Cloud Computing, NSAA Tallahassee, September 2010, Brian Rue (brue@fsu.edu)
Agenda
1) Cloud Audit Drivers
2) Cloud Deployment (SaaS, PaaS, IaaS)
3) Cloud Delivery Methods (Private, Community, Public, Hybrid)
4) Cloud Communications
5) Data/Application Data Center Geography
6) Select Cloud Legal Issues
7) Select Data Security Issues
8) Cloud Contract Review
9) Cloud Audit Program Resources
10) Cloud Resources
Back to the Future: Centralized Computing Architecture, Application Service Providers, and Thin Client Computing Architectures
Why State Entities Cloud
• Potential to Reduce Costs: Cloud technology can result in cost savings over in-house solutions.
• Promotes Automation: Can shift (variable by cloud type) backend hardware and software support to the cloud vendor, reducing required staff at the client site.
• On-Demand: Scalable architecture allows the client to dial up and dial down computing resources to match work flows.
• Mobility: Web user interface allows clients to connect from any computing device using a supported web browser.
• Shift IT Security Controls: Client can contractually shift IT security controls to the vendor, depending on the type of cloud architecture.
• Frees IT to Innovate: Clients have fewer support issues to worry about, allowing IT to concentrate on innovation.
1. Cloud Audit Drivers
Audit Reports
Evolving Government Guidance
Legislative Interest
Outsourcing Compliance Mandated Reviews
Evolving Cloud Security Controls
State Cloud Issues
State Cloud Migration
Getting Comfortable in the Cloud Environment
2. Three Cloud Deployment Methods
1. Software as a Service (SaaS)
• Vendor runs/owns:
– Application Software
– Platform (Operating System/Web apps/middleware/database)
– Supporting Infrastructure (data center)
• The applications are accessible from various client devices through a thin client interface such as a web browser.
SaaS Video
Example SaaS Product: Google Apps
2. Platform as a Service (PaaS)
• Vendor runs/owns:
– Platform (Operating System/Web apps/middleware/database)
– Supporting Infrastructure (data center)
• Client does not manage underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
PaaS Video
3. Infrastructure as a Service (IaaS)
• Vendor runs/owns:
– Supporting Infrastructure (data center)
• The client does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
IaaS Video
NIST Chart
Cloud Providers
3. Cloud Delivery Methods
1. Private Clouds
• The Private Cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
1.1 Private Clouds
2. Community Clouds
• The Community cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
2.1 Community Clouds Video
3. Public Clouds
• The Public Cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
3.1 Public Clouds
4. Hybrid Clouds
• The Hybrid Cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
4.1 Hybrid Cloud Video
NIST Cloud Delivery Chart
4. Cloud Communications
Mapping the data flows between auditee, the cloud service, and any outside customers
Understanding the Pipes
• Internet
• Secure 100 Mbps or Gigabit private networks
• Virtual Private Networks (VPNs)
• Dedicated Lines
• SSL/SSH
• Wireless Carriers (Wi-Fi/WiMax/LTE/3G)
• Home Networks
• Public Access Points
• Multinational
Security of the Pipes: A Cloud Security Concern (Does a Plan B Exist?)
Service Disruptions – From entity ISP Internet connectivity to denial of service attacks against Internet/vendor infrastructure
Encrypted Communications
• Encrypted Cloud Contacts
– Strength
– Key Management
• Vendor Retains Encryption Keys
• Entity Retains Keys
5. Data Center Geography
Data Packet 54: Where are You?
Cloud Vendors Maintain Data Centers in Multiple Locations Across the Globe
Location, Location, Location
Cloud vendors can have the ability to port client data and application processing across borders absent contractual geographical restrictions.
• One prominent SaaS provider has been identified as not being able to state, definitively, where one's data is hosted or that its location will be restricted to any given region.
http://www.cio.com/article/612063/Data_Compliance_and_Cloud_Computing_Collide_Key_Questions
More Secrecy from Vendors
• According to Network World, “Cloud service providers often cultivate an aura of secrecy about data centers and operations, claiming this stance improves their security even if it leaves everyone else in the dark”; these providers often believe that such secrecy is an integral part of the cloud-computing business model.
6. Select Legal Issues
IMPORTANT: Cloud vendors do not always know if the entity is using cloud resources to store and/or process data that is protected by State, Federal, or contractual obligations.
HIPAA/HITECH – Note the requirements concerning the terms between the audited entity and the business associate in the business associate contract (BAC) which HIPAA/HITECH requires these parties to have. HITECH does create security obligations for Business Associates (BAs) with responsibility for joint IT environments. Additional issues concern the BA's ability to monitor the entity's environment to ensure any privacy/security issues are promptly communicated to the contracted entity.
PCI DSS – Cloud use for credit card processing must include cloud contract provisions concerning the cloud vendor's duties as a Service Provider under PCI DSS, including the vendor's obligation to maintain a compliant cloud environment.
State Privacy Laws – Contracted cloud provisions should match the appropriate state security or privacy laws.
Business Associates – State Laws – Service Providers
e-Discovery in the Cloud
Cloud provider possession and custody, but delegation of control to a customer
• Has the auditee developed e-discovery procedures including getting information off the cloud when a request is made?
• Has the auditee reviewed and validated the controls used to protect the cloud documents to counter potential legal challenges?
– How does the entity ensure documents are not moved to geographical locations that may put e-document integrity at risk?
Subpoenas
• State or Federal subpoenas could be issued against data/logs held by the cloud vendor
– Subpoena procedures may result in customer data/logs being reviewed even if the customer's data is not part of the subpoena, due to multi-tenant cloud architecture, if the data is not encrypted with the key held by the client.
• There may be no judicial oversight requiring the cloud vendor to alert the client of subpoena activity involving client data or network logs
7. Cloud Data Security Issues
Security Issues
• Vendor connections to entity data security systems
– Vendor may have access to local authentication and authorization assets maintained by the client (e.g., Active Directory) through hosted apps and databases
• Lack of client audit clauses
• Data encryption keys controlled by the cloud vendor, not the entity
• Lack of vendor logs (Application/Database/Network) or limited access to vendor logs
• Slack vendor change management/patching procedures
• Unclear vendor incident response procedures (timely alerts?)
• Loss of physical control of data assets
– Controlling movement of data assets geographically
– Increased security issues in virtual environments
Top Cloud Client Security Fails
• 0.0% development of client risk assessment to understand and develop appropriate control and monitoring procedures to ensure CIA in the cloud and end-points
• Client gives up ownership or responsibility or governance of what's going on with their data to cloud service providers
Contracted Security
• Cloud vendors will construct security clauses in client contracts that best protect the legal interest of the vendor and not necessarily the client:
– Vendor may not define the security standards they will follow to protect client assets
– Vendor may not define procedures for the timely application of security patches to purchased infrastructure
– Most vendors contractually prohibit client vulnerability and PII scans of the purchased cloud environment
– Vendor may not specify what privacy or data security laws they must comply with
SAS 70 – ISO/IEC 27002 – SSAE No. 16
The Vendor Entity Contracting Guidelines or Procedures
8. Cloud Contract Review
It’s All About the Contracts
• The majority of your program audit hours will be allocated to cloud contract review
9. Developing a Cloud Audit Program
ISACA – Cloud Computing Management Audit/Assurance Program
http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Pages/ICQs-and-Audit-Programs.aspx
10. Cloud Auditing Resources
GSA Cloud Guidance
http://www.gao.gov/new.items/d10855t.pdf
http://www.privacylives.com/wp-content/uploads/2010/08/Privacy-Recommendations-Cloud-Computing-8-19-2010.pdf
Cloud Federal Privacy Recommendations
CSA Cloud Security Guidance
http://www.cloudsecurityalliance.org/csaguide.pdf
http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
NIST Cloud Presentations
Questions