Cloud Computing - Security audits versus cloud computing

Post on 17-May-2015

DESCRIPTION

Security audits versus cloud computing (English version). A presentation by Mike Chung, manager at KPMG Netherlands.

TRANSCRIPT

1. KPMG Risk & Compliance
Audit in the cloud: Security audits versus cloud computing
drs. Mike Chung RE
Advisory

2. Cloud computing as phenomenon
- The IT service model of choice for 2010 and beyond
- The total revenue of cloud services is approaching 25 billion USD worldwide in 2010
- Cloud computing is growing by over 30% per year
- More than 50% of all Fortune 500 enterprises are already using some form of cloud computing
- Massive investments by leading software vendors and IT integrators
- Growing demand despite/thanks to the low economic tide and the perceived reliability of the internet

© 2010 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

3. Main questions
- How (un)secure is the cloud compared with on-premise IT?
  - Integrity
  - Confidentiality
  - Availability
- How (ir)relevant are audit standards?
- How (in)competent are IT auditors?

4. Definition of cloud computing
- Hosted services from the (inter)net, metaphorically depicted as a cloud
- Utilization of Web 2.0
- ASP 2.0
- Examples:
  - Software-as-a-Service (Salesforce.com, Gmail, Microsoft Online)
  - Platform-as-a-Service (Google Apps, Force.com, 3tera AppLogic)
  - Infrastructure-as-a-Service (Amazon EC2, Citrix Cloud Centre)

5. Characteristics of cloud computing
- Multi-tenant
- External data storage
- Use of the (public) internet
- On-demand
- Subscription-based model
- Elastic
- Web based

6. Security issues of cloud computing are real
- Google Web Service vulnerability leaked database usernames and passwords (2007)
- Hackers stole credentials of Salesforce.com's customers via phishing attacks (2007)
- Thousands of customers lost their data in the cloud due to the Sidekick disaster of Microsoft/T-Mobile (2009)
- Botnet incident at Amazon EC2 infected customers' computers and compromised their privacy (2009)
- Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft's software (2010)

7. Security risks: specific factors concerning the cloud
- External data storage
- Multi-tenancy
- Use of the (public) internet
- Integration with the internal IT environment

8. Security risks: external data storage
- Weak control of data (failing backup & recovery)
- Legal complications (privacy violation, conflicting/contradicting legislation)
- Uncertain viability (insufficient guarantees regarding continuity and availability of services)
- Single point of failure (failure of one cloud vendor/provider means disaster for many customers)

9. Security risks: multi-tenancy
- Inadequate segregation of data between different customers
- Inadequate Identity & Access Management
- Insufficient logging & monitoring
- The weakest link is decisive (virtualization, shared databases)

10. Security risks: use of the (public) internet
- Unclear and unaddressed accountability, ownership
- Loss, misuse and theft of data
- No access to data and/or services
- Non-repudiation issues

11. Security risks: integration with the internal IT environment
- Unclear (network) perimeters
- No match with internal security measures, requirements and baselines
- Complexity of integration between the cloud and the internal IT

12. Residual risks
- High, unforeseen, initial investments
  - Legal costs
  - Costs to perform risk analyses
  - Costs of escrow arrangements
- Poor performance
- Additional IT management
  - Identity & Access Management
  - Key management

13. Security benefits
- Centralized security
  - Concentration of security expertise
  - Economy of scale
- High accessibility
- "Nakedness leads to fitness"

14. Audit standards
- Localized IT as starting point (ITIL)
- Strong focus on client-server/on-premise IT (ISO 27001/27002)
- Static (COBIT)
- Strong focus on processes (SOX)

15. Audit standards versus external data storage
- Based on access from external/third parties, not on access to cloud services
- Based on management of internally stored data (possibly managed by externals)
- From the viewpoint of the customer: irrelevant
- From the viewpoint of the cloud computing vendor: insufficient
- New principles and practices
  - The 11 commandments of the Jericho Forum
  - Cloud security initiatives from the ISF

16. Audit standards versus multi-tenancy
- Marginal attention to (technical) architecture
- Multi-tenancy virtually unobserved/unexposed
- Mere focus on segregation of duties, facilities and networks
- New principles and practices
  - Cloud Security Alliance Security Guidance
  - Liberty Alliance's IAM baselines

17. Audit standards versus use of the (public) internet
- Primarily financial-legal issues (accountability, ownership) outside the domain of IT audits
- Exceptionally difficult to audit
- Existing principles and practices for e-mail usage and internet security applicable

18. Audit standards versus integration with the internal IT environment
- Open standards: which one(s) to choose?
- Open audit standards versus the reality of proprietary cloud technologies
- New principles and practices
  - ISF, The Standard of Good Practice for Information Security

19. Compliance
- Responsibility and risks are with the customer, not the cloud vendor
- Legislation versus the current state of (technical) affairs
- Compliance with different legislation from different countries (SOX, HIPAA, PCI DSS, WBP (the Dutch Data Protection Act), ...)
- SAS 70 as a way out?

20. SAS 70: objections
- Free to choose the controls
- Fully dependent on the expertise and viewpoint of the auditor
- Many variations in audit approach, set-up and level of (technical) detail
- Wide intervals between audits

21. SAS 70 in practice
- Same standards used as for client-server/on-premise IT environments
- Hardly any attention to multi-tenancy, service integration and external data storage
- Superficially reviewed by (potential) customers and auditors
- Gaps rarely raised

22. IT auditors
- Competent researchers and analysts
- High-level knowledge of architecture and technology
- Mostly educated in economics, accounting, business management
- Existing audit standards and baselines as starting points

23. IT audits in practice
- Use of partly irrelevant and insufficient controls for cloud computing
- Approach tailored to client-server/on-premise IT
- Emphasis on (service management) processes with paper evidence
- Recommendations only partly aimed at mitigating cloud-specific risks

24. Conclusion
- Cloud computing harbours specific security risks
- Audit standards and baselines are partly irrelevant and insufficient, but there are initiatives to update these
- While IT auditors are competent researchers, their (technical) knowledge of cloud computing needs to be updated

25. Contact
drs. Mike Chung RE
Manager, KPMG Advisory N.V.
E-mail: chung.mike@kpmg.nl
Mobile: +31 (0)6 1455 9916

26. About the painter & painting
- J.H. Weissenbruch was a 19th-century Dutch painter famed for his depiction of clouds
- His style of painting is typical of the so-called Hague School (Haagse School)
- The title of the painting is Beach at Scheveningen (Strand bij Scheveningen)
- The picture as used for this presentation has been modified a bit
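The multi-tenancy slide (slide 9) names "inadequate segregation of data between different customers", "insufficient logging & monitoring" and "shared databases" as the weakest link, but a deck cannot show what an auditor should actually look for. The following is an added example, not code from the KPMG presentation or from any product it mentions: a record lookup over a single shared table, first in the form that leaks across tenants (the tenant boundary is not part of the query predicate), then in a tenant-scoped form that logs every decision, plus the isolation check an auditor could run against it. The table layout, the tenant names "acme" and "globex", and the rows are constructed for this example.

```python
# Added example, not from the KPMG deck: weak versus tenant-scoped record
# lookup over a shared (multi-tenant) database, with the audit check that
# verifies segregation holds. Table, tenants and rows are constructed.
import sqlite3
from typing import List, Tuple


class AccessDenied(Exception):
    """Raised when a tenant asks for a record it does not own."""


def build_db() -> sqlite3.Connection:
    """Create one shared table holding rows of two constructed tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, payload TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO records (id, tenant_id, payload) VALUES (?, ?, ?)",
        [(1, "acme", "acme invoice 1"),
         (2, "globex", "globex invoice 1"),
         (3, "acme", "acme invoice 2")],
    )
    conn.commit()
    return conn


def get_record_unscoped(conn: sqlite3.Connection, record_id: int):
    """Weak version: the only predicate is the global row id, so the tenant
    boundary is not enforced by the query. Any caller that guesses or
    enumerates ids reads other customers' rows (inadequate segregation)."""
    row = conn.execute("SELECT payload FROM records WHERE id = ?",
                       (record_id,)).fetchone()
    return row[0] if row else None


def get_record_scoped(conn: sqlite3.Connection, session_tenant: str,
                      record_id: int, audit_log: List[str]) -> str:
    """Hardened version: the tenant comes from the authenticated session,
    never from the request, and is part of every predicate. Every decision
    is recorded (here in a list; in production a tamper-evident log)."""
    row = conn.execute(
        "SELECT payload FROM records WHERE id = ? AND tenant_id = ?",
        (record_id, session_tenant),
    ).fetchone()
    if row is None:
        # Same answer whether the row is absent or owned by another tenant,
        # so the API does not reveal which ids exist for other customers.
        audit_log.append(f"DENY tenant={session_tenant} record={record_id}")
        raise AccessDenied(f"record {record_id} not visible to {session_tenant}")
    audit_log.append(f"ALLOW tenant={session_tenant} record={record_id}")
    return row[0]


def leak_count_unscoped(conn: sqlite3.Connection, attacker_tenant: str) -> int:
    """Count how many other tenants' rows one tenant can read by enumerating
    ids through the unscoped lookup."""
    max_id = conn.execute("SELECT MAX(id) FROM records").fetchone()[0]
    leaked = 0
    for record_id in range(1, max_id + 1):
        if get_record_unscoped(conn, record_id) is None:
            continue
        owner = conn.execute("SELECT tenant_id FROM records WHERE id = ?",
                             (record_id,)).fetchone()[0]
        if owner != attacker_tenant:
            leaked += 1
    return leaked


def tenant_isolation_check(conn: sqlite3.Connection
                           ) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Audit test for the scoped lookup: every tenant must read exactly its
    own rows. Returns (findings, audit_log); findings is empty when
    segregation holds, and the log has one entry per attempted access."""
    audit_log: List[str] = []
    findings: List[Tuple[str, int]] = []
    tenants = [t for (t,) in conn.execute("SELECT DISTINCT tenant_id FROM records")]
    rows = conn.execute("SELECT id, tenant_id FROM records").fetchall()
    for tenant in tenants:
        for record_id, owner in rows:
            try:
                get_record_scoped(conn, tenant, record_id, audit_log)
                if owner != tenant:
                    findings.append((tenant, record_id))  # cross-tenant read
            except AccessDenied:
                if owner == tenant:
                    findings.append((tenant, record_id))  # own row wrongly denied
    return findings, audit_log


if __name__ == "__main__":
    db = build_db()
    print("unscoped rows leaked to globex:", leak_count_unscoped(db, "globex"))
    problems, log = tenant_isolation_check(db)
    print("scoped isolation findings:", problems)
    print("\n".join(log))
```

The point an auditor should take from this is that segregation in a shared database is a property of every query, not of the schema: a single code path that omits the tenant predicate undoes it, which is why the check enumerates all tenant/row pairs rather than sampling, and why the log must show a DENY entry for each refused cross-tenant attempt.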