What Finance Needs to Know About Cloud Computing and Mobile Device Security (2013 CSMFO)
DESCRIPTION
Coverage of the risks and rewards of cloud computing and mobile computing, including proper management and risk assessment considerations.
TRANSCRIPT
©2013 Maze & Associates
What Finance Needs to Know About Cloud Computing and Mobile Device Security
Presenter: Donald E. Hester
Director, Information Systems Audits, Maze & Associates; Instructor, San Diego City College
Twitter @sobca, www.LearnSecurity.org
Cloud Computing
What is Cloud Computing? The “Cloud”:
Buzzword
Overused cliché
Ill defined, many different definitions
Marketing term
All hype
The “unknown path”
Service provider
“____-as-a-service”
Nebulous
Image Source: NASA
Definition
“…[a] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions.” (NIST & Cloud Security Alliance)
A utility model of technology delivery.
Definition
According to NIST the cloud model is composed of five essential characteristics, three service models, and four deployment models.
Essential Characteristics
On-demand self-service: customer-driven utility
Broad network access: using standard networking
Resource pooling: economies of scale
Rapid elasticity: dynamic provisioning and releasing
Measured service: the ability to measure usage
“____-as-a-service” (Service Models)
Software-as-a-Service (SaaS)**
Platform-as-a-Service (PaaS)**
Infrastructure-as-a-Service (IaaS)**
Communication-as-a-Service (CaaS)
Monitoring-as-a-Service (MaaS)
Security-as-a-Service (SECaaS)
Everything-as-a-Service (EaaS)
Anything-as-a-Service (XaaS)
** Defined by NIST
Cloud Flavors (Deployment Models)
Private Cloud: operated solely for one organization (in-sourcing)
Community Cloud: operated for a group of similar organizations
Public Cloud: outsourced, multi-tenant
Hybrid Cloud: a combination of the above
Potential Spending on Cloud Computing
Reasons
Efficiency
Agility
Innovation
Benefits
Save time and money on provisioning new services
Less time spent on deployment
Move capital investment to operational expenses
Instant test bed
Enables IT systems to be scalable and elastic
Provision computing resources as required, on demand
No need to own data center infrastructure (for public cloud services)
Benefits
Energy saving (green): increased utilization, less idle time
Cost based on usage: more effective use of capital resources ($)
Better service: allows IT staff to focus on core competencies; repurpose IT staff for more customer service
Outsource to esoteric experts
24/7 service and support
Economies of scale
Benefits
Business Continuity
Typically hosted at a remote location, so you can access it from almost anywhere
They may have redundancy for you (multiple geographically dispersed datacenters)
Save $s on remote processing capabilities
Disaster Recovery
Typically have service level agreements
Options for frequency of backup
Cloud Provider Benefits (NIST SP 800-144)
They will have specialized staff
The platform will typically be more uniform
They have the ability to scale and add redundancy
Better backup and recovery
May support a greater number of mobile devices
Data may be centralized and not on laptops
Benefits
Cost Considerations
Traditional Costs (Capital Expenses): hardware (initial), software (initial), hardware repair/upgrades, software upgrades, staff costs, energy costs, training (IT and end user)
Traditional Limits: maximum load, maximum up-time, maximum users, MTTR, dependencies
Cloud Costs (Operational Expenses): cost per user, cost by bandwidth/storage, cost increase over time, cost of additional services, legal consultation costs, training (end user)
Cloud Limits: users (cost per), bandwidth, storage (additional costs), service support (may not be 24/7/365), dependencies
Cost Benefit Analysis Example
Traditional Costs: TCO $21,000
Cloud Costs: TCO $22,850
[Chart: cost by year (years 1 to 10), Traditional vs Cloud]
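As an added example that is not part of the slides, the cost categories above modelled over ten years in Python: capital expenses with a hardware refresh cycle against a per-user subscription that rises each year, plus the year in which cumulative cloud spend overtakes the traditional option. All dollar figures, the refresh interval and the 5% annual increase are constructed inputs, not the deck's $21,000 and $22,850 figures.

```python
from dataclasses import dataclass
from itertools import accumulate
@dataclass
class TraditionalCosts:           # the slide's "Traditional Costs" categories
    hardware_initial: float       # capital expense, re-bought at each refresh
    software_initial: float       # capital expense, year 1 only
    hardware_refresh_every: int   # years between hardware replacements
    annual_recurring: float       # repairs, software upgrades, staff, energy
    training_initial: float       # IT and end-user training, year 1
@dataclass
class CloudCosts:                 # the slide's "Cloud Costs" categories
    users: int
    cost_per_user: float          # annual subscription per user
    annual_bandwidth_storage: float
    annual_increase: float        # fractional price increase per year
    legal_consultation: float     # one-time contract review, year 1
    training_initial: float       # end-user training only, year 1

def traditional_yearly(c, years):
    """Year-by-year spend; hardware is re-bought every refresh cycle."""
    out = []
    for year in range(1, years + 1):
        spend = c.annual_recurring
        if year == 1:
            spend += c.hardware_initial + c.software_initial + c.training_initial
        elif (year - 1) % c.hardware_refresh_every == 0:
            spend += c.hardware_initial
        out.append(spend)
    return out

def cloud_yearly(c, years):
    """Year-by-year spend; the subscription compounds by the annual increase."""
    base = c.users * c.cost_per_user + c.annual_bandwidth_storage
    out = []
    for year in range(1, years + 1):
        spend = base * (1 + c.annual_increase) ** (year - 1)
        if year == 1:
            spend += c.legal_consultation + c.training_initial
        out.append(spend)
    return out

def crossover_year(trad, cloud):
    """First year in which cumulative cloud spend exceeds traditional, else None."""
    for year, (t, c) in enumerate(zip(accumulate(trad), accumulate(cloud)), 1):
        if c > t:
            return year
    return None

# Constructed inputs (not the deck's figures): 10 users, 5% yearly price rise.
TRAD = TraditionalCosts(6000, 3000, 5, 1000, 500)
CLOUD = CloudCosts(10, 300, 300, 0.05, 1000, 200)
```

With these inputs the cloud option is cheaper for the first three years and becomes the more expensive one from year 4, which is the kind of crossover a cost increase clause hides if only year-one pricing is compared.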
Cloud Risks
Where’s My Data?
The Bad Divorce
Trust but Verify
“I thought you knew”
I didn’t think of that
Clarify
Consider
Expectations, Put it in Writing
Compatibility
Where’s My Data?
In the information age your key asset is information.
Some information requires protection (credit card data, student records, SSNs, etc.)
Your information could be anywhere in the world
You may lose access to your data (availability): ISP failure, service provider failure, failure to pay (service provider stops access)
The Bad Divorce (“Vendor Lock”)
All relationships come to an end:
They let you down: a breach, SLA performance, etc.
The company fails or gets sold
Introductory pricing, or the price goes up over time
Transition to a new vendor or in-source: how will you get your data back?
Lack of portability between PaaS clouds (for example, something built for Google won’t work for SharePoint or Amazon)
Get a prenup: get it in the contract up front
Trust but Verify (Assurance)
How do you know they are protecting your data? Not everyone is treated the same by service providers.
Disclosure concerning security posture
3rd-party independent verification (audit/assessment): SAS 70 / SSAE 16, SysTrust / WebTrust, ISO 27001 certification, audit / assessment, MOU/MOA & ISA
“I thought you knew”
Cloud systems are typically more complex; this may create a larger attack surface.
Breach Notification: when do you want to know about a data breach? (Data that you are legally obligated to protect)
Typical contracts give wide latitude to service providers: actual versus possible breach; timeliness of notification
I didn’t think of that
Dependencies: infrastructure (Internet), authentication management (SSO), operational budget, greater dependency on 3rd parties
Other considerations: complex legal issues, multi-tenancy, transborder data flow, jurisdiction and regulation, support for forensics
Clarify
What do they mean by “Cloud”?
Establish clear responsibilities and accountability
Your expectations
Cost of compensating controls
What will happen with billing disputes?
Will your data be in a multi-tenant environment?
What controls will you have?
Consider
The reputation of the service provider: track record of issues; large or small, likelihood of change; vendor ‘supply chain management’ issues
The reliability of the service or technology: is the technology time tested? Competency of the cloud provider
Typically you have no control over upgrades and changes
Training for staff
Compatibility
When will they upgrade their service?
Will they be ready when you are ready for an upgrade of dependent software?
Will you be ready when they are ready to upgrade?
Browser-based Risks and Risk Remediation
What software will be required on the client side? Java, Flash, ActiveX, Silverlight, HTML 5
New attack vectors
Hypervisor complexity
Data leakage (multi-tenant environment)
Man in the middle
Browser vulnerabilities
Mobile device vulnerabilities
Service Agreements
Service Level Agreement (SLA): some are predefined and non-negotiable; some are negotiable (typically cost more)
Terms of Service may cover:
Privacy
Breach notification
Licensing
Acceptable use (what you can and can’t do)
Limitations on liability (typically in favor of the service provider)
Modifications of the terms of service (do you want this?)
Data ownership
Traditional risks, no matter where you go
Insider threat: instead of your staff, it is their staff
Access control: how can you control and monitor?
Authentication: another logon, or SSO?
Data sanitization: is your data really deleted?
Others?
What to do?
Careful planning before engagement
Understand the technical aspects of the solution
Make sure it will meet your needs (security and privacy)
Maintain accountability
Define data location restrictions
Ensure laws and regulations are met
Make sure they can support electronic discovery and forensics
Make sure you can view audit logs of the server and application at any time
Follow NIST and Cloud Security Alliance guidance
Remember to specify
Personnel (clear backgrounds)
Access control, account and resource management
Availability, including SLA and dependencies
Problem & incident reporting, notification and resolution
Disclosure agreements
Physical controls
Network boundary protection
Continuity, backup and recovery
Assurance levels
Independent audit or assessment
Resources
Cloud Security Alliance - cloudsecurityalliance.org
ISACA: Cloud Computing Management Audit/Assurance Program, 2010
NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing
NIST SP 800-145, The NIST Definition of Cloud Computing
NIST SP 800-146, Cloud Computing Synopsis and Recommendations
Federal Cloud Computing Strategy, February 2011, CIO.gov
Above the Clouds: Managing Risk in the World of Cloud Computing, by McDonald (978-1-84928-031-0)
Cloud Computing: Implementation, Management, and Security, by Rittinghouse and Ransome (978-1-4398-0680-7)
Mobile Device Security
Today
Proliferation of mobile devices
BYOD: “Bring Your Own Device” to work
How many mobile devices do you have? Laptops, phones, tablets, eReaders, MP3 players, gaming devices
What is a mobile device?
Small form factor
Some wireless network interface: Wi-Fi, cellular network, Bluetooth, NFC (Near-Field Communication)
Basic operating system
Smaller amounts of storage
Cameras, microphones, GPS
Benefits
Anywhere, anytime
Lower cost (BYOD)
Limited functions*
Touch interface
Increased productivity
People like it
Risks
Mobile devices often need additional protection because by nature they have higher exposure to threats than other client devices:
Lack of physical security
Untrusted mobile devices on your network
Mobile devices often use untrusted networks
Applications from unknown sources, especially free apps
Minimize Risk
Limit access of mobile devices
Encrypt mobile devices or limit local storage
Encrypted communications
Policy on reporting loss
Require passwords
Restrict applications (difficult in BYOD, but there are some tools to help)
Costs
Direct costs: mobile devices, client software, Wi-Fi or cellular plan
Indirect costs: maintaining mobile devices, compensating controls, technical support for users
Resources
NIST SP 800-124, Guidelines for Managing and Securing Mobile Devices in the Enterprise (draft)
NIST SP 800-114 Revision 1 (Draft), User's Guide to Telework and Bring Your Own Device (BYOD) Security
NIST SP 800-46 Revision 2 (Draft), Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security