
Jennifer L Bayuk, LLC

Security Issues in Cloud Computing

For NJ ISACA

April 18, 2013

By:

Jennifer Bayuk

1


Jennifer Bayuk

• Independent consultant experienced in a wide variety of private security positions including Chief Information Security Officer.

• Author of multiple textbooks on security management topics

• Chair and contributor to multiple public and private InfoSec Boards and Committees

• Systems Engineering PhD, Thesis in Security Metrics

2

3

Seminar Topics

• Cloud Definition and Examples

• Cloud-Enabling Technologies

• Cloud Activists

• Cloud Privacy Concerns

• Risks of Cloud Dependencies

• Security in Cloud Service Agreements

• Example Cloud Security Policy

• Cloud Security Review

• Cloud Audit Programs

• Summary and Discussion

4

Topics

Cloud Definition and Examples

5

Layman’s Terms

Anything on the Internet Any Internet Access Point

“Cloud” refers to the “black box” nature of the service, from the point of view of the consumer, as well as the depiction of black box external network interfaces in the vernacular of a network engineering diagram.

6

Layman’s Terms

Cloud Computing refers to the dynamic provisioning, use and invoicing of IT services, based on demand, via a network. These services are only made available and used via defined technical interfaces and protocols. The range of services provided under Cloud Computing covers the entire information technology spectrum and includes infrastructure (e.g. processing power, storage), platforms and software.

Source: Security Recommendations for Cloud Computing Providers (Minimum information security requirements). 2011, German Federal Office for Information Security (www.bsi.bund.de).

7

The NIST Definition of Cloud Computing (SP800-145)

A 7-page publication consisting of:

• Five Essential Characteristics

• On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

• Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

• Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

• Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

• Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

• Three Service Models: Infrastructure, Platform, Software

• Four Deployment Models: Public, Community, Hybrid, Private

Wishful Thinking

8

ISACA 2012 Cloud Computing Market Maturity Study

• Survey participants believe that platform and infrastructure service offerings are still in the infancy stage of maturity, while software service offerings are just emerging from infancy and are in the early stages of market growth.

• Respondents estimate that it will take approximately three years for cloud platform and infrastructure services to be firmly placed within the growth stage, and at least two years for software services to reach that stage.

9

Shapes in the Fog

“Provider” refers to an entity that provides technology services that exhibit Cloud Computing characteristics

“Consumer” refers to the Cloud customer, presumably an entity with a business relationship wherein the cloud provider is a vendor of the customer

“Client” refers to a machine or software application that accesses a cloud over a network connection, perhaps on behalf of a consumer, but may be any user of cloud services


Cloud Acronyms

10

AAS = As a Service

• Infrastructure AAS

• Platform AAS

• Software AAS


Why Cloud?

11

Source: Armbrust, M., et al., A view of cloud computing. Commun. ACM, 2010. 53(4): p. 50-58.

Technology economics and ease of use.

12

Cloud Taxonomy

• IAAS

– Operating system level resources

– Network controls such as firewalls and intrusion prevention

• PAAS

– Web Hosting

– Desktops configured with user software

– Custom server development environments

• SAAS

– Functional applications run by Cloud providers that consumers access via menus, e.g. SalesForce, Payroll Services, MS Office 365

• DaaS – Data as a Service: Business Intelligence

• STaaS – Storage as a Service: SharePoint, Google Docs

• SECaaS – Security as a Service: Firewalls, Intrusion Detection, Anti-virus, Spam Filtering

• Feel free to invent your own! WAAS = Whatever as a Service

13

Frequently used Terminology

• Mash-Ups – reference to applications that incorporate one or more software tools, or widgets, that may be sold, leased, or provided free of charge by the widget-maker. Widgets may be fully contained, such as calendar tools, or integrated with Cloud services such as dining reservations, driving directions, etc.

• Service Oriented Architecture (SOA) – reference to software that is interoperable with a variety of consumers, may be a combination of clients, e.g. users on server software and/or browsers and/or completely automated applications. SOA enables Mash-Ups.

• Distributed Computing – Legacy term for SOA-style architectures; legacy systems typically had only one type of client.

• Grid – A set of computers with the same service, deployed in the same manner, that receive and respond to requests from a centralized “service coordinator” or master.

14

Example Cloud Services

• IaaS

– Amazon Web Services

– CloudSigma

– Terremark/CloudSwitch

• PaaS

– Apprenda

– CloudHub by MuleSoft

– Oracle Cloud

• SaaS

– Amazon Web Services’ Marketplace

– CallidusCloud

– SalesForce

– Workday

15

Provider Public Cloud

Distinguishing Factors:

• Only “least common-denominator”, generic, market based agreements

• Cloud provider-defined terms of service

• All infrastructure is shared, with minimal influence

• Services provided directly to and from Internet

• Administration interfaces are available over the Internet

• No effective commitments to security management/incident management

Example Controls:

• Provider employs host and network controls to protect the systems hosting the applications and information for the consumer

• Provider offers credible assurances that access to consumer data is restricted to consumer enterprise users and consumer owned and authorized applications

• Service architecture provides defense against ‘internal’ (originating from the cloud provider’s networks) as well as external (originating from the Internet or customer networks) attacks on the operating system and application software

• Provider offers a standard set of access control security features that may be utilized by consumers – such as user authentication, single sign on, authorization, and network encryption, including standard procedures to verify the identity of users at registration and password reset.

16

Provider-Community Cloud

Distinguishing Factors:

• Cloud Service is used by several enterprise consumers in the same industry

• Consumer industry establishes guidelines for community membership

• Provider manages shared directory of community member information and communication between consumers

• Provider has strong, demonstrable information security management

Example Controls: All Public example cloud controls plus:

• Service architecture provides controls over shared resources while delegating management of administrative access to consumer supplied information

• Strong authentication is used for operations requiring high assurance, including login to management interfaces, key creation, access to multiple-user accounts, firewall configuration, remote access, etc.

• Software deployment is coordinated with community and cloud service provided testing and QA facilities are available to community members

• Provider offers guarantees on service levels defined by community leadership

• Documented procedures and APIs for exporting data from the cloud are available and adhered to

17

Provider-Consumer Hybrid Cloud

Distinguishing Factors:

• Cloud Service is used by several enterprise consumers in different industries

• Consumer establishes and utilizes automated business applications that use both internal and Cloud computing components

• Provider manages Logical Segregation of consumer cloud resources (Virtual LAN, virtual Machine and/or data segregation on application level)

• Provider has strong, demonstrable information security management

Example Controls: All Community example cloud controls plus:

• Data and audit logs are segmented so they can be made available to the end customer and/or law enforcement without compromising other customers

• Service architecture provides logical isolation of applications, virtual machines, networks, storage, operations and management systems

• Baseline virtual images are cryptographically signed and versioned to ensure adherence to known configurations

• Provider offers guarantees on maximum available resources within a minimum period

• Storage, memory and other data traces are fully erased before machines are reallocated
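Of the controls above, signed and versioned baseline images are one a consumer can actually verify rather than take on faith. The Python below is an added example, not from the original slides or any provider's tooling: it checks an image against a signed, versioned manifest before deployment and refuses an edited manifest body, a rollback to an older baseline, and image bytes that do not match the manifest. An HMAC-SHA256 tag stands in for the asymmetric signature a real image pipeline would use, so the block runs with the standard library only; the key, image name, versions and image bytes are all constructed.

```python
import hashlib
import hmac
import json

# Constructed example, not the slide deck's or any provider's code. An HMAC-SHA256
# tag stands in for the asymmetric signature a real image pipeline would use so
# that this runs with the standard library only. The key is a constructed value.
SIGNING_KEY = b"constructed-demo-key-for-baseline-images"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier tag exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(image_name: str, version: int, image_bytes: bytes, key: bytes = SIGNING_KEY) -> dict:
    """Provider side: build a versioned manifest over an image and tag it."""
    body = {"image": image_name, "version": version, "sha256": sha256_hex(image_bytes)}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_image(manifest: dict, image_bytes: bytes, min_version: int, key: bytes = SIGNING_KEY) -> str:
    """Consumer side: decide whether an image may be deployed; returns "ok" or a reason.

    Order matters: the tag is checked first so nothing in an unauthenticated body
    is trusted, then the version floor (a rollback to an older, superseded baseline
    is refused even though it is genuinely signed), then the content hash.
    """
    body = manifest.get("body")
    tag = manifest.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return "rejected: malformed manifest"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "rejected: manifest tag invalid"
    if body.get("version", -1) < min_version:
        return "rejected: version %s below approved baseline %d" % (body.get("version"), min_version)
    if not hmac.compare_digest(sha256_hex(image_bytes), body.get("sha256", "")):
        return "rejected: image content does not match manifest"
    return "ok"


def demo() -> dict:
    """Run the check in four scenarios against constructed image bytes."""
    image_v3 = b"constructed baseline image bytes, hardened config v3"
    image_v2 = b"constructed baseline image bytes, older config v2"
    good = sign_manifest("web-base", 3, image_v3)
    old = sign_manifest("web-base", 2, image_v2)
    forged = {"body": dict(good["body"], version=9), "tag": good["tag"]}  # body edited, old tag kept
    return {
        "current": verify_image(good, image_v3, min_version=3),
        "rollback": verify_image(old, image_v2, min_version=3),
        "forged_body": verify_image(forged, image_v3, min_version=3),
        "tampered_image": verify_image(good, image_v3 + b"x", min_version=3),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, "->", outcome)
```

The version floor is what makes "versioned" a control rather than a label: without it, a validly signed but superseded image could be redeployed and a known-bad configuration would pass every cryptographic check.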

18

Consumer Private Cloud

Distinguishing Factors:

• Standard outsourcing agreement with all required provisions

• Dedicated environment provided by cloud provider

• Segregated network (dedicated components, logical segregation on WAN level)

• Supports deployment of all consumer standard controls

• Any access to or from the Internet is authenticated by consumer and VPN protected

Example Controls: All Hybrid example cloud controls plus:

• Provider offers transparency and full control over the current physical location of all consumer data

• Provider supports the data classification scheme used by consumer

• Provider employs appropriate segregation and controls between systems with different data classifications

• Provider requires strong authentication for consumer access

• Provider offers service such that consumer resources are fully isolated (e.g., no sharing of physical machines); these may be administered by consumer

19

Topics

Cloud-Enabling Technologies


Example Cloud Implementation

[Diagram: Example Cloud Implementation. Recoverable labels only; the layout is not. Enterprise Cloud Consumer side: INTERNET, ISOLATED DMZ, Web Proxy, FW, Internal Users and Applications (APP 1 … APP N), Network Service Zone (DNS-NIS-NTP-OSPF, Messaging), IAM/SSO, Storage Devices, DBMS Replication, Cloud Admin Platforms, Control Panels, Cloud Access Switches (Redundant), VPN Client, Enterprise End User. Connectivity: P2P-VPN links to the CSP. Cloud Service Provider (CSP) side: FW, CSP Net Svcs, Redundant Router/Switch, CSP Corporate, Enterprise Cloud Management Zone (CMZ) with CSP-CMZ DHCP, NTP, DNS, File Transfer, SIEM, NFS. Virtual Data Center: VMM Production Environment with Virtual Machine Instances for Linux, UNIX and Microsoft (PROD, Failover PROD, QA Staging, TEST, DB), Development and Testing Desktops, Image (OS Template) Repository, MySQL Replication. Backup Virtual Data Center / DR Site: VM Platform DR (standby server), VM Access DR.]

21

Enterprise Cloud Management

Enterprise tools and techniques to manage and monitor Cloud services range from ad-hoc to sophisticated automation. They include, but are not limited to:

• Identity and access management

• Network filters at both address and content level

• Software change control

• Logging and monitoring

22

Service Provider versus Enterprise Controls

• Information Flow – Network paths from data source

• Information Segregation – Infrastructure supporting data at rest

• Information Access – Identity and access management techniques

Collaborative architecture.

23

Cloud Consumer Connectivity

Network connectivity choices, and corresponding firewall and VPN access rules, will depend on Cloud Type and User Community, e.g.:

• Provider Public Cloud

• Provider-Community

• Provider-Consumer (Hybrid)

• Consumer Private Cloud

24

Sliding Scale of Cloud Controls

Cloud provides HVAC and base OS only.

25

Network Services

May include, but do not necessarily include, and when they are included, they typically come with a surcharge:

• Ability to route one domain name (e.g. firm.com) to different service providers, depending on service type

• Firewall rule maintenance

• Intrusion detection and automated response

• Dynamic DNS integrated with load-balancing technologies

• Globally diverse redundant storage replication

• Architecture specifically designed to deflect DDoS attacks

26

High Availability Architecture

Adapted from: http://www.akamai.com/dl/brochures/Product_Brief_Terra_GTM.pdf

[Diagram: CSP globally dispersed, with redundant CPU and network bandwidth. Monitoring servers perform constant monitoring to set ideal traffic allocation and send traffic allocation instructions; the example shows traffic split 60% / 40% / 0% across sites.]

27

Web Services

PaaS or SaaS Web Services

May include, but do not necessarily include:

• Ability to assign multiple administrators in different administrative roles.

• Delegation of ability to create and deploy new instances of a service.

• Federated identity access control models.

• Audit logs, summary reports and/or alerts.

28

Traditional Reference Monitor

[Diagram: Access Monitor – User Login → Check for Authentication → Identity Verification Mechanism. Reference Monitor – User Request → Check for Authorization → Access Control List → Protected Resource.]

29

Web Single Sign-On

[Diagram: Web Single Sign-On. Components: Desktop System, Web Server, Single-Sign-On Server with its User ID and credential Database, Application Server, Entitlements Database. Single Sign On Process, as numbered in the diagram:

1. login & password (from the Desktop System)

2. Forward login & password (to the Single-Sign-On Server)

3. login successful or not

4. Request Application Access

5. Cookie-based application credential

6. if success: Application credential

7. Selected Application (cookie is read automatically)

8. Application Server

9. User validation check

10. user valid or not

11. Authorization check (against the Entitlements Database)

12. User entitled or not

13. Application access for user]

Source: Bayuk, Assurance and Monitoring of E-business: Technical Control Points, ISACA, 2000

Where these can be in different organizations, the term is “federated identity”
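The flow above, written out as an added example in Python (not from the original slides or any vendor's SSO product): a salted-hash credential database and login step at the Single-Sign-On Server, an HMAC-tagged cookie-based application credential, and an application server that performs the user validation check (steps 9-10) and then the authorization check against an entitlements database (steps 11-12) before granting access (step 13). It is the reference monitor of the previous slide in code: authentication is decided once by the SSO server, authorization is decided separately by each application. The shared key, user, password, application names, entitlements and clock values are all constructed.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed example; not the diagram's implementation or any vendor's code.
# The SSO server and every application server share this key, so an application
# can validate the cookie-based credential without calling the SSO server back.
SSO_KEY = b"constructed-demo-sso-key"
TTL_SECONDS = 600


class CredentialDatabase:
    """The SSO server's user ID and credential database (salted PBKDF2 hashes)."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user_id] = (salt, self._derive(password, salt))

    def verify(self, user_id: str, password: str) -> bool:
        record = self._records.get(user_id)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._derive(password, salt), stored)


def issue_cookie(user_id: str, now: float, key: bytes = SSO_KEY) -> str:
    """Steps 5-6: the cookie-based application credential, an HMAC-tagged claim set."""
    payload = json.dumps({"sub": user_id, "exp": now + TTL_SECONDS}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def validate_cookie(cookie: str, now: float, key: bytes = SSO_KEY):
    """Steps 9-10, "user valid or not": returns the user ID, or None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # altered or forged credential
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired credential
    return claims.get("sub")


def sso_login(creds: CredentialDatabase, user_id: str, password: str, now: float):
    """Steps 2-3: the web server forwards login & password; SSO answers with a cookie or None."""
    if not creds.verify(user_id, password):
        return None
    return issue_cookie(user_id, now)


def application_access(app: str, cookie: str, entitlements: dict, now: float) -> str:
    """Steps 8-13: access monitor (is the user valid?) then reference monitor (is the user entitled?)."""
    user = validate_cookie(cookie, now)
    if user is None:
        return "denied: user not valid"
    if user not in entitlements.get(app, set()):
        return "denied: user not entitled"
    return "granted: %s -> %s" % (user, app)


def demo() -> dict:
    """Walk the flow with constructed users and entitlements at a fixed clock."""
    creds = CredentialDatabase()
    creds.add_user("alice", "correct horse battery staple")
    entitlements = {"payroll": {"alice"}, "hr-admin": set()}  # the entitlements database
    t0 = 1_700_000_000.0
    cookie = sso_login(creds, "alice", "correct horse battery staple", t0)
    # A credential claiming another user but carrying alice's tag must fail step 9.
    other_claims = json.dumps({"exp": t0 + TTL_SECONDS, "sub": "bob"}, sort_keys=True).encode()
    mismatched = base64.urlsafe_b64encode(other_claims).decode() + "." + cookie.split(".")[1]
    return {
        "bad_password": sso_login(creds, "alice", "wrong", t0),
        "entitled": application_access("payroll", cookie, entitlements, t0 + 5),
        "not_entitled": application_access("hr-admin", cookie, entitlements, t0 + 5),
        "expired": application_access("payroll", cookie, entitlements, t0 + TTL_SECONDS + 1),
        "mismatched_tag": application_access("payroll", mismatched, entitlements, t0 + 5),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, "->", outcome)
```

Two points the diagram makes that the code preserves: the application never sees the password (only the SSO server does), and a valid identity is not an entitlement, so steps 9-10 and 11-12 are separate decisions with separate data behind them.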

30

SAML and XACML

Security Assertion Markup Language (SAML)

eXtensible Access Control Markup Language (XACML)

Source: http://docs.oasis-open.org/xacml/3.0/xacml-profile-saml2.0-v2-spec-cd-1-en.html

Points of administration can be anywhere.

Note: not all implementations follow standard.

31

Virtual Machines

• Called “virtual” because the operating system software does not directly control the hardware; the hardware is emulated by another operating system that does control it.

• The OS that emulates the hardware is referred to as a Hypervisor, or Host (though that term is ambiguous), or VMM, which stands for Virtual Machine Monitor. There are two types:

– Type 1 – runs directly on hardware

– Type 2 – runs on another OS

• Allows CPU, memory (static and/or dynamic), network, and disk configuration for the “child” operating systems, which are the VMs

32

Cloud Provider Use of VMs


Source: http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

33

A Physical View of Virtual Machines

Source: Haletky, E.L., VMware vSphere and Virtual Infrastructure Security, Prentice Hall, 2009.

34

Physical View of a VM Kernel


Source: Haletky, E.L., VMware vSphere and Virtual Infrastructure Security, Prentice Hall, 2009.

35

Virtual Machine Administration


[Diagram: Virtual Machine Administration. Three guests, each an Operating System running App1 e.g. Web Services, App 2 e.g. DBMS, and App3 e.g. Auth Services, on the Operating System of the VMM. Points of administration: Trusted Admin Console, Virtual OS Config Utilities, Multiple Virtual Network Addresses, AD Server, and VMM vendor-provided Application Programming Interfaces (Admin Software APIs).]

36

Virtual Machine Security Standards

Source: cisecurity.org

37

VM Security Configuration References

• Center for Internet Security, Information Security Benchmarks and Metrics, cisecurity.org.

• Haletky, E.L., VMware vSphere and Virtual Infrastructure Security. 2009: Prentice Hall.

• Shackleford, D., Virtualization Security. 2013: Wiley.

These provide details on security configuration settings for administrative and user interfaces. Don’t try a security audit without a guide that corresponds to the VMM OS (e.g. Citrix, VMware, Xen).

38

Topics

Cloud Activists

39

Cloud Activists

• Cloud Security Alliance (CSA): https://cloudsecurityalliance.org/

• Cloud Sleuth: https://cloudsleuth.net/

• The Open Cloud Manifesto: http://www.opencloudmanifesto.org/

• Open Data Center Alliance: http://www.opendatacenteralliance.org

Activist literature, like that produced by any lobbying organization, will be biased.

40

CSA Security, Trust & Assurance Registry (STAR)

Cloud providers can submit two different types of reports to indicate their compliance with CSA “best practices”:

• The Consensus Assessments Initiative Questionnaire (CAIQ), ~140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider.

• The Cloud Controls Matrix (CCM), which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.

https://cloudsecurityalliance.org/star/registry/

41

Cloud Provider Self-Control Reviews

• AICPA - SSAE 16 (formerly SAS 70)

• SysTrust

• BITS FISAP

• ISO 27001

• PCI DSS

• CSA Open Certification Framework (OCF)

CSA announced that framework and auditor certification would be available in Q1 2013; a Continuous Monitoring effort is also underway, but is not expected to be available until 2015.

42

SSAE 16 Standards and Options

Source: Katcher, A., J. Parthun, and C. Stewart, Service Organization Controls: Managing Risks by Obtaining a Service Auditor’s Report, 2013, AICPA. http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TrustServices/DownloadableDocuments/10957-378%20SOC%20Whitepaper.pdf

43

Topics

Cloud Privacy Concerns

44

Privacy Requirements

• Gramm-Leach-Bliley Act (15 U.S.C. § 6802 - Financial Records)

• Video Privacy Protection Act (18 U.S.C. § 2710 - Rental Records)

• Cable Communications Policy (47 U.S.C. § 551 - Cable Subscriptions)

• Health Insurance Portability and Accountability Act (45 C.F.R. Part 164 – individually identifiable health info by covered entities)

• Violence Against Women Act (Public Law 109-162 as amended by Public Law 109–271)

• Legally privileged information (e.g., doctor-patient, lawyer-client, differs by privilege and state)

• Nation-state (EU/Swiss/Hong Kong, etc…) Data Privacy Laws

See: Gellman, R. (2009). Risks to Privacy and Confidentiality from Cloud Computing. World Privacy Forum, http://www.worldprivacyforum.org/.

45

Key considerations

• Terms of service

• Location

• Provider capability

• US Safe Harbor Privacy Principles

• Notice - Individuals must be informed that their data is being collected and about how it will be used.

• Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.

• Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.

• Security - Reasonable efforts must be made to prevent loss of collected information.

• Data Integrity - Data must be relevant and reliable for the purpose it was collected for.

• Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.

• Enforcement - There must be effective means of enforcing these rules.

Source: http://export.gov/safeharbor/eu/eg_main_018475.asp and http://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles

46

Example provided by: Ken Fishkin, Current Trends in Cloud Computing and Virtualization. 2012: NJ ISACA Member Meeting.

Note – terms of service differ from contract!

47

Topics

Risks of Cloud Dependencies

48

Cloud Dependency Risk

Risk

Control

49

Traditional Outsourcing Risks

• Loss of business focus

• Solution failing to meet business and/or user requirements; not performing as expected; or not integrating with strategic IT plan, information architecture and technology direction

• Incorrect solution selected or significant missing requirements

• Contractual discrepancies and gaps between business expectations and service provider capabilities

• Control gaps between processes performed by the service provider and the organization

• Compromised system security and confidentiality

• Invalid transactions or transactions processed incorrectly

• Costly compensating controls

• Reduced system availability and questionable integrity of information

• Poor software quality, inadequate testing and high number of failures

• Failure to respond to relationship issues with optimal and approved decisions

• Insufficient allocation of resources

• Unclear responsibilities and accountabilities

• Inaccurate billings

• Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization

• Inability to satisfy audit/assurance charter and requirements of regulators or external auditors

• Reputation

• Fraud

Source: Cloud Computing Management Audit/Assurance Program, ISACA 2010

50

Cloud Additions to Traditional Outsourcing Risk

Greater dependency on third parties:

– Increased vulnerabilities in external interfaces

– Increased risks in aggregated data centers

– Immaturity of the service providers with the potential for service provider going concern issues

– Increased reliance on independent assurance processes

Increased complexity of compliance with laws and regulations:

– Greater magnitude of privacy risks

– Transborder flow of personally identifiable information

– Affecting contractual compliance

Reliance on the Internet as the primary conduit to the organization’s data introduces:

– Security issues with a public environment

– Availability issues of Internet connectivity

Due to the dynamic nature of cloud computing:

– The location of the processing facility may change according to load balancing

– The processing facility may be located across international boundaries

– Operating facilities may be shared with competitors

– Legal issues (liability, ownership, etc.) relating to differing laws in hosting countries may put data at risk

Source: Cloud Computing Management Audit/Assurance Program, ISACA 2010

51

Major Technology Risks Exacerbated by Clouds

• Data leakage due to excessive user access and lack of segregation.

• Inability to meet recovery point or time objectives.

• Long-term viability of technology support for business process.

• Inadequate technology support for cyber forensics investigations.

• Regulatory and legal compliance on regional issues such as encryption and data location.

52

Cloud Dependency Risk

“The cloud is still very much a new frontier with very little in the way of specific standards for security or data privacy. In many ways … cloud computing is in a similar position to where the recording industry found itself when it was trying to combat peer-to-peer file sharing with copyright laws created in the age of analogue.

“In terms of legislation, at the moment there's nothing that grabs my attention that is specifically built for cloud computing … As is frequently the case with disruptive technologies, the law lags behind the technology development for cloud computing.”

Source: Datamonitor's Trifković, as quoted by Binnings, D., Top five cloud computing security issues, ComputerWeekly.com, 24 Apr 2009

53

Recent Cloud Outages

Apple iCloud (June 20, 2012)

Desire2Learn (January 30, 2013)

Amazon Web Services (June 14 and December 24, 2012)

Google Gmail (April 17 and June 7, 2012)

Microsoft Office 365 (February 1, 2013)

Microsoft Azure (February 29, 2012)

SalesForce (July 10, 2012)

54

Supply Chain Risk Management (SCRM)

Source: The Under Secretary of Defense for Acquisition Technology and Logistics and The Assistant Secretary of Defense for Networks and Information Integration DoD Chief Information Officer, Report on Trusted Defense Systems. 2009.

55

Topics

Security in Cloud Service Agreements

56

Cloud Lifecycle

Cloud service agreements should cover each phase of the cloud lifecycle individually to ensure that no assumptions are made about any stage.

The most frequent cause of outage is actually here: planning for migration controls is important to maintain the cloud consumer’s business process through the transition.

57

Service Level Agreement/Contractual Parameters

Provider-Consumer relationship

• Price Caps

• Functionality

• Cloud Provider Outsourcing

• Limitations on Liability

• Indemnification

• Termination

http://wrlawfirm.com/BlogWP/technology-social-media/cloud-service-contracts-breaking-down-the-all-important-service-level-agreement-sla/

Data Processing and Storage

• Ownership of Data

• Access to and Use of Data

• Location of Data

• Government Requests for Access to Data

• Data Retention and Deletion

• Metrics

Infrastructure and Security

• Data Security Representations and warranties

• Security Breach Response

• Disaster Recovery

• Maintenance

• Right to Audit

• Network domain name transitions!

Parameters should be set commensurate with data and business process exposure to the cloud provider. There is rarely a one-size-fits-all contract, and standard templates often delay business opportunities.

58

(Simple) Cloud Threat Tree


59

NIST Electronic Authentication Guideline

The document states specific technical requirements for each of the four levels of assurance in the following areas:

• Tokens (typically a cryptographic key or password) for proving identity,

• Identity proofing, registration and the delivery of credentials which bind an identity to a token,

• Remote authentication mechanisms, that is the combination of credentials, tokens and authentication protocols used to establish that a claimant is in fact the subscriber he or she claims to be,

• Assertion mechanisms used to communicate the results of a remote authentication to other parties.

See: http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf

Service agreements should be very specific about strength of authentication and procedures for password reset.

60

Calculating Cloud ROI

“Marketing hype claims that cloud computing can help any enterprise meet most IT service needs at a lower total cost of ownership (TCO) and higher return on investment (ROI).”

http://www.isaca.org/Knowledge-Center/Research/Documents/CalculatingCloudROI-WP.pdf

Source: Speed, R., IT Governance and the Cloud: Principles and Practice for Governing Adoption of Cloud Computing. ISACA Journal, 2011. 5.

But some of this may still be necessary!

61

Topics

Example Cloud Security Policy

62

Security Management Cycle

Source: Bayuk, Stepping Through the InfoSec Program, ISACA, 2007

[Diagram: Security Management Cycle – Strategy, Policy, Awareness, Implementation, Monitoring, Compliance, with Prevention, Detection and Correction controls. Cloud and/or Service Provider and/or Third Party Service elements placed on the cycle: Policies, Contingency Plans, Contractual requirements, Technical Controls, and a Cloud risk management strategy.]

63

ISACA Journal Advice

Source: Porter, E., et.al, The Tension of Cloud Computing and Compliance, ISACA ISRM-ITGRC, 2012

Policies and Procedures

• Policy for Approval of virtualization/cloud

• Acceptable use

• Data classification and handling

• Information Security Policy

• Incident Management Plan

Technical Controls

• Access to cloud provider’s monitoring tools

• Plug-In to Organization’s ticketing system

• Real Time access to Cloud Provider change and Issue management platform

• Requirement for vulnerability scans and attack/testing

Contractual Controls

• Clear delineation of responsibilities between organization and cloud provider

• Standardization or generally accepted language for contracts

• Service level agreements that can be measured and enforced

• Right to audit clause

Contingency Plans

• Exit strategy for end of contract

• Process to get data back from provider

• Contingency plan for data format conversion

• Contingency plan if cloud provider is acquired or goes out of business

• Cure provisions in event of data breach

Consider jurisdiction

Almost impossible to get, and don’t count on exercising it.

64

Control Levels

Service Baseline: Service provider maintains controls that support operational integrity and availability.

Verified Configuration: These controls provide metrics that a consumer can use to verify that a service provider is securing information as per specifications.

Verified Operation: These controls provide metrics that a consumer can use to verify that a service provider is securing information and also to monitor authorized data flow.

Consumer Configuration: These controls allow consumer to directly control information via systems configurations that restrict data usage.

Consumer Operation: These controls allow consumer to directly control access to information as in the Consumer Configuration, and in addition, allow monitoring and oversight of authorized data flow.

65

Example Enterprise Policy

[Table: Example Enterprise Policy. A matrix of service model (Platform as a Service (PaaS), Software as a Service (SaaS), Infrastructure as a Service (IaaS)) against Cloud Connectivity (Private, Community, Hybrid, Public Cloud Service). Each cell names the control level required for Classified data and for Public data. Cell entries as extracted, with row and column positions not recoverable: Classified Verified Operation / Public Baseline; Public Only Verified Configuration; Public Only Baseline; Classified Verified Operation / Public Baseline; Public Only Verified Configuration; Classified Verified Operation / Public Baseline; Classified Consumer Operation / Public Consumer Configuration; Public Only Verified Configuration; Classified Consumer Operation / Public Verified Configuration; Classified Consumer Operation / Public Verified Operation; Classified Verified Operation / Public Baseline; Public Only Baseline.]

This creates a requirement NOT to put Classified data in a public cloud

Controlling configuration and/or data flow by itself MAKES the cloud connectivity model hybrid.

66

COBIT – CSA – ENISA – OWASP Cloud Control Map

Source: Vohradsky, D., Cloud Risk—10 Principles and a Framework for Assessment. ISACA Journal, 2012. 5.

67

Topics

Cloud Security Review

68

Confidentiality Requirements

• Cloud Consumer Information Classification and associated data handling requirements

• Regulatory Privacy Requirements

• Payment Card Industry – Data Security Standard (PCI DSS)

• Franchise and Litigation Risk

– State Breach Reporting

– Federal Trade Commission negligence cases

– Other settlement cases

• Uniform Trade Secrets Act (http://www.uniformlaws.org/Act.aspx?title=Trade Secrets Act): a trade secret must be protected using reasonable efforts to maintain its secrecy – using a cloud may not qualify

69

Integrity Requirements

• Cloud consumer business process support requirements

• Sarbanes Oxley – Financial Reporting Data Integrity Requirements

• Federal Trade Commission – Transaction integrity requirements

Cloud provider services are commonly considered part of financial reporting, subject to Statements on AICPA Standards for Attestation Engagements No. 16: Reporting on Controls at a Service Organization

70

Availability Requirements

• Cloud consumer business process support requirements for production and verification of performance metrics

• Integration with cloud consumer recovery plan with respect to:
  – Recovery point objectives
  – Recovery time objectives

71

Cloud Consumer Due Diligence Steps

1. Identify the minimum amount of sensitive data which must be released to the cloud provider in order for the cloud provider to supply services.

2. Implement internal controls that ensure that cloud providers do not receive any data unless it is required to supply services, and that data transfer processes are secure.

3. Consider threats to data flow, and specify confidentiality, integrity, and availability requirements for data at the cloud provider site.

4. Identify the technical and operational control measures in place at the cloud provider which are designed to meet confidentiality, integrity, and availability requirements.

5. Map the technical measures identified in (4) to the requirements identified in (3).

6. Assess whether the cloud provider is capable of meeting requirements on a go-forward basis.

72

Example Practice A

Cloud consumer compiles a list of questions intended to identify control activity that would support requirements gathered in step 3. The cloud provider is asked to fill out the questionnaire. Where cloud provider answers do not match requirements, this is reported.

73

Example Practice B

Same as Strategy A, but in addition, cloud provider is interviewed via telephone or email to explain questionnaire answers and provide evidence of alternative controls.

74

Example Practice C

Same as Strategy B, but in addition, where cloud providers are considered high risk, cloud consumer performs visits to cloud provider site to verify answers to questions and clarify responses.

75

Example Practice D

Cloud consumer reviews cloud provider data processing environment by charting the path taken by cloud consumer data in scope. Cloud provider is requested to provide documented evidence of controls. Cloud consumer confirms understanding of cloud provider environment via phone interviews, and compares to threat environment.

76

Example Practice E

Same as Strategy D, but in addition, where outsourced processing is considered high risk, cloud consumer performs or requires independent verification of controls, to include Internet scans, onsite audits, and/or reports of independent auditors.

77

Example Practices

Progression: A. Questions -> B. Interviews -> C. Visit -> D. Evidence -> E. Testing

(from Pseudo Audit toward Real Audit)

78

Cost Comparison

Per review type: hours per review (same for all vendors, or split low risk 80% / high risk 20%), labor per review*, labor for 100 reviews**, tech, travel, total.

A. Questionnaire
   Hours: 4 (all vendors). Labor per review: $700. Labor, 100 reviews: $70,000. Tech: $50,000. Total: $120,000.

B. Questionnaire plus Documentation Review
   Hours: 20 (all vendors). Labor per review: $3,500. Labor, 100 reviews: $350,000. Tech: $50,000. Total: $400,000.

C. Questionnaire plus Documentation Review plus Onsite verification
   Hours: 4 (low risk, 80% of vendors), 80 (high risk, 20% of vendors). Labor per review: $700 / $14,000. Labor, 100 reviews: $336,000. Tech: $50,000. Travel: $40,000. Total: $426,000.

D. Data flow analysis plus Documentation Review
   Hours: 20 (all vendors). Labor per review: $3,500. Labor, 100 reviews: $350,000. Tech: $60,000. Total: $410,000.

E. Data flow analysis plus Documentation Review plus verification options
   Hours: 20 where independent verification is available; 40 where it is not available (assumed for 50% of high-risk vendors). Labor per review: $3,500 / $7,000. Labor, 100 reviews: $385,000. Tech: $60,000. Travel: $20,000. Total: $465,000.

*Assumes fully-loaded reviewer cost of $175 per hour. **Assumes requirement to review 100 vendors annually.
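The cost model behind this comparison, as an added Python example that is not part of the original deck: the $175 hourly rate, the 100-vendor count and the 80/20 risk split are the slide's footnote assumptions, and the hours per practice are the table's values, so the model reproduces the labor and total figures above.

```python
"""Cost model for review practices A-E (added example, not from the slides)."""
from dataclasses import dataclass

RATE_PER_HOUR = 175      # fully-loaded reviewer cost (slide footnote)
VENDORS = 100            # vendors reviewed annually (slide footnote)
HIGH_RISK_SHARE = 0.20   # 20% high risk, 80% low risk (slide table header)


@dataclass
class Practice:
    name: str
    hours_low: float          # review hours for a low-risk vendor
    hours_high: float         # review hours for a high-risk vendor
    tech: int = 0             # fixed tooling cost for the year
    travel: int = 0           # onsite / verification travel for the year
    # Practice E only: share of high-risk vendors for which no independent
    # verification is available, and the longer review that costs.
    unverified_share: float = 0.0
    hours_unverified: float = 0.0


def labor_cost(p: Practice) -> int:
    """Annual labor for VENDORS reviews under practice p."""
    high = VENDORS * HIGH_RISK_SHARE
    low = VENDORS - high
    unverified = high * p.unverified_share
    verified_high = high - unverified
    hours = (low * p.hours_low
             + verified_high * p.hours_high
             + unverified * p.hours_unverified)
    return round(hours * RATE_PER_HOUR)


def total_cost(p: Practice) -> int:
    return labor_cost(p) + p.tech + p.travel


PRACTICES = [
    Practice("A Questionnaire", 4, 4, tech=50_000),
    Practice("B Questionnaire + documentation review", 20, 20, tech=50_000),
    Practice("C B + onsite verification of high risk", 4, 80, tech=50_000,
             travel=40_000),
    Practice("D Data flow analysis + documentation review", 20, 20, tech=60_000),
    Practice("E D + verification options", 20, 20, tech=60_000, travel=20_000,
             unverified_share=0.5, hours_unverified=40),
]

if __name__ == "__main__":
    for p in PRACTICES:
        print(f"{p.name:<46} labor ${labor_cost(p):>9,}  total ${total_cost(p):>9,}")
```

Changing HIGH_RISK_SHARE or the per-practice hours shows how quickly the onsite and verification practices dominate the budget as the high-risk population grows.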

79

Self Control Review Scope Adequacy Assessment

• A self-control assessment report is just one piece of evidence

• Each firm must evaluate whether self-control review covers:
  – scope of service
  – due diligence requirements

80

Evidence of Independence

• Assessor faces material reputational risk or loss of certification for inaccurate results

• Assessor must keep technology control assessment workpapers

• Workpapers are available for authoritative review

• Assessor is paid by source other than cloud provider under review

81

Requirements vs Practices (from slides 4 and 5)

Requirements (due diligence steps):
1. Identify Data
2. Implement internal controls
3. Specify Requirements
4. Identify provider processes
5. Map 3 and 4
6. Make assessment

Practices A-C:
1. Have provider fill out questionnaire
2. Interview provider on answers to questions
3. Collect documentation
4. Visit provider
5. Publish report

Practices D-E:
1. Request information on data flow within provider site
2. Collect evidence of controls
3. Scan and/or audit site
4. Publish findings

82

Root Cause Observations

• Security reviewers are ordering business managers to pay attention to risk reports rather than Business Managers ordering security reviews.

• Review team activities are dictated by consortiums of other industry review teams, not by firm management or consortiums of firm management.

• Due diligence requirements are rarely integrated with business.

• Both cloud providers and large internal review organizations have a vested interest in having an industry-standard reviewer who is not subject to standards of independence.

83

Recommendations

• Where requirements are contractual, internal review teams should be enlisted to verify that contractual requirements are met. As a cost-saving effort, management may also set standards for reliance on independent audit services and document the reliance. This places management in the position of ordering security reviews and not vice versa.

• Business managers should control the cloud provider security review process via existing points of integration:
  – Procurement process should set cloud provider expectations. Use operations and compliance to validate requirements during the contract review process.
  – IT management should verify that the cloud provider gets only the data it requires, and only gets it if control functions can be technically verified.
  – Legal should determine if controls over information are required, and if so, put them in the contract. Audit clauses should also be included.

84

Requirements vs Recommendations (Business Driven)

Requirements (due diligence steps):
1. Identify Data
2. Implement Internal Controls
3. Specify Requirements
4. Identify provider processes
5. Map 3 and 4
6. Make assessment

Recommendations:
1. Have provider sign contract that includes data handling requirements
2. Use IT management to verify internal controls over data
3. Review information data flow within provider site, map controls to requirements
4. Include controls in contract
5. Collect evidence of controls; scan and/or audit site
6. Make assessment

Reviewers: Independent Assessors, Legal, Procurement/Legal, IT, Security

85

Motivate cloud providers

Rely on reasonably independent review if provided.

When you need to review a cloud provider, use your best talent, real auditors, not checklists. This will motivate cloud providers to get their own independent assessment in order to avoid customer audits.

86

Topics

Cloud Audit Programs

87

Exercise: ISACA Audit Program by Industry

Section 1: Planning and Scoping
Section 2.1: Governance
Section 2.2: Legal and Electronic Discovery
Section 3.1: Incident Response
Section 3.2: Application Security
Section 3.3: Data Security and Integrity
Section 3.4: Identity and Access Mgmt
Section 3.5: Virtualization

88

Cloud-Specific Audit Programs

• ISACA Cloud Computing Audit Program
• ENISA
• NIST
• National Institute of Standards and Technology (NIST) SP 800-30
• Federal Risk and Authorization Management Program (FedRAMP)

89

Security Topics

Summary and Discussion

90

Summary and Conclusions

• Clouds are unavoidable.
• Cloud technologies are no different than enterprise technologies.
• Cloud technology control concerns are the same as distributed enterprise control concerns.
• Cloud audits must have a dual focus on technology and legal controls.
• Cloud legal controls have not yet been thoroughly exercised or tested.
• Control of last resort should include cloud jettison. If you can’t let go, you may have to leave a piece of your business in the cloud.

91

Security Issues in Cloud Computing

Questions, Discussion?

[email protected] www.bayuk.com