It's the security, stupid! How IT audits cope with cloud computing. Mike Chung, KPMG Security
Black Hat Sessions VIII: Hacking the Cloud – Ede April 2010 by Mike Chung KPMG Security
Transcript

  • 1. Black Hat Sessions VIII: Hacking the Cloud – Ede April 2010
    It's the security, stupid! How IT audits cope with cloud computing
    drs. Mike Chung RE
  • 2. Cloud computing
    Cloud computing is putting your data on someone else's hard disk and accessing it via a network..
    - Public cloud: ..with a lot of other people too
    - Private/dedicated cloud: ..alone
    - Infrastructure-as-a-Service: you have to install the OS and software on that hard disk yourself
    - Platform-as-a-Service: you have to install software only
    - Software-as-a-Service: everything's been installed
    © 2010 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
  • 3. Main questions
    - What is the (ir)relevance of audits in the cloud?
    - What are the specific factors concerning the cloud?
    - How (ir)relevant are audit standards?
    - How (in)competent are IT auditors?
  • 4. The relevance of IT audits
    - Compliance with legislation, regulations and standards
      - SOx, HIPAA, PCI DSS..
      - Non-compliance means a significant loss of business, or even going out of business
      - Due to / thanks to the credit crunch, regulations have been tightened
    - IT audits as part of the annual statement of accounts
    - Cloud computing is a matter of trust – current trust models are weak
      - You don't trust what you don't understand – perceptions, fairy tales and FUD
      - Why should decision-makers trust IT vendors and advisors?
      - Security is the biggest concern for decision-makers: according to KPMG's 2010 cloud computing survey, security issues are the main concern of CIOs and managers (75%), followed by privacy, compliance and legal matters
  • 5. Security issues of cloud computing are real
    - Hackers stole credentials of Salesforce.com's customers via phishing attacks (2007)
    - Thousands of customers lost their data in the cloud due to the 'Sidekick disaster' of Microsoft/T-Mobile (2009)
    - A botnet incident at Amazon EC2 infected customers' computers and compromised their privacy (2009)
    - Security flaws in Google Docs gave erroneous permissions to its users (2009)
    - Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft's software (2010)
    - Botnets are increasingly threatening access to internet services
    - Spam, excessive traffic from multimedia sites and P2P networks are clogging the internet's arteries
  • 6. Security risks: specific factors concerning the cloud
    - External data storage
    - Multi-tenancy
    - Use of the (public) internet
    - Integration with the internal IT environment
  • 7. Specific factor concerning the cloud: external data storage
    - Weak control of data (failing backup, recovery, destruction)
    - Legal complications (privacy violation; conflicting/contradictory and often unworkable/archaic legislation)
    - Uncertain viability (insufficient guarantees regarding continuity and availability of services)
    - Single point of failure (failure of one cloud vendor/provider means disaster for many customers)
    - Vendor lock-in (difficulty in getting the data back in open formats and switching to other vendors)
  • 8. Specific factor concerning the cloud: multi-tenancy
    - Inadequate segregation of data between different customers (data contamination)
    - Inadequate Identity & Access Management (erroneous authentication, access and authorization to IT resources and data)
    - Insufficient logging & monitoring
    - The weakest link is decisive (virtualization, shared databases)
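The first three multi-tenancy risks on slide 8 (data contamination, erroneous authorization, insufficient logging) show up concretely in a shared-database SaaS whenever a query selects by record id alone. The following Python example is added here by the editor and is not part of the presentation; the `documents` table, the tenant names and the `TenantScopedRepo` class are constructed for illustration. It contrasts an unscoped lookup, which hands one tenant another tenant's record, with a repository that carries the authenticated tenant into every `WHERE` clause and records each lookup, so cross-tenant reads fail closed and leave the audit trail an IT auditor would want to see as technical evidence.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: two tenants sharing one table, as in a
# shared-database multi-tenant SaaS. Ids, names and bodies are made up.
SAMPLE_ROWS = [
    (1, "tenant-a", "Tenant A payroll summary"),
    (2, "tenant-b", "Tenant B customer list"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_document_unscoped(conn: sqlite3.Connection, doc_id: int) -> Optional[str]:
    """Weak form: selects by id only. The caller's tenant is never consulted,
    so any tenant that knows (or guesses) an id reads another tenant's data.
    Nothing is logged, so the cross-tenant read is also invisible afterwards."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


@dataclass
class AccessEvent:
    tenant_id: str
    doc_id: int
    outcome: str  # "allowed" or "denied"


class TenantScopedRepo:
    """Hardened form: the authenticated tenant is a mandatory parameter and is
    bound into every query, and every lookup is appended to an audit log."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.audit_log: List[AccessEvent] = []

    def get_document(self, tenant_id: str, doc_id: int) -> Optional[str]:
        row = self.conn.execute(
            "SELECT body FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, tenant_id),
        ).fetchone()
        # A miss is recorded as "denied": the id may exist, but not for this tenant.
        self.audit_log.append(AccessEvent(tenant_id, doc_id, "allowed" if row else "denied"))
        return row[0] if row else None

    def denied_events(self) -> List[AccessEvent]:
        """Events a monitoring rule would alert on: repeated denials from one
        tenant are the signature of someone probing other tenants' ids."""
        return [e for e in self.audit_log if e.outcome == "denied"]


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], int]:
    """Tenant A requests document 2, which belongs to tenant B, through both paths."""
    conn = build_db()
    leaked = get_document_unscoped(conn, 2)        # contamination: B's data returned to A
    repo = TenantScopedRepo(conn)
    blocked = repo.get_document("tenant-a", 2)     # scoped query: None, plus a denied event
    own = repo.get_document("tenant-a", 1)         # A's own record is still served
    return leaked, blocked, own, len(repo.denied_events())


if __name__ == "__main__":
    print(demo())  # ('Tenant B customer list', None, 'Tenant A payroll summary', 1)
```

The point for an audit is that tenant scoping has to be structural (the tenant id is a required argument of the data-access layer, not something each caller remembers to add), and that the denial log is the evidence that the control operates, which is exactly the kind of technical evidence slide 22 asks auditors to collect.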
  • 9. Specific factor concerning the cloud: use of the (public) internet
    - Unclear and unaddressed accountability and ownership
    - Unclear demarcation of responsibilities and control
    - Limited regulation
    - A lot of clandestine traffic (spam) and networks (botnets)
    - Exceptionally poorly protected for such an important infrastructure – the internet is commercially the most valuable infrastructure
    - Extremely dependent on a couple of optic fibres and on electricity
    - Threats are virtually unknown to most politicians and decision-makers
  • 10. Specific factor concerning the cloud: integration with the internal IT environment
    - Unclear (network) perimeters
    - Difficulties/discrepancies in matching the cloud computing vendor's security measures with internal security measures, requirements and baselines
    - Complexity of integration between the cloud and the internal IT
  • 11. Security benefits
    - Centralized security
      - Concentration of security expertise
      - Economy of scale
    - High accessibility
    - 'Nakedness leads to fitness'
  • 12. Audit standards
    - Localized IT as starting point (ITIL)
    - Strong focus on client-server/on-premise IT (ISO 27001/2)
    - Static (COBIT)
    - Strong focus on processes (SOx)
  • 13. Audit standards versus external data storage
    - Based on access from external/third parties, not on access to cloud services
    - Based on management of internally stored data (possibly managed by externals)
    - From the viewpoint of the customer: irrelevant
    - From the viewpoint of the cloud computing vendor: insufficient
    - New principles and practices
      - 11 commandments of the Jericho Forum
      - Cloud security initiatives from ISF
  • 14. Audit standards versus multi-tenancy
    - Marginal attention to (technical) architecture
    - Multi-tenancy virtually unobserved/unexposed
    - Mere focus on segregation of duties, facilities and networks
    - New principles and practices
      - Cloud Security Alliance – Security guidance
      - Liberty Alliance's IAM 'baselines' for federated IAM
      - ENISA – Cloud computing security framework
  • 15. Audit standards versus use of the (public) internet
    - Primarily financial-legal issues (accountability, ownership) outside the domain of IT audits
    - Exceptionally difficult to audit – there is no usable and accepted 'atlas of the internet'
    - Existing principles and practices for e-mail usage and internet security are partly applicable, but an audit framework for the internet is yet to be released
  • 16. Audit standards versus integration with the internal IT environment
    - 'Open standards' – which one(s) to choose?
    - 'Open' audit standards versus the reality of 'proprietary' cloud technologies
    - New principles and practices
      - ISF – The Standard of Good Practice for Information Security
      - OWASP frameworks
  • 17. Compliance
    - Responsibility and risks lie with the customer, not the cloud vendor
    - Legislation versus the current state of (technical) affairs
    - Compliance with different legislation from different countries (SOx, HIPAA, PCI DSS, WBP..)
    - SAS 70 as a way out?
  • 18. SAS 70: objections
    - Type I or Type II?
    - Free to choose the controls
    - Fully dependent on the expertise and viewpoint of the auditor
    - Many variations in audit approach, set-up and level of (technical) detail
    - Wide intervals between audits
  • 19. SAS 70 in practice
    - Same standards used as for client-server/on-premise IT environments
    - Hardly any attention to multi-tenancy, service integration and external data storage
    - Superficially reviewed by (potential) customers and auditors
    - Lacunae rarely raised
  • 20. IT auditors
    - Competent researchers and analysts
    - High-level knowledge of architecture and technology
    - Mostly educated in economics, accounting, business management
    - Existing audit standards and baselines as starting points
  • 21. IT audits in practice
    - Use of partly irrelevant and insufficient controls for cloud computing
    - Approach tailored to client-server/on-premise IT
    - Emphasis on (service management) processes with paper evidence
    - Recommendations only partly aimed at mitigating cloud-specific risks
  • 22. Steps forward
    - Update existing standards and frameworks with relevant controls for the cloud
    - Control (read: reduce) the many good initiatives for setting up new standards and frameworks – consolidate expertise
    - More emphasis on architecture and technology, with technical evidence
    - Increase the share of technically educated auditors
  • 23. Conclusion
    - IT audits are an essential part of compliance and assurance
    - Cloud computing harbours specific security risks
    - Audit standards and baselines are partly irrelevant and insufficient, but there are (too) many initiatives to update them
    - While IT auditors are competent researchers, their (technical) knowledge of cloud computing needs to be updated
  • 24. Contact
    Drs. Mike Chung RE
    Manager, KPMG Advisory N.V.
    E-mail: chung.mike@kpmg.nl
    Mobile: +31 (0)6 1455 9916
  • 25. About the spider
    - The spider depicted in this presentation is the European garden spider, also known as the cross spider (Araneus diadematus)
    - The garden spider makes large webs
    - Like most spiders, it possesses venom glands
    - However, this spider is docile and its venom is harmless to humans