cloud computing - it's the security, stupid!

Black Hat Sessions VIII: Hacking the Cloud – Ede April 2010
It’s the security, stupid! How IT audits cope with cloud computing
drs. Mike Chung RE


DESCRIPTION

This presentation is an updated version of "Security Audit versus Cloud Computing". These slides were used during one of the Black Hat Sessions.

TRANSCRIPT

Page 1: Cloud Computing - It's the security, stupid!

Black Hat Sessions VIII: Hacking the Cloud – Ede April 2010

It’s the security, stupid!
How IT audits cope with cloud computing

drs. Mike Chung RE

Page 2: Cloud Computing - It's the security, stupid!

© 2010 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. 2

Cloud computing

Cloud computing is putting your data on someone else’s hard disk and accessing it via a network..
  Public cloud: ..with a lot of other people too
  Private/dedicated cloud: ..alone
Infrastructure-as-a-Service: you have to install OS and software on that hard disk yourself
Platform-as-a-Service: you have to install software only
Software-as-a-Service: everything’s been installed

Page 3: Cloud Computing - It's the security, stupid!


Main questions

What is the (ir)relevance of audits in the cloud?
What are the specific factors concerning the cloud?
How (ir)relevant are audit standards?
How (in)competent are IT auditors?

Page 4: Cloud Computing - It's the security, stupid!


The relevance of IT audits

Compliance with legislation, regulations and standards
  SOx, HIPAA, PCI DSS..
  Non-compliance means significant loss of business, or even going out of business
  Due to / thanks to the credit crunch, regulations have been tightened
IT audits as part of the annual statement of accounts
Cloud computing is a matter of trust – current trust models are weak
  You don’t trust what you don’t understand – perceptions, fairy tales and FUD
  Why should decision-makers trust IT vendors and advisors?
Security is the biggest concern for decision-makers: according to KPMG’s 2010 cloud computing survey, security issues are the main concern of CIOs and managers (75%), followed by privacy, compliance and legal matters

Page 5: Cloud Computing - It's the security, stupid!


Security issues of cloud computing are real

Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)
Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)
Security flaws in Google Docs gave erroneous permissions to its users (2009)
Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)
Botnets are increasingly threatening access to internet services
Spam, excessive traffic of multimedia sites and P2P networks are clogging the internet’s arteries

Page 6: Cloud Computing - It's the security, stupid!


Security risks: specific factors concerning the cloud

External data storage
Multi-tenancy
Use of the (public) internet
Integration with the internal IT environment

Page 7: Cloud Computing - It's the security, stupid!


Specific factor concerning the cloud: external data storage

Weak control of data (failing backup, recovery, destruction)
Legal complications (privacy violation, conflicting/contradicting and often unworkable/archaic legislation)
Uncertain viability (insufficient guarantees regarding continuity and availability of services)
Single point of failure (failure of one cloud vendor/provider means disaster for many customers)
Vendor lock-in (difficulty in getting back the data in open formats and switching to other vendors)

Page 8: Cloud Computing - It's the security, stupid!


Specific factor concerning the cloud: multi-tenancy

Inadequate segregation of data between different customers (data contamination)
Inadequate Identity & Access Management (erroneous authentication, access and authorization to IT resources and data)
Insufficient logging & monitoring
The weakest link is decisive (virtualization, shared databases)

Page 9: Cloud Computing - It's the security, stupid!


Specific factor concerning the cloud: use of the (public) internet

Unclear and unaddressed accountability, ownership
Unclear demarcation of responsibilities and control
Limited regulation
A lot of clandestine traffic (spam) and networks (botnets)
Exceptionally poorly protected for such an important infrastructure – the internet is commercially the most valuable infrastructure
Extremely dependent on a couple of optic fibres and electricity
Threats are virtually unknown to most politicians and decision-makers

Page 10: Cloud Computing - It's the security, stupid!


Specific factor concerning the cloud: integration with the internal IT environment

Unclear (network) perimeters
Difficulties/discrepancies in matching the cloud computing vendor’s security measures with internal security measures, requirements and baselines
Complexity of integration between the cloud and the internal IT

Page 11: Cloud Computing - It's the security, stupid!


Security benefits

Centralized security
Concentration of security expertise
Economy of scale
High accessibility
‘Nakedness leads to fitness’

Page 12: Cloud Computing - It's the security, stupid!


Audit standards

Localized IT as starting point (ITIL)
Strong focus on client-server/on-premise IT (ISO 27001/2)
Static (COBIT)
Strong focus on processes (SOx)

Page 13: Cloud Computing - It's the security, stupid!


Audit standards versus external data storage

Based on access from external/third parties, not on access to cloud services
Based on management of internally stored data (eventually managed by externals)
From the viewpoint of the customer: irrelevant
From the viewpoint of the cloud computing vendor: insufficient
New principles and practices
  11 commandments of the Jericho Forum
  Cloud security initiatives from ISF

Page 14: Cloud Computing - It's the security, stupid!


Audit standards versus multi-tenancy

Marginal attention to (technical) architecture
Multi-tenancy virtually unobserved/unexposed
Mere focus on segregation of duties, facilities and networks
New principles and practices
  Cloud Security Alliance – Security guidance
  Liberty Alliance’s IAM ‘baselines’ for federated IAM
  ENISA – Cloud computing security framework

Page 15: Cloud Computing - It's the security, stupid!


Audit standards versus use of the (public) internet

Primarily financial-legal issues (accountability, ownership) outside the domain of IT audits

Exceptionally difficult to audit – there is no usable and accepted ‘atlas of the internet’

Existing principles and practices for e-mail usage and internet security partly applicable, but an audit framework for the internet is yet to be released

Page 16: Cloud Computing - It's the security, stupid!


Audit standards versus integration with the internal IT environment

‘Open standards’ – which one(s) to choose?
‘Open’ audit standards versus the reality of ‘proprietary’ cloud technologies
New principles and practices
  ISF – The Standard of Good Practice for Information Security
  OWASP frameworks

Page 17: Cloud Computing - It's the security, stupid!


Compliance

Responsibility and risks are with the customer, not the cloud vendor
Legislation versus the current state of (technical) affairs
Compliance with different legislation from different countries (SOx, HIPAA, PCI DSS, WBP..)
SAS70 as a way out?

Page 18: Cloud Computing - It's the security, stupid!


SAS70: objections

Type I or Type II?
Free to choose the controls
Fully dependent on the expertise and viewpoint of the auditor
Many variations in audit approach, set-up and level of (technical) detail
Wide intervals between audits

Page 19: Cloud Computing - It's the security, stupid!


SAS70 in practice

Same standards used as for client-server/on-premise IT environments
Hardly any attention to multi-tenancy, service integration and external data storage
Superficially reviewed by (potential) customers and auditors
Lacunae rarely raised

Page 20: Cloud Computing - It's the security, stupid!


IT auditors

Competent researchers and analysts
High-level knowledge of architecture and technology
Mostly educated in economics, accounting, business management
Existing audit standards and baselines as starting points

Page 21: Cloud Computing - It's the security, stupid!


IT audits in practice

Use of partly irrelevant and insufficient controls for cloud computing
Approach tailored to client-server/on-premise IT
Emphasis on (service management) processes with paper evidence
Recommendations only partly aimed at mitigating cloud-specific risks

Page 22: Cloud Computing - It's the security, stupid!


Steps forward

Actualize existing standards and frameworks with relevant controls for the cloud
Control (read: reduce) the many good initiatives for setting up new standards and frameworks – consolidate expertise
More emphasis on architecture and technology, with technical evidence
Increase the share of technically educated auditors

Page 23: Cloud Computing - It's the security, stupid!


Conclusion

IT audits are an essential part of compliance and assurance
Cloud computing harbours specific security risks
Audit standards and baselines are partly irrelevant and insufficient, but there are (too) many initiatives to actualize these
While IT auditors are competent researchers, their (technical) knowledge of cloud computing needs to be updated

Page 24: Cloud Computing - It's the security, stupid!


Contact

Drs. Mike Chung RE
Manager
KPMG Advisory N.V.
E-mail: [email protected]
+31 (0)6 1455 9916

Page 25: Cloud Computing - It's the security, stupid!


About the spider

The spider as depicted in this presentation is the European garden spider, also known as the cross spider (Araneus diadematus)
The garden spider makes large webs
Like most spiders, it possesses venom glands
However, this spider is docile and its venom is harmless to humans