CLOUD COMPUTING RISK
MANAGEMENT
SECURITY CONSIDERATIONS FROM AN ASSURANCE PERSPECTIVE


George Thomas, SVP Internal Audit – First Data Corp
Brian Dickard, Director Internal Audit – First Data Corp
CLOUD COMPUTING RISK MANAGEMENT: SECURITY CONSIDERATIONS FROM AN ASSURANCE PERSPECTIVE




                                                 AGENDA

•    Introduction
•    Terminology and Stats
•    Major Public Cloud Services
•    Assessing Public Cloud Risk
•    Trends and Issues
•    Concluding Remarks



                                       INTRODUCTION

• First Data Vision
       – To shape the future of global commerce by
         delivering the world’s most secure and
         innovative payment solutions




            CLOUD COMPUTING – WHAT IS IT?

• Where did it come from?
• Why should I care as a business
  manager?
• What types of risk are there?
• How does it work?




         CLOUD COMPUTING – HOW DOES IT WORK?
• Understanding Cloud Computing
• Managing the risks




                                POLLING QUESTION

• How familiar are you with the major Cloud
  Service and Deployment models
       – A. Very familiar
       – B. Somewhat familiar
       – C. I’ve heard of them
       – D. Not familiar at all




                ESSENTIAL CHARACTERISTICS

•    Resource Pooling
•    Broad Network Access
•    Rapid Elasticity
•    Measured Service
•    On Demand Self Service




                        CLOUD SERVICE MODELS

• Infrastructure as a Service (IaaS)
       – “Raw” Servers, Disk Space, Network
       – Ex. Amazon Elastic Compute Cloud (EC2)
       – Foundational to PaaS and SaaS
       – Provider secures the facility, hardware and virtualization
         layer; everything above it (guest OS patching, host firewalling,
         identity and access, encryption of data) is the consumer’s job




                        CLOUD SERVICE MODELS

• Platform as a Service (PaaS)
       – Middleware and application development
         frameworks supported by provider
       – Cloud-deployed applications created and
         supported by consumer
       – Ex. Google App Engine
       – Built on top of IaaS
       – Security must be built in by developer
         (provider or consumer)

                        CLOUD SERVICE MODELS

• Software as a Service (SaaS)
       – “On Demand” application availability
       – Software and data hosted by provider
       – Accessed with a web browser
       – Ex. Gmail
       – Built on top of IaaS and PaaS
       – Largest share of the stack secured by the provider; the
         consumer still owns user access, data classification and the
         application’s security settings



                          CLOUD SERVICE LAYERS

(Layer diagram: SaaS stacked on PaaS stacked on IaaS. Provider-operated
security increases moving up the stack toward SaaS; consumer configuration
options increase moving down the stack toward IaaS.)

  IN-HOUSE IT ASSETS VS. “SPI” SERVICES

  In-House Attributes             SPI (SaaS/PaaS/IaaS) Attributes
  Fixed                           Elastic
  Overhead or Chargeback          Metered
  Service Request                 Self Service
  Private Network Accessible      Internet Accessible
  Dedicated                       Shared




                            DEPLOYMENT MODELS
• Public Cloud
       – More than one organization shares common IT
         resources operated by a provider
• Private Cloud
       – An organization buys and deploys its own IT
         resources - OR –
       – Contracts exclusive arrangement with a 3rd party
• Community Cloud
       – Infrastructure shared only by organizations with a common
         mission, cause or compliance need
       – Ex. State or Local governments
• Hybrid Cloud
       – A composition of two or more of the above, connected so that
         data or applications can move between them

                             POTENTIAL BENEFITS

• Pay as you go model (low fixed cost)
• Remote access
• Rapid scalability
• Quicker deployment of IT-enabled
  strategies
• Stay current on technology upgrades
• Resiliency / Redundancy

    WHERE PRIVATE CLOUDS MAKE SENSE

• Large Corporate Data Center
       – High rate of optimization through virtualization
       – Diversity of apps are coded to run using
         common O/S, database and network
       – Apps are “swapped out” on common
         hardware based on processing load
       – Same hardware that runs mission critical app
         may also run support app in non-peak time
       – “Workload Agnostic Computing”

                           VIRTUALIZATION STATS
• InfoWeek Poll – Major Corporations
       – 97% use Server Virtualization extensively or
         on a limited basis (ex. VMware vSphere)
       – 57% use Storage Virtualization (ex. NetApp)
       – 44% use Desktop Virtualization (ex. Citrix)
       – 42% use Application Virtualization (ex.
         VMware ThinApp)
       – 37% use I/O Virtualization (ex. Cisco VFrame)
       – 30% use Network Virtualization (ex. Nicira
         Networks “DVNI”)

     WHERE PUBLIC CLOUDS MAKE SENSE
• Businesses of any size where captive IT resources
  aren’t cost effective or available
       – Fixed capital expense becomes variable operating
         expense
       – Can quickly level the playing field for small and
         medium sized businesses
• “Cloud Bursting”
       – Adding incremental capacity to meet peak or
         seasonal demands
• Prototyping
       – Running simulations to determine in-house data
         center capacity needs

                                POLLING QUESTION

• Describe your usage of Public Cloud
  infrastructure
       – A. Active production deployment
       – B. Evaluating or budgeted plans for
         production deployment
       – C. No plans for Public Cloud deployment
       – D. Don’t know



                            PUBLIC CLOUD PLANS

• Infoweek Survey
       – 26% plan to deploy in the next year
       – 38% have no plans to deploy
       – 11% already have public deployment
• Are you sure?
       – DR scenario: failing over a private cloud to a provider’s
         public cloud puts your data in the public cloud




              ESSENCE OF THE PUBLIC CLOUD DECISION

• A thoughtfully considered (see next slide) decision to
  move one of the following into the public
  cloud domain:
       – Data
              • Essential to map your data and understand
                whether, and how, it flows in and out of the cloud
              • Important to classify low value, high value
                regulated and high value unregulated assets
       – Transactions/Processing

          THOUGHTFULLY CONSIDER - HOW?
• How would you be harmed if:
       – The asset became widely public or widely
         distributed?
       – An employee of the cloud provider accessed the
         asset?
       – The process or function was manipulated by an
         outsider?
       – The process or function failed to provide the
         expected results?
       – The information/data was unexpectedly changed?
       – The asset were unavailable for a period of time?
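Worked example, added here and not part of the slides: the data mapping and the six harm questions above turned into a repeatable placement decision for any number of assets. The Impact scale, the decision thresholds, the required-control wording and the three sample assets are assumptions for illustration.

```python
"""Decide where a data asset may be placed from its classification, its flows
across the cloud boundary and a rating of the six harm scenarios.
Added illustration; scale, thresholds and sample assets are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):          # assumed rating scale
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# The six "how would you be harmed if ..." scenarios, in slide order.
HARM_SCENARIOS = (
    "widely_public",          # asset became widely public or widely distributed
    "provider_insider",       # a cloud provider employee accessed the asset
    "outsider_manipulation",  # process or function manipulated by an outsider
    "wrong_results",          # process failed to provide the expected results
    "unexpected_change",      # information/data unexpectedly changed
    "unavailable",            # asset unavailable for a period of time
)
CLASSIFICATIONS = ("low_value", "high_value_unregulated", "high_value_regulated")


@dataclass
class DataAsset:
    name: str
    classification: str
    flows_into_cloud: bool          # data enters the provider's boundary
    flows_out_of_cloud: bool        # data leaves it again (e.g. back on-premises)
    harm: dict = field(default_factory=dict)   # scenario name -> Impact

    def __post_init__(self):
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"{self.name}: unknown classification {self.classification!r}")
        missing = set(HARM_SCENARIOS) - set(self.harm)
        if missing:                 # an unrated scenario is a gap in the data map
            raise ValueError(f"{self.name}: unrated harm scenarios {sorted(missing)}")


def worst_case(asset: DataAsset) -> Impact:
    """Highest impact across the six scenarios; this drives the decision."""
    return max(Impact(v) for v in asset.harm.values())


def acceptable_models(asset: DataAsset) -> list[str]:
    """Deployment models the asset may use, least to most shared.
    Assumed rule: regulated + HIGH worst case -> private only; HIGH on either
    disclosure scenario -> nothing shared with the general public; MODERATE
    worst case -> public only with a provider attestation (SOC 2, ISO 27001
    or a completed CCM) covering the relevant controls; otherwise any model."""
    wc = worst_case(asset)
    disclosure = max(Impact(asset.harm["widely_public"]),
                     Impact(asset.harm["provider_insider"]))
    if asset.classification == "high_value_regulated" and wc >= Impact.HIGH:
        return ["private"]
    if disclosure >= Impact.HIGH:
        return ["private", "community"]
    if wc >= Impact.MODERATE:
        return ["private", "community", "public (with provider attestation)"]
    return ["private", "community", "public"]


def required_controls(asset: DataAsset) -> list[str]:
    """Control areas the provider contract and assessment must cover (assumed wording)."""
    needs = []
    if asset.flows_into_cloud or asset.flows_out_of_cloud:
        needs.append("encryption in transit at the cloud boundary")
    if asset.classification == "high_value_regulated":
        needs.append("regulatory scope (GLBA/PCI DSS/HIPAA) and breach notification in contract")
    if Impact(asset.harm["provider_insider"]) >= Impact.MODERATE:
        needs.append("provider personnel screening and privileged-access logging")
    if Impact(asset.harm["unexpected_change"]) >= Impact.MODERATE:
        needs.append("integrity controls and change management evidence")
    if Impact(asset.harm["unavailable"]) >= Impact.MODERATE:
        needs.append("availability SLA and tested DR")
    return needs


def assess(assets: list[DataAsset]) -> dict[str, dict]:
    """The data map: each asset with worst case, allowed models and required controls."""
    return {a.name: {"worst_case": worst_case(a).name,
                     "models": acceptable_models(a),
                     "controls": required_controls(a)} for a in assets}


# Constructed sample assets (illustration only).
SAMPLE_ASSETS = [
    DataAsset("cardholder data", "high_value_regulated", True, True, harm={
        "widely_public": Impact.HIGH, "provider_insider": Impact.HIGH,
        "outsider_manipulation": Impact.HIGH, "wrong_results": Impact.MODERATE,
        "unexpected_change": Impact.HIGH, "unavailable": Impact.MODERATE}),
    DataAsset("marketing brochures", "low_value", True, False, harm={
        "widely_public": Impact.NONE, "provider_insider": Impact.NONE,
        "outsider_manipulation": Impact.LOW, "wrong_results": Impact.LOW,
        "unexpected_change": Impact.LOW, "unavailable": Impact.LOW}),
    DataAsset("capacity simulation results", "high_value_unregulated", True, True, harm={
        "widely_public": Impact.MODERATE, "provider_insider": Impact.LOW,
        "outsider_manipulation": Impact.LOW, "wrong_results": Impact.MODERATE,
        "unexpected_change": Impact.MODERATE, "unavailable": Impact.LOW}),
]

if __name__ == "__main__":
    for name, result in assess(SAMPLE_ASSETS).items():
        print(name, result)
```

The point of the structure is that the answer is not "cloud: yes/no" but "this asset, in these models, provided the contract and assessment cover these controls"; the control list feeds directly into what you ask the provider for (next slides).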


               TOP PUBLIC CLOUD CONCERNS

• Data Security
       – Assurance framework
• Reliability / Availability
• Integration with Existing Systems
• Loss of Control




                        A GROWING OPPORTUNITY

(Bar chart: revenue from "public cloud" services, in billions of dollars, by
year 2008 through 2013, y-axis 0 to 70. Source: Forrester Research.)


 MAJOR PUBLIC CLOUD SERVICE PROVIDERS (vendor logo slide; logos not reproduced in this extract)




                                POLLING QUESTION

• Do you see a vendor on the previous slide,
  who is used by your company, but you
  were unaware they were a provider of
  cloud services?
       – A. Yes
       – B. No




                APPLICABLE COMPLIANCE CERTIFICATIONS
• SSAE 16 (SOC 1), SOC 2 and SOC 3
       – SOC 1: controls relevant to the customer’s financial reporting
       – SOC 2/3: trust services principles (security, availability,
         processing integrity, confidentiality, privacy)
       – Check that the report’s system boundary, scope and period cover
         the service you actually consume; a Type I report attests control
         design at a point in time, a Type II attests operating
         effectiveness over a period
• ISO 9001 (ISO 9002 was withdrawn into ISO 9001 in 2000)
       – Quality oriented controls
       – Focused on process, not security
• ISO 27001 / 27002
       – Security oriented controls (27001 is the certifiable standard,
         27002 the code of practice)
       – Focused on security
• TIA-942 (Telecommunications Industry Association)
       – Data center infrastructure tier ratings, up to fault tolerant
       – Focused on resilience


             PII BREACH BY CLOUD PROVIDER
• A breach at the provider can put you, the data owner, in violation of:
       – Privacy Rule and Safeguards Rule under GLBA
       – PCI DSS requirements for cardholder data transmission and
         storage (a contractual industry standard rather than a law, but
         with fines and loss of processing rights as the sanction)
       – HIPAA restrictions on sharing health care data
       – Breach notification provisions under the HITECH Act
• Whether the provider shares that liability depends on the
  contract (e.g. a HIPAA business associate agreement, a written
  allocation of PCI DSS responsibilities, breach notification and
  audit-right clauses)
• You can’t outsource your accountability for
  information security

                    ASSURANCE FRAMEWORKS
• Cloud Security Alliance (CSA)
       – Cloud Controls Matrix
       – https://cloudsecurityalliance.org

• Information Systems Audit and Control Association (ISACA)
       – Cloud Computing Management Audit/Assurance Program
       – http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx

• European Network and Information Security Agency (ENISA)
       – Cloud Computing Security Risk Assessment
       – http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment


                    CLOUD SECURITY ALLIANCE
• GRC “Stack”
       –   Cloud Controls Matrix
       –   Consensus Assessments Initiative
       –   Cloud Audit
       –   Cloud Trust Protocol


       – Designed to support both cloud consumers and cloud
         providers
       – Created to capture value from the cloud as well as
         support compliance and control within the cloud

                                 © 2011 Cloud Security Alliance, Inc. All rights reserved

                                            GRC STACK
• Cloud Controls Matrix
       – Fundamental security principles in specifying the
         overall security needs of a cloud consumer and
         assessing the overall security risk of a cloud provider
       – What control requirements should I have as a cloud
         consumer or cloud provider?
• Consensus Assessments Initiative
       – Industry-accepted ways to document what security
         controls exist
       – How do I ask about the control requirements that are
         satisfied (consumer) or express my claim of control
         response (provider)?

                                            GRC STACK
• Cloud Audit
       – Common interface and namespace to automate the Audit,
         Assertion, Assessment, and Assurance of cloud
         environments
       – How do I announce and automate my claims of audit
         support for all of the various compliance mandates and
         control obligations?
• Cloud Trust Protocol
       – Common technique and nomenclature to request and
         receive evidence and affirmation of current cloud service
         operating circumstances from cloud provider
       – How do I know that the controls I need are working for me
         (consumer)? How do I provide actual security and
         transparency of service to all of my cloud users (provider)?

                      CLOUD CONTROLS MATRIX
Controls base-lined and mapped to:
      – BITS Shared Assessments
      – COBIT
      – FedRAMP
      – HIPAA/HITECH Act
      – ISO/IEC 27001:2005
      – Jericho Forum
      – NERC CIP
      – NIST SP 800-53
      – PCI DSS v2.0

        CLOUD CONTROL MATRIX - DOMAINS
        1. Compliance (CO)
        2. Data Governance (DG)
        3. Facility Security (FS)
        4. Human Resources (HR)
        5. Information Security (IS)
        6. Legal (LG)
        7. Operations Management (OM)
        8. Risk Management (RI)
        9. Release Management (RM)
        10. Resiliency (RS)
        11. Security Architecture (SA)




                                    CCM - CONTROLS
(Four slides listing the CCM controls, shown as images in the original; not
reproduced in this extract.)

         CLOUD CONTROL MATRIX - SAMPLE
(Sample matrix shown as an image in the original; not reproduced in this extract.)

   WHAT DO YOU DO WITH A COMPLETED CCM?
• Consumer: As an internal assessment tool
       – Log exceptions and draft a report of provider’s
         level of control maturity or a gap analysis
• Provider: As a public assertion of control
  maturity
       – CSA STAR (Security, Trust and Assurance
         Registry)

       – Trusted Cloud Initiative
              • www.cloudsecurityalliance.org/trustedcloud.html
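Added example, not from the deck or the CSA: the consumer-side use of a completed matrix described above. Provider answers to a CAIQ-style yes/no/n-a questionnaire are checked against the controls the consumer requires for a workload, every shortfall is logged as an exception, and a per-domain maturity score is produced for the gap report. The control IDs use the CCM domain-code prefixes listed on the domains slide, but the specific IDs, the provider’s answers and the evidence references are constructed.

```python
"""Gap analysis over a completed CCM / CAIQ-style questionnaire.
Added illustration; control IDs, answers and evidence references are constructed."""
from __future__ import annotations
import re
from collections import defaultdict

# CCM domains as listed in the deck (v1.1 codes).
CCM_DOMAINS = {
    "CO": "Compliance", "DG": "Data Governance", "FS": "Facility Security",
    "HR": "Human Resources", "IS": "Information Security", "LG": "Legal",
    "OM": "Operations Management", "RI": "Risk Management",
    "RM": "Release Management", "RS": "Resiliency", "SA": "Security Architecture",
}
CONTROL_ID = re.compile(r"^(?P<domain>[A-Z]{2})-(?P<num>\d{2})$")
VALID_ANSWERS = {"yes", "no", "n/a"}


def parse_responses(rows) -> dict[str, tuple[str, str]]:
    """rows: (control_id, answer, evidence) -> {control_id: (answer, evidence)}.
    Rejects malformed IDs, unknown domains, unknown answers and duplicates so a
    sloppy questionnaire cannot silently count as coverage."""
    out = {}
    for control_id, answer, evidence in rows:
        m = CONTROL_ID.match(control_id)
        if not m or m["domain"] not in CCM_DOMAINS:
            raise ValueError(f"bad control id {control_id!r}")
        answer = answer.strip().lower()
        if answer not in VALID_ANSWERS:
            raise ValueError(f"{control_id}: answer must be one of {sorted(VALID_ANSWERS)}")
        if control_id in out:
            raise ValueError(f"{control_id}: duplicate response")
        out[control_id] = (answer, evidence.strip())
    return out


def exceptions(responses, required) -> list[tuple[str, str]]:
    """Exception log for the consumer's required controls. A required control is
    an exception when unanswered, answered 'no', scoped out as 'n/a' (the
    provider must justify that), or 'yes' without an evidence reference
    (an unsupported claim is not assurance)."""
    log = []
    for cid in sorted(required):
        if cid not in responses:
            log.append((cid, "not answered"))
            continue
        answer, evidence = responses[cid]
        if answer == "no":
            log.append((cid, "control not implemented"))
        elif answer == "n/a":
            log.append((cid, "provider scoped control out; justification needed"))
        elif not evidence:
            log.append((cid, "claimed without evidence"))
    return log


def domain_maturity(responses, required) -> dict[str, dict]:
    """Per domain: required controls, evidenced 'yes' answers, and their ratio."""
    counts = defaultdict(lambda: [0, 0])   # domain -> [required, satisfied]
    for cid in required:
        domain = cid[:2]
        counts[domain][0] += 1
        answer, evidence = responses.get(cid, ("no", ""))
        if answer == "yes" and evidence:
            counts[domain][1] += 1
    return {d: {"name": CCM_DOMAINS[d], "required": req, "satisfied": sat,
                "score": round(sat / req, 2)}
            for d, (req, sat) in sorted(counts.items())}


# Constructed sample: controls the consumer needs for a regulated workload ...
REQUIRED_CONTROLS = {"CO-01", "DG-02", "DG-05", "IS-04", "IS-18", "RS-03", "SA-02"}
# ... and what the provider returned on the questionnaire (constructed).
PROVIDER_RESPONSES = [
    ("CO-01", "Yes", "SOC 2 Type II report, 2011"),
    ("DG-02", "yes", "Data classification standard DG-STD-7"),
    ("DG-05", "no", ""),
    ("IS-04", "yes", ""),                          # claim with no evidence
    ("RS-03", "N/A", "no DR commitment in this tier"),
    ("SA-02", "yes", "Network segmentation diagram NW-12"),
    # IS-18 not answered at all
]

if __name__ == "__main__":
    resp = parse_responses(PROVIDER_RESPONSES)
    for cid, reason in exceptions(resp, REQUIRED_CONTROLS):
        print(f"EXCEPTION {cid}: {reason}")
    for d, row in domain_maturity(resp, REQUIRED_CONTROLS).items():
        print(f"{d} {row['name']}: {row['satisfied']}/{row['required']} ({row['score']})")
```

Scoring only evidenced "yes" answers is deliberate: a provider's self-assertion in the STAR registry is a starting point for questions, and the exception log is the list of questions.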

                                POLLING QUESTION
• Regarding the Cloud Security Alliance Cloud
  Control Matrix:
       – A. I am familiar with the CSA and CCM and have
         used the framework to assess cloud service
         providers.
       – B. I am familiar with the framework but have yet
         to use it.
       – C. I have not previously heard of the framework
         but think it might be useful.
       – D. I don’t think this framework is applicable to my
         company’s assessment of cloud service
         providers.

         INTEGRATION TRENDS / CONCERNS

• “Bring Your Own Device” (BYOD)
       – Smartphone, tablet, laptop


• “Bring Your Own Cloud” (BYOC)
       – Google Docs, Dropbox, iCloud, SkyDrive




                       “DATA AWARE” SECURITY

• Information Security trend
• Knowing if a particular combination of
  user, device, and software can be trusted
  with access to specific information
• Challenge: Encoding this security
  intelligence into your data before you store
  it in the public cloud
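One way to meet the challenge above, shown as an added example rather than anything the deck prescribes: the data owner binds an access policy to the object with an HMAC under a key the cloud provider never holds, so neither the provider nor anyone who can edit the stored object can strip or loosen the policy unnoticed. On retrieval the consumer verifies that binding and evaluates the user, device and software combination against the policy before releasing the data. The policy schema, the context fields and the sample values are assumptions; a real deployment would also encrypt the payload under a consumer-held key, which is left out to keep the example to the standard library.

```python
"""A tamper-evident access policy that travels with the data.
Added illustration; policy schema, context fields and sample values are assumed."""
from __future__ import annotations
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    user_roles: frozenset          # roles asserted by the identity provider
    device_managed: bool           # device enrolled in management
    device_encrypted: bool         # full-disk encryption confirmed
    software: str                  # client application name
    software_version: tuple        # e.g. (2, 1, 0)


def _canonical(policy: dict) -> bytes:
    # Deterministic serialisation so the same policy always yields the same tag.
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def seal(owner_key: bytes, payload: bytes, policy: dict) -> dict:
    """Build the envelope stored in the public cloud: payload, policy and a tag
    binding the two, so neither can be changed without the owner's key."""
    digest = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(owner_key, digest.encode() + b"\n" + _canonical(policy),
                   hashlib.sha256).hexdigest()
    return {"policy": policy, "sha256": digest, "tag": tag, "payload": payload.hex()}


def verify(owner_key: bytes, envelope: dict) -> bool:
    """True only if payload and policy are the pair the owner sealed together."""
    payload = bytes.fromhex(envelope["payload"])
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, envelope["sha256"]):
        return False
    expected = hmac.new(owner_key, digest.encode() + b"\n" + _canonical(envelope["policy"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def decide(policy: dict, ctx: AccessContext) -> tuple[bool, str]:
    """Evaluate the user/device/software combination against the bound policy."""
    if not set(policy["roles_any"]) & set(ctx.user_roles):
        return False, "user lacks a permitted role"
    dev = policy["device"]
    if dev.get("managed") and not ctx.device_managed:
        return False, "unmanaged device"
    if dev.get("encrypted") and not ctx.device_encrypted:
        return False, "device not encrypted"
    min_version = policy["software"].get(ctx.software)
    if min_version is None:
        return False, f"software {ctx.software!r} not on allow-list"
    if tuple(ctx.software_version) < tuple(min_version):
        return False, f"{ctx.software} below minimum version {min_version}"
    return True, "allowed"


def open_object(owner_key: bytes, envelope: dict, ctx: AccessContext) -> bytes:
    """Release the data only after the binding is verified and the policy allows it."""
    if not verify(owner_key, envelope):
        raise PermissionError("envelope tampered: policy or data does not match tag")
    ok, reason = decide(envelope["policy"], ctx)
    if not ok:
        raise PermissionError(reason)
    return bytes.fromhex(envelope["payload"])


# Constructed sample policy and owner key (illustration only; keep real keys in a KMS).
SAMPLE_POLICY = {
    "roles_any": ["finance", "internal-audit"],
    "device": {"managed": True, "encrypted": True},
    "software": {"ledger-client": [2, 1], "hardened-browser": [90, 0]},  # name -> min version
}
OWNER_KEY = b"example-owner-key-never-stored-in-cloud"

if __name__ == "__main__":
    env = seal(OWNER_KEY, b"Q3 settlement totals", SAMPLE_POLICY)
    ctx = AccessContext(frozenset({"finance"}), True, True, "ledger-client", (2, 3, 0))
    print(open_object(OWNER_KEY, env, ctx))
```

The ordering in open_object matters: integrity of the policy is checked before the policy is consulted, otherwise an edited envelope could grant itself access. The provider only ever sees the envelope and cannot forge a tag without the owner key.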


                                                   RECAP

• Cloud computing has tangible benefits and
  could be a strategic differentiator
• Your organization may be more actively
  deployed to the “cloud” than you realize
• New risks are introduced, but can be
  managed with assurance frameworks



                                          QUESTIONS?


• George.Thomas@firstdata.com

• Brian.Dickard@firstdata.com




                                         REFERENCES
• Cloud Security Alliance
       – Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 (2011)
              • https://cloudsecurityalliance.org/research/security-guidance/
       – Cloud Security Alliance GRC Stack (2011)
              • https://cloudsecurityalliance.org/research/grc-stack/
       – Cloud Security Alliance Cloud Controls Matrix V1.1 (2010)
              • https://cloudsecurityalliance.org/research/ccm/
• Information Week (Jan-Mar 2012)
• MIT Technology Review (Jan-Mar 2012)
AWS Journey through the AWS Cloud: Disaster Recovery
 
Ict In Disaster Risk Reduction India Case
Ict In Disaster Risk Reduction  India CaseIct In Disaster Risk Reduction  India Case
Ict In Disaster Risk Reduction India Case
 
It security for libraries part 3 - disaster recovery
It security for libraries part 3 - disaster recovery It security for libraries part 3 - disaster recovery
It security for libraries part 3 - disaster recovery
 
Alliance session 4373 risk management from on premise to the cloud – a foc...
Alliance session 4373    risk management from on premise to the cloud – a foc...Alliance session 4373    risk management from on premise to the cloud – a foc...
Alliance session 4373 risk management from on premise to the cloud – a foc...
 
Disaster recovery and the cloud
Disaster recovery and the cloudDisaster recovery and the cloud
Disaster recovery and the cloud
 
Cloud Backup or Cloud Disaster Recovery – Key differences explained! | Sysfore
Cloud Backup or Cloud Disaster Recovery – Key differences explained! | SysforeCloud Backup or Cloud Disaster Recovery – Key differences explained! | Sysfore
Cloud Backup or Cloud Disaster Recovery – Key differences explained! | Sysfore
 
Alliance 2017 3891-University of California | Office of The President People...
Alliance 2017  3891-University of California | Office of The President People...Alliance 2017  3891-University of California | Office of The President People...
Alliance 2017 3891-University of California | Office of The President People...
 

Similaire à Cloud Computing Risk Management (IIA Webinar)

Enterprise Security in Cloud
Enterprise Security in CloudEnterprise Security in Cloud
Enterprise Security in CloudLenin Aboagye
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02abhisheknayak29
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Crew
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloudAjay Rathi
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14L S Subramanian
 
Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simpleSameer Paradia
 
Appistry Cloud Computing for Government Featuring FedEx
Appistry Cloud Computing for Government Featuring FedExAppistry Cloud Computing for Government Featuring FedEx
Appistry Cloud Computing for Government Featuring FedExAppistry
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesHyTrust
 
Eo navigating the cloud
Eo navigating the cloudEo navigating the cloud
Eo navigating the cloudeophiladelphia
 
Eo navigating the cloud v8
Eo navigating the cloud v8Eo navigating the cloud v8
Eo navigating the cloud v8Nerve2012
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudnooralmousa
 
The Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameJanine Anthony Bowen, Esq.
 
Building a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementBuilding a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementNishant Kaushik
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityInternap
 
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...Amazon Web Services
 
Big data, security, and the cloud
Big data, security, and the cloudBig data, security, and the cloud
Big data, security, and the cloudPano Xinos
 
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
Info Sec 2010   Possibilities And Security Challenges Of Cloud Computing (Han...Info Sec 2010   Possibilities And Security Challenges Of Cloud Computing (Han...
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...ptaglephd
 

Similaire à Cloud Computing Risk Management (IIA Webinar) (20)

Enterprise Security in Cloud
Enterprise Security in CloudEnterprise Security in Cloud
Enterprise Security in Cloud
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Enterprise Security in Hybrid Cloud ISACA-SV 2012Enterprise Security in Hybrid Cloud ISACA-SV 2012
Enterprise Security in Hybrid Cloud ISACA-SV 2012
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
MISA Cloud workshop - Cloud 101
MISA Cloud workshop - Cloud 101MISA Cloud workshop - Cloud 101
MISA Cloud workshop - Cloud 101
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloud
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14
 
Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simple
 
Appistry Cloud Computing for Government Featuring FedEx
Appistry Cloud Computing for Government Featuring FedExAppistry Cloud Computing for Government Featuring FedEx
Appistry Cloud Computing for Government Featuring FedEx
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
 
Eo navigating the cloud
Eo navigating the cloudEo navigating the cloud
Eo navigating the cloud
 
Eo navigating the cloud v8
Eo navigating the cloud v8Eo navigating the cloud v8
Eo navigating the cloud v8
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloud
 
The Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the Game
 
Building a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity ManagementBuilding a Strong Foundation for Your Cloud with Identity Management
Building a Strong Foundation for Your Cloud with Identity Management
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
 
Big data, security, and the cloud
Big data, security, and the cloudBig data, security, and the cloud
Big data, security, and the cloud
 
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
Info Sec 2010   Possibilities And Security Challenges Of Cloud Computing (Han...Info Sec 2010   Possibilities And Security Challenges Of Cloud Computing (Han...
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
 
Cloud security v2
Cloud security v2Cloud security v2
Cloud security v2
 

Cloud Computing Risk Management (IIA Webinar) – slide transcript

1. CLOUD COMPUTING RISK MANAGEMENT
   SECURITY CONSIDERATIONS FROM AN ASSURANCE PERSPECTIVE
   George Thomas, SVP Internal Audit – First Data Corp
   Brian Dickard, Director Internal Audit – First Data Corp

2. AGENDA
• Introduction
• Terminology and Stats
• Major Public Cloud Services
• Assessing Public Cloud Risk
• Trends and Issues
• Concluding Remarks

3. INTRODUCTION
• First Data Vision
  – To shape the future of global commerce by delivering the world’s most secure and innovative payment solutions

4. CLOUD COMPUTING – WHAT IS IT?
• Where did it come from?
• Why should I care as a business manager?
• What types of risk are there?
• How does it work?

5. CLOUD COMPUTING – HOW DOES IT WORK?
• Understanding Cloud Computing
• Managing the risks

6. POLLING QUESTION
• How familiar are you with the major Cloud Service and Deployment models?
  – A. Very familiar
  – B. Somewhat familiar
  – C. I’ve heard of them
  – D. Not familiar at all

7. ESSENTIAL CHARACTERISTICS
• Resource Pooling
• Broad Network Access
• Rapid Elasticity
• Measured Service
• On Demand Self Service

8. CLOUD SERVICE MODELS
• Infrastructure as a Service (IaaS)
  – “Raw” Servers, Disk Space, Network
  – Ex. Amazon Elastic Cloud Computing (EC2)
  – Foundational to PaaS and SaaS
  – Security (other than physical) provided by cloud consumer

9. CLOUD SERVICE MODELS
• Platform as a Service (PaaS)
  – Middleware and application development frameworks supported by provider
  – Cloud-deployed applications created and supported by consumer
  – Ex. Google App Engine
  – Built on top of IaaS
  – Security must be built in by developer (provider or consumer)

10. CLOUD SERVICE MODELS
• Software as a Service (SaaS)
  – “On Demand” application availability
  – Software and data hosted by provider
  – Accessed with a web browser
  – Ex. Gmail
  – Built on top of IaaS and PaaS
  – Highest provider security level

11. CLOUD SERVICE LAYERS
(Stack diagram, top to bottom: SaaS, PaaS, IaaS. Arrow labels: consumer configuration options increase toward IaaS; provider-supplied security increases toward SaaS.)
12. IN-HOUSE IT ASSETS VS. “SPI” SERVICES
  In-House Attributes          SPI Attributes
  Fixed                        Elastic
  Overhead or Chargeback       Metered
  Service Request              Self Service
  Private Network Accessible   Internet Accessible
  Dedicated                    Shared

13. DEPLOYMENT MODELS
• Public Cloud
  – More than one organization shares common IT resources
• Private Cloud
  – An organization buys and deploys its own IT resources – OR –
  – Contracts exclusive arrangement with a 3rd party
• Community Cloud
  – Usage of public cloud by common mission or cause
  – Ex. State or Local governments
• Hybrid Cloud
  – Some elements of all three

14. POTENTIAL BENEFITS
• Pay as you go model (low fixed cost)
• Remote access
• Rapid scalability
• Quicker deployment of IT-enabled strategies
• Stay current on technology upgrades
• Resiliency / Redundancy

15. WHERE PRIVATE CLOUDS MAKE SENSE
• Large Corporate Data Center
  – High rate of optimization through virtualization
  – Diversity of apps are coded to run using common O/S, database and network
  – Apps are “swapped out” on common hardware based on processing load
  – Same hardware that runs mission critical app may also run support app in non-peak time
  – “Workload Agnostic Computing”

16. VIRTUALIZATION STATS
• InfoWeek Poll – Major Corporations
  – 97% use Server Virtualization extensively or on a limited basis (ex. VMWare vSphere)
  – 57% use Storage Virtualization (ex. NetApp)
  – 44% use Desktop Virtualization (ex. Citrix)
  – 42% use Application Virtualization (ex. Vmware ThinApp)
  – 37% use I/O Virtualization (ex. Cisco VFrame)
  – 30% use Network Virtualization (ex. Nicira Networks “DVNI”)

17. WHERE PUBLIC CLOUDS MAKE SENSE
• Businesses of any size where captive IT resources aren’t cost effective or available
  – Fixed capital expense becomes variable operating expense
  – Can quickly level the playing field for small and medium sized businesses
• “Cloud Bursting”
  – Adding incremental capacity to meet peak or seasonal demands
• Prototyping
  – Running simulations to determine in-house data center capacity needs

18. POLLING QUESTION
• Describe your usage of Public Cloud infrastructure
  – A. Active production deployment
  – B. Evaluating or budgeted plans for production deployment
  – C. No plans for Public Cloud deployment
  – D. Don’t know

19. PUBLIC CLOUD PLANS
• Infoweek Survey
  – 26% plan to deploy in the next year
  – 38% have no plans to deploy
  – 11% already have public deployment
• Are you sure?
  – DR scenario: private cloud becomes public

20. ESSENCE OF THE PUBLIC CLOUD DECISION
• A thoughtfully considered* decision to move one of the following into the public cloud domain:
  – Data
    • Essential to map your data and understand whether, and how, it flows in and out of the cloud
    • Important to classify low value, high value regulated and high value unregulated assets
  – Transactions/Processing

21. THOUGHTFULLY CONSIDER – HOW?
• How would you be harmed if:
  – The asset became widely public or widely distributed?
  – An employee of the cloud provider accessed the asset?
  – The process or function was manipulated by an outsider?
  – The process or function failed to provide the expected results?
  – The information/data was unexpectedly changed?
  – The asset were unavailable for a period of time?

22. TOP PUBLIC CLOUD CONCERNS
• Data Security
  – Assurance framework
• Reliability / Availability
• Integration with Existing Systems
• Loss of Control

23. A GROWING OPPORTUNITY
(Bar chart: revenue from "public cloud" services, in billions of dollars, 2008–2013; vertical axis 0–70. Source: Forrester Research)

24. MAJOR PUBLIC CLOUD SERVICE PROVIDERS

25. POLLING QUESTION
• Do you see a vendor on the previous slide who is used by your company, but you were unaware they were a provider of cloud services?
  – A. Yes
  – B. No
26. APPLICABLE COMPLIANCE CERTIFICATIONS
• SSAE-16, SOC-1,2,3
  – Financial Reporting and service oriented controls
  – Focused on integrity
• ISO 9002
  – Quality oriented controls
  – Focused on process
• ISO 27001 / 27002
  – Security oriented controls
  – Focused on security
• TIA 942 (Telecommunications Industry Association)
  – Data center fault tolerant controls
  – Focused on resilience

27. PII BREACH BY CLOUD PROVIDER
• Could subject them to violations under the following privacy laws:
  – Privacy and safeguard rules under GLBA
  – PCI-DSS data transmission and storage security provisions
  – HIPAA restrictions on sharing health care data
  – Breach provisions under the HITECH Act
• Depends on provider’s contract provisions
• You can’t outsource your accountability for information security

28. ASSURANCE FRAMEWORKS
• Cloud Security Alliance (CSA)
  – Cloud Controls Matrix
  – https://cloudsecurityalliance.org
• Information Systems Audit and Control Association (ISACA)
  – Cloud Computing Management Audit/Assurance Program
  – http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx
• European Network and Information Security Agency (ENISA)
  – Cloud Computing Security Risk Assessment
  – http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

29. CLOUD SECURITY ALLIANCE
• GRC “Stack”
  – Cloud Controls Matrix
  – Consensus Assessments Initiative
  – Cloud Audit
  – Cloud Trust Protocol
  – Designed to support both cloud consumers and cloud providers
  – Created to capture value from the cloud as well as support compliance and control within the cloud
© 2011 Cloud Security Alliance, Inc. All rights reserved

30. GRC STACK
• Cloud Controls Matrix
  – Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider
  – What control requirements should I have as a cloud consumer or cloud provider?
• Consensus Assessments Initiative
  – Industry-accepted ways to document what security controls exist
  – How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
© 2011 Cloud Security Alliance, Inc. All rights reserved

31. GRC STACK
• Cloud Audit
  – Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance of cloud environments
  – How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
• Cloud Trust Protocol
  – Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud provider
  – How do I know that the controls I need are working for me (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?
© 2011 Cloud Security Alliance, Inc. All rights reserved

32. CLOUD CONTROLS MATRIX
Controls base-lined and mapped to:
  – BITS Shared Assessments
  – COBIT
  – FedRAMP
  – HIPAA/HITECH Act
  – ISO/IEC 27001-2005
  – Jericho Forum
  – NERC CIP
  – NIST SP800-53
  – PCI DSSv2.0
© 2011 Cloud Security Alliance, Inc. All rights reserved

33. CLOUD CONTROL MATRIX – DOMAINS
  1. Compliance (CO)
  2. Data Governance (DG)
  3. Facility Security (FS)
  4. Human Resources (HR)
  5. Information Security (IS)
  6. Legal (LG)
  7. Operations Management (OM)
  8. Risk Management (RI)
  9. Release Management (RM)
  10. Resiliency (RS)
  11. Security Architecture (SA)
© 2011 Cloud Security Alliance, Inc. All rights reserved

34. CCM – CONTROLS
© 2011 Cloud Security Alliance, Inc. All rights reserved

35. CCM – CONTROLS (CONT.)
© 2011 Cloud Security Alliance, Inc. All rights reserved

36. CCM – CONTROLS (CONT.)
© 2011 Cloud Security Alliance, Inc. All rights reserved

37. CCM – CONTROLS (CONT.)
© 2011 Cloud Security Alliance, Inc. All rights reserved

38. CLOUD CONTROL MATRIX – SAMPLE
© 2011 Cloud Security Alliance, Inc. All rights reserved

39. WHAT DO YOU DO WITH A COMPLETED CCM?
• Consumer: As an internal assessment tool
  – Log exceptions and draft a report of provider’s level of control maturity or a gap analysis
• Provider: As a public assertion of control maturity
  – CSA STAR (Security, Trust and Assurance Registry)
  – Trusted Cloud Initiative
    • www.cloudsecurityalliance.org/trustedcloud.html
© 2011 Cloud Security Alliance, Inc. All rights reserved
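Slide 39 describes the consumer's use of a completed CCM: log exceptions and draft a gap analysis or control-maturity report. The following is an added example of that step, not material from the webinar deck or tooling from the Cloud Security Alliance; the eleven domain codes follow the deck's CCM domains slide, while the control IDs, maturity scale and sample provider responses are constructed for illustration.

```python
"""Gap analysis over a completed Cloud Controls Matrix (CCM) style assessment.

Added example. The domain codes are the eleven listed on the deck's CCM
domains slide; the control-ID format, maturity scale and sample responses
are constructed and are not taken from the real CCM.
"""
from collections import defaultdict
from dataclasses import dataclass

# CCM domain codes as listed in the deck.
DOMAINS = {
    "CO": "Compliance", "DG": "Data Governance", "FS": "Facility Security",
    "HR": "Human Resources", "IS": "Information Security", "LG": "Legal",
    "OM": "Operations Management", "RI": "Risk Management",
    "RM": "Release Management", "RS": "Resiliency", "SA": "Security Architecture",
}

# Constructed maturity scale: how far the provider's response satisfies the control.
MATURITY = {"not_implemented": 0, "partial": 1, "implemented": 2, "evidenced": 3}
MAX_SCORE = max(MATURITY.values())


@dataclass(frozen=True)
class ControlResponse:
    control_id: str   # constructed format "<domain>-<seq>", e.g. "DG-02"
    applicable: bool  # consumer marks controls out of scope for this service model
    maturity: str     # key into MATURITY
    evidence: str     # note taken from the provider's questionnaire answer


def domain_of(control_id: str) -> str:
    """Map a control ID to its CCM domain code, rejecting unknown codes."""
    code = control_id.split("-")[0]
    if code not in DOMAINS:
        raise ValueError(f"unknown CCM domain code in {control_id!r}")
    return code


def exceptions(responses, threshold="implemented"):
    """In-scope controls whose maturity falls below the required level."""
    floor = MATURITY[threshold]
    return [r for r in responses if r.applicable and MATURITY[r.maturity] < floor]


def domain_maturity(responses):
    """Per-domain maturity as a percentage of the maximum score; N/A controls excluded."""
    earned, possible = defaultdict(int), defaultdict(int)
    for r in responses:
        if not r.applicable:
            continue
        d = domain_of(r.control_id)
        earned[d] += MATURITY[r.maturity]
        possible[d] += MAX_SCORE
    return {d: round(100 * earned[d] / possible[d]) for d in possible}


def gap_report(responses, threshold="implemented"):
    """Per-domain maturity plus the exception log the consumer would file."""
    return {
        "domain_maturity": domain_maturity(responses),
        "exceptions": [
            {"control": r.control_id, "domain": DOMAINS[domain_of(r.control_id)],
             "maturity": r.maturity, "note": r.evidence}
            for r in exceptions(responses, threshold)
        ],
    }


# Constructed sample: a SaaS provider's self-assessment as reviewed by the consumer.
SAMPLE = [
    ControlResponse("DG-01", True, "evidenced", "Classification policy; covered by SOC report"),
    ControlResponse("DG-02", True, "partial", "Encryption at rest on some storage tiers only"),
    ControlResponse("IS-01", True, "implemented", "MFA enforced on the admin console"),
    ControlResponse("IS-02", True, "not_implemented", "No key rotation schedule provided"),
    ControlResponse("FS-01", False, "not_implemented", "N/A: consumer has no physical footprint"),
    ControlResponse("RS-01", True, "evidenced", "DR test report from last quarter supplied"),
]

if __name__ == "__main__":
    report = gap_report(SAMPLE)
    for code, pct in sorted(report["domain_maturity"].items()):
        print(f"{DOMAINS[code]:<22} {pct:>3}%")
    for e in report["exceptions"]:
        print(f"EXCEPTION {e['control']} ({e['domain']}): {e['maturity']} - {e['note']}")
```

Raising the threshold to "evidenced" turns every control without supporting evidence into an exception, which is the stricter posture an auditor would take for high value regulated data.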
40. POLLING QUESTION
• Regarding the Cloud Security Alliance Cloud Control Matrix:
  – A. I am familiar with the CSA and CCM and have used the framework to assess cloud service providers.
  – B. I am familiar with the framework but have yet to use it.
  – C. I have not previously heard of the framework but think it might be useful.
  – D. I don’t think this framework is applicable to my company’s assessment of cloud service providers.

41. INTEGRATION TRENDS / CONCERNS
• “Bring Your Own Device” (BYOD)
  – Smartphone, tablet, laptop
• “Bring Your Own Cloud” (BYOC)
  – Google Docs, Dropbox, iCloud, Skydrive

42. “DATA AWARE” SECURITY
• Information Security trend
• Knowing if a particular combination of user, device, and software can be trusted with access to specific information
• Challenge: Encoding this security intelligence into your data before you store it in the public cloud

43. RECAP
• Cloud computing has tangible benefits and could be a strategic differentiator
• Your organization may be more actively deployed to the “cloud” than you realize
• New risks are introduced, but can be managed with assurance frameworks

44. QUESTIONS?
• George.Thomas@firstdata.com
• Brian.Dickard@firstdata.com

45. REFERENCES
• Cloud Security Alliance
  – Security Guidance For Critical Areas of Focus in Cloud Computing V3.0 (2011)
    • https://cloudsecurityalliance.org/research/security-guidance/
  – Cloud Security Alliance GRC Stack (2011)
    • https://cloudsecurityalliance.org/research/grc-stack/
  – Cloud Security Alliance Cloud Controls Matrix V1.1 (2010)
    • https://cloudsecurityalliance.org/research/ccm/
• Information Week (Jan-Mar 2012)
• MIT Technology Review (Jan-Mar 2012)