what finance needs to know about cloud computing and mobile device security 2013 csmfo


Upload: donald-hester

Post on 14-May-2015


DESCRIPTION

Coverage of the risks and rewards of cloud computing and mobile computing, including proper management and risk assessment considerations.

TRANSCRIPT

Page 1: What Finance Needs to Know About Cloud Computing and Mobile Device Security 2013 CSMFO

©2013 Maze & Associates

What Finance Needs to Know About Cloud Computing and Mobile Device Security

Page 2:

Presenter: Donald E. Hester
Director, Information Systems Audits, Maze & Associates
Instructor, San Diego City College
[email protected] | Twitter @sobca | www.LearnSecurity.org

Page 3:

Cloud Computing

Page 4:

What is Cloud Computing?
The "Cloud": buzz word; overused cliché; ill defined; many different definitions; marketing term; all hype; the "unknown path"; service provider; "____-as-a-service"; nebulous
Image source: NASA

Page 5:

Definition

“..[a] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions.” NIST & Cloud Security Alliance

A utility model of technology delivery.

Page 6:

Definition

According to NIST the cloud model is composed of five essential characteristics, three service models, and four deployment models.

Page 7:

Essential Characteristics
On-demand self-service: customer-driven utility
Broad network access: using standard networking
Resource pooling: economies of scale
Rapid elasticity: dynamic provisioning and releasing
Measured service: the ability to measure usage

Page 8:

“____-as-a-service” (Service Models)
Software-as-a-Service (SaaS)**
Platform-as-a-Service (PaaS)**
Infrastructure-as-a-Service (IaaS)**
Communication-as-a-Service (CaaS)
Monitoring-as-a-Service (MaaS)
Security-as-a-Service (SECaaS)
Everything-as-a-Service (EaaS)
Anything-as-a-Service (XaaS)
** Defined by NIST

Page 9:

Cloud Flavors (Deployment Models)
Private Cloud: operated solely for one organization (in-sourcing)
Community Cloud: operated for a group of similar organizations
Public Cloud: outsourced, multi-tenant
Hybrid Cloud: a combination of the above

Page 10:

Page 11:

Potential Spending on Cloud Computing

Page 12:

Reasons

Efficiency

Agility

Innovation

Page 13:

Benefits
Save time and money on provisioning new services
Less time spent on deployment
Move capital investment to operational expenses
Instant test bed
Enables IT systems to be scalable and elastic
Provision computing resources as required, on demand
No need to own data center infrastructure (for public cloud services)

Page 14:

Benefits
Energy saving (green): increased utilization, less idle time
Cost based on usage: more effective use of capital resources ($)
Better service: allows IT staff to focus on core competencies; repurpose IT staff for more customer service; outsource to specialist experts; 24/7 service and support; economies of scale

Page 15:

Benefits
Business Continuity: typically hosted at a remote location, so you can access it from almost anywhere; the provider may have redundancy for you (multiple geographically dispersed data centers); save $s on remote processing capabilities
Disaster Recovery: typically covered by service level agreements; options for frequency of backup

Page 16:

Cloud Provider Benefits (NIST SP 800-144)
They will have specialized staff
The platform will typically be more uniform
They have the ability to scale and add redundancy
Better backup and recovery
May support a greater number of mobile devices
Data may be centralized and not on laptops

Page 17:

Benefits

Page 18:

Cost Considerations

Traditional Costs (Capital Expenses): Hardware (initial); Software (initial); Hardware repair/upgrades; Software upgrades; Staff costs; Energy costs; Training (IT and end user)

Traditional Limits: Maximum load; Maximum up-time; Maximum users; MTTR; Dependencies

Cloud Costs (Operational Expenses): Cost per user; Cost by bandwidth/storage; Cost increase over time; Cost of additional services; Legal consultation costs; Training (end user)

Cloud Limits: Users (cost per); Bandwidth; Storage (additional costs); Service support (may not be 24/7/365); Dependencies

Page 19:

Cost Benefit Analysis Example
Traditional Costs: TCO $21,000
Cloud Costs: TCO $22,850
(Chart: cost by year for Traditional vs. Cloud, years 1 to 10, vertical axis $0 to $14,000)

Page 20:

Cloud Risks
Where's My Data?
The Bad Divorce
Trust but Verify
"I thought you knew"
I didn't think of that
Clarify
Consider
Expectations: put it in writing
Compatibility

Page 21:

Where's My Data?
In the information age your key asset is information.
Some information requires protection (credit card data, student records, SSNs, etc.)
Your information could be anywhere in the world
You may lose access to your data (availability): ISP failure; service provider failure; failure to pay (the service provider stops access)

Page 22:

The Bad Divorce ("Vendor Lock-in")
All relationships come to an end: they let you down, had a breach, SLA performance, etc.; the company fails or gets sold; introductory pricing, or the price goes up over time
Transition to a new vendor or in-source: how will you get your data back?
Lack of portability between PaaS clouds: for example, something built for Google won't work on SharePoint or Amazon
Get a prenup: get it in the contract up front

Page 23:

Trust but Verify (Assurance)
How do you know they are protecting your data? Not everyone is treated the same by service providers.
Disclosure concerning security posture
3rd party independent verification (audit/assessment): SAS 70 / SSAE 16 (SSAE 16 replaced SAS 70 in 2011; a SOC 1 report covers controls relevant to financial reporting, while a SOC 2 report covers security, availability, confidentiality and related criteria, so ask which report the provider actually offers), SysTrust / WebTrust, ISO 27001 certification, audit / assessment
MOU/MOA & ISA

Page 24:

“I thought you knew”
Cloud systems are typically more complex; this may create a larger attack surface
Breach Notification: when do you want to know about a data breach? (data that you are legally obligated to protect)
Typical contracts give wide latitude to service providers: actual versus possible breach; timeliness of notification

Page 25:

I didn't think of that
Dependencies: infrastructure (Internet); authentication management (SSO); operational budget; greater dependency on 3rd parties
Other considerations: complex legal issues; multi-tenancy; transborder data flow; jurisdiction and regulation; support for forensics

Page 26:

Clarify
What do they mean by "Cloud"?
Establish clear responsibilities and accountability
Your expectations
Cost of compensating controls
What will happen with billing disputes?
Will your data be in a multi-tenant environment?
What controls will you have?

Page 27:

Consider
The reputation of the service provider: track record of issues; large or small, likelihood of change; vendor 'supply chain management' issues
The reliability of the service or technology: is the technology time tested? competency of the cloud provider
Typically you have no control over upgrades and changes
Training for staff

Page 28:

Compatibility
When will they upgrade their service?
Will they be ready when you are ready for an upgrade of dependent software?
Will you be ready when they are ready to upgrade?
Browser-based Risks and Risk Remediation: what software will be required on the client side? Java, Flash, ActiveX, Silverlight, HTML 5 (each browser plugin is additional client-side software you must keep patched)

Page 29:

New attack vectors
Hypervisor complexity
Data leakage (multi-tenant environment)
Man in the middle
Browser vulnerabilities
Mobile device vulnerabilities

Page 30:

Service Agreements
Service Level Agreement (SLA): some are predefined and non-negotiable; some are negotiable (typically cost more)
Terms of Service may cover: privacy; breach notification; licensing; acceptable use (what you can and can't do); limitations on liability (typically in favor of the service provider); modifications of the terms of service (do you want this?); data ownership

Page 31:

Traditional risks, no matter where you go
Insider threat: instead of your staff, it is their staff
Access control: how can you control and monitor?
Authentication: another logon, or SSO
Data sanitization: is your data really deleted?
Others????

Page 32:

What to do?
Careful planning before engagement
Understand the technical aspects of the solution
Make sure it will meet your needs (security and privacy)
Maintain accountability
Define data location restrictions
Ensure laws and regulations are met
Make sure they can support electronic discovery and forensics
Make sure you can view audit logs of the server and application at any time
Follow NIST and Cloud Security Alliance guidance

Page 33:

Remember to specify
Personnel (clear backgrounds)
Access control, account and resource management
Availability, including SLA and dependencies
Problem & incident reporting, notification and resolution
Disclosure agreements
Physical controls
Network boundary protection
Continuity, backup and recovery
Assurance levels
Independent audit or assessment

Page 34:

Resources
Cloud Security Alliance - cloudsecurityalliance.org
ISACA: Cloud Computing Management Audit/Assurance Program, 2010
NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing
NIST SP 800-145, The NIST Definition of Cloud Computing
NIST SP 800-146, Cloud Computing Synopsis and Recommendations
Federal Cloud Computing Strategy, February 2011, CIO.gov
Above the Clouds: Managing Risk in the World of Cloud Computing, by McDonald (ISBN 978-1-84928-031-0)
Cloud Computing: Implementation, Management, and Security, by Rittinghouse and Ransome (ISBN 978-1-4398-0680-7)

Page 35:

Mobile Device Security

Page 36:

Today
Proliferation of mobile devices
BYOD: "Bring Your Own Device" to work
How many mobile devices do you have? Laptops, phones, tablets, eReaders, MP3 players, gaming devices

Page 37:

What is a mobile device?
Small form factor
Some wireless network interface: Wi-Fi, cellular network, Bluetooth, NFC (Near-Field Communication)
Basic operating system
Smaller amounts of storage
Cameras, microphones, GPS

Page 38:

Benefits
Anywhere, anytime
Lower cost (BYOD)
Limited functions*
Touch interface
Increased productivity
People like it

Page 39:

Risks
Mobile devices often need additional protection because, by nature, they have higher exposure to threats than other client devices:
Lack of physical security
Untrusted mobile devices on your network
Mobile devices often use untrusted networks
Applications from unknown sources, especially free apps

Page 40:

Minimize Risk
Limit access of mobile devices
Encrypt mobile devices or limit local storage
Encrypted communications
Policy on reporting loss
Require passwords
Restrict applications (difficult in BYOD; there are some tools to help)

Page 41:

Costs
Direct costs: mobile devices; client software; Wi-Fi or cellular plan
Indirect costs: maintaining mobile devices; compensating controls; technical support for users

Page 42:

Resources
NIST SP 800-124, Guidelines for Managing and Securing Mobile Devices in the Enterprise (draft)

NIST SP 800-114 Revision 1 (Draft), User's Guide to Telework and Bring Your Own Device (BYOD) Security

NIST SP 800-46 Revision 2 (Draft), Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security