7/27/10
Proprietary & Business Confidential
Cloud Computing – A Risk Overview
Kostja Reim, CISA, CISM, CGEIT, Security Risk Solutions Ltd.
Cloud Computing - Considerations & Risks - (c) Security Risk Solutions Ltd., All rights reserved. 2010
Agenda
• Introduction
• Cloud Foundation
• Considerations and Risks
• The Role of the IS Auditor
• Q&A
Regulatory Pressure
• Compliance Demands:
  – Internal Audit
    · Independent
    · Audits IT
  – Defined RM Framework
    · Annual assessment
    · Risk Treatment Plan
    · Investigation of all significant incidents
  – Segregation of Duties
  – BCM (processes, systems, succession)
  – Logging and Monitoring
  – Security Measures of accepted standard (BSI, ISO17799, etc.)
  – Outsourcing Controls
• To address:
  – Internal fraud
  – External fraud
  – Hiring practices
  – Occupational safety and security
  – Customer, products & services, practices
  – Impact on assets (terrorism, earthquakes, fire, etc.)
  – System outages and business failure
  – Process management (execution of transactions, false details, money laundering, confidentiality of customer information, etc.)
Did you know the Payment Card Industry (PCI) Council for Security released a Data Security Standard (DSS) that all financial institutions and merchants processing or storing credit card transactions must comply with by 30 September 2010? Did you know that Uganda has put in place new laws and penalties for IT?
Cloud Foundation – What is going on inside an application?
Cloud Foundation – How does it work?
Cloud Foundation – What is Cloud Computing?
IT capabilities provided as a service over the Internet and characterized by:
• Usually pay as you use (can also be subscription)
• Shared physical infrastructure not visible to the customer
• Provided over the Internet
• Geographic independence
• On-demand allocation of resources
• Scalability

“Gartner defines cloud computing as a style of computing where massively scalable IT-related capabilities are provided ‘as a service’ using Internet technologies to multiple external customers.”
Cloud Foundation – Types of Cloud Services
• SaaS – Software as a Service – Network-hosted application
• DaaS – Data as a Service – Customer queries against provider’s database
• PaaS – Platform as a Service – Network-hosted software development platform
• IaaS – Infrastructure as a Service – Provider hosts customer VMs or provides network storage
• IPMaaS – Identity and Policy Management as a Service – Provider manages identity and/or access control policy for customer
• NaaS – Network as a Service – Provider offers virtualized networks (e.g. VPNs)
Cloud Foundation - IaaS
Cloud Foundation - PaaS
Cloud Foundation - SaaS
Cloud Foundation – Service Providers
Cloud Foundation – What is gained?
Cloud Foundation – Service Delivery Models
Cloud Foundation - Benefits
• Example use scenarios:
  – High demand applications
  – Highly variable demand (bursting)
  – Geographically dispersed user base
  – Startup
  – Reduce size and scope of IT
  – PER
  – Cheap to experiment
  – DR
Cloud Foundation – Pros and Cons Summary
Considerations & Risks
Considerations & Risks - Other
Considerations – Confidentiality & Privacy
• Risk Factors:
  – Data stored, transmitted and processed outside the organization
  – Shared computing environments
  – Loss of physical control of data
  – Physical and logical access managed by provider
  – Limited information about provider personnel
• Mitigation Techniques:
  – Separation of user directories and access control
  – Encryption
  – Key management
  – Define standards
  – Procedural reviews
  – Access control reviews
Considerations – Data Segregation
• Risk Factors:
  – Shared computing environments
  – Lack of segmentation
  – Geographical residence of data
  – One compromised system could affect another
• Mitigation Techniques:
  – Encryption
  – Key management
  – Logical segregation
  – Firewalls, routers, ACLs
  – Information classification
  – Isolation of data
Considerations – Data Integrity
• Risk Factors:
  – Lack of controls to prevent data modification
  – Undetected modification of data
  – Incorrectly implemented encryption leading to data corruption
• Mitigation Techniques:
  – File integrity, logging and monitoring
  – Digital signatures
  – Periodic review of data
  – Redundancy and error recovery
  – Error checking and correcting codes
  – Encryption
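Added example (not part of the presentation) covering the Key Management item under Confidentiality and the file integrity / periodic review items under Data Integrity: a keyed HMAC-SHA256 manifest lets the customer detect modified, missing or unexpected objects in a provider-hosted copy, and because the key stays with the customer the tags cannot be recomputed from inside the provider's environment. The object names, contents and key are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample objects standing in for files handed to a cloud provider.
SAMPLE_OBJECTS: Dict[str, bytes] = {
    "customers/2010-07.csv": b"id,name,balance\n1,Alice,100\n2,Bob,250\n",
    "reports/q2.txt": b"Q2 summary: constructed placeholder body\n",
}
# Constructed customer-held key; in practice it stays in the customer's key management.
CUSTOMER_KEY = b"example-key-kept-outside-the-cloud"


def build_manifest(objects: Dict[str, bytes], key: bytes) -> Dict[str, str]:
    """Tag each object with HMAC-SHA256 under the customer's key.

    An unkeyed hash can be recomputed by anyone able to modify the object, so
    it only detects accidental corruption; a keyed MAC also detects deliberate
    changes made inside the provider's environment, where the key is absent.
    """
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in objects.items()}


def verify_manifest(objects: Dict[str, bytes], manifest: Dict[str, str],
                    key: bytes) -> Tuple[List[str], List[str], List[str]]:
    """Recompute tags and return (modified, missing, unexpected) object names."""
    current = build_manifest(objects, key)
    modified = [n for n in manifest if n in current
                and not hmac.compare_digest(current[n], manifest[n])]
    missing = [n for n in manifest if n not in current]
    unexpected = [n for n in current if n not in manifest]
    return sorted(modified), sorted(missing), sorted(unexpected)


def periodic_review_demo() -> Tuple[List[str], List[str], List[str]]:
    """Simulate a periodic review after the provider-side copy was altered."""
    manifest = build_manifest(SAMPLE_OBJECTS, CUSTOMER_KEY)
    stored = dict(SAMPLE_OBJECTS)            # what the provider now holds
    stored["customers/2010-07.csv"] = stored["customers/2010-07.csv"].replace(b"250", b"2500")
    del stored["reports/q2.txt"]             # object lost or deleted
    stored["tmp/unknown.bin"] = b"\x00\x01"  # object nobody recorded
    return verify_manifest(stored, manifest, CUSTOMER_KEY)
```

Losing the customer key makes every object verify as modified, which is why the deck lists key management beside encryption: the integrity evidence is only as durable as the key.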
Considerations – Vendor Responses
Considerations – Availability
• Risk Factors:
  – Network connectivity required
  – Transmission of data over ‘noisy’ channels
  – Increased potential points of failure
  – Limited ability to control changes
  – Reliance on provider DR
  – Viability of provider is not assured
• Mitigation Techniques:
  – RTOs in SLA
  – Network availability in ISP SLA
  – Diversify replication
  – Formal CCP
  – Multiple provider use
  – Plan for data retrieval
  – Error correction systems
  – Caching to address latency
Considerations – Vendor Responses
Considerations – Regulatory Compliance
• Risk Factors:
  – Data transmitted and stored
  – Information subject to new laws
  – Foreign governments
  – Different retention requirements
  – Audits of provider
  – Increased complexity to comply
• Mitigation Techniques:
  – Limit storage to specific countries
  – Contractual commitment to obey privacy laws
  – Security certifications of provider
  – External reviews (PCI, SAS70)
  – Limit data types / classification
Considerations - Enablers
• CSA – Cloud Security Alliance
• ISACA – Information Systems Audit & Control Association
Considerations – Overall Principles
Extensive due diligence involving:
• A portion of the cost savings obtained by cloud computing must be invested into increased scrutiny of the security capabilities of the provider and ongoing detailed audits to ensure requirements are continuously met.
• The principles of cloud computing make it very flexible and affordable, but they also make the provider relationship dynamic; this must be mitigated by ongoing risk management.
• Providers should have regular third-party risk assessments, and these should be made available to customers.
• Require listings of all third parties of the cloud provider.
• Understand the financial viability of the cloud provider.
• Understand the cloud provider’s key risks and performance indicators and how these can be monitored and measured.
The IS Auditor’s Role – Implementing the Cloud
IS Audit’s Role - Activities
• 1. Identify Control Requirements
  – Scope: Identify and evaluate controls to be implemented
  – Relevant Skills: Controls, business risks, processes, RM, and 3rd-party risk assessments
  – Business Value: Perceived risks are the biggest barrier; IA can help understand and manage these risks and therefore support the business
  – Partners: IT and Information Security
• 2. Vendor Selection Support
  – Scope: Supports the evaluation of vendors; ensure balanced assessment, review SAS70 reports, vendor contracts, etc.
  – Relevant Skills: Independence, financial process, IT technical, due diligence
  – Business Value: Manages the significant risk that the selected vendor will not be around tomorrow or that internal technology won’t integrate; appropriate contractual provisions; evidence of reliability (e.g. through 3rd-party assessments)
  – Partners: IT, Procurement, Legal, Business users (depending on cloud type)
IS Audit’s Role - Activities
• 3. Vendor Management Review
  – Scope: Evaluate controls and procedures for managing vendor relationships (e.g. SLAs, invoice review, escalation, etc.)
  – Relevant Skills: Contracts, ITIL, COBIT, performance management
  – Business Value: Ensures that appropriate processes are in place to manage the significant new vendor relationship and maximize the value the organisation receives from it
  – Partners: IT, Procurement, Business Management
• 4. Data Migration Assessment
  – Scope: Assess planned data migration scope and method as well as future-state data interface design
  – Relevant Skills: Business process, accounting, data analytics
  – Business Value: Assists the business and finance in gaining comfort around plans for cut-over from old to new systems and for the completeness and accuracy of data transferred
  – Partners: IT, Finance, Business Management
IS Audit’s Role - Activities
• 5. PMO / Project Management Assessment
  – Scope: Review project management / PMO capabilities
  – Relevant Skills: Project management, risk management, financial performance management
  – Business Value: Ensures that processes are in place that can support managing this complex and high-risk project to the greatest benefit, in the shortest time, with the lowest risk
  – Partners: IT and PMO
• 6. Controls Review / Assessment / Testing
  – Scope: Perform review of controls to be put in place, test controls and provide advice on improvements
  – Relevant Skills: Independence, IT controls, business processes, change management, security, etc.
  – Business Value: Ensure IT and business have taken appropriate steps to mitigate implementation and business process risks that will arise as part of the implementation
  – Partners: IT, Finance, Business Management
Questions?
• This presentation pack necessarily represents only part of the information we have considered in carrying out our work, being that which we selected to be most relevant to our understanding of your needs, in the light of this engagement.
• The information in this presentation pack will have been supplemented by matters arising from any oral presentation by us, and should be considered in the light of this additional information.
• If you require any further information or explanations of our underlying work, please contact us.
• The information in this presentation pack is confidential and contains proprietary information of Security Risk Solutions Ltd. It should not be provided to anyone other than the intended recipients without our written consent.
• Anyone who receives a copy of this presentation pack other than in the context of our oral presentation of its contents should note the first two points above, and that we shall not have any responsibility to anyone other than our client in respect of the information contained in this document.

Security Risk Solutions Limited
Bemuda Plaza, E2 Ngong Road
P.O. Box 15306, 00509 NAIROBI, Kenya
Tel. +254 (0) 20 2735401 / 2019286
Email. [email protected]
Web. http://www.securityrisksolutions.net
Map to our office: