Cloud Computing Risks today… Marc Vael International Vice-President Chair of the Cloud Computing Task Force

Upload: marc-vael

Post on 16-Aug-2015

TRANSCRIPT

Cloud Computing Risks today…

Marc Vael

International Vice-President Chair of the Cloud Computing Task Force

Industrial transformation

When was the term used for the first time?

26th of October 1997

Who hyped all this?

“What's interesting [now] is that there is an emergent new model, and you all are here because you are part of that new model. I don't think people have really understood how big this opportunity really is. It starts with the premise that the data services and architecture should be on servers. We call it cloud computing – they should be in a "cloud" somewhere. And that if you have the right kind of browser or the right kind of access, it doesn't matter whether you have a PC or a Mac or a mobile phone or a BlackBerry or what have you – or new devices still to be developed – you can get access to the cloud.”

Mr. Eric Schmidt, Chairman & CEO Google, Search Engine Strategies Conference, 9th of August 2006, http://www.google.com/press/podium/ses2006.html

http://www.nist.gov/itl/cloud/

http://www.isaca.org/cloud/

http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

Cloud Computing

Lessons learned...thus far

Definition

Cloud computing = model for enabling convenient, on-demand broad network access to a shared pool of configurable computing resources that can be rapidly provisioned & released with minimal management effort or service provider interaction and with automatic measuring, controlling & optimization.

5 characteristics, 3 service models, 4 deployment models.

NIST, Definition of Cloud Computing, October 2009

Definition : 5 essential characteristics

1. On-demand self-service.

2. Broad network access: accessible via different platforms.

3. Resource pooling: multi-tenant model. Location independence: the consumer has no control over or knowledge of the location of resources, but may be able to specify location at a higher level of abstraction.

4. Rapid & elastic provisioning (add & withdraw): capabilities appear to be unlimited and can be purchased in any quantity at any time.

5. Automatically measured, controlled, optimized service.


ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010

Considerations in 3 Cloud Computing Service Models


• Marketing packaging is becoming important…


Considerations in 4 Cloud Computing Deployment Models

ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010


Analyzing Cloud Computing

CLOUD ROI in practice

TANGIBLE BENEFITS
• Cost Reduction (OPEX)
• Enhanced productivity
• Optimized resource utilization
• Improved security
• Improved compliance
• Access to skills & capabilities
• On-demand scalability
• Agility (time to market)
• Improved customer satisfaction
• Higher reliability (DRP)
• Better performance and uptime

INTANGIBLE BENEFITS
• Avoiding missed business opportunities
• Focus on core business
• Higher employee satisfaction (mobile)
• Boosting innovation
• Real-time collaboration
• Risk transfer to CSP

UPFRONT COSTS
• Technical readiness (bandwidth)
• Implementation / Transition
• Integration in-house/cloud
• Configuration/Customization
• Training
• Organisational change

RECURRING COSTS
• Subscription fees
• Change management
• Vendor management (SLA)
• Cloud coordination
• End-user support & administration
• Risk mitigation
• Downsize/Upsize costs

TERMINATION COSTS
• Revert to on-premises or transfer to other CSP
• Penalties, Data export, Knowledge, Documents


CLOUD ROI suggestions

• Focus quickly on the optimal cloud solution. Start with an initial/baseline model and iteratively identify the one best suited to the enterprise’s needs.

• Make an “apples to apples” comparison. Evaluate a comparable set of costs for the as-is & to-be alternatives: make a fair comparison between 2 solutions that are potentially very different. Measuring monetary values in a consistent manner increases ROI accuracy and reliability.

• Stay within the enterprise’s risk tolerance. Perform a risk assessment of the as-is & to-be options to ensure that the solutions being compared are within the enterprise’s risk tolerance and that the costs of mitigating unacceptable risk are factored into the calculations. Knowing the enterprise’s risk appetite before calculations begin is a must.
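As an added worked example, not part of the deck, the following Python model applies the three ROI suggestions to the cost categories listed above: each option is costed with upfront, recurring and termination costs against its benefits over one consistent horizon, and every risk whose expected annual loss exceeds the enterprise's tolerance either has its mitigation cost added to the calculation or, if no control is available, puts the option outside tolerance. The option names, figures, likelihoods and the per-risk tolerance rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    """One risk from the as-is or to-be risk assessment (constructed sample data)."""
    name: str
    likelihood: float                 # assumed annual probability of occurrence
    impact: float                     # loss if it occurs, same currency as the costs
    mitigation_cost: Optional[float]  # annual cost of a control; None = no control available

    def expected_annual_loss(self) -> float:
        return self.likelihood * self.impact


@dataclass
class Option:
    """An as-is or to-be alternative, costed with the three cost categories of the deck."""
    name: str
    upfront: float              # technical readiness, transition, integration, training
    recurring_per_year: float   # subscription fees, vendor management, support
    termination: float          # revert/transfer, penalties, data export
    annual_benefit: float       # tangible benefits in money, relative to the as-is baseline
    risks: List[Risk] = field(default_factory=list)


def risk_adjusted_tco(option: Option, years: int, tolerance: float) -> Tuple[float, List[str]]:
    """Total cost of `option` over `years`, with mitigation factored in.

    A risk whose expected annual loss exceeds `tolerance` must be mitigated, so its
    mitigation cost is added for every year of the horizon. A risk that cannot be
    mitigated is returned by name, which marks the option as outside tolerance.
    """
    tco = option.upfront + option.recurring_per_year * years + option.termination
    unmitigable: List[str] = []
    for risk in option.risks:
        if risk.expected_annual_loss() <= tolerance:
            continue                                # accepted as-is, no extra cost
        if risk.mitigation_cost is None:
            unmitigable.append(risk.name)
        else:
            tco += risk.mitigation_cost * years     # cost of bringing it within tolerance
    return tco, unmitigable


def compare(options: List[Option], years: int, tolerance: float
            ) -> Dict[str, Tuple[float, bool, List[str]]]:
    """Apples-to-apples view: name -> (net position over horizon, within tolerance, unmitigable risks)."""
    result = {}
    for opt in options:
        tco, unmitigable = risk_adjusted_tco(opt, years, tolerance)
        net = opt.annual_benefit * years - tco
        result[opt.name] = (net, not unmitigable, unmitigable)
    return result


def best_option(options: List[Option], years: int, tolerance: float) -> Optional[str]:
    """Highest net position among the options that stay within risk tolerance."""
    eligible = {name: v for name, v in compare(options, years, tolerance).items() if v[1]}
    if not eligible:
        return None
    return max(eligible, key=lambda name: eligible[name][0])


# Constructed sample figures: three-year horizon, tolerance of 25,000 expected annual loss per risk.
AS_IS = Option("as-is on-premises", upfront=0, recurring_per_year=400_000, termination=0,
               annual_benefit=0,
               risks=[Risk("single data centre outage", 0.05, 2_000_000, 60_000)])
TO_BE_SAAS = Option("to-be SaaS", upfront=250_000, recurring_per_year=220_000, termination=80_000,
                    annual_benefit=150_000,
                    risks=[Risk("provider lock-in", 0.10, 500_000, 20_000),
                           Risk("data location outside home jurisdiction", 0.02, 1_000_000, None)])
TO_BE_IAAS = Option("to-be IaaS", upfront=100_000, recurring_per_year=150_000, termination=50_000,
                    annual_benefit=150_000,
                    risks=[Risk("isolation failure on shared tenancy", 0.10, 1_500_000, None)])

if __name__ == "__main__":
    options = [AS_IS, TO_BE_SAAS, TO_BE_IAAS]
    for name, (net, ok, bad) in compare(options, 3, 25_000).items():
        print(f"{name:20s} net={net:>12,.0f} within tolerance={ok} unmitigable={bad}")
    print("preferred:", best_option(options, 3, 25_000))
```

With these figures the IaaS option has the best net position but is excluded because its isolation-failure risk exceeds the tolerance and has no control available, so the model prefers the SaaS option; this is the point of the third suggestion, that the cheapest solution is only a candidate if it sits within the enterprise's risk appetite.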


Risk always exists! (whether or not it is detected / recognised by the organisation).


Never outsource what you do not manage properly today!

You always remain accountable!

15 basic “lessons learned”:

1. Psychological impact
2. IT governance model
3. Integration with internal/external IT systems
4. Network connectivity / bandwidth
5. Data location
6. Shared tenancy
7. Vendor lock-in
8. Service Provider stability, reliability and viability
9. Service portability / customization
10. Legal & regulatory compliance requirements (including licensing, contractual arrangements, record protection for forensic audit)
11. Information security management (including IAM and logging)
12. Incident response & crisis management
13. Business Continuity Mgt & Disaster Recovery Planning
14. Data ownership, lifecycle, archiving & removal
15. (Right to) Audit (pentest, screening, monitoring, …)

Principles, policies & frameworks

Policy & Organizational risks
1. Provider lock-in*
2. Loss of governance*
3. Compliance challenges*
4. Loss of business reputation due to co-tenant activities
5. Cloud service termination/failure
6. Cloud provider acquisition
7. Supply chain failure
8. SLA challenges

Processes

Legal risks
1. Data protection risks*
2. Risks from changes in jurisdiction
3. Licensing risks
4. Subpoena & e-discovery

Corporate governance : ERM = COSO

Organisational structure

Information

• Transparency : providers must prove effective & robust security controls, assuring consumers all information is properly secured (C-I-A).

- How much transparency is enough/too much?
- Which employees (of the provider) have access to consumer information?
- Is Segregation of Duties (SoD) between provider employees maintained?
- How are different consumers’ information segregated?
- What controls are in place to prevent, detect and react to security breaches?
- What investigations, examinations and audits (physical & virtual) are allowed by the provider?

• Privacy : providers must prove privacy controls are in place + demonstrate ability to prevent, detect, react to security breaches in a timely manner.

- Information & reporting lines of communication need to be in place & agreed on.

- Communication channels should be tested periodically.

• Trans-border information flow : physical location of the information:

- Physical location dictates jurisdiction and legal obligation.
- National laws governing personally identifiable information (PII): what is allowed in one country can be a violation in another.

Services, Infrastructure, Applications

Technical risks
1. Isolation failure*
2. Malicious insider at cloud provider*
3. Management interface compromise*
4. Insecure/ineffective data deletion*
5. Malicious scans
6. Resource exhaustion
7. Intercepting data in transit
8. Data leakage
9. DDoS
10. Loss of encryption keys
11. Compromise of service engine
12. Conflicts between consumer procedures and cloud procedures

Culture, Ethics,

Effective Cloud Risk Communication

Expectation: strategy, policies, procedures, awareness, …

Capability: Risk Management Process Maturity

Status: Risk Profile, KRIs, Loss data, …

People, Skills, Competencies

• Certification : providers need to provide independent assurance to consumers that they are doing the “right” things.


Cloud Computing Audit program

• Planning & Scoping the Audit

• Cloud Governance
– Governance & Enterprise Risk Management
– Legal & Electronic Discovery
– Compliance & Audit
– Portability & Interoperability

• Cloud Operations
– Incident Response, Notification & Remediation
– Application Security
– Data Security & Integrity
– Identity & Access Management
– Virtualization

Cloud Computing Conclusions


Your cloud computing solution is as strong …

… as its weakest link

www.isaca.org/cloud

www.isaca.org/cobit

http://www.enisa.europa.eu/

http://www.enisa.europa.eu/activities/Resilience-and-CIIP/networks-and-services-resilience/cloud-computing


References : Relevant Cloud Computing websites

• www.cloudsecurityalliance.org/
• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing
• csrc.nist.gov/groups/SNS/cloud-computing/
• opencloudconsortium.org/
• www.opencloudmanifesto.org/
• www.cloud-standards.org/wiki/
• en.wikipedia.org/wiki/Cloud_computing
• searchcloudcomputing.techtarget.com/
• cloudsecurity.org/
• www.cloudaudit.org/
• www.isaca.org/cloud

Marc Vael

International Vice-President Chairman of the Cloud Computing Task Force http://www.isaca.org/cloud

Contact information

[email protected]

http://www.linkedin.com/in/marcvael

@marcvael


www.isaca.org

14 General Cloud Computing Security Advantages

1. Data Fragmentation & Dispersal
2. Dedicated Security Team
3. Greater Investment in Security Infrastructure
4. Fault Tolerance & Reliability
5. Greater Resiliency
6. Hypervisor Protection against Network Attacks
7. Access to Pre-Accredited Clouds
8. Simplification of Compliance Analysis
9. Data held by unbiased party (cloud vendor assertion)
10. Low-Cost Disaster Recovery & Data Storage Solutions
11. On-Demand Security Controls
12. Real-Time Detection of System Tampering
13. Rapid Re-constitution of Services
14. Advanced Honeynet Capabilities

14 Specific Cloud Computing Security Challenges

1. Migrating PII & sensitive data to the cloud
– EU Data Protection Directive & U.S. Safe Harbor program
– Exposure of data to foreign government & data subpoenas
– Data retention & records management issues
– Privacy Impact Assessments (PIA)
2. Identity & Access Management
3. Multi-tenancy
4. Logging & Monitoring
5. Data ownership / custodianship
6. Quality of Service guarantees
8. Attracting hackers (high value target)
9. Security of virtual OS in the cloud
10. BCP / DRP
11. Data encryption & key management
– Encrypting access to cloud resource control interface
– Encrypting administrative access to OS instances
– Encrypting access to applications
– Encrypting application data at rest
12. Public cloud vs. Internal cloud security
13. Lack of public SaaS version control
14. Using SLAs to obtain cloud security
– Suggested requirements for cloud SLAs