i controlli nel cloud computing · la governance e i controlli cloud controlli finalizzati alla...

1

I Controlli nel Cloud Computing

impatti su Governance, Rischi, Sicurezza e Privacy

Roma, 4 Febbraio 2013

Giulio Spreafico CISA CISM CGEIT CRISC

22

Agenda

Governance Compliance e Rischi nel Cloud Computing

Sicurezza e Privacy nel Cloud ComputingCambiamenti organizzativiLe misure di sicurezza Cloud e Privacy

Controlli operativi del Cloud Computing e Audit

3

Caratteristiche Cloud Computing

La specifica natura del Cloud computing:– informazioni aziendali trattate in contesti esterni al

perimetro dell’organizzazione e potenzialmente condivisi con gli altri clienti del Cloud provider

– utilizzo strutturale di reti pubbliche per connettere l’ambito aziendale con il cloud provider

– accessibilità delle informazioni aziendali senza vincoli di orario e di luogo da parte degli utenti.

4Milano - Gennaio 2011 4

Il Cloud Computing

Caratteristiche essenziali

Modelli di servizio

Modo in cui èrealizzato

5

Commissione Europea 29 settembre 2012:Unleashing the Potential of Cloud Computing in Europe

6

Commissione Europea 29 9 2012:Unleashing the Potential of Cloud Computing in Europe

• ‘Cloud computing’ in simplified terms can be understood as the storing, processing and use of data on remotely located computers accessed over the internet.

• This means that users can command almost unlimited computing power on demand, that they do not have to make major capital investments to fulfil their needs and that they can get to their data from anywhere with an internet connection.

• Cloud computing has the potential to slash users' IT expenditureand to enable many new services to be developed.

• Using the cloud, even the smallest firms can reach out to ever larger markets while governments can make their services more attractiveand efficient even while reining in spending.

Data protectionEmerged from the consultation and the studies launched by the Commission

as a key area of concern that could impede the adoption of cloud computing.

7

Cloud e Data Protection:WP 29 Opinion 1 luglio 2012

8

Le criticità principali del Cloud

• Loss of Governance

• Sicurezza e Privacy

• Vendor Lock In

• Offerta Cloud inadeguata

99

Agenda



Controlli e Audit del Cloud Computing

10

La Governance del Cloud

Il Governo dei servizi in Cloud:

• i rischi specifici devono essere gestiti in modo esplicito

• i livelli di servizio sono definiti con le modalità di monitoraggio (da definirsi nel contratto di servizio)

• i dati in Cloud devono essere stati classificati

• il rischio di collocazione geografica dei datacenter è valutato

11

La Governance del Cloud Computing• Typical governance activities such as goal setting, policy

and standard development, defining roles and responsibilities, and managing risks must include special considerations when dealing with cloud technology and its providers

• Business processes such as data processing, development and information retrieval are examples of potential change areas

• Additionally, processes detailing the way information are stored, archived and backed up will need revisiting

• One large governance issue is that business unitpersonnel, can now bypass IT and receive servicesdirectly from the cloud. It is, therefore, paramount that information security policies address uses for cloud services

Fonte ISACA: Cloud Computing: Business Benefits With Security, Governanceand Assurance Perspectives

12

La Governance e i controlli Cloud

Obiettivo di verifica

• Le Funzioni di Governance siano definite per assicurare processi di management efficaci con conseguenti:– Trasparenza di decisioni

– Chiare responsabilità

– Sicurezza allineata agli standard

– AccountabilityFonte: Cloud Computing Management Audit Assurance Program

13

La Governance e i controlli Cloud

Controlli finalizzati alla Governance• Definizione del Modello di Governance

– Identificazione di tutti i provider e di tutti i servizi nella catena di sourcing

– Partecipazione di IT, sicurezza e utenti nell’allineamento tra business e service provider

• Collaborazione tra azienda e CSP per la sicurezza• Definizione e monitoraggio di metriche e SLA• Transizione dei servizi al termine del contratto definita

contrattualmenteFonte: Cloud Computing Management Audit Assurance Program

14

La Compliance nel CloudElementi di controllo di Compliance • Diritti di verificabilità

– Specificati nel contratto– Verifiche di terze parti

• Auditabilità dei processi del Cloud Provider• Uso del Cloud non deve violare fabbisogni di Compliance• Assurance dei Service Provider tramite Certificazioni di

sicurezza

Fonte: Cloud Computing Management Audit Assurance Program

15

Obblighi contrattuali Cloud

Il contratto deve definire:– Evidenza esplicita delle procedure di sicurezza del

CSP

– Data retention policies

– Reporting sulla location geografica dei dati

– Notifica di eventi anomali

– Penalità per data breaches

– Compartimentalizzazione (no multitenancy) e Protezione contro la data contamination tra clienti


16

Rischi di outsourcing specifici Cloud

Oltre ai tradizionali rischi di outsourcing esistonorischi specifici addizionali di Cloud:

• Dipendenza da terze parti:– Vulnerabilità nelle interfacce esterne– Centri Elaborazione Dati aggregati– Processi di assurance indipendenti

• Complessità di compliance:– Compliance contrattuale– Flusso di dati internazionale– Rischi PrivacyFonte: Cloud Computing Management Audit Assurance Program

17

Rischi di outsourcing specifici Cloud

inoltre….

• Utilizzo di internet:

– Sicurezza

– Disponibilità della connettività

• Natura dinamica del Cloud:

– Sito elaborativo che cambia dinamicamente per il load balancing fuori dai confini del provider

– Infrastrutture condivise con la concorrenza

– Aspetti legali differenziati in base alle leggi del paese dove è effettuata l’elaborazione


18

Rischi Cloud e Continuità

• Due to the dynamic nature of the cloud, information may not immediately be located in the event of a disaster

• Business continuity and disaster recovery plans must be well documented and tested

• The cloud provider must understand the role it plays in terms of backups, incident response and recovery

• Recovery time objectives (RTO) should be stated in the contractFonte: Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives

19

ISACA Rischi Cloud

• Enterprises need to be particular in choosing a provider. Reputation, history and sustainability should all be factors to consider. Sustainability is of particular importance to ensure that services will be available and data can be tracked

• The cloud provider often takes responsibility for information handling, which is a critical part of the business. Failure to perform to agreed-upon service levels can impact not only confidentiality but also availability, severely affecting business operations

• The dynamic nature of cloud computing may result in confusion as to where information actually resides. When information retrieval is required, this may create delaysFonte: Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives

20

ISACA Rischi Cloud

• Third-party access to sensitive information creates a risk of compromise to confidential information. In cloud computing, this can pose a significant threat to ensuring the protection of intellectual property (IP) and trade secrets.

• Public clouds allow high-availability systems to be developed at service levels often impossible to create in private networks, except at extraordinary costs. The downside to this availability is thepotential for commingling of information assets with other cloud customers, including competitors.

• Compliance to regulations and laws in different geographic regionscan be a challenge for enterprises.

• At this time there is little legal precedent regarding liability in the cloud. It is critical to obtain proper legal advice to ensure that the contract specifies the areas where the cloud provider is responsible and liable for ramifications arising from potential issues.Fonte: Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives

2121

Agenda




22

Cambiamenti Organizzativi Cloud sul cliente

• La Struttura organizzativa viene modificata passando da un focus operativo a uno di gestione di processi

• Il personale operativo assume un ruolo focalizzato sul monitoraggio

• L’acquisizione di personale è rivolta a competenze e capacità in grado di gestire la relazione con il CPS

• Trasferimento di attività alle business unit

• Possibile dipendenza da personale critico

Fonte: IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud

23

Processi IT modificati dal Cloud

Le soluzioni Cloud impattano sui processi IT:– Gestione del Rischio

– Gestione livelli di servizio

– Gestione terze parti

– Gestione Identità, accessi ed Eventi di Sicurezza

– Gestione Configurazione

– Gestione Informazioni e classificazione degli Asset

– Gestione Incidenti

– Resilienza e BC / DR

– Monitoraggio Controllo interno

– Procedure di Conformità e di Audit


24

Sicurezza: Security Concerns Cloud

• Abuse and nefarious use of cloud computing

• Insecure API

• Malicious insiders

• Shared technology vulnerabilities

• Data loss/leakage

• Account, service and traffic hijacking

• Unknown risk profiles


25

Sicurezza: Security Concerns Cloud

e anche– Secure Code

– Physical Security

– IAM

– Operational risk includes the risk of unsuccessful or untested patch management, logical intrusions and possible outages, DR/BC, and the risk that accrues to application and data backups


26

Misure Cloud di sicurezza: IAM

Identity Management (Cobit Ds 5.3) Responsabilità differenziate per modello cloud

User Account Management (Cobit Ds 5.4) Responsabilità del cliente

Accesso monitorato del CSP (logging).


27

Misure Cloud di sicurezza

Security Testing, Surveillance, Monitoring (Cobit DS5.5)Al cliente rimane il test e monitoraggio delle attività di detection e prevention

Security Incident Definition (Cobit DS5.6) Al cliente rimane la definizione dei processi di incident per assicurare la compliance del CSP; il contratto deve garantire il reporting tempestivo di incidenti da parte del CSP

Network Security (Cobit DS5.10)Il cliente è responsabile della sicurezza dei dispositivi nel modello Iaas e della propria rete interna negli altri modelli


28

Misure Cloud di sicurezza

• Usare reti e protocolli di trasmissione sicuri

• Criptare il dato a riposo nel database

• Criptare il dato nel file system

• Rimuovere le chiavi dalla disponibilità del provider

• Sicurezza del browser

• Richiedere al CSP forme di autenticazione federata

• Fornirsi di un sistema di Identity (de)provisioning

• Richiedere al CSP la notifica immediata di eventi di sicurezza

• Richiedere al CSP una virtualizzazione controllata

29

Isaca: Sicurezza Cloud per ciascun Modello vs. Cobit 5

30

Data Protection e impatti cloud

Privacy: With privacy concerns growing across the globe it will be imperative for cloud computing service providers to prove to existing and prospective customers that privacy controls are in place and demonstrate their ability to prevent, detect and react to breaches in a timely manner. Information and reporting lines of communication need to be in place and agreed on before service provisioning commences. These communication channels should be tested periodically during operations. Trans-border information flow: When information can be stored anywhere in the cloud, the physical location of the information can become an issue. Physical location dictates jurisdiction and legal obligation. Country laws governing personally identifiable information (PII) vary greatly. What is allowed in one country can be a violation in another.

Fonte ISACA: Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives

31

Data Protection: verifiche contrattuali

• Security practice CSP full disclosure

• Data retention policies compliant

• Geographical location reporting

• Notification of data seized

• Data breaches penalities

• Compartimentalization

• Encryption (data in transit, at rest, in backup)


32

Impatti Organizzativi Cloud e Privacy

Definizione di ruoliDevono essere definiti i ruoli pertinenti al trattamento dei dati in Cloud :

– responsabili presso il CSP – amministratori di sistema presso il CSP (esistono

difficoltà con un fornitore estero)– incaricati del cliente, ed in particolare amministratori

di sistema, che operano sui processi presso il fornitore

– personale del cliente che riveste ruoli importanti dal punto di vista della gestione dei trattamenti in cloud (ad esempio, le figure che verificano gli SLA)

33

Commissione Europea 29 settembre 2012:Unleashing the Potential of Cloud Computing in Europe

The Commission considers that the Article 29 Working Party Opinion provides

a good basis for the transitionfrom the current EU Data Protection Directive

to the new EU Data Protection Regulation.

….once the proposed regulation is adopted, the Commission will make use of the new mechanismsset out therein to provide…… any necessary additional guidance …….. in respect of cloud services.

34

Opinion on cloud computing the Article 29 Working Party Data Protection• Opinion outlines how …. cloud computing services can

trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed.

• This Opinion examines issues associated with:– the sharing of resources with other parties,– the lack of transparency of an outsourcing chain

consisting of multiple processors and subcontractors,– the unavailability of a common global data portability

framework– uncertainty with regard to the admissibility of the

transfer of personal data to cloud providers established outside of the EEA.

35

Opinion on cloud computing the Article 29 Working Party Data Protection

• Similarly, a lack of transparency in terms of theinformation a controller is able to provide to a data subject on how their personal data is processed is highlighted in the opinion as matter of serious concern.

• Data subjects must be informed who processes their data for what purposes and to be able to exercise the rights afforded to them in this respect.

• A key conclusion of this Opinion is that businesses and administrations wishing to use cloud computing

should conduct, as a first step, a comprehensive and thorough risk analysis

36

Privacy EU: La nuova Regolamentazione

37

Nuovo Regolamento EU e Impatti Cloud

Controller and Processor (CAP. IV Sez. 1)• the controller (Titolare) shall choose a processor

(Responsabile - terza parte di servizio) providing sufficient guarantees to implement appropriate technical and organisational measures (art 26.1)

• the processor shall enlist another processor only with the prior permission of the controller (Art. 26 (2)(d)

• the processor shall hand over all results to the controller after the end of the processing and not process the personal data otherwise (to hand over all data to the data controller after the termination of the contract). (Art. 26(2)(g)).

• data processor to make available to the controller and the supervisory authority all information necessary to control compliance with the (data processor’s) obligations(Art. 26(2)(h))

38

Impatti Cloud Nuovo Regolamento EU

Data Security (Art.30)

– The controller (Titolari) and processor (Responsabili Esterni) shall implement … security measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. (Art 30.1)

– the controller and the data processor following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data. Art.30.2CSP IASS non conosce la natura dei dati

CSP SAAS possono offrire misure specifiche di sicurezza

39

Impatti Cloud Nuovo Regolamento EU

Data Breach Notification and Communication (Art. 4, 31 e 32)

• personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Art 4.9)

• In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority (Art. 31)

• When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, … communicate the personal data breach to the data subject without undue delay (Art. 32)

Definizione “personal data breach” estesa che proviene dalla Direttiva’ e-privacy Directive 2002/58/EC29 as amended by

Directive 2009/136/EC30 Article 2(h)

40

Regolamento EU: Il Data Protection Officer

• Designazione del Data Protection Officer (Articolo 35)

• Posizione del Data Protection Officer (Articolo 36)

• Compiti del Data Protection Officer (Articolo 37)

Convergenza dei ruoli organizzativi del responsabile Sicurezza del Cloud Computing e il Data Protection

Officer

4141

Agenda




42

I controlli e le attività di verifica Cloud

COSO

Audit/Assurance Program Step COBIT Cross-

reference

Co

ntr

ol

En

viro

nm

ent

Ris

k A

sse

ssm

ent

Co

ntr

ol A

ctiv

itie

s

Info

rmat

ion

an

d

Co

mm

un

icat

ion

Mo

nito

ring

Reference Hyper-

link

Issue Cross-

reference

Comments

1. PLANNING AND SCOPING THE AUDIT

2. GOVERNING THE CLOUD 2.1 Governance and Enterprise Risk Management (ERM)

2.1.1 Governance Audit/Assurance Objective: Governance functions are established to ensure effective and sustainable management processes that result in transparency of business decisions, clear lines of responsibility, information security in alignment with regulatory and customer organization standards, and accountability.

2.1.1.1 Governance Model Control: The organization has mechanisms in place to identify all providers and brokers of cloud services with which it currently does business and all cloud deployments that exist across the enterprise. The organization ensures that customer, IT information security and business units actively participate in the governance and policy activities to align business objectives and information security capabilities of the service provider with those of the organization.

DS5.1 ME1.5 ME4.1 ME4.2 x x x x

2.1.1.2 Information Security Collaboration Control: Both parties define the reporting relationship and responsibilities.

PO4.5 PO4.6 PO4.14 DS2.2 ME2.1

x x x x

2.1.1.3 Metrics and SLAs Control: SLAs that support the business requirements are defined, accepted by the service provider and monitored.

PO4.8 DS1.2 DS1.3 DS1.5 DS1.6 DS2.4

x x x


43

Cloud Computing i Controlli OperativiControlli nel Ciclo di Sviluppo (SDLC)

– Application Control and Auditability (Cobit AI2.3) – Software Quality Assurance (Cobit AI2.8)

Controlli di Change Management– Change Standards and Procedures (Cobit AI6.1) – Promotion to Production (Cobit AI7.8)

Controlli di Capacity– Performance and Capacity Planning (Cobit DS3.1)– Current Performance and Capacity (Cobit DS3.2)

Controlli di Continuità– IT Continuity Framework (Cobit DS4.1)– Critical IT Resources (Cobit DS4.3)– IT Services Recovery and Resumption (Cobit DS4.8)


44

Cloud Computing i Controlli Operativi

Identification of Education and Training Needs (Cobit DS7.1) Registration of Customer Queries (Cobit DS8.2) Business Requirements for Data Management (Cobit DS11.1)Disposal (Cobit DS11.4)


45

Cloud Computing e Sistema dei Controlli Interni

Monitoring of Internal Control Framework (Cobit ME2.1)Il Cliente rimane responsabile di come il sistema dei controlli interni verifica la performance del CSP

Control Exceptions (Cobit ME2.3) Il cliente deve tenere traccia della ripetizione di eventi anomali

Assurance of Internal Control (Cobit ME2.5) Certificazione di terze parti (ISAE3402) per il CSP su processi rilevanti e il diritto di auditare se gli audit sono non disponibili


46

Cloud Computing: Le aree di verifica


GOVERNING THE CLOUDGovernance and Enterprise Risk Management (ERM)Legal and Electronic DiscoveryCompliance and AuditPortability and Interoperability

OPERATING IN THE CLOUDIncident Response, Notification and RemediationApplication SecurityData Security and IntegrityIdentity and Access ManagementVirtualization

47

Cloud Computing: verifiche Area operativa

Incident Response, Notification and Remediation

Application Security

Security Encryption and key management

IAM

Virtualization

Virtualization operating systems are hardened to prevent cross-contamination with other customer environments


48

Cloud Computing Audit Assurance

1. Identity management

2. Security incident management

3. Network perimeter security

4. Systems development

5. Project management

6. IT risk management

7. Data management

8. Vulnerability management

1. If the organization’s identity management system is integrated with the cloud computing system

2. to interface with and manage cloud computing incidents

3. as an access point to the Internet

4. in which the cloud is part of the application infrastructure

5. (in ogni caso)

6. (in ogni caso)

7. for data transmitted and stored on cloud systems

8. (in ogni caso)

Revisioni delle seguenti aree devono essere eseguite prima della esecuzione della revisione di cloud computing :


49

Conclusioni

• Il Cloud computing rende più labili i confini tra l’organizzazione aziendale ed il mondo esterno

• Il Cloud Computing comporta rischi specifici di sicurezza e conformità

• La nuova regolamentazione EU richiederà ai Cloud Service Provider e alle aziende di adeguarsi alle nuove regole

• Le funzioni aziendali: legale, ICT, Sicurezza, Audit, devono operare in sinergia per rivedere i processi e i controlli

• L’Audit assume un ruolo decisivo per assicurare un Governo adeguato dei Rischi Cloud

i controlli nel cloud computing · la governance e i controlli cloud controlli finalizzati alla...

Documents