIZATION STATS

• InfoWeek Poll – Major Corporations

– 97% use Server Virtualization extensively or on a limited basis (ex. VMware vSphere)

– 57% use Storage Virtualization (ex. NetApp)

– 44% use Desktop Virtualization (ex. Citrix)

– 42% use Application Virtualization (ex. VMware ThinApp)

– 37% use I/O Virtualization (ex. Cisco VFrame)

– 30% use Network Virtualization (ex. Nicira Networks “DVNI”)


Page 17: Cloud Computing Risk Management (IIA Webinar)

WHERE PUBLIC CLOUDS MAKE SENSE

• Businesses of any size where captive IT resources aren’t cost effective or available

– Fixed capital expense becomes variable operating expense

– Can quickly level the playing field for small and medium sized businesses

• “Cloud Bursting”

– Adding incremental capacity to meet peak or seasonal demands

• Prototyping

– Running simulations to determine in-house data center capacity needs


Page 18: Cloud Computing Risk Management (IIA Webinar)

POLLING QUESTION

• Describe your usage of Public Cloud infrastructure

– A. Active production deployment

– B. Evaluating or budgeted plans for production deployment

– C. No plans for Public Cloud deployment

– D. Don’t know


Page 19: Cloud Computing Risk Management (IIA Webinar)

PUBLIC CLOUD PLANS

• Infoweek Survey

– 26% plan to deploy in the next year

– 38% have no plans to deploy

– 11% already have public deployment

• Are you sure?

– DR scenario: private cloud becomes public


Page 20: Cloud Computing Risk Management (IIA Webinar)

ESSENCE OF THE PUBLIC CLOUD

DECISION

• A thoughtfully considered* decision to move one of the following into the public cloud domain:

– Data

• Essential to map your data and understand whether, and how, it flows in and out of the cloud

• Important to classify low value, high value regulated and high value unregulated assets

– Transactions/Processing


Page 21: Cloud Computing Risk Management (IIA Webinar)

THOUGHTFULLY CONSIDER - HOW?

• How would you be harmed if:

– The asset became widely public or widely distributed?

– An employee of the cloud provider accessed the asset?

– The process or function was manipulated by an outsider?

– The process or function failed to provide the expected results?

– The information/data was unexpectedly changed?

– The asset were unavailable for a period of time?

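The two slides above describe a procedure: map each data asset and its flows in and out of the cloud, classify it (low value, high value regulated, high value unregulated), and rate the six harm scenarios. The following is an added worked example, not code from the deck or from First Data, that encodes that procedure as a small inventory-and-decision script. The asset names, impact ratings (0 = none to 4 = severe), the tolerance threshold of 2 and the decision labels are all constructed assumptions for illustration.

```python
"""Added example (not from the deck): a data-asset inventory and harm
assessment encoding the "thoughtfully consider" questions from the slides.
Asset names, impact ratings and the tolerance threshold are constructed."""
from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    LOW_VALUE = "low value"
    HIGH_VALUE_REGULATED = "high value, regulated"
    HIGH_VALUE_UNREGULATED = "high value, unregulated"


# The six "how would you be harmed if ..." scenarios from the deck, keyed for dict use.
HARM_SCENARIOS = {
    "widely_public": "asset became widely public or widely distributed",
    "provider_employee_access": "an employee of the cloud provider accessed the asset",
    "manipulated_by_outsider": "process or function manipulated by an outsider",
    "wrong_results": "process or function failed to provide expected results",
    "data_changed": "information/data unexpectedly changed",
    "unavailable": "asset unavailable for a period of time",
}


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: Classification
    flows_into_cloud: bool    # does the asset move from in-house into the cloud?
    flows_out_of_cloud: bool  # does it come back out (reports, exports, backups)?
    harm: dict                # scenario key -> impact rating 0 (none) .. 4 (severe)

    def __post_init__(self):
        # Every scenario must be rated; an unrated scenario is an assessment gap, not a zero.
        missing = set(HARM_SCENARIOS) - set(self.harm)
        if missing:
            raise ValueError(f"{self.name}: unrated scenarios {sorted(missing)}")
        if any(not 0 <= v <= 4 for v in self.harm.values()):
            raise ValueError(f"{self.name}: impact ratings must be 0..4")


def worst_case(asset):
    """Highest-impact scenario for the asset, as (scenario key, rating)."""
    key = max(asset.harm, key=asset.harm.get)
    return key, asset.harm[key]


def assess(asset, tolerance=2):
    """Decide whether the asset may move to the public cloud; returns (decision, reasons).

    An asset that never crosses the cloud boundary is out of scope. A regulated
    asset always carries a note that provider contract and compliance evidence
    are required. Any scenario rated above `tolerance` blocks the move until
    compensating controls exist (tolerance value is a constructed assumption).
    """
    if not (asset.flows_into_cloud or asset.flows_out_of_cloud):
        return "out of scope", ["asset never flows in or out of the cloud"]
    reasons = []
    if asset.classification is Classification.HIGH_VALUE_REGULATED:
        reasons.append("regulated data: provider contract and certifications must be evidenced")
    blocking = sorted(k for k, v in asset.harm.items() if v > tolerance)
    for k in blocking:
        reasons.append(f"'{HARM_SCENARIOS[k]}' rated {asset.harm[k]} > tolerance {tolerance}")
    if blocking:
        return "do not move without compensating controls", reasons
    return "eligible for public cloud", reasons


def _rate(**ratings):
    """Helper: build a full rating dict, defaulting unmentioned scenarios to 0."""
    return {k: ratings.get(k, 0) for k in HARM_SCENARIOS}


# Constructed inventory for illustration only (not First Data's data).
INVENTORY = (
    DataAsset("cardholder_primary_account_numbers", Classification.HIGH_VALUE_REGULATED,
              True, False, _rate(widely_public=4, provider_employee_access=4,
                                 data_changed=3, unavailable=2)),
    DataAsset("merchant_pricing_model", Classification.HIGH_VALUE_UNREGULATED,
              True, True, _rate(widely_public=3, manipulated_by_outsider=2)),
    DataAsset("public_marketing_collateral", Classification.LOW_VALUE,
              True, True, _rate(data_changed=1, unavailable=1)),
    DataAsset("internal_hr_handbook", Classification.LOW_VALUE,
              False, False, _rate(widely_public=1)),
)


def assess_inventory(assets=INVENTORY, tolerance=2):
    """Map asset name -> (decision, worst scenario), ordered most severe first."""
    ranked = sorted(assets, key=lambda a: worst_case(a)[1], reverse=True)
    return {a.name: (assess(a, tolerance)[0], worst_case(a)) for a in ranked}


if __name__ == "__main__":
    for name, (decision, (scenario, rating)) in assess_inventory().items():
        print(f"{name:40s} worst={scenario}({rating})  -> {decision}")
```

The point of the `__post_init__` check is that an unrated scenario is treated as an assessment gap rather than silently scored as no harm; the out-of-scope branch reflects the slide’s first question, whether the asset flows in or out of the cloud at all, which is answered before any harm rating is considered.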

Page 22: Cloud Computing Risk Management (IIA Webinar)

TOP PUBLIC CLOUD CONCERNS

• Data Security

– Assurance framework

• Reliability / Availability

• Integration with Existing Systems

• Loss of Control

CLOUD COMPUTING RISK MANAGEMENT: SECURITY CONSIDERATIONS FROM AN ASSURANCE PERSPECTIVE

22

Page 23: Cloud Computing Risk Management (IIA Webinar)

A GROWING OPPORTUNITY

• Revenue from "public cloud" services, in billions of dollars. Source: Forrester Research

[Bar chart: public cloud services revenue in billions of dollars, one bar per year from 2008 to 2013, y-axis 0 to 70]

Page 24: Cloud Computing Risk Management (IIA Webinar)

MAJOR PUBLIC CLOUD SERVICE PROVIDERS


Page 25: Cloud Computing Risk Management (IIA Webinar)

POLLING QUESTION

• Do you see a vendor on the previous slide, who is used by your company, but you were unaware they were a provider of cloud services?

– A. Yes

– B. No


Page 26: Cloud Computing Risk Management (IIA Webinar)

APPLICABLE COMPLIANCE CERTIFICATIONS

• SSAE-16, SOC-1,2,3

– Financial Reporting and service oriented controls

– Focused on integrity

• ISO 9002 – Quality oriented controls

– Focused on process

• ISO 27001 / 27002 – Security oriented controls

– Focused on security

• TIA 942 (Telecommunications Industry Association) – Data center fault tolerant controls

– Focused on resilience


Page 27: Cloud Computing Risk Management (IIA Webinar)

PII BREACH BY CLOUD PROVIDER

• Could subject them to violations under the following privacy laws:

– Privacy and safeguard rules under GLBA

– PCI-DSS data transmission and storage security provisions

– HIPAA restrictions on sharing health care data

– Breach provisions under the HITECH Act

• Depends on provider’s contract provisions

• You can’t outsource your accountability for information security


Page 28: Cloud Computing Risk Management (IIA Webinar)

ASSURANCE FRAMEWORKS

• Cloud Security Alliance (CSA) – Cloud Controls Matrix

– https://cloudsecurityalliance.org

• Information Systems Audit and Control Association (ISACA) – Cloud Computing Management Audit/Assurance Program

– http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx

• European Network and Information Security Agency (ENISA) – Cloud Computing Security Risk Assessment

– http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment


Page 29: Cloud Computing Risk Management (IIA Webinar)

CLOUD SECURITY ALLIANCE

• GRC “Stack”

– Cloud Controls Matrix

– Consensus Assessments Initiative

– Cloud Audit

– Cloud Trust Protocol

– Designed to support both cloud consumers and cloud providers

– Created to capture value from the cloud as well as support compliance and control within the cloud

© 2011 Cloud Security Alliance, Inc. All rights reserved

Page 30: Cloud Computing Risk Management (IIA Webinar)

GRC STACK

• Cloud Controls Matrix

– Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider

– What control requirements should I have as a cloud consumer or cloud provider?

• Consensus Assessments Initiative

– Industry-accepted ways to document what security controls exist

– How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?


Page 31: Cloud Computing Risk Management (IIA Webinar)

GRC STACK

• Cloud Audit – Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance of cloud environments

– How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?

• Cloud Trust Protocol – Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud provider

– How do I know that the controls I need are working for me (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?


Page 32: Cloud Computing Risk Management (IIA Webinar)

CLOUD CONTROLS MATRIX

Controls base-lined and mapped to:

– BITS Shared Assessments

– COBIT

– FedRAMP

– HIPAA/HITECH Act

– ISO/IEC 27001-2005

– Jericho Forum

– NERC CIP

– NIST SP800-53

– PCI DSS v2.0


Page 33: Cloud Computing Risk Management (IIA Webinar)

CLOUD CONTROL MATRIX - DOMAINS

1. Compliance (CO)

2. Data Governance (DG)

3. Facility Security (FS)

4. Human Resources (HR)

5. Information Security (IS)

6. Legal (LG)

7. Operations Management (OM)

8. Risk Management (RI)

9. Release Management (RM)

10. Resiliency (RS)

11. Security Architecture (SA)


Page 34: Cloud Computing Risk Management (IIA Webinar)

CCM - CONTROLS


Page 35: Cloud Computing Risk Management (IIA Webinar)

CCM – CONTROLS (CONT.)


Page 36: Cloud Computing Risk Management (IIA Webinar)

CCM – CONTROLS (CONT.)


Page 37: Cloud Computing Risk Management (IIA Webinar)

CCM – CONTROLS (CONT.)


Page 38: Cloud Computing Risk Management (IIA Webinar)

CLOUD CONTROL MATRIX - SAMPLE


Page 39: Cloud Computing Risk Management (IIA Webinar)

WHAT DO YOU DO WITH A COMPLETED

CCM?

• Consumer: As an internal assessment tool

– Log exceptions and draft a report of provider’s level of control maturity or a gap analysis

• Provider: As a public assertion of control maturity

– CSA STAR (Security, Trust and Assurance Registry)

– Trusted Cloud Initiative

• www.cloudsecurityalliance.org/trustedcloud.html

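The consumer use of a completed CCM described above, logging exceptions and drafting a report of the provider’s control maturity or a gap analysis, is mechanical once the responses are in a structured form. The following is an added example, not code from the deck, from First Data or from the Cloud Security Alliance, that turns a questionnaire of provider responses into an exception log and a per-domain maturity percentage. The domain codes are the eleven listed on the “Cloud Control Matrix - Domains” slide; the control ids, the yes/partial/no/n/a response vocabulary, the scoring weights and the evidence text are constructed assumptions, not CCM content.

```python
"""Added example (not from the deck or the CSA): exception log and maturity
score from a completed CCM-style questionnaire. Control ids, responses,
evidence and scoring weights are constructed sample data."""
import csv
from collections import defaultdict
from io import StringIO

# Domain codes as listed on the "Cloud Control Matrix - Domains" slide.
DOMAINS = {
    "CO": "Compliance", "DG": "Data Governance", "FS": "Facility Security",
    "HR": "Human Resources", "IS": "Information Security", "LG": "Legal",
    "OM": "Operations Management", "RI": "Risk Management",
    "RM": "Release Management", "RS": "Resiliency", "SA": "Security Architecture",
}

# Weight each response contributes toward maturity (assumed); "n/a" is excluded.
RESPONSE_SCORE = {"yes": 1.0, "partial": 0.5, "no": 0.0}

# Constructed provider responses; control ids are illustrative, not real CCM ids.
SAMPLE_RESPONSES = """\
control_id,domain,response,evidence
CO-01,CO,yes,SOC 2 Type II report 2011
DG-01,DG,partial,data classification policy draft
DG-02,DG,no,
IS-01,IS,yes,
IS-02,IS,yes,ISO 27001 certificate
RS-01,RS,n/a,
RS-02,RS,yes,DR test summary
"""


def parse_responses(text):
    """Parse the questionnaire CSV and reject unknown domains or responses."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["response"] = r["response"].strip().lower()
        if r["response"] != "n/a" and r["response"] not in RESPONSE_SCORE:
            raise ValueError(f"{r['control_id']}: unknown response {r['response']!r}")
        if r["domain"] not in DOMAINS:
            raise ValueError(f"{r['control_id']}: unknown domain {r['domain']!r}")
    return rows


def _unsupported(r):
    """A 'yes' with no evidence is an assertion, not a demonstrated control."""
    return r["response"] == "yes" and not r["evidence"].strip()


def exceptions(rows):
    """Exception log: every control not fully met, plus unsupported 'yes' claims."""
    log = []
    for r in rows:
        if r["response"] in ("no", "partial"):
            log.append((r["control_id"], f"response '{r['response']}'"))
        elif _unsupported(r):
            log.append((r["control_id"], "asserted without evidence"))
    return log


def maturity_by_domain(rows):
    """Percent of applicable controls met per domain; unsupported 'yes' scores as partial."""
    totals, counts = defaultdict(float), defaultdict(int)
    for r in rows:
        if r["response"] == "n/a":
            continue
        score = RESPONSE_SCORE["partial"] if _unsupported(r) else RESPONSE_SCORE[r["response"]]
        totals[r["domain"]] += score
        counts[r["domain"]] += 1
    return {d: round(100 * totals[d] / counts[d]) for d in counts}


def gap_report(text=SAMPLE_RESPONSES):
    """Draft report: per-domain maturity, exception log, and domains with no responses."""
    rows = parse_responses(text)
    return {
        "maturity": maturity_by_domain(rows),
        "exceptions": exceptions(rows),
        "domains_not_assessed": sorted(set(DOMAINS) - {r["domain"] for r in rows}),
    }


if __name__ == "__main__":
    report = gap_report()
    for code, pct in sorted(report["maturity"].items()):
        print(f"{code} {DOMAINS[code]:24s} {pct:3d}% of applicable controls met")
    for control_id, note in report["exceptions"]:
        print(f"exception {control_id}: {note}")
    print("not assessed:", ", ".join(report["domains_not_assessed"]))
```

Two design choices matter for an assurance reader: a “yes” with no evidence is logged as an exception and scored as partial, so an unsupported self-assertion cannot raise a domain to full maturity, and domains with no responses at all are reported separately rather than scored, since silence is a coverage gap in the questionnaire, not a control result.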

Page 40: Cloud Computing Risk Management (IIA Webinar)

POLLING QUESTION

• Regarding the Cloud Security Alliance Cloud Control Matrix:

– A. I am familiar with the CSA and CCM and have used the framework to assess cloud service providers.

– B. I am familiar with the framework but have yet to use it.

– C. I have not previously heard of the framework but think it might be useful.

– D. I don’t think this framework is applicable to my company’s assessment of cloud service providers.


Page 41: Cloud Computing Risk Management (IIA Webinar)

INTEGRATION TRENDS / CONCERNS

• “Bring Your Own Device” (BYOD)

– Smartphone, tablet, laptop

• “Bring Your Own Cloud” (BYOC)

– Google Docs, Dropbox, iCloud, Skydrive


Page 42: Cloud Computing Risk Management (IIA Webinar)

“DATA AWARE” SECURITY

• Information Security trend

• Knowing if a particular combination of user, device, and software can be trusted with access to specific information

• Challenge: Encoding this security intelligence into your data before you store it in the public cloud


Page 43: Cloud Computing Risk Management (IIA Webinar)

RECAP

• Cloud computing has tangible benefits and could be a strategic differentiator

• Your organization may be more actively deployed to the “cloud” than you realize

• New risks are introduced, but can be managed with assurance frameworks


Page 44: Cloud Computing Risk Management (IIA Webinar)

QUESTIONS?

[email protected]

[email protected]


Page 45: Cloud Computing Risk Management (IIA Webinar)

REFERENCES

• Cloud Security Alliance

– Security Guidance For Critical Areas of Focus in Cloud Computing V3.0 (2011)

• https://cloudsecurityalliance.org/research/security-guidance/

– Cloud Security Alliance GRC Stack (2011)

• https://cloudsecurityalliance.org/research/grc-stack/

– Cloud Security Alliance Cloud Controls Matrix V1.1 (2010)

• https://cloudsecurityalliance.org/research/ccm/

• Information Week (Jan-Mar 2012)

• MIT Technology Review (Jan-Mar 2012)
