
7/27/10

Proprietary & Business Confidential

Cloud Computing – A Risk Overview
Kostja Reim, CISA, CISM, CGEIT, Security Risk Solutions Ltd.

Cloud Computing - Considerations & Risks - (c) Security Risk Solutions Ltd., All rights reserved. 2010

Agenda

- Introduction
- Cloud Foundation
- Considerations and Risks
- The Role of the IS Auditor
- Q&A


Regulatory Pressure

- Compliance Demands:
  - Internal Audit
    - Independent
    - Audits IT
  - Defined RM Framework
    - Annual assessment
    - Risk Treatment Plan
    - Investigation of all significant incidents
  - Segregation of Duties
  - BCM (processes, systems, succession)
  - Logging and Monitoring
  - Security Measures of accepted standard (BSI, ISO17799, etc.)
  - Outsourcing Controls

- To address:
  - Internal fraud
  - External fraud
  - Hiring practices
  - Occupational safety and security
  - Customer, products & services, practices
  - Impact on assets (terrorism, earthquakes, fire, etc.)
  - System outages and business failure
  - Process management (execution of transactions, false details, money laundering, confidentiality of customer information, etc.)

Did you know the Payment Card Industry (PCI) Council for Security released a Data Security Standard (DSS) that all financial institutions and merchants processing or storing credit card transactions must comply with by 30 September 2010? Did you know that Uganda has put in place new laws and penalties for IT?


Cloud Foundation – What is going on inside an application?


Cloud Foundation – How does it work?


Cloud Foundation – What is Cloud Computing?

IT capabilities provided as a service over the Internet and characterized by:
- Usually pay as you use (can also be subscription)
- Shared physical infrastructure not visible to the customer
- Provided over the Internet
- Geographic independence
- On-demand allocation of resources
- Scalability

"Gartner defines cloud computing as a style of computing where massively scalable IT-related capabilities are provided 'as a service' using Internet technologies to multiple external customers."

Cloud Foundation – Types of Cloud Services

- SaaS – Software as a Service
  - Network-hosted application
- DaaS – Data as a Service
  - Customer queries against provider's database
- PaaS – Platform as a Service
  - Network-hosted software development platform
- IaaS – Infrastructure as a Service
  - Provider hosts customer VMs or provides network storage
- IPMaaS – Identity and Policy Management as a Service
  - Provider manages identity and/or access control policy for customer
- NaaS – Network as a Service
  - Provider offers virtualized networks (e.g. VPNs)

Cloud Foundation - IaaS


Cloud Foundation - PaaS


Cloud Foundation - SaaS


Cloud Foundation – Service Providers


Cloud Foundation – What is gained?


Cloud Foundation – Service Delivery Models


Cloud Foundation - Benefits

Example use scenarios:
- High demand applications
- Highly variable demand (bursting)
- Geographically dispersed user base
- Startup
- Reduce size and scope of IT
- PER
- Cheap to experiment
- DR

Cloud Foundation – Pros and Cons Summary

Considerations & Risks


Considerations & Risks - Other


Considerations – Confidentiality & Privacy

- Risk Factors:
  - Data stored, transmitted and processed outside the organization
  - Shared computing environments
  - Loss of physical control of data
  - Physical and logical access managed by provider
  - Limited information about provider personnel

- Mitigation Techniques:
  - Separation of user directories and access control
  - Encryption
  - Key management
  - Define standards
  - Procedural reviews
  - Access control reviews

Considerations – Data Segregation

- Risk Factors:
  - Shared computing environments
  - Lack of segmentation
  - Geographical residence of data
  - One compromised system could affect another

- Mitigation Techniques:
  - Encryption
  - Key management
  - Logical segregation
  - Firewalls, routers, ACLs
  - Information classification
  - Isolation of data

Considerations – Data Integrity

- Risk Factors:
  - Lack of controls to prevent data modification
  - Undetected modification of data
  - Incorrectly implemented encryption leading to data corruption

- Mitigation Techniques:
  - File integrity, logging and monitoring
  - Digital signatures
  - Periodic review of data
  - Redundancy and error recovery
  - Error checking and correcting codes
  - Encryption
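The "undetected modification of data" risk above, together with the encryption and key management mitigations from the Confidentiality & Privacy slide, as an added example that is not part of the deck: a client-side integrity manifest in Python, with the HMAC key generated and held by the customer rather than the provider. The object names and contents are constructed sample data; the tag covers both name and content, so an object swapped for another valid object is detected as well as an edited, truncated or deleted one.

```python
"""Client-side integrity manifest for objects kept at a cloud provider.
The customer holds the HMAC key and the provider never sees it, so a change,
truncation, deletion or swap of an object at the provider is detected when
the customer verifies what it fetched back."""
import hashlib
import hmac
import secrets

# Constructed sample data standing in for what the customer uploaded.
UPLOADED = {
    "ledger/2010-07.csv": b"txn,amount\n1,100.00\n2,250.50\n",
    "ledger/2010-08.csv": b"txn,amount\n3,75.25\n",
}

def build_manifest(key: bytes, objects: dict) -> dict:
    """Return {name: tag}; the tag binds name and content together, so a
    valid object re-stored under another name is still flagged."""
    manifest = {}
    for name, data in objects.items():
        mac = hmac.new(key, digestmod=hashlib.sha256)
        mac.update(name.encode())
        mac.update(b"\0")  # separator so name and data cannot run together
        mac.update(data)
        manifest[name] = mac.hexdigest()
    return manifest

def verify(key: bytes, manifest: dict, retrieved: dict) -> list:
    """Check objects fetched back from the provider against the manifest.
    Returns findings; an empty list means nothing was altered."""
    actual = build_manifest(key, retrieved)
    findings = []
    for name, tag in manifest.items():
        if name not in retrieved:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(actual[name], tag):
            findings.append(f"modified: {name}")
    for name in retrieved:
        if name not in manifest:
            findings.append(f"unexpected: {name}")
    return findings

def demo() -> tuple:
    """Clean round trip, then a simulated incident at the provider:
    one amount edited and one object deleted."""
    key = secrets.token_bytes(32)  # generated and kept on the customer side
    manifest = build_manifest(key, UPLOADED)
    tampered = {"ledger/2010-07.csv": b"txn,amount\n1,100.00\n2,250.05\n"}
    return verify(key, manifest, UPLOADED), verify(key, manifest, tampered)
```

The manifest itself must be stored where the provider cannot rewrite it (or be signed), otherwise the check only proves consistency with whatever the provider returns.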


Considerations – Vendor Responses


Considerations – Availability

- Risk Factors:
  - Network connectivity required
  - Transmission of data over 'noisy' channels
  - Increased potential points of failure
  - Limited ability to control changes
  - Reliance on provider DR
  - Viability of provider is not assured

- Mitigation Techniques:
  - RTOs in SLA
  - Network availability in ISP SLA
  - Diversify replication
  - Formal CCP
  - Multiple provider use
  - Plan for data retrieval
  - Error correction systems
  - Caching to address latency

Considerations – Vendor Responses


Considerations – Regulatory Compliance

- Risk Factors:
  - Data transmitted and stored
  - Information subject to new laws
  - Foreign governments
  - Different retention requirements
  - Audits of provider
  - Increased complexity to comply

- Mitigation Techniques:
  - Limit storage to specific countries
  - Contractual commitment to obey privacy laws
  - Security certifications of provider
  - External reviews (PCI, SAS70)
  - Limit data types / classification

Considerations - Enablers

- CSA – Cloud Security Alliance
- ISACA – Information Systems Audit & Control Association

Considerations – Overall Principles

Extensive due diligence involving:
- A portion of the cost savings obtained by cloud computing must be invested into increased scrutiny of the security capabilities of the provider and ongoing detailed audits to ensure requirements are continuously met.
- The principles of cloud computing make it very flexible and affordable, but they also create a dynamic relationship with the provider, which must be mitigated by ongoing risk management.
- Providers should have regular third party risk assessments, and these should be made available to customers.
- Require listings of all third parties of the cloud provider.
- Understand the financial viability of the cloud provider.
- Understand the cloud provider's key risks and performance indicators and how these can be monitored and measured.

The IS Auditor’s Role – Implementing the Cloud


IS Audit’s Role - Activities

1. Identify Control Requirements
  - Scope: Identify and evaluate controls to be implemented
  - Relevant skills: Controls, business risks, processes, RM, and 3rd party risk assessments
  - Business value: Perceived risks are the biggest barrier – IA can help understand and manage these risks and therefore support the business
  - Partners: IT and Information Security

2. Vendor Selection Support
  - Scope: Supports the evaluation of vendors – ensure a balanced assessment, review SAS70 reports, vendor contracts, etc.
  - Relevant skills: Independence, financial process, IT technical, due diligence
  - Business value: Manages the significant risks that the selected vendor will not be around tomorrow or that internal technology won't integrate; ensures appropriate contractual provisions and evidence of reliability (e.g. through 3rd party assessments)
  - Partners: IT, Procurement, Legal, Business users (depending on cloud type)

IS Audit’s Role - Activities

3. Vendor Management Review
  - Scope: Evaluate controls and procedures for managing vendor relationships (e.g. SLAs, invoice review, escalation, etc.)
  - Relevant skills: Contracts, ITIL, COBIT, performance management
  - Business value: Ensures that appropriate processes are in place to manage the significant new vendor relationship and maximize the value the organisation receives from it
  - Partners: IT, Procurement, Business Management

4. Data Migration Assessment
  - Scope: Assess planned data migration scope and method as well as future state data interface design
  - Relevant skills: Business process, accounting, data analytics
  - Business value: Assists the business and finance in gaining comfort around plans for cut-over from old to new systems and for the completeness and accuracy of data transferred
  - Partners: IT, Finance, Business Management

IS Audit’s Role - Activities

5. PMO / Project Management Assessment
  - Scope: Review project management / PMO capabilities
  - Relevant skills: Project management, risk management, financial performance management
  - Business value: Ensures that processes are in place that can support managing this complex and high risk project to the greatest benefit, in the shortest time, with the lowest risk
  - Partners: IT and PMO

6. Controls Review / Assessment / Testing
  - Scope: Perform review of controls to be put in place, test controls and provide advice on improvements
  - Relevant skills: Independence, IT controls, business processes, change management, security, etc.
  - Business value: Ensures IT and the business have taken appropriate steps to mitigate implementation and business process risks that will arise as part of the implementation
  - Partners: IT, Finance, Business Management

Questions?

- This presentation pack necessarily represents only part of the information we have considered in carrying out our work, being that which we selected to be most relevant to our understanding of your needs, in the light of this engagement.
- The information in this presentation pack will have been supplemented by matters arising from any oral presentation by us, and should be considered in the light of this additional information.
- If you require any further information or explanations of our underlying work, please contact us.
- The information in this presentation pack is confidential and contains proprietary information of Security Risk Solutions Ltd. It should not be provided to anyone other than the intended recipients without our written consent.
- Anyone who receives a copy of this presentation pack other than in the context of our oral presentation of its contents should note the first two points above, and that we shall not have any responsibility to anyone other than our client in respect of the information contained in this document.

Security Risk Solutions Limited
Bermuda Plaza, E2 Ngong Road
P.O. Box 15306, 00509 NAIROBI, Kenya
Tel. +254 (0) 20 2735401 / 2019286
Email. [email protected]
Web. http://www.securityrisksolutions.net