
Operational Risks - USALearning

Operational Risks

Table of Contents

Operational Risks ............................................................................................................................ 2

Human Resources -1 ....................................................................................................................... 3

Human Resources -2 ....................................................................................................................... 5

Physical Security .............................................................................................................................. 6

Data Storage Locations ................................................................................................................... 7

Regulatory Compliance ................................................................................................................... 9

Cloud Provider Outsourcing .......................................................................................................... 10

Data Seizure and Ownership -1 .................................................................................................... 12

Data Seizure and Ownership -2 .................................................................................................... 14

Notices .......................................................................................................................................... 16

Page 1 of 16

Operational Risks

20

Human resources

Physical security

Data storage locations

Regulatory compliance

Cloud provider outsourcing

Data seizure and ownership

**020 So we'll talk a little bit about the operational risks here.

Human Resources -1

21

Insider threat is becoming increasingly recognized as an area of great concern

• There is even more of a risk when using cloud computing

• Customers often have little to no control over the hiring practices of the cloud provider

• Cloud provider employees

— Must assume the high-risk roles

— Can become targets for criminal gangs as the data that they are storing becomes known

— May feel less responsible for the safety of the data because it is not their own or they have no stake in the customer’s company

**021 So human resources, this first one is more so human resources within your service provider, within that organization. You know, who has actual access to your instance, the physical hardware that it's on, the systems administrators managing that? Again, that virtual instance has got to be deployed as a physical box someplace. Who has access to that physical box? Are there back doors for the system administrators to get in there, whether it's, you know, escrow keys for unencrypting volumes, or is it, you know, physical access, where you can access the console through that VMware center interface, or some sort of Xen administrative tools? Can they access your virtual box as well? Are they allowed to, is that part of their management support, right? Are you not only just having them support that infrastructure for you, but are they also managing some of those components, if you've got, like a platform for platform as a service, for example? If they're supporting the whole operating system, and your application code is on there, how secure is the application code? Because it's sensitive information, right, proprietary information that, if they log onto that box and access that code, and dump that, what repercussions are there? What controls do you have in place to prevent something like that from happening? So those are a couple of things that you need to keep in mind. The idea that-- also, is there the physical risk of the employees there? I mean, you know when the security guard for your building or your colocation facility is taking a nap out-- you know, he's out, right, or the cameras aren't working, or the physical controls, and you have access to those logs, and you can review those logs, and you can correlate physical access events to infrastructure network events. You don't really have that same capability in a cloud environment, at least not easily.

Human Resources -2

22

Your organization’s employees

• May not be properly trained on the use of the cloud provider’s system

— Many data leaks are still accidental in nature

• May be misled to believe that they no longer need to worry about security since they are no longer storing it locally

• May introduce new threats into their work environment with the new ability to potentially access information from anywhere on the Internet

**022 And then, of course, you do have to worry about people within your own organization. How do they manage things within the cloud? If they're going to be managing this or accessing these things remotely, are they doing it over a secure connection? Where are those credentials stored? Is it a shared credential that everybody is using, or do we have that role-based authentication? If we do have a VPN set up from our corporate infrastructure to that cloud environment, we have those issues, right, again with the data leakage between our corporate environment to the cloud environment and vice versa. So they have to be aware of those types of things, and what activity is authorized, and what isn't, and what sort of things do they need to be looking for? And again, understand, that just because I'm transferring the service provider aspect somewhere else, doesn't mean I'm transferring all of the security. They're not going to magically secure everything for me. There's a number of things that still have to be done from a defense-in-depth perspective on that host to further protect it.

Physical Security

23

The physical security of the data can be unknown or unverifiable.

• It is much easier to spot your company’s security guards sleeping on the job than your Cloud provider’s.

**023 Physical security, again, this-- here's our guard sleeping example, but you know, in the human resources area, we talked about the different people that have access to your data, this is just more of a threat here of understanding that the physical environment, if you have certain controls that need to be in place for your organization for the types of data that you're handling, they need to also-- you need to ensure that your service providers, whether it's the cloud computing service provider, or just a colocation service provider, or some sort of application service provider, that those same physical controls are in place there, and that they're actually being enforced. Important things to keep track of.

Data Storage Locations

24

Data stored in the cloud may exist in several different countries at once.

• Customers may not be given full information on where their data can potentially be stored.

Cloud data centers could be located in areas that the customer would not want their data to be.

• If your data is stored in a high-risk country, it could be vulnerable to seizure or disclosure by local authorities.

• Privacy and data handling laws are different in every country.

— Some countries are reluctant to store their data in U.S. based cloud storage due to the Patriot Act.

**024 So where's the data stored? This is an interesting one. There are certain-- actually, I was going to say that there are certain European companies that don't want their data housed in the US. I actually think that they're not allowed to have them in the US, more so because of the privacy rules that apply in Europe, and the fact that something like the Patriot Act here could give probable cause enough to actually look at that data. So that's why they might have their data located in Canada, for instance. So depending on what your requirements are for privacy, you may not be allowed to leverage cloud computing services in the United States at all, and that's one of the issues that you see here. And we actually have a pretty good reference at the end, that talks about search and seizure and some of the different perspectives or different rules that apply there. The idea here is that each country is different. And we mentioned Amazon, and they have stuff in London, they have stuff in Hong Kong, they have stuff in Tokyo, they have stuff in the United States. Dependent on your privacy requirements, you may want that instance located at one location over another, prefer at one over the other, because again, that physical location of the asset is important, right? It's-- And you may not know where that is. In some cases, you can control that, in other cases, you might not be able to.

Regulatory Compliance

25

Cloud providers may not understand or abide by the regulations necessary for your data.

• Cloud providers may forbid external auditing for compliance.

• Unless the risk is contractually transferred to the provider, regulatory compliance is ultimately the responsibility of the data owner.

Data that is stored in multiple jurisdictions could be subject to compliance with each location’s specific requirements.

• It may be impossible to maintain compliance in some cases.

— European Union privacy laws prohibit customer data from being transferred to the US.

**025 Again, regulatory compliance, you may not be allowed to do that audit. You may not be allowed to do that vulnerability assessment of that port scan against your network block, because the firewall rules may prevent it. I know when I was dealing with some PCI compliance issues, there was an exception in the firewall to allow scanning from, say, Trustwave, or SecurityMetrics or whatever the quarterly scanning was going to come from. You know, that may be against an acceptable use policy in your case. Again, we see the risk transference stuff here. Make sure it's done contractually. Make sure that, if you have certain-- we'll talk about SLA stuff later, but if you have certain requirements for protecting that data and securing that data, make sure that the service provider adheres to those types of requirements. And there we go with some European Union privacy laws, as I mentioned.

Cloud Provider Outsourcing

26

Cloud providers may outsource parts of their services to third parties.

• Infrastructure

• Human Resources

• Security

Providers may be reluctant to disclose these relationships.

Security of the cloud is only as strong as its weakest link.

**026 So cloud provider outsourcing, the thing that we're trying to stress here, is, there may be some pieces to supporting your own infrastructure that's in the cloud that get outsourced, whether it's, again, provisioning that operating system level, or maybe the development, the source code or the application development for your interface in your environment, may be outsourced to someplace else. Maybe that security monitoring is outsourced. I know for a fact, one service provider, their sales pitch is all about, yeah, we have this great logging option that we have for you. We can implement, you know, you can have all your logs sent to the central logging facility, all your IDS alerts, and you can log on and you can do this. And so when we went to try and implement that logging infrastructure, it got to be a pain in the butt, it was kind of expensive, and then we started asking more questions about how many people do you actually have using this? And it was like, none. All right, so that was great. As an option that was available, it's just nobody was actually leveraging it because it was too much of a pain in the butt to actually configure and support, and it cost too much money. So there's just-- the point I'm trying to make is, even though some of the services might be listed by a service provider, things that they do for you, it may not be something they do inherently. They might be outsourcing things like log management or security management, and now you not only have to deal with the service level agreements with one company, you've got to deal with service level agreements with another company, and dealing with privacy, and who has access to your information.

Data Seizure and Ownership -1

27

Without a physical presence at the location of the data, law enforcement can seize data from the cloud provider.

• This can be done potentially without having to inform the customer.

• Example

— In Warshak v United States, the government subpoenaed a user’s webmail provider to hand over emails and was able to postpone notifying the customer using the Stored Communications Act. Requesting the same information, had it been located on the suspect’s own local machines, would have required a warrant.

— http://www.theregister.co.uk/2008/08/20/cloud_computing_privacy/

**027 So data seizure, we mentioned this a few times. Here's actually the link that I was mentioning, too. So this gentleman actually-- there was probable cause, at least enough for law enforcement to get involved, and start to look at his Yahoo mails and a couple of other things. And there's a loophole, and I think it's the Stored Communications Act, that essentially lets you postpone notifying the user. You have 90 days in which you can postpone the notification of the user, because generally the ISP needs to let you know if you're being monitored or something like that. And that's another thing, just in general, understand your acceptable use agreements, and what the policies are, that if law enforcement needs to access your data, that you want to be notified immediately. Now, obviously, there's conflictions between what the ISP and what your agreement with the ISP might be, versus what actually might happen from law enforcement, and by that, I mean, that 90 day window is there to protect law enforcement. For instance, if you are a flight risk, or if they think there's a chance that you might try to destroy that data or something like that, that's what that 90 day window is in there for the notification to you. So during that course of 90 days, this individual had a number of things compromised, information compromised, including his mail. And this link is actually a good one to go through to see the different things, with this particular case, and the different laws that impact your being notified as well as the access to stored communication, but this is a big one. And this is why that European Union law stuff comes into play, because they have certain privacy requirements that can be circumvented by various laws within the United States such as the Patriot Act, or the Stored Communications Act, and things like that.

Data Seizure and Ownership -2

28

With multiple customers’ data stored on the same physical machines, if hardware is confiscated, innocent users can be affected.

• Example—In April 2009, the FBI raided two Texas data centers looking for equipment from a few suspect VoIP providers, confiscating hardware and disrupting service for hundreds of unrelated businesses in the process.

You may think that you own your data, but your provider may think otherwise.

• Example—In July 2009, Amazon pulled purchased copies of the book “1984” from users’ Kindle devices without their knowledge due to a copyright dispute, including all electronic notes that users had made for the book.

**028 So yeah, here's the example that I mentioned with the FBI. The other example, with the Texas data center. The other example here, Amazon, this is kind of a neat one, in that if you had a Kindle, a Kindle, your e-book reader, right, and you can read your electronic books. Individuals had purchased 1984, and the publisher decided that they didn't want to distribute that way. And even though they had actually purchased it, Amazon then pulled that book away from the Kindle. Now it's kind of interesting-- I'm not terribly familiar with the Kindle, and how it all works, right? Because the idea would be, I would think, if I got a device, my books were downloaded to my device. In this particular case, their books would actually be stored on the cloud server, some sort of service provider server, and maybe you'd go to access that book, and, oh, by the way, it's gone now, because the publisher decided they didn't want it out there anymore. They didn't want it available to e-book readers anymore, regardless of whether or not you paid for it, which is almost like-- I like the example. It's the equivalent to you buying a book, having it in your house, and somebody coming into your house and taking it off your bookshelf, and leaving. It's essentially what happened, all right? It's a very interesting example, and I like the idea, there was one post that said, it's sort of ironic that 1984, and the whole, big brother is watching, thing, and now big brother actually took your book from you. It was a-- that's a pretty good analogy.

Notices

© 2016 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
