• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Cloud Security
 

Cloud Security

on

  • 2,134 views

This is the ISACANE - Metrowest Breakfast Meeting held on December 18, 2009.

This is the ISACANE - Metrowest Breakfast Meeting held on December 18, 2009.

Statistics

Views

Total Views
2,134
Views on SlideShare
2,132
Embed Views
2

Actions

Likes
1
Downloads
67
Comments
0

1 Embed 2

http://www.slideshare.net 2

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Extensible Markup Language – Service Oriented Architecture – The basic tools for web-based applications- XML is the basic language for specifying data or documents into web apps. -SOA describes the method of interconnecting various pre-designed applets or application building blocks into one contiguous programHypervisor - A software/hardware platform virtualization system that allows multiple operating systems to run on a host computer concurrently.Dynamic Partitioning - In a symmetric multiprocessing (SMP) system, the ability to reassign processors , memory and I/O to specific applications on the fly without shutting down the machine Application Programming Interface - is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems part of the Service Oriented Architecture
  • Extensible Markup Language – Service Oriented Architecture – The basic tools for web-based applications- XML is the basic language for specifying data or documents into web apps. -SOA describes the method of interconnecting various pre-designed applets or application building blocks into one contiguous programHypervisor - A software/hardware platform virtualization system that allows multiple operating systems to run on a host computer concurrently.Dynamic Partitioning - In a symmetric multiprocessing (SMP) system, the ability to reassign processors , memory and I/O to specific applications on the fly without shutting down the machine Application Programming Interface - is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems part of the Service Oriented Architecture
  • Cloud Computing and Cloud Service Providers (CSPs) are recognized as logical extensions of the Internet Service Providers (ISPs) ISP1.0 – ISPs provided internet access to individuals and organizations via dial up or dedicated lines early 1990’sISP2.0 – ISPs provided email, and connectivity to early clients’ web sight servers, primarily promotional information early-mid 1990’sISP3.0 – Cohosting – multiple clients’ webservers connected to broadband access at one facility late-mid1990’sISP 4.0 – the birth of ASPs. Dedicated instances of applications on dedicated servers for each customer. 2000ISP 5.0 ASPs evolved into SaaSs, which are applications based on IaaSs, which are based on PaaSs
  • ASP applications are traditional, single-tenant applications, but are hosted by a third party. They are client/server applications with HTML front ends added to allow remote access to the application. They do not make use of SOA-applets. Their user interface may be crude, often slow and upgrades are often no better than what an end user could provide for themselves.SaaS applications are multitenant applications that are hosted by a vendor with expertise in the applications and that have been designed as Net-native applications, employing SOA’ applets and are updated on an ongoing basis.
  • PaaS is a variation of SaaS whereby the development environment is offered as a service. The developers use the building blocks (e.g., predefined blocks of code) of the vendor’s development environment to create their own applications.In a platform-as-a-service (PaaS) model, the vendor offers a development environment to application developers, who develop applications and offer those services through the provider’s platform. The provider typically develops toolkits and standards for development, and channels for distribution and payment. The provider typically receives a payment for providing the platform and the sales and distribution services. This enables rapid propagation of software applications, given the low cost of entry and the leveraging of established channels for customer acquisition.The benefits of PaaS lie in greatly increasing the number of people who can develop, maintain, and deploy web applications. In short, PaaS offers to democratize the development of web applications, allowing many developers a chance to enter the SW apps market.
  • In a platform-as-a-service (PaaS) model, the vendor offers a development environment toapplication developers, who develop applications and offer those services through theprovider’s platform. The provider typically develops toolkits and standards for development,and channels for distribution and payment. The provider typically receives a payment forproviding the platform and the sales and distribution services. This enables rapid propagationof software applications, given the low cost of entry and the leveraging of established channelsfor customer acquisition.
  • A public cloud is hosted, operated, and managed by a third-party vendor from one or moredata centers. The service is offered to multiple customers (the cloud is offered to multipletenants) over a common infrastructurePrivate clouds differ from public clouds in that the network, computing, and storageinfrastructure associated with private clouds is dedicated to a single organization and is notshared with any other organizations (i.e., the cloud is dedicated to a single organizationaltenant). As such, a variety of private cloud patterns have emerged:
  • According to a May 2008 forecast by Merrill Lynch, the volume of the cloud computing marketopportunity will amount to $160 billion by 2011, including $95 billion in business andproductivity applications and $65 billion in online advertising.†According to a March 2009 forecast by Gartner, worldwide cloud services are on pace to surpass$56.3 billion in 2009, a 21.3% increase from 2008 revenues of $46.4 billion. The market isexpected to reach $150.1 billion in 2013.‡
  • In 2008-2009NASDQ and NYT made use of public cloud processing to digitize their entire printer history.Salesforce w/o question the most successful ASP, transitioned to SaaS to better optimize performance and cost savings.Signiant – takes informational data and configures it for delivery to various end-viewer outlets , ie TV, PCs, smart phones, PDA’s with the correct format, correct language dialogue, and targeted advertizing in near real time. They process data in huge bursts.ThinLaunch (partnered with CITRIX) directs users at signon to the determined web browser only – intranet based. Users are able only to view the desktop provided to them. MS Office, email, then applications assigned, and what ever websites assigned.Intuit is a internally hosted excel/access like application.Webroot is one of many web based email security providers
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • The cloud oppty is for us to undo the Rodney Dangerfield opinion enterprises typically afford us.The cloud offers ISACA members an unprecedented oppty to positively impact your employer organization. Typically most ISACA members I have met are not “A” type personas. Now you need to become one.We are and could be facing something similar to what our peers at Enron / Worldcom / Tyco were seeing in 2001. Initially the threat will not be from internal to the organization, but will be from a too rapid adoption of cloud technologies. However, if clouds become imbedded into your enterprise without adequate controls, then the internal threats are more likely than ever before. Which will likely then have external threats following.Now is the time to earn your organizational respect. From my research there are many currently-considered best practice IT controls just not in place with CSPs. This is the area and time where you can make a significant impact inot the success of cloud engagements.You can lead two goals – adequate security and audit-ability of the program as well as an avoidance in the use of proprietary tey technologies.chIAM – Research New Best of Breed IAM programs such as Symplified, Ping Identity, Conformity, and TriCipher. For large organizations, with much interdependencies in data /application access between disparate groups, evolve IAM towards the Federation model. Organizations need to implement robust fundamental technologies
  • Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
  • There are many A types, who enjoy learning new business technologies especially if it is perceived to be an aid in their career goals. Let them take ownership of this issue. You can be the behind-the-scenes information source advisory. Work with them from the get-go.Feed them information at a level they will understand, perhaps in WSJ-speak. The Cloud Security Alliance is a great source at this level. Bring in an outside Cloud Security authority.You will likely move to the clouds – in time. But attempt to develop a uniformly agreed-upon list of requirements between the company champion/players for the CSP before jumping on. Look to possible leverage the cloud to improve the internal enterprise. Look to require best practice security controls which are now just evolving ieexternalization of authentication and authorization components from applications (loosely coupled) as this can aid in the rapid adoption of cloud-based services including cloud identity services, policy-based authentication, centralized logging, and auditing (e.g., OpenSSO from Sun Microsystems and Microsoft’s Geneva claimsbased authentication framework can help externalize authentication).
  • REVERT to BEST PRACTICE IT Audit PracticesThe first order of business is an internal audit of all the data and applications being considered for Cloud Computing. What data, with what internal security levels are being considered for the Cloud?What are the compliance implications?Who are the data owners?Will these data owners accept these new risks? All this needs to be documented
  • Try to find the CSP who will meet your company’s established Enterprise Security level. Do not lower your established security standards.Ask to review the CSPs written internal security policies. Are they current? Are they updated & reviewed annually. They should be tighter than yours. And once gaining a comprehension of the CSP’s agreed-to responsibilities, you will then come to understand the scope of IT system management and monitoring responsibilities that fall on you the customer’s shoulders, including access, change, configuration, patch, and vulnerability management.
  • Organizations need to implement robust fundamental technologies in the IAM space - Thru use of SAML, SPML and XACML, achieve Federated user access priviledges across multiple web based and internally hosted applications with SSOs.Most cloud services support at least dual roles (privileges): administrator and end user. It is a normal practice among CSPs to provision the administrator role with administrative privileges. These privileges allow administrators to provision and deprovision identities, basic attributeprofiles, and, in some cases, to set access control policies such as password strength and trusted networks from which connections are accepted.IAM (user access management) is a key control group for many compliance requirements (SOX, HIPIAA, PII etc). For both the customer and CSP, IAM integration considerations at the early stage of service design will help avoid costly retrofitsEnterprise IAM requirements include:• Provisioning of cloud service accounts to users, including administrators.• Provisioning of cloud services for service-to-service integration (e.g., private [internal]cloud integration with a public cloud).• SSO support for users based on federation standards (e.g., SAML supportSupport for internal- and regulatory-policy compliance requirements, includingsegregation of duties using RBAC, rules, or claims-based authentication methodology.RBAC features promote a least-privilege-based access model where a user is granted theright number of privileges required to perform the job. Claims-based methodology enablessome important privacy use cases because it allows for only the user’s entitlements, nother actual identity, to flow with messages, which allows for fine-grained authorizationwithout the requirement to actually embed the user’s identity into messages.• User activity monitoring, logging, and reporting dictated by internal policies andregulatory compliance, such as SOX, PCI, and HIPAA.You should strive for CSP to provide XACML-compliant entitlement management even if thishas not been implemented internally. In your own enterprise. XACML programs will be readily adopted.CSPs should communicate the account management policies including account lock-outs(after many login failures), account provisioning methods, and privilege accountmanagement roles.Enterprises need to have a strategy for employing risk-based IAM methodsincluding strong authentication, automated provisioning, deprovisioning, auditing, andmonitoring to address risks specific to a CSP.If IAM controls can only be provided by the CSP and they are determined to be inadequate for your determined risk and compliance requirements, then your applications and data containing this critical information has no business in the clouds.
  • Organizations need to implement robust fundamental technologies - Thru use of SAML, SPML and XACML, achieve Federated user access priviledges across multiple web based and internally hosted applications with SSOs.Most cloud services support at least dual roles (privileges): administrator and end user. It is a normal practice among CSPs to provision the administrator role with administrative privileges. These privileges allow administrators to provision and deprovision identities, basic attributeprofiles, and, in some cases, to set access control policies such as password strength and trusted networks from which connections are accepted.IAM (user access management) is a key control group for many compliance requirements (SOX, HIPIAA, PII etc). For both the customer and CSP, IAM integration considerations at the early stage of service design will help avoid costly retrofitsEnterprise IAM requirements include:• Provisioning of cloud service accounts to users, including administrators.• Provisioning of cloud services for service-to-service integration (e.g., private [internal]cloud integration with a public cloud).• SSO support for users based on federation standards (e.g., SAML supportSupport for internal- and regulatory-policy compliance requirements, includingsegregation of duties using RBAC, rules, or claims-based authentication methodology.RBAC features promote a least-privilege-based access model where a user is granted theright number of privileges required to perform the job. Claims-based methodology enablessome important privacy use cases because it allows for only the user’s entitlements, nother actual identity, to flow with messages, which allows for fine-grained authorizationwithout the requirement to actually embed the user’s identity into messages.• User activity monitoring, logging, and reporting dictated by internal policies andregulatory compliance, such as SOX, PCI, and HIPAA.You should strive for CSP to provide XACML-compliant entitlement management even if thishas not been implemented internally. In your own enterprise. XACML programs will be readily adopted.CSPs should communicate the account management policies including account lock-outs(after many login failures), account provisioning methods, and privilege accountmanagement roles.Enterprises need to have a strategy for employing risk-based IAM methodsincluding strong authentication, automated provisioning, deprovisioning, auditing, andmonitoring to address risks specific to a CSP.If IAM controls can only be provided by the CSP and they are determined to be inadequate for your determined risk and compliance requirements, then your applications and data containing this critical information has no business in the clouds.
  • Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
  • Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
  • Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
  • Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
  • Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
  • Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
  • Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
  • Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.

Cloud Security Cloud Security Presentation Transcript

  • Cloud Security and Audit Issues
    1
    Rapp Consulting peet.rapp@yahoo.com
  • Agenda
    Cloud Computing 101
    Reality Check
    Security Issues
    ISACA Member Responsibilities
    What’s Missing
    2
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Computing 101
    Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
    - NIST Definition of Cloud Computing
    3
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Computing 101 History - Definitions
    Distributed
    Centralized
    De-Centralized
    Re-Centralized
    Applications
    System
    Platform
    Hardware
    1970
    2010
    Per Novell Cloud Presentation 09/09
    4
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Computing 101 History - Definitions
    5
    Rapp Consulting peet.rapp@yahoo.com
  • Basic Concepts – Cloud Enabling Technologies / Functions
    Cloud Computing is the attemtped commercialization of Virtual computing
    6
    Rapp Consulting peet.rapp@yahoo.com
  • Basic Concepts – Cloud Enabling Technologies / Functions
    SOA - XML – API
    Hypervisor
    Dynamic Partitioning
    API - Application Programming Interface
    Server Optimization
    OS / Application / Data Server Migration
    Client CPU/Memory Utilization Monitoring
    7
    Rapp Consulting peet.rapp@yahoo.com
  • Basic Concepts – Enabling Technologies
    Dynamic Partitioning – the variable allocation of cpu processing and memory to multiple OS’s, applications, and data within one server
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Computing 101 History - Definitions
    9
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Computing 101ASPs vs SaaS
    ASPs are traditional, single-tenant applications, hosted by a third party.
    SaaS applications are multi-tenant, user facing, web-based applications hosted by a vendor
    10
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Computing 101PaaS
    A Development Environment (Platform) as a Service.
    Developer Tool Kits provided. “Pay as you develop/test” business model
    Rapid Propagation of Software Applications – Low Cost of Entry
    11
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Computing 101IaaS
    The “Bare Metal” Infrastructure as a Service
    • Clients provide all OS, security and
    application software
    • Used for quick-implementation, as-needed data processing / data storage
    12
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Computing 101 - Service Delivery Models
    SaaS
    Software as a Service
    PaaS
    Platform as a Service
    IaaS
    Infrastructure as a Service
    13
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Deployment Models
    Public cloud
    Sold to the public, mega-scale infrastructures
    Private cloud
    Enterprise-owned or leased to a Single Client
    Community cloud
    Shared infrastructure for a Specific Community
    Hybrid cloud
    Composition of two or more Cloud Models
    14
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Computing 101
    15
    Rapp Consulting peet.rapp@yahoo.com
  • Reality Check
    The Cloud Is and Will Happen
    Current Major Players – IaaS, PaaS
    Amazon Web Services, ATT, IBM Rackspace, Terramark, Savvis
    Current Major Players - SaaS
    FaceBook, Salesforce.com, Google (Gmail), Netsuite
    16
    Rapp Consulting peet.rapp@yahoo.com
  • Reality Check
    17
    Rapp Consulting peet.rapp@yahoo.com
  • Reality Check Spending Forecasts
    18
    Rapp Consulting peet.rapp@yahoo.com
  • Claimed Cloud Computing Business Advantages
    Optimizes Server Utilization
    Cost Savings
    Dynamic Scalability
    Time Savings for New Programs
    Right-sizes your enterprise
    Outsources IT
    Transitions CAPEX to OPEX
    19
    Rapp Consulting peet.rapp@yahoo.com
  • Excellent Cloud Examples
    NASDAQ / NYT
    SalesForce.com
    Signiant
    ThinLaunch Software
    Intuit QuickBase
    Webroot
    20
    Rapp Consulting peet.rapp@yahoo.com
  • A Disruptive Technology
    The Cloud Reshuffles the IT deck
    Shrink Wrapped Application s and Enterprise-Sized will migrate to Online Apps, Possibly Open-Sourced
    OS will tend towards web-partial systems
    Desktops and Notebooks Lose Hard Drives
    Businesses’ IT Staffing Requirements Will Drop
    21
    Rapp Consulting peet.rapp@yahoo.com
  • Current Press Status
    The Majority of Press Coverage supports Service Providers attempting to gain mindshare.
    Most IT Analysis is very positive about (hyping) the merits of the cloud.
    Very little is written of Cloud Security or its Audit- ability
    22
    Rapp Consulting peet.rapp@yahoo.com
  • The Gartner Hype Curve
    23
    Rapp Consulting peet.rapp@yahoo.com
  • Reality Check
    Greatest concerns surrounding cloud adoption at your company (per CIO)
    Security 45%
    24
    Rapp Consulting peet.rapp@yahoo.com
  • Security Issues
    “Cyber Crime in 2008 measured more to be a larger
    societal loss than illegal drugs.
    “The main objective of most attackers is to make
    money. The underground prices for stolen bank login
    accounts range from $10–$1000 (depending on the
    available amount of funds), $0.40–$20 for credit card
    numbers, $1–$8 for online auction site accounts and
    $4–$30 for email passwords.”
    Symantec Global Internet Security Threat Report – April 2009
    25
    Rapp Consulting peet.rapp@yahoo.com
  • Security Issues
    “Cybersecurity risks pose some of the most
    serious economic and national security challenges
    of the 21st Century. The digital infrastructure’s
    architecture was driven more by considerations of
    interoperability and efficiency than of security.”
    White House Cyberspace Security Review May 2009
    26
    Rapp Consulting peet.rapp@yahoo.com
  • Security Issues
    27
    Rapp Consulting peet.rapp@yahoo.com
  • Reality Check
    Greatest concerns surrounding cloud adoption at your company (per CIO)
    Security 45%
    Integration with existing systems 26%
    Loss of control over data 26%
    Availability concerns 25%
    Performance issues 24%
    IT governance issues 19%
    Regulatory/compliance concerns 19%
    28
    Rapp Consulting peet.rapp@yahoo.com
  • Cloud Security & Control Groups
    ENISA
    Cloud Security
    Alliance – CSA
    ISACA
    DMTF
    NIST
    Jericho Forum
    Apps.gov
    OWASP
    Rapp Consulting peet.rapp@yahoo.com
    29
  • Cloud Security Alliance Members
    Rapp Consulting peet.rapp@yahoo.com
    30
  • Cloud Security Alliance
    31
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA
    32
    Rapp Consulting peet.rapp@yahoo.com
  • ENISA
    33
    Rapp Consulting peet.rapp@yahoo.com
  • DMTF
    34
    Rapp Consulting peet.rapp@yahoo.com
  • Security Issues
    Data Location
    SaaS Clients’ data co-mingled
    Accuracy and Authenticity of both Data and Applications transferred between servers
    Penetration Detection & Multi-Client UA
    Public Cloud-Server Owner – Due Diligence?
    Data Erasure?
    35
    Rapp Consulting peet.rapp@yahoo.com
  • Current Regulations
    PCI Compliance
    States’ PII requirements
    Sarbanes Oxley
    HIPAA
    36
    Rapp Consulting peet.rapp@yahoo.com
  • Current Regulations & Standards
    37
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Greatest concerns surrounding cloud adoption at your company (per CIO)
    Security 45%
    Integration with existing systems 26%
    Loss of control over data 26%
    Availability concerns 25%
    Performance issues 24%
    IT governance issues 19%
    Regulatory/compliance concerns 19%
    38
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Ensure Organization’s Key Players Aware of Cloud Security Issues
    Audit Data / Applications targeted for Cloud Computing
    Input / Review Cloud Provider’s SLA Agreement
    Strengthen internal IAM Program
    Rapp Consulting
    39
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Ensure Organization’s Key Players Aware of Cloud Security Issue
    Target respected type “A”champions
    Business Application Owners
    Corporate Attorneys
    CxOs
    HR
    40
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Audit Data/Applications targeted for Cloud Computing
    Data Mapping
    What is the application data’s internal security level?
    Who are the Data Owners?
    What Type of Cloud (public, private, etc) is targeted?
    41
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Input / Review Cloud Provider’s SLA
    Open Sourced API’s, etc
    XACML-based IAM program
    Security Transparency
    Ownership of Data
    Audit at Will
    DR/BC policy and practice
    Return of application and data policy
    42
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Strengthen IAM Program
    43
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Strengthen Identity – Access Management Program
    XACML Based IAM program
    Federated User Access – integrated across both cloud and internal enterprise
    Aligned with compliance requirements
    SSO – (Single Sign On)
    IAM Security Monitoring – Reporting
    Oppty to implement risk-based provisioning
    Rapp Consulting
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    KEY TAKE-AWAY #1
    Cloud Computing should provide organizations sufficient- enough costs-savings to afford investments in required best – practice IS security measures.
    45
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    KEY TAKE-AWAY #2
    Employ the same best-practice audit and risk management principles for cloud computing as you have been trained for and have used (or should be using) your entire career.
    46
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Key Take Away #3
    Develop an Overarching Business Impact
    Analysis Moving an Application / Data to the cloud
    47
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Cloud computing can be evaluated much in the same way as a new operating system. And yet, it's somethng more as well. It has the usual system services but also some fantastic ones -- unlimited memory, unlimited storage, unlimited network bandwidth, unlimited (and on-demand) scalability and parallelism
    http://www.ddj.com/web-development/220300736?pgno=4
    48
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    This fundamental difference between probabilistic risk
    and risk introduced by an intelligent adversary (or
    adaptive threats) leads to the conclusion that more
    understanding of the cyber security issues and impacts
    that are possible on the electric grid is needed. Indeed,
    there really is no statistical norm for the behavior of
    cyber attackers and information systems and
    components failure, and their potential impacts to grid
    reliability.
    NERC - 2009 Long-Term Reliability Assessment
    49
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    CRM Cloud App
    Suppliers
    Internal Enterprise
    ERP Cloud App
    Distribution
    Resellers
    50
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Stock Opt
    CRM Cloud App
    HR
    Suppliers
    Internal Enterprise
    ERP Cloud App
    Cust Service
    Distribution
    Resellers
    Advrtz
    51
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    There needs to be rock-solid security, and annual (or when changes occure) audit-to-certification standards developed for Cloud Service Providers (CSPs)
    52
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Summary –
    • Become a Weatherman – Learn the Clouds
    • Educate Key Organization Decision makers
    • Internal risk assessment of Apps and Data
    • Insist on Seat in SDLC Group
    • Insist on open source or open standard cloud tools
    53
    Rapp Consulting peet.rapp@yahoo.com
  • ISACA Member Responsibilities – Opportunities
    Summary –
    • Audit CSP’s Security and DR/BC Policies
    • Is CSP promoting best security practices?
    • Upgrade Current Internal IAM program
    • Insist on “SAS70” type audit from partners and outsource providers of their cloud enterprises
    54
    Rapp Consulting peet.rapp@yahoo.com
  • What’s Still Needed
    Commercial Cloud Applications Security Standards.
    Training & Certification requirements for
    Individual Cloud Developers
    Cloud Service Providers
    Cloud Security Tool Providers
    55
    Rapp Consulting peet.rapp@yahoo.com
  • What’s Still Needed
    Best Practice Standards for Internal Audits of Enterprises Employing Cloud Applications.
    Combination of the ENISA cloud risk assessment with the financial Shared Assessment program
    Implement an annual Know Your Client (KYC) type audit/certification for all clients and cloud services providers.
    56
    Rapp Consulting peet.rapp@yahoo.com
  • questions
    57
    Rapp Consulting peet.rapp@yahoo.com
  • Thank you
    Peet Rapp – MBA, CISA
    peet.rapp@yahoo.com
    603-731-0494
    58
    Rapp Consulting peet.rapp@yahoo.com