Cloud assurance Mike Chung KPMG


Presentation, March 2013, by Mike Chung (KPMG) about cloud assurance

Published in: Technology, Business

  1. Cloud Assurance: Challenges, Developments and Practices. March 2013, Utrecht. drs. Mike Chung RE. Part 1
  2. Objectives
     • Understanding the context of cloud computing from an assurance point of view
     • Addressing the perceived and real risks of cloud computing
     • Sharing good practices and control frameworks
     • Any other expectations?
  3. Context
  4. ‘Tectonic plate shifts in the industry’
     • “We are re-imagining every part of our software empire to run on and through the cloud” (Steve Ballmer)
     • “Cloud Computing is going to be one of the things that enables Hewlett Packard to recover its leadership role in the ICT industry” (Meg Whitman)
  5. Volume and magnitude
     • Gmail
     • Dropbox
     • Facebook
  6. Volume and magnitude
     • Gmail: 450 million users on more than 150,000 machines
     • Dropbox: 100 million users; services worth 5 billion EUR
     • Facebook: 1 billion users; 3 billion EUR turnover
  7. Cloud as enterprise solution
     • 2012 turnover approaching 1.7 billion EUR
     • Amazon EC2: 30% of profit from cloud services
     • Office 365: Lowe, Shell, Nutreco, American Red Cross
     • Google Apps: 66 of the 100 largest universities in the US are using Google Apps
  8. Mnemonic
     • Zero
     • One
     • Infinity
     • 1 to N
  9. Drivers to the cloud
     • Virtualisation
     • Web services
     • Broadband internet
     • Big data centres
     • Services
  10. Cloud market evolution
     • 2009 - 2010: non-business critical, commodity, limited integration
       • Services: storage, CRM, additional computing power
       • Typical adopters: SME, telcos, universities
     • 2011 - 2012: replacement of legacy, flexibility, moderate-level integration
       • Services: datacentre, ‘Office’, PaaS, HR
       • Typical adopters: traditional production, retail, entertainment & media
     • 2013 - 2014: business critical, strategic, high-level integration
       • Services: cloud sourcing, corporate mobile apps, ERP
       • Typical adopters: government, financial services, healthcare
  11. Recent developments
     • Google launches new IaaS: Google Compute Engine
     • Google Apps for small businesses no longer free
     • Oracle increases its presence in the cloud market (Oracle HCM)
     • Major CSPs lower their prices by up to 30%
     • Cisco acquires Meraki (mobile device management from the cloud)
     • OpenStack foundation includes IBM, Dell, Cisco, HP
     • PCI guidelines for the cloud
  12. Profile of the cloud
  13. “Cloud computing vendors told me that my data at their locations was just as safe as my money in the bank. Since the credit crunch we all know how reliable the banks are.” (CISO of a firm in the public services sector)
  14. Key differences between on-premise and cloud
     • Data processing and storage: internal (on-premise) vs. external (cloud)
     • IT environment: dedicated (on-premise) vs. multi-tenancy (cloud)
     • Network: LAN, leased lines (on-premise) vs. (public) internet (cloud)
  15. On-premise versus cloud (diagram: on-premise = enterprise IT serving the business user; cloud = external IT serving the business user; reality = enterprise IT and external IT together serving business users and mobile users)
  16. Multi-tenancy
     • Key attribute/principle of cloud computing
     • Single instance of software (single code base on a common infrastructure) serving multiple clients
     • Different from virtualisation, yet using virtualisation
     • Per-tenant metadata
     • Standardised instances and releases
  17. Internet
     • Network of several million networks
     • Based on the TCP/IP protocol suite
     • ICANN: IP addresses and DNS
     • IETF: TCP/IP, standards
     • Different layers: application, transport, internet, link
     • Internet exchanges: AMS-IX, DE-CIX
     • Heterogeneous
  18. Internet (diagram: traffic path from the own network, via the internet provider’s network and ‘random’ networks, to the CSP’s internet provider’s network and the CSP’s network)
  19. Internet
  20. Assignment
     • Security risks
     • Privacy/legal risks
     • Operational risks
     • Financial risks
     • Vendor risks
     • Assurance risks
  21. Risk
     • Risk = probability * impact
  22. Approach
     • Per risk category
     • Per dimension
     • Threat/vulnerability-driven
  23. Cloud computing risks: security
     • Data may be stored in the cloud without proper customer segregation, allowing possible accidental or malicious disclosure to third parties
     • Loss of governance of critical areas, e.g., vulnerability management, infrastructure hardening, or physical security
     • Weak logical access controls due to the cloud vendor’s IAM immaturity
     • Cloud adoption opens the four data centre walls to external IT service providers, creating new risks
  24. Cloud computing risks: privacy/legal
     • Data may be stored in the cloud in a legal jurisdiction where the rights of data subjects are not protected
     • Outdated laws and regulations create uncertainty when characterising the various cloud transactions
  25. Cloud computing risks: operational
     • Cloud adoption introduces rapid change in the organisation
     • Cloud sourcing may impact existing organisational roles and could require new skills or make others redundant
     • Business resiliency/disaster recovery needs and plans will change and require updating
     • Risk of creating independent silos of information that perpetuate the problem of data integrity, quality, and insight
     • Business can bypass the IT function to implement technology solutions, posing challenges for IT governance
  26. Cloud computing risks: financial
     • Movement from a CapEx to an OpEx model impacts existing budgeting, forecasting, and reporting processes
     • The CapEx to OpEx model and changes in the character and source of service impact tax considerations
     • Cloud ROI and cost/benefit analysis are complicated by the need for knowledge of the existing cost of delivery and the future use of the service
  27. Cloud computing risks: vendor
     • Lack of clarity of ownership responsibilities between cloud vendor and user company
     • No prevalent standards for vendor interoperability
     • Extensive reliance on CSPs
     • Cloud delivery models dramatically change how IT delivers technology services to support business requirements
  28. Cloud computing risks: assurance
     • Lack of visibility into the Cloud Service Provider’s (CSP’s) operations inhibits analysis of its compliance with pertinent laws and regulations
     • Complexity of records management/records retention creates challenges
     • Lack of industry standards and certifications for cloud providers creates risks
  29. Risk dimensions: external IT operations
     • Inadequate and/or insufficient data security measures at the provider’s location(s), compromising data integrity and confidentiality
     • Issues with retracting data after termination of service
     • Discontinuation of business-critical services due to failing disaster recovery at the cloud service provider
     • Unclearly defined SLAs leading to unsatisfactory services
     • Compliance issues due to lack of assurance concerning the physical location of data
     • Location of data in different jurisdictions conflicting with local legislation applicable to the customer
  30. Risk dimensions: multi-tenancy
     • Inadequate data segregation and process isolation leading to data contamination and/or breach of confidentiality
     • Inadequate identity & access controls causing illegitimate access to sensitive data such as intellectual property
     • Restricted/limited services due to insufficient allocation of resources and/or capacity
     • Standardised functionalities not meeting business requirements
     • Complexity of ensuring compliance due to the ‘black box’ nature of shared resources (monitoring & logging)
  31. Risk dimensions: (public) internet
     • Unencrypted data getting lost or stolen in transfer
     • Clogged parts of the network causing unavailability of data
     • Dependency on internet access and availability for all cloud services
     • Uncontrolled access from unsecured/malware-infected client devices affecting services
     • The public internet is exceptionally hard to audit and to monitor
     • Accountability and responsibilities for internet traffic are difficult to assign and even more difficult to enforce
     • Lack of possibilities to influence technology on the internet
     • Governments can shut down parts of the internet (Egypt, China)
  32. Incidents in the cloud: overview
     • Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
     • Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)
     • Gmail was unavailable for several hours due to unspecified reasons (2010)
     • Hyves was unavailable for an hour due to UPS failure at Evoswitch (2010)
     • Linkup lost half of its customer data (2010)
     • GoGrid’s network problems had major impact on service availability (2011)
     • was partly unavailable for 30 minutes (2011)
  33. Incidents in the cloud: Google
     • November/December 2010 – publicised during January 2010
     • Vulnerabilities in IE and Adobe software exploited to get access to Gmail accounts
     • ‘Elderwood’ (Chinese government?) – Operation Aurora
     • A number of Gmail accounts hacked
     • Vulnerabilities fixed
  34. Incidents in the cloud: Amazon EC2
     • December 2010
     • WikiLeaks ‘kicked out’ by Amazon
     • Cablegate data protected from DDoS attacks
     • Pressure from Homeland Security
     • Back to Bahnhof (Sweden)
     • Data safely transferred
  35. Incidents in the cloud: Sony PlayStation
     • April 2011 – users notified 7 days later
     • Unpatched servers as entry point – database exploited via SQL injection – passwords not hashed
     • Anonymous or disgruntled former employee(s)?
     • Exposed personal information of 77 million PlayStation Network users – over 5 million USD direct damage
     • Security technology updated, servers patched, increased levels of encryption
  36. Incidents in the cloud: Amazon WS
     • December 2012
     • Maintenance error by developers in the production environment
     • Configuration error in the access control system
     • Elastic Load Balancing service affected for the US-East region for almost 24 hours – performance degradation
     • No permanent loss or corruption of data
     • Amazon updated their procedures and access settings
  37. Incidents in the cloud: Windows Azure I
     • December 2012
     • Software bug
     • Human error: node protection not turned on
     • Failure of monitoring, alerts and escalation
     • No failover in place
     • 1.8% of Azure storage accounts impacted for 32 hours
     • No permanent loss of data
  38. Incidents in the cloud: Evernote
     • February 2013 – users notified 4 days later
     • Evernote detected breaches in their infrastructure themselves, and suspicious activities on their network
     • Suspects unknown
     • 50 million password changes requested
     • No evidence user content was accessed, changed or lost
     • Two-factor authentication will be implemented (status March 2013)
  39. Incidents in the cloud: Windows Azure II
     • February 2013
     • SSL certificates expired
     • Untimely renewal of certificates due to human error
     • Failure of monitoring and alerts
     • Azure Storage Blobs, Tables and Queues using HTTPS impacted for 12 hours – worldwide
     • No permanent loss of data
  40. Incidents in the cloud: Zendesk
     • February 2013
     • Information on root cause as well as suspects not disclosed by Zendesk
     • Limited amount of user data accessed by hackers
     • Procedures improved and vulnerable systems patched
  41. Incidents into perspective
     • Low number of incidents compared with on-premises IT
     • Far better execution of security measures and architecture
     • Security as key factor for cloud service providers
     • Incidents are high-impact, high-magnitude events
     • Blurring demarcation of responsibilities between cloud service providers, network providers and customers
     • Importance of browsers
  42. Also notice that..
     • 10% of laptops with locally stored data get stolen every year
     • 99% of data is unencrypted
     • 50% of business-critical company data is unencrypted
     • Almost all big CSPs are ISO 27001 certified – only 15% of enterprises are able to match that
  43. Cloud versus on-premise (chart; source: AlertLogic)
  44. FUD and practice
     • FUD
       • Security: cloud is far less secure than on-premise IT
       • Privacy: everybody can access my data
       • Maturity: cloud is for kids only
     • Practice
       • Integration: cloud-on-premise integration is complex and often incompatible
       • Performance: cloud services obey the laws of physics too
       • Vendor lock-in: (open) standards are emerging, but it is a long road ahead
  45. DDoS
     • (Distributed) Denial of Service leading to obstruction of communication
     • Flood services: resource consumption, disruption of configuration (e-mail bombs)
     • Crash services: triggering errors in components
     • Twitter, August 2009
     • Better firewall/switch/router configuration; application front-end (data packet analysis)
  46. SQL injection
     • SQL query via the input data
     • Meta-character in an input query; the query placed in SQL commands in the control plane
     • SQL databases on websites are common
     • Sony PlayStation
     • Input/output validation; static code analysis
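Added example (not from the slides): the injection pattern slide 46 describes, with a string-concatenated lookup beside its parameterised counterpart and a simple meta-character check, run against a constructed in-memory SQLite table. The table, user names and the hostile input are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the presentation): a tiny users table.
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def build_db():
    """Return an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string formatting: the input becomes part of the SQL text,
    so a quote meta-character in it changes the WHERE clause itself."""
    query = "SELECT name, email FROM users WHERE name = '%s' ORDER BY name" % name
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, name):
    """Binds the input as a parameter: the driver treats it as data, never as SQL."""
    query = "SELECT name, email FROM users WHERE name = ? ORDER BY name"
    return conn.execute(query, (name,)).fetchall()


def contains_sql_metacharacters(value):
    """Input-validation check: flag quote, comment and statement separators.
    Defence in depth only; the parameterised query is the real control."""
    return any(token in value for token in ("'", '"', ";", "--", "/*"))


def demo():
    """Run both lookups with an honest name and with a hostile input."""
    conn = build_db()
    honest = "alice"
    # Constructed hostile input: the quote closes the literal, the rest rewrites the query.
    hostile = "nobody' OR '1'='1"
    return {
        "honest_vuln": lookup_vulnerable(conn, honest),
        "honest_safe": lookup_parameterised(conn, honest),
        "hostile_vuln": lookup_vulnerable(conn, hostile),    # every row leaks
        "hostile_safe": lookup_parameterised(conn, hostile),  # no row matches
        "flagged": contains_sql_metacharacters(hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```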
  47. Guest-hopping
     • Exploiting vulnerabilities in hypervisors (VM separation)
     • Hack VM A to attack VM B via VM A
     • Some minor cases on AWS
     • Segmentation, VM hardening
  48. Hyper-jacking
     • Taking control of the hypervisor
     • Directly obtaining control or running a rogue hypervisor
     • Theoretical scenario, but potentially extremely damaging
     • Cyclic redundancy check (CRC) – state value assigned by the underlying hardware
  49. Man-in-the-middle
     • Independent connections with the victims and relaying messages between them
     • Session hijacking; hostname lookup; web proxy
     • Several internet banking applications
     • Strong mutual authentication, latency examination, second (secure) channel verification
  50. Session replay
     • Stealing a legitimate user’s session ID
     • Session IDs are often carried in cookies, form fields or URLs
     • Not often with public cloud services
  51. Eavesdropping
     • Sniffing networks; capturing network packets
     • Easy when hubs are used
     • Not often with public cloud services
     • Encryption, network segmentation, network access
  52. Side-channel
     • Like guest-hopping – extracting information from the target VM from the ‘rogue’ VM
     • Amazon EC2, 2009 (case study by MIT)
     • Virtual firewall appliance
  53. Spoofing
     • IP, DNS, ARP spoofing attacks
     • IP spoofing often used for DDoS; DNS spoofing often used to spread viruses
     • Vulnerable with trusts/federations
     • Packet filtering, spoofing detection software, secure communication protocols (HTTPS, SSH, TLS)
  54. Cybercrime
     • The US Army is investing heavily in three areas: Special Forces, drones and cyber security
     • Physical systems can be attacked from cyberspace (Stuxnet)
     • Transparency on cyber incidents and unintended consequences (widespread vulnerabilities)
     • The good guys are being outspent
     • Predominance of two mobile systems (iOS and Android)
     • Secure or prepare?
  55. Cybercrime types
     • Organised cybercrime
     • Online espionage
     • Hacktivism
     • State-backed cyber attacks
     • Internal computer fraud
  56. Cybercrime challenges
     • Lack of information and obscurity (suspects, alliances, developments)
     • Much more professional (phishing e-mails, sophisticated attacks)
     • Non-technical and technical (harvesting of social data for targeted attacks)
     • Jurisdictional barriers
  57. Cybercrime challenges
     • Cloud as partner in crime (botnets on Amazon)
     • Collateral damage of attacks (attacks are being copied, refined and used again: Stuxnet, FinFisher)
  58. Challenges
     • Ecosystem and architecture
     • Technology
     • Frameworks and standards
     • ‘Right-to-audit’
     • IT auditors
  59. Sliding scale, from on-premise IT via SSC, hosting and outsourcing to cloud computing
     • Data processing and storage: on-premise to off-premise
     • Resource use: single-tenant to multi-tenant
     • Primary network infrastructure: LAN to (public) internet
  60. Layers of services (diagram: stack of facilities, HW + network, OS, middleware and business software, with IT management alongside; IaaS, PaaS and SaaS each cover successively more layers of the stack)
  61. Cloud ecosystem: enablers to integrators
     • Cloud enablers
       • Examples: H/W and S/W vendors
       • Value added: provide the technology, infrastructure, platforms and middleware to enable provision of cloud services
     • Cloud service vendors
       • Examples: IT & services players (HW & SW vendors / IT distributors), pure cloud players (e-commerce, internet giants, hosting companies), telcos
       • Value added: provide the actual cloud services, spanning SaaS, PaaS and IaaS, to customers
     • Cloud service integrators
       • Examples: integrators, telcos
       • Value added: provide cloud-focused technology services such as system integration, cloud migration and maintenance
  62. Cloud ecosystem: niches and providers (diagram: hardware, operating system, virtualisation software, application development platform and applications, served by infrastructure, platform and software providers and by system integrators; different niches and service providers)
  63. Third party providers
     • Increasing number of third-party providers
       • Service providers
       • Co-operators and partners
       • Aggregators and brokers
     • Examples:
       • Twitter, Dropbox and many mobile apps on Amazon
       • Salesforce on Equinix
       • Cloud services via Capgemini
  64. Dynamic market place
     • Acquisitions
       • Google acquires Writely
       • Salesforce acquires Heroku
       • Wolters Kluwer acquires Twinfield
     • Bankruptcy (Cassatt)
     • Change of strategy (Iron Mountain, Google Wave, Google Notebook)
  65. Virtualisation 1/3
     • Essential element of cloud computing
     • VMware (market leader: VM Server, vSphere), MS Hyper-V, Citrix Xen
     • Already on mainframes since the 1960s
     (diagram: one OS directly on hardware versus several OSs on a virtualisation layer on top of the hardware)
  66. Virtualisation 2/3 (diagram)
     • Resource virtualisation layer (software): large shared storage, large shared database, shared network. This layer provides many virtual resources but itself also consists of many components, potentially spread around the world or, for example, obtained from other cloud vendors
     • Virtualisation layer (software): this layer provides many virtual servers or software services but itself also runs on an intelligently balanced pool of real (physical) servers, utilising the virtualised resources
  67. Virtualisation 3/3
     • More systems ‘virtually’ on one physical machine
     • Managed via the hypervisor
  68. Virtualisation risks
     • Single point of failure
     • Performance degradation (HW, network)
     • Licence conditions
     • Some applications’ performance degrades significantly
     • Insecure deployment and configuration of VMs
     • No firewall between VMs (VM-to-VM traffic undetected by network protection mechanisms)
  69. Other types of virtualisation
     • Desktop virtualisation (e.g. via Citrix and Hyper-V): Shell GID
     • Storage virtualisation
     • Application virtualisation for legacy apps: de-coupling of OS and HW – not always possible
  70. Off-premise nature
     • Based on access from external/third parties, not on access to cloud services
     • Based on management of internally stored data (eventually managed by externals), not on externally stored data
     • Irrelevant and insufficient
  71. Multi-tenancy
     • Marginal attention on (technical) architecture
     • Multi-tenancy virtually unobserved/unexposed
     • Mere focus on segregation of duties, facilities and networks
  72. (Public) internet
     • Financial and legal issues (accountability, ownership) outside the domain of IT audits
     • Exceptionally difficult to audit
     • Only a few existing principles and practices for e-mail usage and internet security are applicable
  73. Hybrid environment
     • Given the position of cloud computing, the future mode will be a hybrid environment
     • At large corporations, this hybrid environment will consist of on-premise IT, outsourced parts, parts at hosting providers, and parts in the cloud
     • The key risk resides in the organisation’s inability to orchestrate the new paradigm of automation
  74. Practices: cloud ecosystem
     • Define scope of services
     • Define scope of CSP and other (third) party providers
     • Identify components (physical, network, HW, SW, services)
     • Agree demarcation of responsibilities/accountabilities
  75. Conceptual architecture of the cloud (diagram: customer organisation, cloud service provider, third party (cloud) provider, data centre, mobile use, online identities, network)
  76. Practices: data classification
     • Identify data
     • Assign ownership
     • Classify data (value, legal, sensitivity, importance)
     • Devise and implement procedures for data processing
  77. Links
     • http://www.dataliberation.org
  78. Contact
     • 06 – 1455 9916
     • Laan van Langerhuize 1, KPMG Amstelveen
     • Follow me on Twitter @MikeChung_KPMG