cloud computing risk management
TRANSCRIPT
Risk Management for Cloud Computing
by Padma S. Jella
CLOUD COMPUTING AS AN EVOLUTION OF ITO
Cloud computing is an outsourcing decision as it gives organizations the opportunity to externalize and purchase IT resources and capabilities from another organization as a service
How CC differs from ITO ? -“with outsourcing an existing function is moved out of the department, enterprise, or geographic jurisdiction, whereas with CC the home of an application originates in the cloud”
CC offers many advantages that surpass the promises of traditional ITO like easy scalability, access to new software and reliability
Google, Microsoft, IBM and all other known and unknown cloud providers offer today's CIO an array of major cost saving alternatives to the traditional data center and IT department.
But like everything that appears too good to be true, cloud computing comes with a set of risks that CIOs and CTOs should do well to recognize before making the decision quickly
ISACA’S Survey on cloud computing ISACA's (Information Systems Audit and Control Association) 2010 survey on cloud computing
adoption presents some interesting findings. 45% of IT professionals think the risks far outweigh the benefits and only 10 percent of
those surveyed said they would consider moving mission critical applications to the cloud.
In a nutshell, ISACA's statistics and other industry published numbers around cloud adoption indicate that cloud computing is a mainstream choice but definitely not the primary choice.
While some organizations have successfully moved part or all of their information assets into some form of cloud computing infrastructure, the large majority still haven't done much with this choice.
In most organizations, there are definitely some areas that could be safely and profitably moved to the cloud.
The extent to which an organization should move it's information assets to the cloud and take advantage of the tremendous benefits by doing so is determined by the application of a risk assessment framework to all candidate information assets.
For this, it's essential to understand the risks and then have a mitigation strategy.
Why use a risk approach for cloud selection? Many organizations are embracing cloud computing, it’s a rage these days Data security risks- Do you trust an external third party with your sensitive
data? Prepared for cloud failure (cloud outages at Microsoft and Amazon) ?? In March 2009, Microsoft Windows Azure was down for 22 hours In April 2011, a large scale outage hit Amazon, affecting Amazon’s Web
Services' Elastic Compute Cloud (EC2). The outage took out popular social networking services Foursquare,
FormSpring, Heroku, HootSuite, Quora and Reddit These outages prevent users from accessing applications or data stored in the
cloud and the financial cost of these outages can be quite high especially when mission critical- such as accounting information systems are outsourced
25th August 2013
Amazon Web Services (AWS), one of the world's largest cloud provider, stumbled over on Sunday for 59 minutes, due to issues with its U.S.-EAST datacenter.
The outage began at about 1 p.m. PT following connectivity issues in the North Virginia datacenter, which led to elevated API error rates in the region.
This led to "degraded experience," resulted in a "small number of EC2 instances unreachable due to packet loss in a single"
Last week, AWS suffered downtime that lasted around 25 minutes . Most websites running on the AWS cloud were unaffected. The biggest
casualty of the outage, however, was Amazon.com itself, which rejected customers from accessing its site in the U.S. and Canada.
Other Amazon-owned websites also suffered, including Audible.com, while Netflix continued to power through the problems.
While international sites were unaffected, some crunched the numbers, and estimated that the company could have lost as much as $1,100 in net sales per second.
Users of Vine and Instagram, as well as others - Airbnb, Flipboard, just to name a few — fell at the mercy of its cloud computing parent.
Instagram alerted its users of a fault to its service almost as soon as it occurred
Cloud Mission Risks
The main cloud-related mission risks to consider are:
The solution does not meet its financial objectives. The solution does not work in the context of the user enterprise’s organization and culture. The solution cannot be developed due to the difficulty of integrating the cloud services involved. The solution does not comply with its legal, contractual, and moral obligations. A disaster occurs from which the solution cannot recover. An external cloud service used by the solution is inadequate. The system quality of the solution is inadequate, so that it does not meet its users’ needs.
How to evaluate your cloud vendorRisk Management
Prior to engaging in a partnership with a cloud vendor an organization should request appropriate documentation and perform a comprehensive review
Investigate the reputation and background of the provider, and the number of years the provider has been in business.
Request a SSAE 16 report. In addition, several important steps that an organization should consider
addressing regulatory compliance, privacy, and business continuity are detailed.
How to evaluate your cloud vendor
Regulatory Compliance
Customer organizations are ultimately responsible for the security and integrity of their own data, even when that data is managed/maintained by a service provider. Therefore, the customer needs to ensure that the provider has adequate security controls in place and request evidence of these controls, such as a SSAE 16 report and/or a PCI compliance attestation.
If the provider has not performed a SSAE 16, the customer will need to gather as much information as possible about the security controls in place with particular focus on the people that will manage the data.
The customer should investigate the provider’s hiring process and ensure that it includes criminal and credit background screenings. It is highly recommended to include in the contract the level of security expected and the right to audit and/or request audit reports.
Those organizations who decide to use providers located internationally should request the provider make a contractual commitment to obey local privacy requirements on behalf of their customers.
How to evaluate cloud vendorPrivacy Data in the cloud is typically in a shared environment alongside with data from
other customers. Encryption becomes crucial to protect the confidentiality and privacy of the data
while in transit and in storage. Therefore, the client should know whether or not encryption is utilized.
Also, the client should know the user access and monitoring controls in place, especially for privileged accounts.
Business Continuity Plan Should a disaster occur, organizations must ascertain what steps the provider will
take to protect data and continue service. Does the provider have the ability to do a complete restoration of all data, and
how long it will take? Customers should evaluate the provider’s business continuity capabilities and ensure they meet the requirements specified in the service level agreement.
How to evaluate cloud vendor
Conclusions
Cloud computing offers organizations a cost effective, competitive and flexible opportunity to perform their operations.
Nevertheless, cloud computing involves some risks that can be mitigated by taking two key steps:
(1) Doing due diligence when selecting the provider, and (2) negotiating a service agreement that covers critical aspects such as payment, warranty, liability, protection, and security.
The first step should be founded on a methodical approach that addresses policies and procedures in selecting and overseeing providers. In regards to the second step, legal advice becomes essential during the contract stipulation
A framework for evaluating cloud computing risk
• Effectiveness of controls• Auditing and oversight• Technical security architecture• Data integrity• Data encryption• Operations security• Standardized procedures• Business stability• Intellectual property• Contractual language
Points to be thought of• Who accesses your sensitive data: The physical, logical and personnel controls that were put in
place when the data was in-house in your data center are no longer valid when you move your organization's information on the cloud. The cloud provider maintains its own hiring practices, rotation of individuals, and access control procedures. It's important to ask and understand the data management and hiring practices of the cloud provider you choose. Large providers like IBM will walk their clients through the process, how sensitive data moves around the cloud and who gets to see what.
• Regulatory compliance: Just because your data is now residing on a provider's cloud; you are not off the hook, you are still accountable to your customers for any security and integrity issues that may affect your data. The ability of the cloud provider to mitigate your risk is typically done through a process of regular external audits, PEN tests, compliance with PCI standards, ensuring SAS 70 Type II standards to name a few. You are responsible to weigh the risks to your organization's information and ensure that the cloud provider has standards and procedures in place to mitigate them.
• Geographical spread of your data: You may be surprised to know that your data may not be residing in the same city, state or for that matter country as your organization. While the provider may be contractually obliged to you to ensure the privacy of your data, they may be even more obliged to abide by the laws of the state, and or country in which your data resides. So your organization's rights may get marginalized. Ask the question and weigh the risk.
Points to be thought of• Data loss and recovery: Data on the cloud is almost always encrypted; this is to ensure security
of the data. However, this comes with a price — corrupted encrypted data is always harder to recover than unencrypted data. It's important to know how your provider plans to recover your data in a disaster scenario and more importantly how long it will take. The provider must be able to demonstrate bench-marked scenarios for data recovery in a disaster scenario.
• What happens when your provider gets acquired: A seamless merger/acquisition on the part of your cloud provider is not always business as usual for you, the client. The provider should have clearly acknowledged and addressed this as one of the possible scenarios in their contract with you. Is there an exit strategy for you as the client — and what are the technical issues you could face to get your data moved someplace else? In short, what is your exit strategy?
• Availability of data: The cloud provider relies on a combination of network, equipment, application, and storage components to provide the cloud service. If one of these components goes down, you won't be able to access your information. Therefore, it is important to understand how much you can do without a certain kind of information before you make a decision to put it on the cloud. If you are an online retailer, and your customer order entry system cannot be accessed because your application resides on the cloud that just went down, that would definitely be unacceptable. It's important to weigh your tolerance level for unavailability of your information against the vendors guaranteed uptime.
AWS Risk Assessment by IVKMajor Risks Amazon’s EC2 model is an IaaS (Infrastructure as a Service) which requires systems between companies to
be linked up so data may pass from Amazon’s (rented) servers to IVK’s. A common fear for this type of IaaS is that this transfer of data weakens security and opens a company
up to a data breach or loss of consumer data.
Privacy Risks IVK handles 2.2 million customer inquiries, processed in excess of 530,000 applications, and funded
180,000 loans. With this much information being stored on a server, the likelihood of that information being hacked increases
There is also a greater opportunity for persons to sell the information from the company.
Security Risks Since the servers are in the cloud, not in a data center, the back end is accessed through application
programming interfaces. The servers can be launched and shut down through the interface. Hackers could gain access to this
interface and shut down all the servers if they wanted to. This would in turn bring the whole company down causing major outages and chaos to bring the servers back up.
Even worse than just shutting down the servers is when hackers can delete or change things. Hackers can do what is called an account hijacking attack.
Risk Management- The Amazon Way!!! Risk Management AWS management has developed a strategic business plan which includes
risk identification and the implementation of controls to mitigate or manage risks. AWS management re-evaluates the strategic business plan at least biannually. AWS’s Compliance and Security teams have established an information security framework
and policies based on the Control Objectives for Information and related Technology (COBIT) framework and have effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services Principles, the PCI DSS v3.0, and the National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems).
AWS maintains the security policy, provides security Amazon Web Services Risk and Compliance training to employees, and performs application security reviews.
These reviews assess the confidentiality, integrity, and availability of data, as well as conformance to the information security policy.
AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities (these scans do not include customer instances).
AWS Security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability threat assessments are performed regularly by
independent security firms. Findings and recommendations resulting from these assessments are categorized and
delivered to AWS leadership.
Risk Management- The Amazon Way!!!
AWS has implemented a formal information security program designed to protect the confidentiality, integrity, and availability of customers’ systems and data. AWS publishes a security whitepaper that is available on the public website that addresses how AWS can help customers secure their data.
Applying cloud computing solutions without the proper care, due diligence, and controls is bound to cause unforeseen problems.
Used appropriately with the necessary precautions and controls in place, cloud computing could yield a multitude of benefits, some unheard of until now and some yet to be discovered.
By being aware of the risks and other issues related to cloud computing, executives are more likely to achieve their organization’s objectives as they manage the risks in this dynamic and evolving environment that likely will become the most popular computing model of the future.
Cloud computing is relatively new in its current form, given that, it is best applied to specific low to medium risk business areas.
