
© Grant Thornton International, Ltd.. All rights reserved.

Avoiding Stormy Skies With Cloud Computing

Todd Fitzgerald CISSP, CISA, CISM, CRISC, CGEIT, PMP, ISO27000, CIPP, CIPP/US, ITILV3f

Global Director Information Security

Grant Thornton International, Ltd.

2014 Mega Healthcare Conference

Jan 29-31, 2014

Wisconsin Dells, WI


Today’s Objective

• Define “The Cloud”

• Cloud Computing Architecture

• Cloud Deployment Models

• Cloud Use Cases

• Security Risks, Benefits, Vulnerabilities

• Current Cloud Market space

• Information Security Issues



Disclaimer

• Todd Fitzgerald is a Director of Information Security with Grant Thornton International Ltd. The views expressed in this presentation are solely Todd Fitzgerald's personal views and do not necessarily represent the views of Grant Thornton or its clients or its related entities. The information provided with respect to Todd Fitzgerald's affiliation with Grant Thornton is solely for identification purposes and may not and should not be construed to imply endorsement or support by Grant Thornton of the views expressed herein.


About Grant Thornton

• 35,000 people in over 100 countries

• Total global revenues $4.2bn (2012)

• Global tax revenues $909m, 9% growth (2012)

• Mergers in 19 countries Q1-Q3 2012, adding revenues of $250m

• Global advisory revenues $1.1bn, 18% growth 2012


Section I – THE 'WHAT'S' AND 'WHY'S' OF CLOUD


Current State of Cloud Computing

• Evolving Landscape

• New Business Opportunities

• Much Hype, Some Reality… In Its Infancy

• … It Will Impact Future IT Delivery


Business Drivers

• Lower Costs

• Delivering IT according to Business Priorities

• Faster Delivery

• Reacting to changes

• Standards Migration

• Pricing to influence business behavior

• Lowering barrier to entry/exit



The Central Issue: What Are We Trying To Protect?

For Each Asset, ask These Questions… How Would we be harmed if…

…the asset became widely public and distributed?

…an employee of the cloud provider accessed the asset?

…the process or function was manipulated by an outsider?

…the process or function failed to provide expected results?

…the data was unexpectedly changed?

…the asset was unavailable for a period of time?

Source: Cloud Security Alliance, Security Guidance for critical areas of Cloud Computing 3.0


Working Definition of “The Cloud”


Source: Cloud Security Alliance/ NIST


Cloud Computing Taxonomy


Source: Cloud Computing Uses Whitepaper, Version 4


Standards Will Be Determined By Interoperability, Auditability, Security & Management


Source: Cloud Computing Use Cases White Paper


Platform Stacks – Who Is In Control?


Source: cloudblueprint.wordpress.com/cloud-taxonomy


Many Cloud Players Entering



[Figure slide] Source: Gartner, 2011


Gartner Hype Cycle Predictions 2014 and Beyond

• Cloud computing interest "peaked", now in Trough of Disillusionment

• Mainstream cloud adoption 2014-2017

– Salesforce automation, SAAS, and Virtualization

• Cloud email – by 2014 10% adoption rate

• Big Data – by 2015, competitors defeated by 20%

• PAAS – confusing to enterprises, varying experiences

• SAAS – 50% of organizations have SAAS strategy by 2015

• Personal cloud replaces PC by 2014

Source: www.rickscloud.com


[Figure slide] Source: Gartner, 2011


Match Security Tool To Cloud Computing Problem

• Low security environments – 20% of market

• High-End – APIs for Externalized Security Monitoring

• Middle – Compromise between public/private clouds



Section II – HEALTHCARE SECURITY BREACHES


2012 data breach statistics

• Of 621 security breach incident investigations:

– 92% perpetrated by outsiders

– 52% utilized some form of hacking

– 40% incorporated malware

– 29% used social tactics

– 66% took months or more to discover (69% by a third party)

– 78% initial intrusions rated as low difficulty, 71% targeted end user devices

Source: Verizon RISK Team 2013 Data Breach Investigations Report


Large Gap Between Time To Attack and Discovery


Top 2013 Cloud Threats (Notorious Nine)

1. Data Breaches

2. Data Loss

3. Account or Service Traffic Hijacking

4. Insecure Interfaces and APIs

5. Denial of Service

6. Malicious Insiders

7. Abuse of Cloud Services

8. Insufficient Due Diligence

9. Shared technology Vulnerabilities


Source: Cloud Security Alliance, Feb 2013


Top 5 HIPAA Breach Violations Reported to HHS (281 greater than 500 as of June 2011) – In the Cloud?

Provider                     Year   #Affected   How?

Health Net                   2011   1,900,000   Stolen portable disk from office

NYC Health & Hospitals Corp  2010   1,700,000   Hard drives stolen from van

AVMed                        2009   1,220,000   Laptops stolen from corp office

BCBS Tennessee               2009   1,023,209   Hard drives stolen from IT closet

South Shore Hospital         2010     800,000   Drives lost while transported for destruction

Source: Software Advice study 6/11


2013 – 3,000 Patients Posted on Google E-mail and Document Storage Services: HIPAA Violation?


Section III – CLOUD RISKS


RISK: Physical Cloud Components

– Data Centers: self-hosted, third-party, both?

– Network circuits and firewalls: who’s managing, who’s watching?

– Disaster preparedness and recoverability: is there a plan, is it tested?

– Who is aware of and managing vendor SLAs and are they adequate?

Risk Slides Source: Orus Dearman, Grant Thornton Lost In Cyberspace Presentation


RISK: Data and Organizational

• Where is the data and how is it protected?

– In-flight, standing still / at-rest, etc.?

– Archives and back-up?

– Unintended uses?

– Data privacy and compliance?

• What is the tone at the top?

– Stakeholder knowledge of attributes and risks

– Have internal controls evolved effectively?

– Who is monitoring internal use of public cloud services?


RISK: Attention To Security

• The cloud provider’s security policies are not as strong as the organization’s data security requirements

• Cloud systems which store organization data are not updated or patched when necessary

• Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place

• The physical location of organization data is not properly secured


[Figure slides] Source: 2013 Ponemon Institute Survey, Who's minding your cloud?


Security Vulnerabilities

• AAA Vulnerabilities

• User Provisioning/De-provisioning

• Remote access to mgmt interface

• Hypervisor

• Lack of resource isolation

• Lack of reputational isolation

• Communication encryption

• Weak archive encryption

• Impossibility of processing in encrypted form

• Poor key mgmt procedures


Source: Cloud Computing Benefits, Risks and recommendations for Information Security, ENISA


Security Vulnerabilities (Cont’d)

• Key Generation/Low entropy for random number generation

• Lack of standard technologies/solutions (lock-in)

• No source escrow agreement

• Inaccurate modelling of resource usage

• Conflicting SLAs/stakeholders

• Audit not available

• No control over vulnerability assessment process

• Internal net probing

• Co-residence checks

• Forensic readiness

• Sensitive media sanitization

• Synchronizing responsibilities

• Cross-cloud applications dependency


Source: Cloud Computing Benefits, Risks and recommendations for Information Security, ENISA


Best Practices

• Implement IP Restrictions

• Consider Two-Factor Authentication

• Secure Employee Systems

– Use malware/spyware utilities

• Strengthen Password Policies

• Require Secure Sessions (https://)

• Decrease Session Timeout Thresholds

• Identify a Primary Security Contact


Security Vulnerabilities (Not specific to the cloud)

• Lack of security awareness

• Lack of vetting process

• Unclear roles/responsibilities

• Poor enforcement role definitions

• Need-to-know principles not applied

• Inadequate physical security

• Mis-configuration

• Unclear asset ownership

• Un-trusted software

• Incomplete asset inventory/classification/ownership

• Poor provider selection

• Liability from data loss

• Inadequate/mis-configured filtering resources


Source: Cloud Computing Benefits, Risks and recommendations for Information Security, ENISA


RISK: Multi-tenancy

• Organization data is not appropriately segregated on shared hardware resulting in organization data being inappropriately accessed by third parties

• The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both in rest and transit

• The cloud service provider cannot determine the specific location of the organization’s data on its systems

• Organization data resides on shared server space which might conflict with regulatory compliance requirements for the organization


RISK: Data Location

• The organization is not aware of all of the cloud service provider’s physical location(s)

• The organization does not know where their data is physically or virtually stored

• The cloud service provider moves organization data to another location without informing the organization

• Organization data is stored in international locations and falls under foreign business or national laws/regulations


RISK: Reliability

• The cloud service provider has quality of service standards which conflict with operational requirements

• During peak system activity times, the cloud service provider experiences system performance issues that result in the following:

― organization employees cannot access the organization’s data when needed

― Customers are unable to use the organization’s systems (such as placing an order on the organization’s web site) because of performance problems with the cloud provider


RISK: Sustainability

• In the event the cloud service provider goes out of business, the organization might not be able to retrieve the organization’s data. In addition, another third party might gain access/control of the organization’s data

• The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster

• The organization’s business continuity plan does not

address the cloud’s service offering being unavailable

• Organization data is compromised as a result of a disaster


Scalability risks

• The cloud service provider’s systems cannot scale to meet the organization’s anticipated growth, both for a short-term spike and/or to meet a long-term strategy

• If the organization decides to migrate all or part of the organization’s system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data


[Figure slide] Source: Information Week, 2013 Cloud Security and Risk Survey, Sept 2013


Section IV – THE FUTURE OF CLOUD


Compliance Frameworks For Evaluating Cloud Security

• COBIT

• CSA Security Matrix

• Jericho Forum Self-Assessment Scheme

• AICPA Service Organization Control (SOC) 1 Report

• AICPA/CICA Trust Services (Systrust/Webtrust)

• FedRAMP

• NIST 800-53

• HITRUST

• BITS

• ENISA Report

• RYO (Roll Your Own)


NIST Has Excellent Publications To Help With Security and Privacy


[Figure slide] Source: Information Week, 2013 Cloud Security and Risk Survey, Sept 2013


Key Cloud Macro Issues

• Critical mass of separation between data owners and data processors

• Anonymity of geography of data centers & devices

• Anonymity of provider

• Transient provider relationships

• Physical controls must be replaced by virtual controls

• Identity management has a key role to play

• Cloud WILL drive change in the security status quo

• Reset button for security ecosystem

Source: Achieving Security Assurance and Compliance in the Cloud, Cloud Security Alliance 2011


Key Trust Issues Are Emerging

– Will my cloud provider be transparent about governance and operational issues?

– Will I be considered compliant?

– Do I know where my data is?

– Will a lack of standards drive unexpected obsolescence?

– Is my provider really better at security than me?

– Are the hackers waiting for me in the cloud?

– Will I get fired?

Source: Achieving Security Assurance and Compliance in the Cloud, Cloud Security Alliance 2011


Potential Challenges For Tomorrow

• Keeping pace with cloud changes

• Globally incompatible legislation and policy

• Non-standard Private & Public clouds

• Lack of continuous Risk Management & Compliance monitoring

• Incomplete Identity Management implementations

• Haphazard response to security incidents

Source: Achieving Security Assurance and Compliance in the Cloud, Cloud Security Alliance 2011


4 Stages to Cloud Maturity

Source: Assess Your Cloud Maturity, Forrester Research 5/29/12


10 2013 Cloud Predictions… Which Ones Came True? Which Will Remain This Year (In 2014)?

• End of cloud "one-size-fits-all"

• Cloud and mobile will become one

• Stop stressing about cloud service-level-agreements

• Get real about cost modelling

• Developers will be developing with support from infrastructure and operations professionals

• Get real about cloud for backup and disaster recovery

• Cloud ≠ commodity

• Cloud ≠ Amazon Web Services

• Virtualization is good, but not a cloud

• Development in the cloud not that much different

Source: Forrester Research, Predictions for 2013: Cloud Computing, Feb 22, 2013


Final Thoughts – Remember The Baby Toddler

• Cloud Computing Is now a Toddler

• …But as a Toddler, it is wise to plan for college early

• …because the Toddler does grow up

• Apply concepts from other prior kids to this one

• Learn from the Toddler

• Embrace and don’t be afraid of the Toddler

• Know where the Toddler is coming from, and know they will always be your baby!



References

• Cloud Computing: Benefits, Risks and Recommendations for Information Security, www.enisa.europa.eu

• Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, www.cloudsecurityalliance.org/

• Cloud Computing Use Cases White Paper, Version 4.0, http://cloudusecases.org

• Moving to the Cloud, V1.0, http://cloudusecases.org

• The NIST Definition of Cloud Computing (Draft), SP 800-145, Jan 2011, http://csrc.nist.gov/publications/drafts/800-145_cloud-definition.pdf

• Gartner Security & Risk Management Summit, 6/11, Washington, DC, various presentations

• IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, ISACA

• cloud.cio.gov/action/secure-your-cloud

• Information Security Governance Simplified: From The Boardroom to the Keyboard (Fitzgerald, 2012)

• CISO Leadership: Essential Principles for Success (Fitzgerald & Krause, 2008)



Todd Fitzgerald

Global Information Security Director

Grant Thornton International, Ltd.

Oak Brook Terrace, IL


linkedin.com/in/toddfitzgerald



Additional Slides – CLOUD USE CASES


Use Case #1: End User To Public Cloud

• End user accesses data and applications in the cloud

• Gmail, Facebook, LinkedIn

• No idea of Architecture

• Any browser, any device


Source: Cloud Computing Use Cases White Paper


Use Case #1: End User To Public Cloud – Requirements

• Identity – Cloud service must authenticate

• Open client

• SLAs for end users simpler

• Cloud vendors must be clear on service level


Source: Cloud Computing Use Cases White Paper


Use Case #2: End User-Public Cloud To Enterprise

• End user interacts with enterprise

• Enterprise interacts with cloud

• End user is external or internal

• (Variation: Use case w/o Internal User for Internal processes)


Source: Cloud Computing Use Cases White Paper


Use Case #2: End User-Public Cloud To Enterprise – Requirements

• Identity – cloud service must authenticate

• Open client

• Federated identities, single ID for end user

• Location awareness

• Metering & Monitoring

• Governance/Mgmt


Source: Cloud Computing Use Cases White Paper


Use Case #2: End User-Public Cloud To Enterprise – Requirements (Cont’d)

• VM Common file format

• Common API Cloud Storage/Middleware

• Data/Application Federation

• SLA and Benchmarks

• Lifecycle Mgmt


Source: Cloud Computing Use Cases White Paper


Use Case #3: Enterprise to Cloud to Enterprise

• Two enterprises using the same cloud

• Hosted resources in cloud

• Applications interoperate

• Supply chain


Source: Cloud Computing Use Cases White Paper


Use Case #3: Enterprise to Cloud to Enterprise – Requirements

• Similar to Enterprise-To-Cloud Use Case

• Plus:

– Transactions and concurrency

– Interoperability


Source: Cloud Computing Use Cases White Paper


Use Case #4: Private Cloud

• Cloud contained within enterprise

• Computing power spread across enterprise

• Department gets extra cycles when needed (e.g., Payroll, Finance)


Source: Cloud Computing Use Cases White Paper


Use Case #4: Private Cloud - Requirements

• Requirements same as public cloud, except:

– Identity/Federated

– Location awareness

– Transactions

– Industry standards

– Common APIs for middleware


Source: Cloud Computing Use Cases White Paper


Use Case #5: Hybrid Cloud

• Multiple clouds working together

• Federated cloud provider – combines own resources with others

• Cloud Broker – delivers clouds, no resources of their own

• No difference to end user


Source: Cloud Computing Use Cases White Paper


Use Case #5: Hybrid Cloud - Requirements

• Same requirements as prior use cases

• SLAs – machine readable to permit cloud provider to select resources without human intervention


Source: Cloud Computing Use Cases White Paper


Use Case #5a – Community Cloud

• Subset of Hybrid Cloud

• Users access via Intranet vs Internet

• User has no knowledge of what hybrid cloud provider does



5 Customer Scenarios

Source: Cloud Computing Use Cases White Paper
