TRANSCRIPT
Jennifer L Bayuk, LLC
Security Issues in Cloud Computing
For NJ ISACA
April 18, 2013
By:
Jennifer Bayuk
Jennifer Bayuk
• Independent consultant experienced in a wide variety of private security positions including Chief Information Security Officer.
• Author of multiple textbooks on security management topics
• Chair and contributor to multiple public and private InfoSec Boards and Committees
• Systems Engineering PhD, Thesis in Security Metrics
Seminar Topics
• Cloud Definition and Examples
• Cloud-Enabling Technologies
• Cloud Activists
• Cloud Privacy Concerns
• Risks of Cloud Dependencies
• Security in Cloud Service Agreements
• Example Cloud Security Policy
• Cloud Security Review
• Cloud Audit Programs
• Summary and Discussion
Layman’s Terms
Diagram labels: Anything on the Internet; Any Internet Access Point.
“Cloud” refers to the “black box” nature of the service, from the point of view of the consumer, as well as the depiction of black-box external network interfaces in the vernacular of a network engineering diagram.
Layman’s Terms
Cloud Computing refers to the dynamic provisioning, use and invoicing of IT services, based on demand, via a network. These services are only made available and used via defined technical interfaces and protocols. The range of services provided under Cloud Computing covers the entire information technology spectrum and includes infrastructure (e.g. processing power, storage), platforms and software.
Source: Security Recommendations for Cloud Computing Providers (Minimum information security requirements). 2011, German Federal Office for Information Security (www.bsi.bund.de).
The NIST Definition of Cloud Computing (SP800-145)
A 7-page publication consisting of:
• Five Essential Characteristics
• On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
• Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
• Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
• Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
• Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
• Three Service Models: Infrastructure, Platform, Software
• Four Deployment Models: Public, Community, Hybrid, Private
Wishful Thinking
ISACA 2012 Cloud Computing Market Maturity Study
• Survey participants believe that platform and infrastructure service offerings are still in the infancy stage of maturity, while software service offerings are just emerging from infancy and are in the early stages of market growth.
• Respondents estimate that it will take approximately three years for cloud platform and infrastructure services to be firmly placed within the growth stage, and at least two years for software services to reach that stage.
Shapes in the Fog
“Provider” refers to an entity that provides technology services that exhibit Cloud Computing characteristics.
“Consumer” refers to the Cloud customer, presumably an entity with a business relationship wherein the cloud provider is a vendor of the customer.
“Client” refers to a machine or software application that accesses a cloud over a network connection, perhaps on behalf of a consumer, but may be any user of cloud services.
Cloud Acronyms
• AAS = As a Service
• Infrastructure AAS (IaaS)
• Platform AAS (PaaS)
• Software AAS (SaaS)
Why Cloud?
Source: Armbrust, M., et al., A view of cloud computing. Commun. ACM, 2010. 53(4): p. 50-58.
Technology economics and ease of use.
Cloud Taxonomy
• IAAS
  • Operating system level resources
  • Network controls such as firewalls and intrusion prevention
• PAAS
  • Web Hosting
  • Desktops configured with user software
  • Custom server development environments
• SAAS
  • Functional applications run by Cloud providers that consumers access via menus, e.g. SalesForce, Payroll Services, MS Office 365
• DaaS – Data as a Service: Business Intelligence
• STaaS – Storage as a Service: SharePoint, Google Docs
• SECaaS – Firewalls, Intrusion Detection, Anti-virus, Spam Filtering
• Feel free to invent your own! WAAS = Whatever as a Service
Frequently Used Terminology
• Mash-Ups – reference to applications that incorporate one or more software tools, or widgets, that may be sold, leased, or provided free of charge by the widget-maker. Widgets may be fully contained, such as calendar tools, or integrated with Cloud services such as dining reservations, driving directions, etc.
• Service Oriented Architecture (SOA) – reference to software that is interoperable with a variety of consumers, which may be a combination of clients, e.g. users on server software and/or browsers and/or completely automated applications. SOA enables Mash-Ups.
• Distributed Computing – Legacy term for SOA architectures; legacy systems typically had only one type of client.
• Grid – A set of computers with the same service, deployed in the same manner, that receive and respond to requests from a centralized “service coordinator” or master.
Example Cloud Services
• IaaS
  • Amazon Web Services
  • CloudSigma
  • Terremark/CloudSwitch
• PaaS
  • Apprenda
  • CloudHub by MuleSoft
  • Oracle Cloud
• SaaS
  • Amazon Web Services’ Marketplace
  • CallidusCloud
  • SalesForce
  • Workday
Provider Public Cloud
Distinguishing Factors:
• Only “least common-denominator”, generic, market-based agreements
• Cloud provider-defined terms of service
• All infrastructure is shared, with minimal influence
• Services provided directly to and from Internet
• Administration interfaces are available over the Internet
• No effective commitments to security management/incident management
Example Controls:
• Provider employs host and network controls to protect the systems hosting the applications and information for the consumer
• Provider offers credible assurances that access to consumer data is restricted to consumer enterprise users and consumer-owned and authorized applications
• Service architecture provides defense against ‘internal’ (originating from the cloud provider’s networks) as well as external (originating from the Internet or customer networks) attacks on the operating system and application software
• Provider offers a standard set of access control security features that may be utilized by consumers – such as user authentication, single sign-on, authorization, and network encryption, including standard procedures to verify the identity of users at registration and password reset.
Provider-Community Cloud
Distinguishing Factors:
• Cloud Service is used by several enterprise consumers in the same industry
• Consumer industry establishes guidelines for community membership
• Provider manages shared directory of community member information and communication between consumers
• Provider has strong, demonstrable information security management
Example Controls: All Public example cloud controls plus:
• Service architecture provides controls over shared resources while delegating management of administrative access to consumer-supplied information
• Strong authentication is used for operations requiring high assurance, including login to management interfaces, key creation, access to multiple-user accounts, firewall configuration, remote access, etc.
• Software deployment is coordinated with community, and cloud-service-provided testing and QA facilities are available to community members
• Provider offers guarantees on service levels defined by community leadership
• Documented procedures and APIs for exporting data from the cloud are available and adhered to
Provider-Consumer Hybrid Cloud
Distinguishing Factors:
• Cloud Service is used by several enterprise consumers in different industries
• Consumer establishes and utilizes automated business applications that use both internal and Cloud computing components
• Provider manages logical segregation of consumer cloud resources (Virtual LAN, virtual machine and/or data segregation on application level)
• Provider has strong, demonstrable information security management
Example Controls: All Community example cloud controls plus:
• Data and audit logs are segmented so they can be made available to the end customer and/or law enforcement without compromising other customers
• Service architecture provides logical isolation of applications, virtual machines, networks, storage, operations and management systems
• Baseline virtual images are cryptographically signed and versioned to ensure adherence to known configurations
• Provider offers guarantees on maximum available resources within a minimum period
• Storage, memory and other data traces are fully erased before machines are reallocated
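The hybrid-cloud control that baseline virtual images are cryptographically signed and versioned can be checked by the consumer at deployment time. The following Python example is added here and is not code from the presentation: a provider signs an image manifest (name, version, SHA-256 of the image content), and the consumer's deployment step verifies the signature, the content hash, and that the version is not below the last approved one before the image is used. The signing key, manifest layout and the `verify_image` function are this example's own assumptions; a keyed HMAC stands in for the asymmetric signature a real provider would use, so the verifier here holds the same key as the signer.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key: stands in for the provider's signing key. In a real
# deployment the consumer would hold only a public verification key.
SIGNING_KEY = b"constructed-demo-signing-key"


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(name: str, version: int, image_bytes: bytes) -> dict:
    """Manifest binding an image name and version to a hash of its content."""
    return {
        "name": name,
        "version": version,
        "sha256": hashlib.sha256(image_bytes).hexdigest(),
    }


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> str:
    """Provider side: sign the canonical manifest (HMAC used as a stand-in)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_image(manifest: dict, signature: str, image_bytes: bytes,
                 approved_version: int, key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Consumer side: accept an image only if all three checks pass.

    1. The manifest signature is valid (manifest not altered since signing).
    2. The image content hashes to the value in the signed manifest.
    3. The version is not older than the version the consumer last approved,
       which blocks rollback to a superseded baseline.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature invalid"
    if hashlib.sha256(image_bytes).hexdigest() != manifest["sha256"]:
        return False, "image content does not match signed manifest"
    if manifest["version"] < approved_version:
        return False, (f"version {manifest['version']} is below approved "
                       f"version {approved_version}")
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample image bytes; a real image would be a disk file.
    image = b"constructed golden image content, version 3"
    manifest = build_manifest("linux-baseline", 3, image)
    signature = sign_manifest(manifest)
    print(verify_image(manifest, signature, image, approved_version=3))
    print(verify_image(manifest, signature, image + b"tampered", approved_version=3))
```

Each failure is reported separately so that a deployment log distinguishes a forged manifest from a corrupted image or a rollback attempt; all three are refused before the image is started.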
Consumer Private Cloud
Distinguishing Factors:
• Standard outsourcing agreement with all required provisions
• Dedicated environment provided by cloud provider
• Segregated network (dedicated components, logical segregation on WAN level)
• Supports deployment of all consumer standard controls
• Any access to or from the Internet is authenticated by consumer and VPN protected
Example Controls: All Hybrid example cloud controls plus:
• Provider offers transparency and full control over the current physical location of all consumer data
• Provider supports the data classification scheme used by consumer
• Provider employs appropriate segregation and controls between systems with different data classifications
• Provider requires strong authentication for consumer access
• Provider offers service such that consumer resources are fully isolated (e.g., no sharing of physical machines); these may be administered by consumer
Example Cloud Implementation
Figure: example cloud implementation (network diagram). Components shown:
• Cloud Service Provider (CSP) side: CSP Corporate; CSP Net Svcs and Network Service Zone (DNS-NIS-NTP-OSPF, DHCP, NTP, DNS, File Transfer, SIEM, NFS, Messaging, Control Panels); CSP-CMZ; Cloud Admin Platforms; Image (OS Template) Repository; Virtual Data Center with a VMM Production Environment (Virtual Machine Instances for Linux, UNIX and Microsoft; Development and Testing Desktops; PROD, Failover PROD, QA Staging and TEST tiers; DB tier with MySQL replication and MS SQL replication; Storage Devices); Backup Virtual Data Center; DR Site (VM Platform DR standby server, VM Access DR); Redundant Router/Switch; Cloud Access Switches (Redundant).
• Enterprise Cloud Consumer side: Enterprise Cloud Management Zone (CMZ); Enterprise End User with VPN Client; Internal Users and Applications (APP 1 … APP N); IAM/SSO; Web Proxy; ISOLATED DMZ; firewalls (FW) at each boundary.
• Connectivity: P2P-VPN links between the enterprise and the CSP, with the INTERNET as the external network.
Enterprise Cloud Management
Enterprise tools and techniques to manage and monitor Cloud services range from ad-hoc to sophisticated automation. They include, but are not limited to:
• Identity and access management
• Network filters at both address and content level
• Software change control
• Logging and monitoring
Service Provider versus Enterprise Controls
• Information Flow – Network paths from data source
• Information Segregation – Infrastructure supporting data at rest
• Information Access – Identity and access management techniques
Collaborative architecture.
Cloud Consumer Connectivity
Network connectivity choices, and corresponding firewall and VPN access rules, will depend on Cloud Type and User Community, e.g.:
• Provider Public Cloud
• Provider-Community
• Provider-Consumer (Hybrid)
• Consumer Private Cloud
Network Services
May include, but do not necessarily include, and when they are included they typically come with a surcharge:
• Ability to route one domain name (e.g. firm.com) to different service providers, depending on service type
• Firewall rule maintenance
• Intrusion detection and automated response
• Dynamic DNS integrated with load-balancing technologies
• Globally diverse redundant storage replication
• Architecture specifically designed to deflect DDoS attacks
High Availability Architecture
Adapted from: http://www.akamai.com/dl/brochures/Product_Brief_Terra_GTM.pdf
Figure: a globally dispersed CSP with redundant CPU and network bandwidth. Monitoring servers perform constant monitoring to set ideal traffic allocation and send traffic allocation instructions to the sites (example allocation shown: 60%, 40%, 0%).
Web Services
PaaS or SaaS Web Services may include, but do not necessarily include:
• Ability to assign multiple administrators in different administrative roles.
• Delegation of ability to create and deploy new instances of a service.
• Federated identity access control models.
• Audit logs, summary reports and/or alerts.
Traditional Reference Monitor
Figure: traditional reference monitor. A User Login passes through the Identity Verification Mechanism (Access Monitor: Check for Authentication). A User Request then passes through the Reference Monitor (Check for Authorization against the Access Control List) before reaching the Protected Resource.
Web Single Sign-On
Figure: Web Single Sign-On. Components: Desktop System; Web Server; Single-Sign-On Server running the Single Sign On Process with a User ID and credential Database; Application Server; Entitlements Database. Numbered steps as labeled in the figure:
1. login & password
2. Forward login & password
3. login successful or not
4. Request Application Access
5. Application credential
6. Cookie-based application credential (if success)
7. Selected Application (cookie is read automatically)
8. Application Server
9. User validation check
10. user valid or not
11. Authorization check (against the Entitlements Database)
12. User entitled or not
13. Application access for user (if success)
Source: Bayuk, Assurance and Monitoring of E-business: Technical Control Points, ISACA, 2000
Where these can be in different organizations, the term is “federated identity”
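The numbered single sign-on process above, together with the reference monitor's split of authentication from authorization, can be exercised end to end in code. The following Python example is added here and is not part of the presentation or of the cited ISACA paper: an SSO server checks the forwarded login and password (steps 2 and 3) and issues a signed, expiring cookie-based application credential (steps 5 and 6); an application server reads the cookie (step 7), sends it back to the SSO server for the user validation check (steps 9 and 10), performs the authorization check against an entitlements database (steps 11 and 12), and only then grants access (step 13). The user store, entitlement store, cookie format, signing key and class names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key held only by the SSO server (assumption of this example).
SSO_KEY = b"constructed-sso-signing-key"
COOKIE_TTL_SECONDS = 3600

# Constructed "User ID and credential Database": salted PBKDF2 password hashes.
_SALT = b"constructed-salt"


def _hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000).hex()


USER_DB = {"alice": _hash_password("correct horse battery")}

# Constructed "Entitlements Database": application name -> entitled users.
ENTITLEMENTS_DB = {"payroll": {"alice"}, "hr-admin": set()}


class SSOServer:
    """Single Sign On Process: login check (steps 2-3), credential issue
    (steps 5-6) and later validation of that credential (steps 9-10)."""

    def login(self, user: str, password: str, now: Optional[float] = None) -> Optional[str]:
        stored = USER_DB.get(user)
        if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
            return None  # step 3: login not successful
        now = time.time() if now is None else now
        claims = {"user": user, "exp": now + COOKIE_TTL_SECONDS}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"  # steps 5-6: cookie-based application credential

    def validate(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Steps 9-10: return the user name if the cookie is genuine and unexpired."""
        now = time.time() if now is None else now
        try:
            payload, sig = cookie.split(".", 1)
        except ValueError:
            return None  # malformed credential
        expected = hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered or forged credential
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
        if claims["exp"] < now:
            return None  # expired credential
        return claims["user"]


class ApplicationServer:
    """Steps 7-13: read the cookie, validate it via SSO, then check entitlements."""

    def __init__(self, app_name: str, sso: SSOServer):
        self.app_name = app_name
        self.sso = sso

    def access(self, cookie: str, now: Optional[float] = None) -> Tuple[bool, str]:
        user = self.sso.validate(cookie, now)  # authentication (steps 9-10)
        if user is None:
            return False, "user not valid"
        # Authorization check against the entitlements database (steps 11-12);
        # this is the reference monitor's access-control-list check.
        if user not in ENTITLEMENTS_DB.get(self.app_name, set()):
            return False, "user not entitled"
        return True, f"access granted to {self.app_name} for {user}"  # step 13


if __name__ == "__main__":
    sso = SSOServer()
    payroll = ApplicationServer("payroll", sso)
    cookie = sso.login("alice", "correct horse battery")
    print(payroll.access(cookie))
    print(ApplicationServer("hr-admin", sso).access(cookie))
```

The application server never sees the password and never decides validity on its own: a forged or expired cookie fails at the SSO server's check, and a valid user who is not in the entitlements database is refused at the authorization step, which is the separation the reference monitor figure describes.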
SAML and XACML
Security Assertion Markup Language (SAML) and eXtensible Access Control Markup Language (XACML)
Source: http://docs.oasis-open.org/xacml/3.0/xacml-profile-saml2.0-v2-spec-cd-1-en.html
Points of administration
can be anywhere.
Note: not all implementations follow standard.
Virtual Machines
• Called “virtual” because the operating system software does not directly control the hardware; the hardware is emulated by another operating system that does control it.
• The OS that emulates the hardware is referred to as a Hypervisor, or Host (though that term is ambiguous), or VMM, which stands for Virtual Machine Monitor. There are two types:
  • Type 1 – runs directly on hardware
  • Type 2 – runs on another OS
• Allows CPU, memory allocation (static and/or dynamic), network, and disk configuration for “child” operating systems, which are the VMs
Cloud Provider Use of VMs
Source: http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
A Physical View of Virtual Machines
Source: Haletky, E.L., VMware vSphere and Virtual Infrastructure Security, Prentice Hall, 2009.
Physical View of a VM Kernel
Source: Haletky, E.L., VMware vSphere and Virtual Infrastructure Security, Prentice Hall, 2009.
Virtual Machine Administration
Figure: virtual machine administration. Three guests (App1 e.g. Web Services, App 2 e.g. DBMS, App3 e.g. Auth Services, each on its own Operating System) run on the Operating System of the VMM. Points of administration: Trusted Admin Console; Virtual OS Config Utilities; Multiple Virtual Network Addresses; AD Server; VMM vendor-provided Application Programming Interfaces (Admin Software APIs).
VM Security Configuration References
• Center for Internet Security, Information Security Benchmarks and Metrics, cisecurity.org.
• Haletky, E.L., VMware vSphere and Virtual Infrastructure Security. 2009: Prentice Hall.
• Shackleford, D., Virtualization Security. 2013: Wiley.
These provide details on security configuration settings for administrative and user interfaces. Don’t try a security audit without a guide that corresponds to the VMM OS (e.g.: Citrix, VMWare, Xen).
Cloud Activists
• Cloud Security Alliance (CSA) • https://cloudsecurityalliance.org/
• Cloud Sleuth • https://cloudsleuth.net/
• The Open Cloud Manifesto • http://www.opencloudmanifesto.org/
• Open Data Center Alliance • http://www.opendatacenteralliance.org
Activist literature, like that produced by any lobbying organization, will be biased.
CSA Security, Trust & Assurance Registry (STAR)
Cloud providers can submit two different types of reports to indicate their compliance with CSA “best practices:”
• The Consensus Assessments Initiative Questionnaire (CAIQ), ~140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider.
• The Cloud Controls Matrix (CCM), which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.
https://cloudsecurityalliance.org/star/registry/
Cloud Provider Self-Control Reviews
• AICPA – SSAE 16 (formerly SAS 70)
• SysTrust
• BITS FISAP
• ISO 27001
• PCI DSS
• CSA Open Certification Framework (OCF)
CSA announced that Framework and Auditor certification will be available in Q1 2013, and that a Continuous Monitoring effort is underway but not expected to be available until 2015.
SSAE 16 Standards and Options
Source: Katcher, A., J. Parthun, and C. Stewart, Service Organization Controls: Managing Risks by Obtaining a Service Auditor’s Report, 2013, AICPA. http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TrustServices/DownloadableDocuments/10957-378%20SOC%20Whitepaper.pdf
Privacy Requirements
• Gramm-Leach-Bliley Act (15 U.S.C. § 6802 - Financial Records)
• Video Privacy Protection Act (18 U.S.C. § 2710 - Rental Records)
• Cable Communications Policy (47 U.S.C. § 551 - Cable Subscriptions)
• Health Insurance Portability and Accountability Act (45 C.F.R. Part 164 – individually identifiable health info by covered entities)
• Violence Against Women Act (Public Law 109-162 as amended by Public Law 109–271)
• Legally privileged information (e.g., doctor-patient, lawyer-client, differs by privilege and state)
• Nation-state (EU/Swiss/Hong Kong, etc…) Data Privacy Laws
See: Gellman, R. (2009). Risks to Privacy and Confidentiality from Cloud Computing. World Privacy Forum, http://www.worldprivacyforum.org/.
Key considerations
• Terms of service
• Location
• Provider capability
• US Safe Harbor Privacy Principles
  • Notice – Individuals must be informed that their data is being collected and about how it will be used.
  • Choice – Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
  • Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
  • Security – Reasonable efforts must be made to prevent loss of collected information.
  • Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
  • Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
  • Enforcement – There must be effective means of enforcing these rules.
Source: http://export.gov/safeharbor/eu/eg_main_018475.asp and http://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles
Example provided by: Ken Fishkin, Current Trends in Cloud Computing and Virtualization. 2012: NJ ISACA Member Meeting.
Note – terms of service differ from contract!
Traditional Outsourcing Risks
• Loss of business focus
• Solution failing to meet business and/or user requirements; not performing as expected; or not integrating with strategic IT plan, information architecture and technology direction
• Incorrect solution selected or significant missing requirements
• Contractual discrepancies and gaps between business expectations and service provider capabilities
• Control gaps between processes performed by the service provider and the organization
• Compromised system security and confidentiality
• Invalid transactions or transactions processed incorrectly
• Costly compensating controls
• Reduced system availability and questionable integrity of information
• Poor software quality, inadequate testing and high number of failures
• Failure to respond to relationship issues with optimal and approved decisions
• Insufficient allocation of resources
• Unclear responsibilities and accountabilities
• Inaccurate billings
• Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization
• Inability to satisfy audit/assurance charter and requirements of regulators or external auditors
• Reputation
• Fraud
Source: Cloud Computing Management Audit/Assurance Program, ISACA 2010
Cloud Additions to Traditional Outsourcing Risk
Greater dependency on third parties:
– Increased vulnerabilities in external interfaces
– Increased risks in aggregated data centers
– Immaturity of the service providers with the potential for service provider going-concern issues
– Increased reliance on independent assurance processes
Increased complexity of compliance with laws and regulations:
– Greater magnitude of privacy risks
– Transborder flow of personally identifiable information
– Affecting contractual compliance
Reliance on the Internet as the primary conduit to the organization’s data introduces:
– Security issues with a public environment
– Availability issues of Internet connectivity
Due to the dynamic nature of cloud computing:
– The location of the processing facility may change according to load balancing
– The processing facility may be located across international boundaries
– Operating facilities may be shared with competitors
– Legal issues (liability, ownership, etc.) relating to differing laws in hosting countries may put data at risk
Source: Cloud Computing Management Audit/Assurance Program, ISACA 2010
Major Technology Risks Exacerbated by Clouds
• Data leakage due to excessive user access and lack of segregation.
• Inability to meet recovery point or time objectives.
• Long-term viability of technology support for business process.
• Inadequate technology support for cyber forensics investigations.
• Regulatory and legal compliance on regional issues such as encryption and data location.
Cloud Dependency Risk
“The cloud is still very much a new frontier with very little in the way of specific standards for security or data privacy. In many ways … cloud computing is in a similar position to where the recording industry found itself when it was trying to combat peer-to-peer file sharing with copyright laws created in the age of analogue.”
“In terms of legislation, at the moment there's nothing that grabs my attention that is specifically built for cloud computing, … As is frequently the case with disruptive technologies, the law lags behind the technology development for cloud computing.”
Source: Datamonitor's Trifković, as quoted by Binnings, D., Top five cloud computing security issues, ComputerWeekly.com, 24 Apr 2009.
Recent Cloud Outages
• Apple iCloud (June 20, 2012)
• Desire2Learn (January 30, 2013)
• Amazon Web Services (June 14 and December 24, 2012)
• Google Gmail (April 17 and June 7, 2012)
• Microsoft Office 365 (February 1, 2013)
• Microsoft Azure (February 29, 2012)
• SalesForce (July 10, 2012)
Supply Chain Risk Management (SCRM)
Source: The Under Secretary of Defense for Acquisition Technology and Logistics and The Assistant Secretary of Defense for Networks and Information Integration DoD Chief Information Officer, Report on Trusted Defense Systems. 2009.
Cloud Lifecycle
Cloud service agreements should cover each phase of the cloud lifecycle individually to ensure that no assumptions are made about any stage.
The most frequent cause of outage is actually here, at migration: planning for migration controls is important to maintain the cloud consumer business process through the transition.
Service Level Agreement/Contractual Parameters
Provider-Consumer relationship: Price Caps; Functionality; Cloud Provider Outsourcing; Limitations on Liability; Indemnification; Termination
Data Processing and Storage: Ownership of Data; Access to and Use of Data; Location of Data; Government Requests for Access to Data; Data Retention and Deletion; Metrics
Infrastructure and Security: Data Security; Representations and Warranties; Security Breach Response; Disaster Recovery; Maintenance; Right to Audit; Network domain name transitions!
Source: http://wrlawfirm.com/BlogWP/technology-social-media/cloud-service-contracts-breaking-down-the-all-important-service-level-agreement-sla/
Parameters should be set commensurate with data and business process exposure to the cloud provider. There is rarely a one-size-fits-all contract, and standard templates often delay business opportunities.
NIST Electronic Authentication Guideline
The document states specific technical requirements for each of the four levels of assurance in the following areas:
• Tokens (typically a cryptographic key or password) for proving identity,
• Identity proofing, registration and the delivery of credentials which bind an identity to a token,
• Remote authentication mechanisms, that is, the combination of credentials, tokens and authentication protocols used to establish that a claimant is in fact the subscriber he or she claims to be,
• Assertion mechanisms used to communicate the results of a remote authentication to other parties.
See: http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf
Service agreements should be very specific about strength of authentication and procedures for password reset.
Calculating Cloud ROI
“Marketing hype claims that cloud computing can help any enterprise meet most IT service needs at a lower total cost of ownership (TCO) and higher return on investment (ROI).”
http://www.isaca.org/Knowledge-Center/Research/Documents/CalculatingCloudROI-WP.pdf
Source: Speed, R., IT Governance and the Cloud: Principles and Practice for Governing Adoption of Cloud Computing. ISACA Journal, 2011. 5.
But some of this may still be necessary!
Security Management Cycle
Source: Bayuk, Stepping Through the InfoSec Program, ISACA, 2007
Figure: security management cycle. Stages: Strategy, Policy, Awareness, Implementation, Monitoring, Compliance; control types: Prevention, Detection, Correction. Elements contributed by the Cloud and/or Service Provider and/or Third Party Service: Policies, Contingency Plans, Contractual requirements, Technical Controls, Cloud risk management strategy.
ISACA Journal Advice
Source: Porter, E., et.al, The Tension of Cloud Computing and Compliance, ISACA ISRM-ITGRC, 2012
Policies and Procedures
• Policy for approval of virtualization/cloud
• Acceptable use
• Data classification and handling
• Information Security Policy
• Incident Management Plan
Technical Controls
• Access to cloud provider’s monitoring tools
• Plug-in to organization’s ticketing system
• Real-time access to cloud provider change and issue management platform
• Requirement for vulnerability scans and attack/testing
Contractual Controls
• Clear delineation of responsibilities between organization and cloud provider
• Standardization or generally accepted language for contracts
• Service level agreements that can be measured and enforced
• Right to audit clause
Contingency Plans
• Exit strategy for end of contract
• Process to get data back from provider
• Contingency plan for data format conversion
• Contingency plan if cloud provider is acquired or goes out of business
• Cure provisions in event of data breach
Slide annotations: Consider jurisdiction. Almost impossible to get, and don’t count on exercising it.
Control Levels
Service Baseline: Service provider maintains controls that support operational integrity and availability.
Verified Configuration: These controls provide metrics that a consumer can use to verify that a service provider is securing information as per specifications.
Verified Operation: These controls provide metrics that a consumer can use to verify that a service provider is securing information and also to monitor authorized data flow.
Consumer Configuration: These controls allow consumer to directly control information via systems configurations that restrict data usage.
Consumer Operation: These controls allow consumer to directly control access to information as in the Consumer Configuration, and in addition, allow monitoring and oversight of authorized data flow.
Example Enterprise Policy
Table: example enterprise policy. Rows are service models (Platform as a Service (PaaS), Software as a Service (SaaS), Infrastructure as a Service (IaaS)); columns are cloud connectivity types (Private, Community, Hybrid, Public Cloud Service). Each cell gives the required control level per data classification. Cell values in the original: for Classified data, Verified Operation or Consumer Operation; for Public data, Baseline, Verified Configuration, Verified Operation or Consumer Configuration; Public-cloud cells are marked “Public Only” with Baseline or Verified Configuration.
This creates a requirement NOT to put Classified data in a public cloud.
Controlling configuration and/or data flow by itself MAKES the cloud connectivity model hybrid.
COBIT – CSA – ENISA – OWASP Cloud Control Map
Source: Vohradsky, D., Cloud Risk—10 Principles and a Framework for Assessment. ISACA Journal, 2012. 5.
Confidentiality Requirements
• Cloud Consumer Information Classification and associated data handling requirements
• Regulatory Privacy Requirements
• Payment Card Industry – Data Security Standard (PCI DSS)
• Franchise and Litigation Risk
  – State Breach Reporting
  – Federal Trade Commission negligence cases
  – Other settlement cases
• Uniform Trade Secrets Act (http://www.uniformlaws.org/Act.aspx?title=Trade Secrets Act): a trade secret must be protected using reasonable efforts to maintain its secrecy – using a cloud may not qualify
Integrity Requirements
• Cloud consumer business process support requirements
• Sarbanes Oxley – Financial Reporting Data Integrity Requirements
• Federal Trade Commission – Transaction integrity requirements
Cloud provider services commonly considered part of financial reporting are subject to Statements on AICPA Standards for Attestation Engagements No. 16: Reporting on Controls at a Service Organization.
Availability Requirements
• Cloud consumer business process support requirements for production and verification of performance metrics
• Integration with cloud consumer recovery plan with respect to:
  – Recovery point objectives
  – Recovery time objectives
Cloud Consumer Due Diligence Steps
1. Identify minimum amount of sensitive data which must be released to the cloud provider in order for the cloud provider to supply services.
2. Implement internal controls that ensure that cloud providers do not receive any data other than that required to supply services, and that data transfer processes are secure.
3. Consider threats to data flow, and specify confidentiality, integrity, and availability requirements for data at cloud provider site.
4. Identify the technical and operational control measures in place at the cloud provider which are designed to meet confidentiality, integrity, and availability requirements.
5. Map the technical measures identified in (4) to the requirements identified in (3).
6. Assess whether the cloud provider is capable of meeting requirements on a go forward basis.
72
Example Practice A
Cloud consumer compiles a list of questions intended to identify control activity that would support the requirements gathered in step 3. The cloud provider is asked to fill out the questionnaire. Where cloud provider answers do not match requirements, this is reported.
73
Example Practice B
Same as Practice A, but in addition, the cloud provider is interviewed via telephone or email to explain questionnaire answers and provide evidence of alternative controls.
74
Example Practice C
Same as Practice B, but in addition, where cloud providers are considered high risk, the cloud consumer performs visits to the cloud provider site to verify answers to questions and clarify responses.
75
Example Practice D
Cloud consumer reviews the cloud provider data processing environment by charting the path taken by cloud consumer data in scope. The cloud provider is requested to provide documented evidence of controls. The cloud consumer confirms its understanding of the cloud provider environment via phone interviews, and compares it to the threat environment.
76
Example Practice E
Same as Practice D, but in addition, where outsourced processing is considered high risk, the cloud consumer performs or requires independent verification of controls, to include Internet scans, onsite audits, and/or reports of independent auditors.
77
Example Practices
A. Questions · B. Interviews · C. Visit · D. Evidence · E. Testing
Progression: from pseudo audit (questionnaire-driven) toward real audit (evidence- and test-driven).
78
Cost Comparison
Assumptions: fully-loaded reviewer cost of $175 per hour*; 100 vendor reviews per year**, of which 80% are low risk and 20% are high risk.

Review type | Hours per review | Labor per review | Labor (100 reviews) | Tech | Travel | Total
A. Questionnaire | 4 | $700 | $70,000 | $50,000 | – | $120,000
B. Questionnaire plus documentation review | 20 | $3,500 | $350,000 | $50,000 | – | $400,000
C. Questionnaire plus documentation review plus onsite verification | 4 (low risk) / 80 (high risk) | $700 / $14,000 | $336,000 | $50,000 | $40,000 | $426,000
D. Data flow analysis plus documentation review | 20 | $3,500 | $350,000 | $60,000 | – | $410,000
E. Data flow analysis plus documentation review plus verification options | 20 (independent verification available) / 40 (not available; assumed for 50% of high-risk providers) | $3,500 / $7,000 | $385,000 | $60,000 | $20,000 | $465,000

*Assumes a fully-loaded reviewer cost of $175 per hour.
**Assumes a requirement to review 100 vendors annually.
79
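The figures in the cost comparison follow from a small model: reviewer hours per vendor, a low-risk/high-risk split of the vendor population, and fixed technology and travel line items per practice. The following is an added example, not code from the original slides, that re-derives all five totals from the slide's stated assumptions ($175 per hour, 100 vendors, 80/20 risk split) and lets a reader replay the comparison for their own vendor count or rate. Treating technology and travel as fixed annual amounts per practice is an assumption; the slide does not say how those line items were derived.

```python
"""Annual cost model for the five cloud-provider review practices (A-E).

Added example, not code from the original slides. It re-derives the
Cost Comparison figures from the slide's stated assumptions: a
fully-loaded reviewer cost of $175 per hour, 100 vendor reviews per
year, 80% of them low risk and 20% high risk. Technology and travel
are taken as the slide's fixed annual line items per practice (an
assumption; the slide does not say how they were derived).
"""
from dataclasses import dataclass

RATE_PER_HOUR = 175        # slide footnote: fully-loaded reviewer cost
VENDORS_PER_YEAR = 100     # slide footnote: 100 vendor reviews annually
HIGH_RISK_SHARE = 0.20     # slide header: 80% low risk, 20% high risk


@dataclass(frozen=True)
class Practice:
    name: str
    hours_base: int           # reviewer hours for a standard review
    hours_extended: int       # hours when the extended procedure applies
    extended_share: float     # fraction of high-risk vendors that get it
    tech: int                 # annual technology cost (slide line item)
    travel: int = 0           # annual travel cost (slide line item)


# Practice definitions transcribed from the slide.
PRACTICES = {
    "A": Practice("Questionnaire", 4, 4, 0.0, 50_000),
    "B": Practice("Questionnaire + documentation review", 20, 20, 0.0, 50_000),
    # C: every high-risk vendor gets an onsite visit (80 h instead of 4 h).
    "C": Practice("Questionnaire + documentation + onsite", 4, 80, 1.0,
                  50_000, 40_000),
    "D": Practice("Data flow analysis + documentation review", 20, 20, 0.0,
                  60_000),
    # E: independent verification assumed unavailable for half of the
    # high-risk vendors; the consumer then verifies itself (40 h, not 20 h).
    "E": Practice("Data flow analysis + documentation + verification", 20, 40,
                  0.5, 60_000, 20_000),
}


def review_counts(vendors=VENDORS_PER_YEAR, high_share=HIGH_RISK_SHARE):
    """Split the annual vendor population into (low-risk, high-risk) counts."""
    high = round(vendors * high_share)
    return vendors - high, high


def labor_cost(p, vendors=VENDORS_PER_YEAR, high_share=HIGH_RISK_SHARE,
               rate=RATE_PER_HOUR):
    """Annual reviewer labor: base hours for every vendor except the
    high-risk vendors receiving the extended procedure, who get the
    extended hours instead."""
    _, high = review_counts(vendors, high_share)
    extended = round(high * p.extended_share)
    hours = (vendors - extended) * p.hours_base + extended * p.hours_extended
    return hours * rate


def total_cost(p, **kw):
    """Labor plus the practice's fixed technology and travel line items."""
    return labor_cost(p, **kw) + p.tech + p.travel


def cost_table(**kw):
    """Per-practice breakdown keyed A-E, matching the slide's columns."""
    return {
        key: {"labor": labor_cost(p, **kw), "tech": p.tech,
              "travel": p.travel, "total": total_cost(p, **kw)}
        for key, p in PRACTICES.items()
    }


def marginal_cost(key_from, key_to, **kw):
    """Annual cost of moving from one practice to a deeper one."""
    return (total_cost(PRACTICES[key_to], **kw)
            - total_cost(PRACTICES[key_from], **kw))


if __name__ == "__main__":
    for key, row in cost_table().items():
        print(key, PRACTICES[key].name, row)
    print("D -> E adds per year:", marginal_cost("D", "E"))
    # Replaying the model for a smaller programme than the slide assumes.
    print("E with 40 vendors:", total_cost(PRACTICES["E"], vendors=40))
```

The model reproduces the slide exactly (for example, Practice C is 80 vendors at 4 hours plus 20 at 80 hours, 1,920 hours at $175, or $336,000 in labor), and it makes the comparison the slide is driving at explicit: moving from D to E, that is, adding independent verification for the high-risk half of the population, costs $55,000 a year more than documentation review alone.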
Self Control Review Scope Adequacy Assessment
• A self-control assessment report is just one piece of evidence
• Each firm must evaluate whether the self-control review covers:
  – scope of service
  – due diligence requirements
80
Evidence of Independence
• Assessor faces material reputational risk or loss of certification for inaccurate results
• Assessor must keep technology control assessment workpapers
• Workpapers are available for authoritative review
• Assessor is paid by source other than cloud provider under review
81
Requirements vs Practices (from slides 4 and 5)
Due diligence requirements:
1. Identify data
2. Implement internal controls
3. Specify requirements
4. Identify provider processes
5. Map 3 and 4
6. Make assessment
Practices A-C:
1. Have provider fill out questionnaire
2. Interview provider on answers to questions
3. Collect documentation
4. Visit provider
5. Publish report
Practices D-E:
1. Request information on data flow within provider site
2. Collect evidence of controls
3. Scan and/or audit site
4. Publish findings
82
Root Cause Observations
• Security reviewers are ordering business managers to pay attention to risk reports rather than Business Managers ordering security reviews.
• Review team activities are dictated by consortiums of other industry review teams, not by firm management or consortiums of firm management.
• Due diligence requirements are rarely integrated with business
• Both cloud providers and large internal review organizations have a vested interest in having industry-standard reviewers not subject to standards of independence.
83
Recommendations
• Where requirements are contractual, internal review teams should be enlisted to verify that contractual requirements are met. As a cost-saving effort, management may also set standards for reliance on independent audit services and document that reliance. This places management in the position of ordering security reviews, and not vice versa.
• Business managers should control the cloud provider security review process via existing points of integration:
  – The procurement process should set cloud provider expectations. Use operations and compliance to validate requirements during the contract review process.
  – IT management should verify that the cloud provider gets only the data it requires, and only gets it if control functions can be technically verified.
  – Legal should determine whether controls over information are required and, if so, put them in the contract. Audit clauses should also be included.
84
Requirements vs Recommendations
Due diligence requirements:
1. Identify data
2. Implement internal controls
3. Specify requirements
4. Identify provider processes
5. Map 3 and 4
6. Make assessment
Recommendations (business driven):
1. Have provider sign a contract that includes data handling requirements
2. Use IT management to verify internal controls over data
3. Review information data flow within the provider site; map controls to requirements
4. Include controls in the contract
5. Collect evidence of controls: scan and/or audit the site
6. Make assessment
Roles involved: Procurement/Legal, Legal, IT, Security, Reviewers, Independent Assessors
85
Motivate Cloud Providers
• Rely on reasonably independent review if provided.
• When you need to review a cloud provider, use your best talent, real auditors, not checklists.
• This will motivate cloud providers to get their own independent assessment in order to avoid customer audits.
87
Exercise: ISACA Audit Program by Industry
Section 1: Planning and Scoping
Section 2.1: Governance
Section 2.2: Legal and Electronic Discovery
Section 3.1: Incident Response
Section 3.2: Application Security
Section 3.3: Data Security and Integrity
Section 3.4: Identity and Access Management
Section 3.5: Virtualization
88
Cloud-Specific Audit Programs
• ISACA Cloud Computing Audit Program
• ENISA
• National Institute of Standards and Technology (NIST) SP 800-30
• Federal Risk and Authorization Management Program (FedRAMP)
90
Summary and Conclusions
• Clouds are unavoidable.
• Cloud technologies are no different than enterprise technologies.
• Cloud technology control concerns are the same as distributed enterprise control concerns.
• Cloud audits must have a dual focus on technology and legal controls.
• Cloud legal controls have not yet been thoroughly exercised or tested.
• Control of last resort should include cloud jettison. If you can’t let go, you may have to leave a piece of your business in the cloud.