securing and auditing cloud computing jason alexander chief information security officer
TRANSCRIPT
What is Cloud Computing
“A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”• 5 essential characteristics• 3 cloud service models• 4 cloud deployment models
Essential Characteristics
• On-demand service– Computing capabilities as needed, often from a user portal allowing self-provisioning
• Broad Network Access– Services available over the net using desktop, laptop, PDA, mobile phone
• Resource pooling– Provider resources pooled to server multiple clients, Users are often sharing the same physical
machines • Rapid Elasticity
– Ability to quickly scale in/out service levels to meet demand• Measured service
– Services based on metering, usually measured in service/timeframe
Service Models
• Software as a Service (SaaS)– Users access application, Provider manages the network, servers, OS, storage,
application, & infrastructure• Platform as a Service (PaaS)
– User deploys their application, Provider supports servers, network, storage, & infrastructure
• Infrastructure as a Service (IaaS)– User controls application, OS, storage, apps, selected network components,
Provider Controls the infrastructure
Deployment Models
• Public– Cloud infrastructure is available to the general public, owned by provider selling cloud
services• Private
– Cloud infrastructure for single customer only, may be managed by the customer or a 3rd party, on or off premise
• Community– Cloud infrastructure shared by several customers that have shared concerns, managed
by customers or 3rd party• Hybrid
– Combination of clouds bound by standard or proprietary technology
Before Moving to the Cloud
• Identify the asset, application, or information for deployment– Data type and sensitivity level– Application/Function/Process
• Evaluate the asset– How important is the data or the functionality to
the organization.• Identify the stakeholders
Asset Evaluation
• How would we be harmed if• the asset became widely public & widely distributed • An employee of our cloud provider accessed the asset • The process of function were manipulated by an
outsider • The process or function failed to provide expected
results • The info/data was unexpectedly changed • The asset were unavailable for a period of time • Does the deployment type address required security
Understand the Flow of Data
• Understand the flow of data• Can data be used in unintended ways• How can data move in/out of the cloud• What is your risk tolerance for loss of data
Cloud Computing ArchitectureData Center Data Center
Data Center
Remote Data Providers
Internet
CorporateFirewall
Corporate Network
Remote Users
Network LoadBalancer
Cloud Service ExamplesLawson (Financial)
Workday (HR)Office 365 (Productivity)
Cloud Computing Governance
• Cloud computing governance is not much different than a traditional governance program.– Need to establish processes and controls– Effective Information Security Program– Providers must provide documentation – Service Level Agreements
What Should Audit Consider
• Physical– Where are the server physically located – What are the governing laws of that area
• Compliance– Can the provider show a recent SAS 70 Type II, ISO
27001/2, SSAE 16 Type II audit statement?– Contractual “Right to Audit” clause
What Should Audit Consider
• Legal– E-Discovery– Ownership of data– Clearly defined roles and responsibilities – Rights during separation
• Auditability– What regulations impact cloud services– Regulatory impact on data security
What Should Audit Consider
• Data Life Cycle– Data storage requirements – Comingling of data
• Disaster Recovery– Disaster Recovery Plan– Recovery Time Objectives (RTOs)
What Should Audit Consider
• Information Security– Information security is not always a first priority– Is an “Incident” clearly defined– Does the provider meet regulatory requirements
• Application Security– Does the provider have a defined Software
Development Life Cycle
What Should Audit Consider
• Encryption– Encrypt all data in transit, at rest, backup media– Encryption Standards
• Identity and Access Management– Provisioning, deprovisioning– User authentication
Final Thoughts
• Cloud computing should not be scary.• Decide on Public or Private depending on risk.• With the governance, risk management,
information security policy and auditing, a cloud implementation can be as secure a traditional implementation.
References
• Security Guidance for Critical Areas of Focus in Cloud Computing V2.1– http://www.cloudsecurityalliance.org
• NIST Cloud Model– www.csrc.nist.gov/groups/SNS/cloud-computing/index.ht
ml
• Pizza as a Service– Albert Barron, Sr. Software Client Architect at IBM– https://www.linkedin.com/pulse/20140730172610-967988
1-pizza-as-a-service