Cloud Computing Risk Management
Security Considerations from an Assurance Perspective

Brian Dickard – Director, Enterprise Risk Management

© Copyright 2012 | First Data Corporation

Agenda
• Introduction
• Terminology
• Major Public Cloud Services
• Assessing Public Cloud Risk
• Trends and Issues
• Concluding Remarks

Introduction
• First Data Vision
  • To shape the future of global commerce by delivering the world’s most secure and innovative payment solutions.

Introduction
• First Data Business
  • First Data provides a single source for payment processing virtually anywhere and any way our customers want to pay. We deliver innovative, data-driven solutions that help merchants, financial institutions, businesses and government agencies across the globe reduce costs and drive revenue.

Cloud computing – what is it?
• Where did it come from?
• Why should I care as a business manager?
• What types of risk are there?
• How does it work?

How familiar are you with the major Cloud Service and Deployment models?
• A. Very familiar
• B. Somewhat familiar
• C. I’ve heard of them
• D. Not familiar at all

Essential Characteristics
• Resource Pooling
• Broad Network Access
• Rapid Elasticity
• Measured Service
• On-Demand Self-Service

Cloud Service Models
• Infrastructure as a Service (IaaS)
  • “Raw” servers, disk space, network
  • Ex. Amazon Elastic Compute Cloud (EC2)
  • Foundational to PaaS and SaaS
  • Security (other than physical) is provided by the cloud consumer

Cloud Service Models
• Platform as a Service (PaaS)
  • Middleware and application development frameworks supported by the provider
  • Cloud-deployed applications created and supported by the consumer
  • Ex. Google App Engine
  • Built on top of IaaS
  • Security must be built in by the developer (provider or consumer)

Cloud Service Models
• Software as a Service (SaaS)
  • “On demand” application availability
  • Software and data hosted by the provider
  • Accessed with a web browser
  • Ex. Gmail
  • Built on top of IaaS and PaaS
  • Highest provider security level

Cloud Service Layers
(Diagram: a stack with SaaS on top of PaaS on top of IaaS. Moving down the stack toward IaaS, the consumer’s configuration options increase; moving up toward SaaS, the security provided by the provider increases.)

In-House IT Assets vs. “SPI” Services
  In-House Attributes            SPI Attributes
  Fixed                          Elastic
  Overhead or Chargeback         Metered
  Service Request                Self Service
  Private Network Accessible     Internet Accessible
  Dedicated                      Shared

Deployment Models
• Public Cloud
  • More than one organization shares common IT resources
• Private Cloud
  • An organization buys and deploys its own IT resources, or
  • Contracts an exclusive arrangement with a 3rd party
• Community Cloud
  • Usage of a public cloud by organizations with a common mission or cause
  • Ex. State or local governments
• Hybrid Cloud
  • Some elements of all three

Potential Benefits
• Pay-as-you-go model (low fixed cost)
• Remote access
• Rapid scalability
• Quicker deployment of IT-enabled strategies
• Stay current on technology upgrades
• Resiliency / Redundancy

Where Private Clouds Make Sense
• Large Corporate Data Center
  • High rate of optimization through virtualization
  • A diverse set of apps is coded to run on a common O/S, database and network
  • Apps are “swapped out” on common hardware based on processing load
  • The same hardware that runs a mission-critical app may also run a support app in non-peak time
  • “Workload Agnostic Computing”

Virtualization Stats
• InfoWeek Poll – Major Corporations
  • 97% use Server Virtualization extensively or on a limited basis (ex. VMware vSphere)
  • 57% use Storage Virtualization (ex. NetApp)
  • 44% use Desktop Virtualization (ex. Citrix)
  • 42% use Application Virtualization (ex. VMware ThinApp)
  • 37% use I/O Virtualization (ex. Cisco VFrame)
  • 30% use Network Virtualization (ex. Nicira Networks “DVNI” – acquired by VMware)

Where Public Clouds Make Sense
• Businesses of any size where captive IT resources aren’t cost effective or available
  • Fixed capital expense becomes variable operating expense
  • Can quickly level the playing field for small and medium-sized businesses
• “Cloud Bursting”
  • Adding incremental capacity to meet peak or seasonal demands
• Prototyping
  • Running simulations to determine in-house data center capacity needs

Public Cloud Plans
• InfoWeek Survey
  • 26% plan to deploy in the next year
  • 38% have no plans to deploy
  • 11% already have a public deployment
• Are you sure?
  • DR scenario: a private cloud becomes public

Essence of the Public Cloud Decision
• A thoughtfully considered* decision to move one of the following into the public cloud domain:
  • Data
    • Essential to map your data and understand whether, and how, it flows in and out of the cloud
    • Important to classify low-value, high-value regulated and high-value unregulated assets
  • Transactions/Processing

Thoughtfully Consider – How?
• How would you be harmed if:
  • The asset became widely public or widely distributed?
  • An employee of the cloud provider accessed the asset?
  • The process or function was manipulated by an outsider?
  • The process or function failed to provide the expected results?
  • The information/data was unexpectedly changed?
  • The asset was unavailable for a period of time?

Top Public Cloud Concerns
(chart)

A Growing Opportunity
(Chart: revenue from “public cloud” services, in billions of dollars, 2008–2013, y-axis 0–70. Source: Forrester Research.)

Major Public Cloud Service Providers
(figure)

Applicable Compliance Certifications
• SSAE 16, SOC 1, 2, 3
  • Financial reporting and service-oriented controls
  • Focused on integrity
• ISO 9002
  • Quality-oriented controls
  • Focused on process
• ISO 27001 / 27002
  • Security-oriented controls
  • Focused on security
• TIA 942 (Telecommunications Industry Association)
  • Data center fault-tolerance controls
  • Focused on resilience

PII Breach by Cloud Provider
• Could subject them to violations under the following privacy laws:
  • Privacy and safeguard rules under GLBA
  • PCI-DSS data transmission and storage security provisions
  • HIPAA restrictions on sharing health care data
  • Breach provisions under the HITECH Act
• Depends on the provider’s contract provisions
• You can’t outsource your accountability for information security

Assurance Frameworks
• Cloud Security Alliance (CSA)
  • Cloud Controls Matrix
  • https://cloudsecurityalliance.org
• Information Systems Audit and Control Association (ISACA)
  • Cloud Computing Management Audit/Assurance Program
  • http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx
• European Network and Information Security Agency (ENISA)
  • Cloud Computing Security Risk Assessment
  • http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

Cloud Security Alliance
• GRC “Stack”
  • Cloud Controls Matrix
  • Consensus Assessments Initiative
  • Cloud Audit
  • Cloud Trust Protocol
  • Designed to support both cloud consumers and cloud providers
  • Created to capture value from the cloud as well as support compliance and control within the cloud

© 2011 Cloud Security Alliance, Inc. All rights reserved

Cloud Controls Matrix
Controls base-lined and mapped to:
• BITS Shared Assessments
• COBIT
• FedRAMP
• HIPAA/HITECH Act
• ISO/IEC 27001-2005
• Jericho Forum
• NERC CIP
• NIST SP800-53
• PCI DSS v2.0

Cloud Controls Matrix – Domains
1. Compliance (CO)
2. Data Governance (DG)
3. Facility Security (FS)
4. Human Resources (HR)
5. Information Security (IS)
6. Legal (LG)
7. Operations Management (OM)
8. Risk Management (RI)
9. Release Management (RM)
10. Resiliency (RS)
11. Security Architecture (SA)
100 individual controls in total

Cloud Controls Matrix – Sample
(figure)

Key CCM Controls: Compliance
• Compliance – Independent Audits
  • Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing).
• Compliance – Third Party Audits
  • Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.
• Compliance – Intellectual Property
  • Policy, process and procedure shall be established and implemented to safeguard intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.

Key CCM Controls: Data Governance
• Data Governance – Classification
  • Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.
• Data Governance – Retention Policy
  • Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of backups must be implemented at planned intervals.
• Data Governance – Information Leakage
  • Security mechanisms shall be implemented to prevent data leakage.

Key CCM Controls: Facility Security
• Facility Security – Controlled Access Points
  • Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.
• Facility Security – Off-Site Authorization
  • Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises.

Key CCM Controls: Information Security
• Information Security – Baseline Requirements
  • Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.
• Information Security – User Access Reviews
  • All levels of user access shall be reviewed by management at planned intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.
• Information Security – Encryption
  • Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).

Key CCM Controls: Information Security
• Information Security – Vulnerability / Patch Management
  • Policies and procedures shall be established and mechanisms implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner, taking a risk-based approach for prioritizing critical patches.
• Information Security – Incident Reporting
  • Contractors, employees and third party users shall be made aware of their responsibility to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.
• Information Security – eCommerce Transactions
  • Electronic commerce (e-commerce) related data traversing public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner as to prevent contract dispute and compromise of data.

Key CCM Controls: Operations Management
• Operations Management – Capacity / Resource Planning
  • The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with regulatory, contractual and business requirements. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
• Operations Management – Equipment Maintenance
  • Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations.

Key CCM Controls: Risk Management
• Risk Management – Assessments
  • Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
• Risk Management – Third Party Access
  • The identification, assessment, and prioritization of risks posed by business processes requiring third party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.

Key CCM Controls: Release Management
• Release Management – Production Changes
  • Changes to the production environment shall be documented, tested and approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications.
• Release Management – Unauthorized Software Installations
  • Policies and procedures shall be established and mechanisms implemented to restrict the installation of unauthorized software.

Key CCM Controls: Resiliency
• Resiliency – Business Continuity Planning
  • A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements.
• Resiliency – Business Continuity Testing
  • Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.

Key CCM Controls: Security Architecture
• Security Architecture – Network Security
  • Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.
• Security Architecture – Shared Networks
  • Access to systems with shared network infrastructure shall be restricted to authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.

Key CCM Controls: Security Architecture
• Security Architecture – Audit Logging / Intrusion Detection
  • Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.

What do you do with a completed CCM?
• Consumer: as an internal assessment tool
  • Log exceptions and draft a report of the provider’s level of control maturity, or a gap analysis
• Provider: as a public assertion of control maturity
  • CSA STAR (Security, Trust and Assurance Registry)
• Trusted Cloud Initiative
  • www.cloudsecurityalliance.org/trustedcloud.html
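The consumer-side use of a completed CCM described above (log the exceptions, report the provider's control maturity, produce a gap analysis), as an added example that is not code from the deck, First Data or the CSA. The domain codes are the CCM v1.1 domains the deck lists; the control ids, the provider's answers, the framework mappings and the scoring scale (a "yes" with no evidence to inspect counted as partial) are constructed assumptions of this example.

```python
"""Gap analysis over a completed CSA Cloud Controls Matrix (CCM) questionnaire.

Added example, not code from the deck, First Data or the CSA. The domain codes
are the CCM v1.1 domains listed in the deck; the control ids, provider answers,
framework mappings and the scoring scale are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# The 11 CCM v1.1 domains named in the deck.
DOMAINS = {
    "CO": "Compliance", "DG": "Data Governance", "FS": "Facility Security",
    "HR": "Human Resources", "IS": "Information Security", "LG": "Legal",
    "OM": "Operations Management", "RI": "Risk Management",
    "RM": "Release Management", "RS": "Resiliency", "SA": "Security Architecture",
}

# Credit earned by a provider's answer to one control (assumed scale, not the CSA's).
ANSWER_CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass(frozen=True)
class Response:
    control_id: str   # "<domain code>-<number>", e.g. "IS-18" (constructed ids)
    answer: str       # "yes" | "partial" | "no"
    evidence: str     # reference to the artifact backing the answer, "" if none
    mapped_to: tuple  # frameworks the control is mapped to (constructed mapping)


def domain_of(control_id):
    """Map a control id to its CCM domain code, rejecting ids outside the 11 domains."""
    code = control_id.split("-", 1)[0]
    if code not in DOMAINS:
        raise ValueError(f"unknown CCM domain code in {control_id!r}")
    return code


def credit(resp):
    """Assurance view of an answer: a 'yes' with nothing to inspect is only an
    assertion, so it earns the same credit as 'partial' (assumption of this example)."""
    if resp.answer not in ANSWER_CREDIT:
        raise ValueError(f"bad answer {resp.answer!r} for {resp.control_id}")
    if resp.answer == "yes" and not resp.evidence:
        return ANSWER_CREDIT["partial"]
    return ANSWER_CREDIT[resp.answer]


def maturity_by_domain(responses):
    """Percent of achievable credit per domain, e.g. {'CO': 100.0, 'DG': 50.0}."""
    earned, possible = defaultdict(float), defaultdict(int)
    for r in responses:
        d = domain_of(r.control_id)
        earned[d] += credit(r)
        possible[d] += 1
    return {d: round(100.0 * earned[d] / possible[d], 1) for d in possible}


def log_exceptions(responses, consumer_frameworks):
    """Controls not fully evidenced, most significant first: each exception notes
    which of the consumer's own obligations (e.g. PCI DSS for a payments business)
    the mapped control touches; more regulatory impact and less credit sort first."""
    found = []
    for r in responses:
        c = credit(r)
        if c >= 1.0:
            continue
        impact = tuple(f for f in consumer_frameworks if f in r.mapped_to)
        found.append({"control": r.control_id, "domain": DOMAINS[domain_of(r.control_id)],
                      "reason": "asserted without evidence" if r.answer == "yes" else r.answer,
                      "impact": impact, "credit": c})
    found.sort(key=lambda e: (-len(e["impact"]), e["credit"], e["control"]))
    return found


def gap_report(responses, consumer_frameworks):
    """Plain-text report: maturity per domain, then the exception log."""
    lines = ["Provider control maturity by CCM domain:"]
    for d, pct in sorted(maturity_by_domain(responses).items()):
        lines.append(f"  {d} {DOMAINS[d]:<24} {pct:5.1f}%")
    lines.append("Exceptions (gap analysis):")
    for e in log_exceptions(responses, consumer_frameworks):
        impact = ", ".join(e["impact"]) or "no in-scope obligation"
        lines.append(f"  {e['control']} [{e['domain']}] {e['reason']}; affects: {impact}")
    return "\n".join(lines)


# Constructed sample questionnaire: ids, answers and mappings are not real CCM data.
SAMPLE = [
    Response("CO-02", "yes", "SOC 1 Type II report, FY2012", ("PCI DSS", "ISO 27001")),
    Response("DG-02", "partial", "", ("HIPAA", "PCI DSS")),
    Response("IS-18", "yes", "", ("PCI DSS",)),  # claimed, nothing to inspect
    Response("SA-09", "no", "", ("PCI DSS", "NIST SP800-53")),
    Response("RS-01", "yes", "BCP test summary, 2012-03", ()),
]

if __name__ == "__main__":
    # A payments business cares first about gaps that touch PCI DSS.
    print(gap_report(SAMPLE, consumer_frameworks=("PCI DSS",)))
```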

Are Assessments Being Done?
(chart)

Integration Trends / Concerns
• “Bring Your Own Device” (BYOD)
  • Smartphone, tablet, laptop
• “Bring Your Own Cloud” (BYOC)
  • Google Docs, Dropbox, iCloud, SkyDrive

“Data Aware” Security
• Information security trend
• Knowing if a particular combination of user, device, and software can be trusted with access to specific information
• Challenge: encoding this security intelligence into your data before you store it in the public cloud

Recap
• Cloud computing has tangible benefits and could be a strategic differentiator
• Your organization may be more actively deployed to the “cloud” than you realize
• New risks are introduced, but they can be managed with assurance frameworks

Questions?
• Brian.Dickard@firstdata.com

References
• Cloud Security Alliance
  • Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 (2011): https://cloudsecurityalliance.org/research/security-guidance/
  • Cloud Security Alliance GRC Stack (2011): https://cloudsecurityalliance.org/research/grc-stack/
  • Cloud Security Alliance Cloud Controls Matrix V1.1 (2010): https://cloudsecurityalliance.org/research/ccm/
• InformationWeek (Jan–Mar 2012)
• MIT Technology Review (Jan–Mar 2012)

 

Dernier (20)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

Cloud Computing Risk Management (Multi Venue)

  • 1. Cloud Computing Risk Management – Security Considerations from an Assurance Perspective
    Brian Dickard – Director, Enterprise Risk Management
    © Copyright 2012 | First Data Corporation
  • 2. Agenda
    • Introduction
    • Terminology
    • Major Public Cloud Services
    • Assessing Public Cloud Risk
    • Trends and Issues
    • Concluding Remarks
  • 3. Introduction – First Data Vision
    • To shape the future of global commerce by delivering the world’s most secure and innovative payment solutions.
  • 4. Introduction – First Data Business
    • First Data provides a single source for payment processing virtually anywhere and any way our customers want to pay. We deliver innovative, data-driven solutions that help merchants, financial institutions, businesses and government agencies across the globe reduce costs and drive revenue.
  • 5. Cloud computing – what is it?
    • Where did it come from?
    • Why should I care as a business manager?
    • What types of risk are there?
    • How does it work?
  • 6. (image-only slide)
  • 7. How familiar are you with the major Cloud Service and Deployment models?
    • A. Very familiar
    • B. Somewhat familiar
    • C. I’ve heard of them
    • D. Not familiar at all
  • 8. Essential Characteristics
    • Resource Pooling
    • Broad Network Access
    • Rapid Elasticity
    • Measured Service
    • On Demand Self Service
  • 9. Cloud Service Models – Infrastructure as a Service (IaaS)
    • “Raw” servers, disk space, network
    • Ex. Amazon Elastic Cloud Computing (EC2)
    • Foundational to PaaS and SaaS
    • Security (other than physical) provided by cloud consumer
  • 10. Cloud Service Models – Platform as a Service (PaaS)
    • Middleware and application development frameworks supported by provider
    • Cloud-deployed applications created and supported by consumer
    • Ex. Google App Engine
    • Built on top of IaaS
    • Security must be built in by developer (provider or consumer)
  • 11. Cloud Service Models – Software as a Service (SaaS)
    • “On Demand” application availability
    • Software and data hosted by provider
    • Accessed with a web browser
    • Ex. Gmail
    • Built on top of IaaS and PaaS
    • Highest provider security level
  • 12. Cloud Service Layers (diagram: SaaS / PaaS / IaaS stack; consumer configuration options increase toward IaaS, provider security increases toward SaaS)
  • 13. In-House IT Assets vs. “SPI” Services
    In-House Attributes            SPI Attributes
    Fixed                          Elastic
    Overhead or Chargeback         Metered
    Service Request                Self Service
    Private Network Accessible     Internet Accessible
    Dedicated                      Shared
  • 14. Deployment Models
    • Public Cloud: more than one organization shares common IT resources
    • Private Cloud: an organization buys and deploys its own IT resources, or contracts an exclusive arrangement with a 3rd party
    • Community Cloud: usage of public cloud by common mission or cause (ex. state or local governments)
    • Hybrid Cloud: some elements of all three
  • 15. Potential Benefits
    • Pay as you go model (low fixed cost)
    • Remote access
    • Rapid scalability
    • Quicker deployment of IT-enabled strategies
    • Stay current on technology upgrades
    • Resiliency / Redundancy
  • 16. (image-only slide)
  • 17. Where Private Clouds Make Sense – Large Corporate Data Center
    • High rate of optimization through virtualization
    • Diversity of apps coded to run using common O/S, database and network
    • Apps are “swapped out” on common hardware based on processing load
    • Same hardware that runs a mission critical app may also run a support app in non-peak time
    • “Workload Agnostic Computing”
  • 18. Virtualization Stats – InfoWeek Poll, Major Corporations
    • 97% use Server Virtualization extensively or on a limited basis (ex. VMware vSphere)
    • 57% use Storage Virtualization (ex. NetApp)
    • 44% use Desktop Virtualization (ex. Citrix)
    • 42% use Application Virtualization (ex. VMware ThinApp)
    • 37% use I/O Virtualization (ex. Cisco VFrame)
    • 30% use Network Virtualization (ex. Nicira Networks “DVNI” – acquired by VMware)
  • 19. Where Public Clouds Make Sense
    • Businesses of any size where captive IT resources aren’t cost effective or available
      • Fixed capital expense becomes variable operating expense
      • Can quickly level the playing field for small and medium sized businesses
    • “Cloud Bursting”: adding incremental capacity to meet peak or seasonal demands
    • Prototyping: running simulations to determine in-house data center capacity needs
  • 20. Public Cloud Plans – Infoweek Survey
    • 26% plan to deploy in the next year
    • 38% have no plans to deploy
    • 11% already have a public deployment
    • Are you sure? DR scenario: private cloud becomes public
  • 21. (image-only slide)
  • 22. Essence of the Public Cloud Decision
    • A thoughtfully considered* decision to move one of the following into the public cloud domain:
      • Data
        • Essential to map your data and understand whether, and how, it flows in and out of the cloud
        • Important to classify low value, high value regulated and high value unregulated assets
      • Transactions/Processing
  • 23. Thoughtfully Consider – How? How would you be harmed if:
    • The asset became widely public or widely distributed?
    • An employee of the cloud provider accessed the asset?
    • The process or function was manipulated by an outsider?
    • The process or function failed to provide the expected results?
    • The information/data was unexpectedly changed?
    • The asset were unavailable for a period of time?
  • 24. Top Public Cloud Concerns (chart)
  • 25. A Growing Opportunity (chart: revenue from “public cloud” services, in billions of dollars, 2008–2013; source: Forrester Research)
  • 26. Major Public Cloud Service Providers (image)
  • 27. (image-only slide)
  • 28. Applicable Compliance Certifications
    • SSAE-16, SOC-1,2,3: financial reporting and service oriented controls, focused on integrity
    • ISO 9002: quality oriented controls, focused on process
    • ISO 27001 / 27002: security oriented controls, focused on security
    • TIA 942 (Telecommunications Industry Association): data center fault tolerant controls, focused on resilience
  • 29. PII Breach by Cloud Provider
    • Could subject them to violations under the following privacy laws:
      • Privacy and safeguard rules under GLBA
      • PCI-DSS data transmission and storage security provisions
      • HIPAA restrictions on sharing health care data
      • Breach provisions under the HITECH Act
    • Depends on provider’s contract provisions
    • You can’t outsource your accountability for information security
  • 30. Assurance Frameworks
    • Cloud Security Alliance (CSA): Cloud Controls Matrix – https://cloudsecurityalliance.org
    • Information Systems Audit and Control Association (ISACA): Cloud Computing Management Audit/Assurance Program – http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx
    • European Network and Information Security Agency (ENISA): Cloud Computing Security Risk Assessment – http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
  • 31. Cloud Security Alliance – GRC “Stack”
    • Cloud Controls Matrix
    • Consensus Assessments Initiative
    • Cloud Audit
    • Cloud Trust Protocol
    • Designed to support both cloud consumers and cloud providers
    • Created to capture value from the cloud as well as support compliance and control within the cloud
    © 2011 Cloud Security Alliance, Inc. All rights reserved
  • 32. (image-only slide)
  • 33. Cloud Controls Matrix – controls base-lined and mapped to:
    • BITS Shared Assessments
    • COBIT
    • FedRAMP
    • HIPAA/HITECH Act
    • ISO/IEC 27001-2005
    • Jericho Forum
    • NERC CIP
    • NIST SP800-53
    • PCI DSS v2.0
  • 34. Cloud Control Matrix – Domains (100 individual controls)
    1. Compliance (CO)
    2. Data Governance (DG)
    3. Facility Security (FS)
    4. Human Resources (HR)
    5. Information Security (IS)
    6. Legal (LG)
    7. Operations Management (OM)
    8. Risk Management (RI)
    9. Release Management (RM)
    10. Resiliency (RS)
    11. Security Architecture (SA)
  • 35. Cloud Control Matrix – Sample (image)
  • 36. Key CCM Controls – Compliance
    • Compliance – Independent Audits: Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing).
    • Compliance – Third Party Audits: Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.
    • Compliance – Intellectual Property: Policy, process and procedure shall be established and implemented to safeguard intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.
  • 37. Key CCM Controls – Data Governance
    • Data Governance – Classification: Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.
    • Data Governance – Retention Policy: Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of backups must be implemented at planned intervals.
    • Data Governance – Information Leakage: Security mechanisms shall be implemented to prevent data leakage.
  • 38. Key CCM Controls – Facility Security
    • Facility Security – Controlled Access Points: Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.
    • Facility Security – Off-Site Authorization: Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises.
  • 39. Key CCM Controls – Information Security
    • Information Security – Baseline Requirements: Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.
    • Information Security – User Access Reviews: All levels of user access shall be reviewed by management at planned intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.
    • Information Security – Encryption: Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).
  • 40. Key CCM Controls – Information Security
    • Information Security – Vulnerability / Patch Management: Policies and procedures shall be established and mechanisms implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner, taking a risk-based approach for prioritizing critical patches.
    • Information Security – Incident Reporting: Contractors, employees and third party users shall be made aware of their responsibility to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.
    • Information Security – eCommerce Transactions: Electronic commerce (e-commerce) related data traversing public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner to prevent contract dispute and compromise of data.
  • 41. Key CCM Controls – Operations Management
    • Operations Management – Capacity / Resource Planning: The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with regulatory, contractual and business requirements. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
    • Operations Management – Equipment Maintenance: Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations.
  • 42. (image-only slide)
  • 43. Key CCM Controls – Risk Management
    • Risk Management – Assessments: Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
    • Risk Management – Third Party Access: The identification, assessment, and prioritization of risks posed by business processes requiring third party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
  • 44. Key CCM Controls – Release Management
    • Release Management – Production Changes: Changes to the production environment shall be documented, tested and approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications.
    • Release Management – Unauthorized Software Installations: Policies and procedures shall be established and mechanisms implemented to restrict the installation of unauthorized software.
  • 45. Key CCM Controls – Resiliency
    • Resiliency – Business Continuity Planning: A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements.
    • Resiliency – Business Continuity Testing: Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.
  • 46. Key CCM Controls – Security Architecture
    • Security Architecture – Network Security: Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.
    • Security Architecture – Shared Networks: Access to systems with shared network infrastructure shall be restricted to authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.
  • 47. Key CCM Controls – Security Architecture
    • Security Architecture – Audit Logging / Intrusion Detection: Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.
  • 48. What do you do with a completed CCM?
    • Consumer: as an internal assessment tool – log exceptions and draft a report of the provider’s level of control maturity or a gap analysis
    • Provider: as a public assertion of control maturity
      • CSA STAR (Security, Trust and Assurance Registry)
      • Trusted Cloud Initiative – www.cloudsecurityalliance.org/trustedcloud.html
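As an added example of the consumer-side use described on slide 48 (this is not code from the deck or from the Cloud Security Alliance): a small gap-analysis script over a completed CCM assessment that scores maturity per domain using the slide 34 domain codes, flags domains the assessment never covers, and produces the exception log. The control numbering, the four-step status scale and the sample assessment text are constructed for illustration.

```python
"""Gap analysis over a completed Cloud Controls Matrix (CCM) self-assessment.
Added example, not part of the slide deck or of any CSA tool: control ids, the 0..3
maturity scale and the sample assessment are constructed; domain codes are from slide 34."""
from collections import defaultdict
from dataclasses import dataclass

# CCM domain codes as listed on slide 34 of the deck.
DOMAINS = {
    "CO": "Compliance", "DG": "Data Governance", "FS": "Facility Security",
    "HR": "Human Resources", "IS": "Information Security", "LG": "Legal",
    "OM": "Operations Management", "RI": "Risk Management",
    "RM": "Release Management", "RS": "Resiliency", "SA": "Security Architecture",
}
# Constructed maturity scale for each assessment answer.
STATUS_SCORE = {"not implemented": 0, "planned": 1, "partial": 2, "implemented": 3}
MAX_SCORE = max(STATUS_SCORE.values())


@dataclass(frozen=True)
class Answer:
    control_id: str   # "<DOMAIN>-<nn>"; hypothetical numbering, not the real CCM ids
    title: str
    status: str       # key of STATUS_SCORE
    evidence: str     # provider's evidence reference, empty when none was given


def parse_assessment(text):
    """Parse 'control_id | title | status [| evidence]' lines into Answer objects."""
    answers = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected control_id | title | status")
        control_id, title, status = parts[0], parts[1], parts[2].lower()
        evidence = parts[3] if len(parts) > 3 else ""
        domain = control_id.split("-", 1)[0]
        if domain not in DOMAINS:
            raise ValueError(f"line {lineno}: unknown CCM domain {domain!r}")
        if status not in STATUS_SCORE:
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        answers.append(Answer(control_id, title, status, evidence))
    return answers


def domain_maturity(answers):
    """Maturity per assessed domain, as a percentage of the maximum possible score."""
    totals = defaultdict(lambda: [0, 0])  # domain -> [score obtained, score possible]
    for a in answers:
        domain = a.control_id.split("-", 1)[0]
        totals[domain][0] += STATUS_SCORE[a.status]
        totals[domain][1] += MAX_SCORE
    return {d: round(100 * got / possible) for d, (got, possible) in totals.items()}


def uncovered_domains(answers):
    """Domains with no answered control: the assessment is not actually complete."""
    seen = {a.control_id.split("-", 1)[0] for a in answers}
    return sorted(DOMAINS.keys() - seen)


def exception_log(answers, required="implemented"):
    """Exceptions: controls below the required status, or claimed met with no evidence."""
    threshold = STATUS_SCORE[required]
    log = []
    for a in answers:
        if STATUS_SCORE[a.status] < threshold:
            log.append((a.control_id, f"status '{a.status}', required '{required}'"))
        elif not a.evidence:
            log.append((a.control_id, "claimed met but no evidence referenced"))
    return log


def gap_report(text):
    """Run the full analysis over assessment text and return a summary dict."""
    answers = parse_assessment(text)
    maturity = domain_maturity(answers)
    return {"maturity": maturity, "weakest_domain": min(maturity, key=maturity.get),
            "uncovered": uncovered_domains(answers), "exceptions": exception_log(answers)}


# Constructed sample: a partially completed provider self-assessment.
SAMPLE_ASSESSMENT = """
# control_id | title | status | evidence
CO-01 | Independent audits | implemented | SOC 2 Type II report, 2012
CO-02 | Third party audits | partial | subcontractor list only, no audit reports
DG-01 | Data classification | implemented |
DG-02 | Retention policy | planned
IS-01 | Encryption at rest and in transit | partial | TLS on public interfaces only
IS-02 | Vulnerability / patch management | implemented | monthly cycle, scan reports
RS-01 | Business continuity testing | implemented | BCP exercise record, Q1
SA-01 | Audit logging / intrusion detection | not implemented
"""

if __name__ == "__main__":
    print(gap_report(SAMPLE_ASSESSMENT))
```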
  • 49. Are Assessments Being Done? (chart)
  • 50. (image-only slide)
  • 51. Integration Trends / Concerns
    • “Bring Your Own Device” (BYOD): smartphone, tablet, laptop
    • “Bring Your Own Cloud” (BYOC): Google Docs, Dropbox, iCloud, Skydrive
  • 52. “Data Aware” Security
    • Information Security trend
    • Knowing if a particular combination of user, device, and software can be trusted with access to specific information
    • Challenge: encoding this security intelligence into your data before you store it in the public cloud
  • 53. Recap
    • Cloud computing has tangible benefits and could be a strategic differentiator
    • Your organization may be more actively deployed to the “cloud” than you realize
    • New risks are introduced, but can be managed with assurance frameworks
  • 54. (image-only slide)
  • 55. Questions? Brian.Dickard@firstdata.com
  • 56. References
    • Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 (2011) – https://cloudsecurityalliance.org/research/security-guidance/
    • Cloud Security Alliance GRC Stack (2011) – https://cloudsecurityalliance.org/research/grc-stack/
    • Cloud Security Alliance Cloud Controls Matrix V1.1 (2010) – https://cloudsecurityalliance.org/research/ccm/
    • Information Week (Jan–Mar 2012)
    • MIT Technology Review (Jan–Mar 2012)