cloud computing risk management (multi venue)

© Copyright 2012 | First Data Corporation

Cloud Computing Risk Management

Brian Dickard – Director, Enterprise Risk Management

Security Considerations from an Assurance Perspective

2 | © Copyright 2012 | First Data Corporation

Agenda

• Introduction

• Terminology

• Major Public Cloud Services

• Assessing Public Cloud Risk

• Trends and Issues

• Concluding Remarks


Introduction

•First Data Vision

•To shape the future of global commerce by delivering the world’s most secure and innovative payment solutions

.


Introduction

•First Data Business • First Data provides a single source for payment processing virtually anywhere and

any way our customers want to pay. We deliver innovative, data-driven solutions that help merchants, financial institutions, businesses and government agencies across the globe reduce costs and drive revenue..


Cloud computing – what is it?

• Where did it come from?

• Why should I care as a business manager?

• What types of risk are there?

• How does it work? .


How familiar are you with the major Cloud

Service and Deployment models ?

•A. Very familiar

•B. Somewhat familiar

•C. I’ve heard of them

•D. Not familiar at all


Essential Characteristics

•Resource Pooling

•Broad Network Access

•Rapid Elasticity

•Measured Service

•On Demand Self Service


Cloud Service Models

• Infrastructure as a Service (IaaS)

•“Raw” Servers, Disk Space, Network

•Ex. Amazon Elastic Cloud Computing (EC2)

•Foundational to PaaS and SaaS

•Security (other than physical) provided by cloud consumer



•Platform as a Service (PaaS)

•Middleware and application development frameworks supported by provider

•Cloud-deployed applications created and supported by consumer

•Ex. Google App Engine

•Built on top of IaaS

•Security must be built in by developer (provider or consumer)



•Software as a Service (SaaS)

•“On Demand” application availability

•Software and data hosted by provider

•Accessed with a web browser

•Ex. Gmail

•Built on top of IaaS and PaaS

•Highest provider security level


Cloud Service Layers

IaaS

PaaS

SaaS Increasing

consumer

configuration

options

Increasing

provider

security


In-House IT Assets vs. “SPI” Services

In-House Attributes SPI Attributes

Fixed Elastic

Overhead or Chargeback Metered

Service Request Self Service

Private Network Accessible Internet Accessible

Dedicated Shared


Deployment Models

•Public Cloud • More than one organization shares common IT resources

•Private Cloud • An organization buys and deploys its own IT resources

- OR –

• Contracts exclusive arrangement with a 3rd party

•Community Cloud • Usage of public cloud by common mission or cause

• Ex. State or Local governments

•Hybrid Cloud • Some elements of all three


Potential Benefits

•Pay as you go model (low fixed cost)

•Remote access

•Rapid scalability

•Quicker deployment of IT-enabled strategies

•Stay current on technology upgrades

•Resiliency / Redundancy


http://cloudappreciationsociety.org/gallery/photo-n-53/


Where Private Clouds Make Sense

•Large Corporate Data Center

•High rate of optimization through virtualization

•Diversity of apps are coded to run using common O/S, database and network

•Apps are “swapped out” on common hardware based on processing load

•Same hardware that runs mission critical app may also run support app in non-peak time

•“Workload Agnostic Computing”


Virtualization Stats

• InfoWeek Poll – Major Corporations

• 97% use Server Virtualization extensively or on a limited basis (ex. VMWare vSphere)

• 57% use Storage Virtualization (ex. NetApp)

• 44% use Desktop Virtualization (ex. Citrix)

• 42% use Application Virtualization (ex. Vmware ThinApp)

• 37% use I/O Virtualization (ex. Cisco VFrame)

• 30% use Network Virtualization (ex. Nicira Networks “DVNI” – Acquired by VMWare)


Where Public Clouds Make Sense

• Businesses of any size where captive IT resources aren’t cost effective or available

• Fixed capital expense becomes variable operating expense

• Can quickly level the playing field for small and medium sized businesses

• “Cloud Bursting”

• Adding incremental capacity to meet peak or seasonal demands

• Prototyping

• Running simulations to determine in-house data center capacity needs


Public Cloud Plans

• Infoweek Survey

•26% plan to deploy in the next year

•38% have no plans to deploy

•11% already have public deployment

•Are you sure?

•DR scenario: private cloud becomes public


http://cloudappreciationsociety.org/gallery/photo-08076-2/


Essence of the Public Cloud Decision

•A thoughtfully considered* decision to move one of the following into the public cloud domain:

•Data

•Essential to map your data and understand whether, and how, it flows in and out of the cloud

•Important to classify low value, high value regulated and high value unregulated assets

•Transactions/Processing


Thoughtfully Consider - How?

• How would you be harmed if:

• The asset became widely public or widely distributed?

• An employee of the cloud provider accessed the asset?

• The process or function was manipulated by an outsider?

• The process or function failed to provide the expected results?

• The information/data was unexpectedly changed?

• The asset were unavailable for a period of time?


Top Public Cloud Concerns


A Growing Opportunity

0

10

20

30

40

50

60

70

2008 2009 2010 2011 2012 2013

Revenue

Revenue

Revenue from "public cloud" services, in billions of dollars. Source: Forrester Research


Major Public Cloud Service Providers


http://cloudappreciationsociety.org/gallery/photo-07512/


Applicable Compliance Certifications

• SSAE-16, SOC-1,2,3

• Financial Reporting and service oriented controls

• Focused on integrity

• ISO 9002

• Quality oriented controls

• Focused on process

• ISO 27001 /27002

• Security oriented controls

• Focused on security

• TIA 942 (Telecommunications Industry Association)

• Data center fault tolerant controls

• Focused on resilience


PII Breach by Cloud Provider

• Could subject them to violations under the following privacy laws:

• Privacy and safeguard rules under GLBA

• PCI-DSS data transmission and storage security provisions

• HIPAA restrictions on sharing health care data

• Breach provisions under the HITECH Act

• Depends on provider’s contract provisions

• You can’t outsource your accountability for information security


Assurance Frameworks

• Cloud Security Alliance (CSA)

• Cloud Controls Matrix

• https://cloudsecurityalliance.org

• Information Systems Audit and Control Association (ISACA)

• Cloud Computing Management Audit/Assurance Program

• http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx

• European Network and Information Security Agency (ENISA)

• Cloud Computing Security Risk Assessment

• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

https://cloudsecurityalliance.org/

https://cloudsecurityalliance.org/

http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx














http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment










Cloud Security Alliance

• GRC “Stack”

• Cloud Controls Matrix

• Consensus Assessments Initiative

• Cloud Audit

• Cloud Trust Protocol

• Designed to support both cloud consumers and cloud providers

• Created to capture value from the cloud as well as support compliance and control within the cloud

© 2011 Cloud Security Alliance, Inc. All rights reserved


Cloud Controls Matrix

Controls base-lined and mapped to:

• BITS Shared Assessments

• COBIT

• FedRAMP

• HIPAA/HITECH Act

• ISO/IEC 27001-2005

• Jericho Forum

• NERC CIP

• NIST SP800-53

• PCI DSSv2.0



Cloud Control Matrix - Domains

1. Compliance (CO)

2. Data Governance (DG)

3. Facility Security (FS)

4. Human Resources (HR)

5. Information Security (IS)

6. Legal (LG)

7. Operations Management

(OM)

8. Risk Management (RI)

9. Release Management (RM)

10. Resiliency (RS)

11. Security Architecture (SA)


100 Individual Controls


Cloud Control Matrix - Sample



Key CCM Controls

Compliance


• Compliance - Independent Audits • Independent reviews and assessments shall be performed at least annually, or at

planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing)

• Compliance - Third Party Audits • Third party service providers shall demonstrate compliance with information

security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.

• Compliance - Intellectual Property • Policy, process and procedure shall be established and implemented to safeguard

intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.


Key CCM Controls

Data Governance


• Data Governance – Classification • Data, and objects containing data, shall be assigned a classification based on

data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.

• Data Governance - Retention Policy • Policies and procedures for data retention and storage shall be established

and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of backups must be implemented at planned intervals.

• Data Governance - Information Leakage • Security mechanisms shall be implemented to prevent data leakage.


Key CCM Controls

Facility Security


• Facility Security - Controlled Access Points • Physical security perimeters (fences, walls, barriers, guards, gates, electronic

surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.

• Facility Security - Off-Site Authorization • Authorization must be obtained prior to relocation or transfer of hardware,

software or data to an offsite premises.


Key CCM Controls

Information Security


• Information Security - Baseline Requirements • Baseline security requirements shall be established and applied to the design

and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.

• Information Security - User Access Reviews • All levels of user access shall be reviewed by management at planned

intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.

• Information Security – Encryption • Policies and procedures shall be established and mechanisms implemented

for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).


Key CCM Controls

Information Security


• Information Security - Vulnerability / Patch Management • Policies and procedures shall be established and mechanism implemented for

vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner taking a risk-based approach for prioritizing critical patches.

• Information Security - Incident Reporting • Contractors, employees and third party users shall be made aware of their

responsibility to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.

• Information Security - eCommerce Transactions • Electronic commerce (e-commerce) related data traversing public networks shall

be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner to prevent contract dispute and compromise of data.


Key CCM Controls

Operations Management


• Operations Management - Capacity / Resource Planning • The availability, quality, and adequate capacity and resources shall be

planned, prepared, and measured to deliver the required system performance in accordance with regulatory, contractual and business requirements. Projections of future capacity requirements shall be made to mitigate the risk of system overload.

• Operations Management - Equipment Maintenance • Policies and procedures shall be established for equipment maintenance

ensuring continuity and availability of operations.


Key CCM Controls

Risk Management


• Risk Management – Assessments • Aligned with the enterprise-wide framework, formal risk assessments shall be

performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

• Risk Management - Third Party Access • The identification, assessment, and prioritization of risks posed by business

processes requiring third party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.


Key CCM Controls

Release Management


• Release Management - Production Changes • Changes to the production environment shall be documented, tested and

approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications.

• Release Management - Unauthorized Software Installations • Policies and procedures shall be established and mechanisms implemented to

restrict the installation of unauthorized software.


Key CCM Controls

Resiliency


• Resiliency - Business Continuity Planning • A consistent unified framework for business continuity planning and plan

development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements.

• Resiliency - Business Continuity Testing • Business continuity plans shall be subject to test at planned intervals or upon

significant organizational or environmental changes to ensure continuing effectiveness.


Key CCM Controls

Security Architecture


• Security Architecture - Network Security • Network environments shall be designed and configured to restrict

connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.

• Security Architecture - Shared Networks • Access to systems with shared network infrastructure shall be restricted to

authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.


Key CCM Controls

Security Architecture


• Security Architecture - Audit Logging / Intrusion Detection • Audit logs recording privileged user access activities, authorized and

unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.


What do you do with a completed

CCM?


•Consumer: As an internal assessment tool • Log exceptions and draft a report of provider’s level of control

maturity or a gap analysis

•Provider: As a public assertion of control maturity • CSA STAR (Security, Trust and Assurance Registry)

• Trusted Cloud Initiative

•www.cloudsecurityalliance.org/trustedcloud.html

http://www.cloudsecurityalliance.org/trustedcloud.html


Are Assessments Being Done?


Integration Trends / Concerns

• “Bring Your Own Device” (BYOD)

•Smartphone, tablet, laptop

• “Bring Your Own Cloud” (BYOC)

•Google Docs, Dropbox, iCloud, Skydrive


“Data Aware” Security

• Information Security trend

•Knowing if a particular combination of user, device, and software can be trusted with access to specific information

•Challenge: Encoding this security intelligence into your data before you store it in the public cloud


Recap

•Cloud computing has tangible benefits and could be a strategic differentiator

•Your organization may be more actively deployed to the “cloud” than you realize

•New risks are introduced, but can be managed with assurance frameworks


Questions?

•[email protected]

mailto:[email protected]


References

•Cloud Security Alliance • Security Guidance For Critical Areas of Focus in Cloud Computing

V3.0 (2011)

• https://cloudsecurityalliance.org/research/security-guidance/

• Cloud Security Alliance GRC Stack (2011)

• https://cloudsecurityalliance.org/research/grc-stack/

• Cloud Security Alliance Cloud Controls Matrix V1.1 (2010)

• https://cloudsecurityalliance.org/research/ccm/

• Information Week (Jan-Mar 2012)

•MIT Technology Review (Jan-Mar 2012)

https://cloudsecurityalliance.org/research/security-guidance/



https://cloudsecurityalliance.org/research/grc-stack/



https://cloudsecurityalliance.org/research/ccm/