cloud computing risk management (multi venue)
DESCRIPTION
TRANSCRIPT
© Copyright 2012 | First Data Corporation
Cloud Computing Risk Management
Brian Dickard – Director, Enterprise Risk Management
Security Considerations from an Assurance Perspective
2 | © Copyright 2012 | First Data Corporation
Agenda
• Introduction
• Terminology
• Major Public Cloud Services
• Assessing Public Cloud Risk
• Trends and Issues
• Concluding Remarks
3 | © Copyright 2012 | First Data Corporation
Introduction
•First Data Vision
•To shape the future of global commerce by delivering the world’s most secure and innovative payment solutions
.
4 | © Copyright 2012 | First Data Corporation
Introduction
•First Data Business • First Data provides a single source for payment processing virtually anywhere and
any way our customers want to pay. We deliver innovative, data-driven solutions that help merchants, financial institutions, businesses and government agencies across the globe reduce costs and drive revenue..
5 | © Copyright 2012 | First Data Corporation
Cloud computing – what is it?
• Where did it come from?
• Why should I care as a business manager?
• What types of risk are there?
• How does it work? .
6 | © Copyright 2012 | First Data Corporation
7 | © Copyright 2012 | First Data Corporation
How familiar are you with the major Cloud
Service and Deployment models ?
•A. Very familiar
•B. Somewhat familiar
•C. I’ve heard of them
•D. Not familiar at all
8 | © Copyright 2012 | First Data Corporation
Essential Characteristics
•Resource Pooling
•Broad Network Access
•Rapid Elasticity
•Measured Service
•On Demand Self Service
9 | © Copyright 2012 | First Data Corporation
Cloud Service Models
• Infrastructure as a Service (IaaS)
•“Raw” Servers, Disk Space, Network
•Ex. Amazon Elastic Cloud Computing (EC2)
•Foundational to PaaS and SaaS
•Security (other than physical) provided by cloud consumer
10 | © Copyright 2012 | First Data Corporation
Cloud Service Models
•Platform as a Service (PaaS)
•Middleware and application development frameworks supported by provider
•Cloud-deployed applications created and supported by consumer
•Ex. Google App Engine
•Built on top of IaaS
•Security must be built in by developer (provider or consumer)
11 | © Copyright 2012 | First Data Corporation
Cloud Service Models
•Software as a Service (SaaS)
•“On Demand” application availability
•Software and data hosted by provider
•Accessed with a web browser
•Ex. Gmail
•Built on top of IaaS and PaaS
•Highest provider security level
12 | © Copyright 2012 | First Data Corporation
Cloud Service Layers
IaaS
PaaS
SaaS Increasing
consumer
configuration
options
Increasing
provider
security
13 | © Copyright 2012 | First Data Corporation
In-House IT Assets vs. “SPI” Services
In-House Attributes SPI Attributes
Fixed Elastic
Overhead or Chargeback Metered
Service Request Self Service
Private Network Accessible Internet Accessible
Dedicated Shared
14 | © Copyright 2012 | First Data Corporation
Deployment Models
•Public Cloud • More than one organization shares common IT resources
•Private Cloud • An organization buys and deploys its own IT resources
- OR –
• Contracts exclusive arrangement with a 3rd party
•Community Cloud • Usage of public cloud by common mission or cause
• Ex. State or Local governments
•Hybrid Cloud • Some elements of all three
15 | © Copyright 2012 | First Data Corporation
Potential Benefits
•Pay as you go model (low fixed cost)
•Remote access
•Rapid scalability
•Quicker deployment of IT-enabled strategies
•Stay current on technology upgrades
•Resiliency / Redundancy
16 | © Copyright 2012 | First Data Corporation
17 | © Copyright 2012 | First Data Corporation
Where Private Clouds Make Sense
•Large Corporate Data Center
•High rate of optimization through virtualization
•Diversity of apps are coded to run using common O/S, database and network
•Apps are “swapped out” on common hardware based on processing load
•Same hardware that runs mission critical app may also run support app in non-peak time
•“Workload Agnostic Computing”
18 | © Copyright 2012 | First Data Corporation
Virtualization Stats
• InfoWeek Poll – Major Corporations
• 97% use Server Virtualization extensively or on a limited basis (ex. VMWare vSphere)
• 57% use Storage Virtualization (ex. NetApp)
• 44% use Desktop Virtualization (ex. Citrix)
• 42% use Application Virtualization (ex. Vmware ThinApp)
• 37% use I/O Virtualization (ex. Cisco VFrame)
• 30% use Network Virtualization (ex. Nicira Networks “DVNI” – Acquired by VMWare)
19 | © Copyright 2012 | First Data Corporation
Where Public Clouds Make Sense
• Businesses of any size where captive IT resources aren’t cost effective or available
• Fixed capital expense becomes variable operating expense
• Can quickly level the playing field for small and medium sized businesses
• “Cloud Bursting”
• Adding incremental capacity to meet peak or seasonal demands
• Prototyping
• Running simulations to determine in-house data center capacity needs
20 | © Copyright 2012 | First Data Corporation
Public Cloud Plans
• Infoweek Survey
•26% plan to deploy in the next year
•38% have no plans to deploy
•11% already have public deployment
•Are you sure?
•DR scenario: private cloud becomes public
21 | © Copyright 2012 | First Data Corporation
22 | © Copyright 2012 | First Data Corporation
Essence of the Public Cloud Decision
•A thoughtfully considered* decision to move one of the following into the public cloud domain:
•Data
•Essential to map your data and understand whether, and how, it flows in and out of the cloud
•Important to classify low value, high value regulated and high value unregulated assets
•Transactions/Processing
23 | © Copyright 2012 | First Data Corporation
Thoughtfully Consider - How?
• How would you be harmed if:
• The asset became widely public or widely distributed?
• An employee of the cloud provider accessed the asset?
• The process or function was manipulated by an outsider?
• The process or function failed to provide the expected results?
• The information/data was unexpectedly changed?
• The asset were unavailable for a period of time?
24 | © Copyright 2012 | First Data Corporation
Top Public Cloud Concerns
25 | © Copyright 2012 | First Data Corporation
A Growing Opportunity
0
10
20
30
40
50
60
70
2008 2009 2010 2011 2012 2013
Revenue
Revenue
Revenue from "public cloud" services, in billions of dollars. Source: Forrester Research
26 | © Copyright 2012 | First Data Corporation
Major Public Cloud Service Providers
27 | © Copyright 2012 | First Data Corporation
28 | © Copyright 2012 | First Data Corporation
Applicable Compliance Certifications
• SSAE-16, SOC-1,2,3
• Financial Reporting and service oriented controls
• Focused on integrity
• ISO 9002
• Quality oriented controls
• Focused on process
• ISO 27001 /27002
• Security oriented controls
• Focused on security
• TIA 942 (Telecommunications Industry Association)
• Data center fault tolerant controls
• Focused on resilience
29 | © Copyright 2012 | First Data Corporation
PII Breach by Cloud Provider
• Could subject them to violations under the following privacy laws:
• Privacy and safeguard rules under GLBA
• PCI-DSS data transmission and storage security provisions
• HIPAA restrictions on sharing health care data
• Breach provisions under the HITECH Act
• Depends on provider’s contract provisions
• You can’t outsource your accountability for information security
30 | © Copyright 2012 | First Data Corporation
Assurance Frameworks
• Cloud Security Alliance (CSA)
• Cloud Controls Matrix
• https://cloudsecurityalliance.org
• Information Systems Audit and Control Association (ISACA)
• Cloud Computing Management Audit/Assurance Program
• http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx
• European Network and Information Security Agency (ENISA)
• Cloud Computing Security Risk Assessment
• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
31 | © Copyright 2012 | First Data Corporation
Cloud Security Alliance
• GRC “Stack”
• Cloud Controls Matrix
• Consensus Assessments Initiative
• Cloud Audit
• Cloud Trust Protocol
• Designed to support both cloud consumers and cloud providers
• Created to capture value from the cloud as well as support compliance and control within the cloud
© 2011 Cloud Security Alliance, Inc. All rights reserved
32 | © Copyright 2012 | First Data Corporation
33 | © Copyright 2012 | First Data Corporation
Cloud Controls Matrix
Controls base-lined and mapped to:
• BITS Shared Assessments
• COBIT
• FedRAMP
• HIPAA/HITECH Act
• ISO/IEC 27001-2005
• Jericho Forum
• NERC CIP
• NIST SP800-53
• PCI DSSv2.0
© 2011 Cloud Security Alliance, Inc. All rights reserved
34 | © Copyright 2012 | First Data Corporation
Cloud Control Matrix - Domains
1. Compliance (CO)
2. Data Governance (DG)
3. Facility Security (FS)
4. Human Resources (HR)
5. Information Security (IS)
6. Legal (LG)
7. Operations Management
(OM)
8. Risk Management (RI)
9. Release Management (RM)
10. Resiliency (RS)
11. Security Architecture (SA)
© 2011 Cloud Security Alliance, Inc. All rights reserved
100 Individual Controls
35 | © Copyright 2012 | First Data Corporation
Cloud Control Matrix - Sample
© 2011 Cloud Security Alliance, Inc. All rights reserved
36 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Compliance
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Compliance - Independent Audits • Independent reviews and assessments shall be performed at least annually, or at
planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing)
• Compliance - Third Party Audits • Third party service providers shall demonstrate compliance with information
security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.
• Compliance - Intellectual Property • Policy, process and procedure shall be established and implemented to safeguard
intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.
37 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Data Governance
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Data Governance – Classification • Data, and objects containing data, shall be assigned a classification based on
data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.
• Data Governance - Retention Policy • Policies and procedures for data retention and storage shall be established
and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of backups must be implemented at planned intervals.
• Data Governance - Information Leakage • Security mechanisms shall be implemented to prevent data leakage.
38 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Facility Security
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Facility Security - Controlled Access Points • Physical security perimeters (fences, walls, barriers, guards, gates, electronic
surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.
• Facility Security - Off-Site Authorization • Authorization must be obtained prior to relocation or transfer of hardware,
software or data to an offsite premises.
39 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Information Security
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Information Security - Baseline Requirements • Baseline security requirements shall be established and applied to the design
and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.
• Information Security - User Access Reviews • All levels of user access shall be reviewed by management at planned
intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.
• Information Security – Encryption • Policies and procedures shall be established and mechanisms implemented
for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).
40 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Information Security
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Information Security - Vulnerability / Patch Management • Policies and procedures shall be established and mechanism implemented for
vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner taking a risk-based approach for prioritizing critical patches.
• Information Security - Incident Reporting • Contractors, employees and third party users shall be made aware of their
responsibility to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.
• Information Security - eCommerce Transactions • Electronic commerce (e-commerce) related data traversing public networks shall
be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner to prevent contract dispute and compromise of data.
41 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Operations Management
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Operations Management - Capacity / Resource Planning • The availability, quality, and adequate capacity and resources shall be
planned, prepared, and measured to deliver the required system performance in accordance with regulatory, contractual and business requirements. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
• Operations Management - Equipment Maintenance • Policies and procedures shall be established for equipment maintenance
ensuring continuity and availability of operations.
42 | © Copyright 2012 | First Data Corporation
43 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Risk Management
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Risk Management – Assessments • Aligned with the enterprise-wide framework, formal risk assessments shall be
performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
• Risk Management - Third Party Access • The identification, assessment, and prioritization of risks posed by business
processes requiring third party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
44 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Release Management
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Release Management - Production Changes • Changes to the production environment shall be documented, tested and
approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications.
• Release Management - Unauthorized Software Installations • Policies and procedures shall be established and mechanisms implemented to
restrict the installation of unauthorized software.
45 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Resiliency
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Resiliency - Business Continuity Planning • A consistent unified framework for business continuity planning and plan
development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements.
• Resiliency - Business Continuity Testing • Business continuity plans shall be subject to test at planned intervals or upon
significant organizational or environmental changes to ensure continuing effectiveness.
46 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Security Architecture
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Security Architecture - Network Security • Network environments shall be designed and configured to restrict
connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.
• Security Architecture - Shared Networks • Access to systems with shared network infrastructure shall be restricted to
authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.
47 | © Copyright 2012 | First Data Corporation
Key CCM Controls
Security Architecture
© 2011 Cloud Security Alliance, Inc. All rights reserved
• Security Architecture - Audit Logging / Intrusion Detection • Audit logs recording privileged user access activities, authorized and
unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.
48 | © Copyright 2012 | First Data Corporation
What do you do with a completed
CCM?
© 2011 Cloud Security Alliance, Inc. All rights reserved
•Consumer: As an internal assessment tool • Log exceptions and draft a report of provider’s level of control
maturity or a gap analysis
•Provider: As a public assertion of control maturity • CSA STAR (Security, Trust and Assurance Registry)
• Trusted Cloud Initiative
•www.cloudsecurityalliance.org/trustedcloud.html
49 | © Copyright 2012 | First Data Corporation
Are Assessments Being Done?
50 | © Copyright 2012 | First Data Corporation
51 | © Copyright 2012 | First Data Corporation
Integration Trends / Concerns
• “Bring Your Own Device” (BYOD)
•Smartphone, tablet, laptop
• “Bring Your Own Cloud” (BYOC)
•Google Docs, Dropbox, iCloud, Skydrive
52 | © Copyright 2012 | First Data Corporation
“Data Aware” Security
• Information Security trend
•Knowing if a particular combination of user, device, and software can be trusted with access to specific information
•Challenge: Encoding this security intelligence into your data before you store it in the public cloud
53 | © Copyright 2012 | First Data Corporation
Recap
•Cloud computing has tangible benefits and could be a strategic differentiator
•Your organization may be more actively deployed to the “cloud” than you realize
•New risks are introduced, but can be managed with assurance frameworks
54 | © Copyright 2012 | First Data Corporation
55 | © Copyright 2012 | First Data Corporation
Questions?
56 | © Copyright 2012 | First Data Corporation
References
•Cloud Security Alliance • Security Guidance For Critical Areas of Focus in Cloud Computing
V3.0 (2011)
• https://cloudsecurityalliance.org/research/security-guidance/
• Cloud Security Alliance GRC Stack (2011)
• https://cloudsecurityalliance.org/research/grc-stack/
• Cloud Security Alliance Cloud Controls Matrix V1.1 (2010)
• https://cloudsecurityalliance.org/research/ccm/
• Information Week (Jan-Mar 2012)
•MIT Technology Review (Jan-Mar 2012)