Black Hat Sessions VIII: Hacking the Cloud – Ede April 2010 by Mike Chung KPMG Security

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
381
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
15
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

It's the security, stupid! How IT audits cope with cloud computing. Mike Chung, KPMG Security

  1. It's the security, stupid! How IT audits cope with cloud computing
     Black Hat Sessions VIII: Hacking the Cloud – Ede, April 2010
     drs. Mike Chung RE
  2. Cloud computing
     - Cloud computing is putting your data on someone else's hard disk and accessing it via a network..
       - Public cloud: ..with a lot of other people too
       - Private/dedicated cloud: ..alone
       - Infrastructure-as-a-Service: you have to install the OS and the software on that hard disk yourself
       - Platform-as-a-Service: you have to install the software only
       - Software-as-a-Service: everything has been installed
     © 2010 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
  3. Main questions
     - What is the (ir)relevance of audits in the cloud?
     - What are the specific factors concerning the cloud?
     - How (ir)relevant are audit standards?
     - How (in)competent are IT auditors?
  4. The relevance of IT audits
     - Compliance with legislation, regulations and standards
       - SOx, HIPAA, PCI DSS..
       - Non-compliance means a significant loss of business, or even going out of business
       - Due to / thanks to the credit crunch, regulations have been tightened
     - IT audits as part of the annual statement of accounts
     - Cloud computing is a matter of trust – current trust models are weak
       - You don't trust what you don't understand – perceptions, fairy tales and FUD
       - Why should decision-makers trust IT vendors and advisors?
       - Security is the biggest concern for decision-makers: according to KPMG's 2010 cloud computing survey, security issues are the main concern of CIOs and managers (75%), followed by privacy, compliance and legal matters
  5. Security issues of cloud computing are real
     - Hackers stole credentials of Salesforce.com's customers via phishing attacks (2007)
     - Thousands of customers lost their data in the cloud due to the 'Sidekick disaster' of Microsoft/T-Mobile (2009)
     - A botnet incident at Amazon EC2 infected customers' computers and compromised their privacy (2009)
     - Security flaws in Google Docs gave erroneous permissions to its users (2009)
     - Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft's software (2010)
     - Botnets are increasingly threatening access to internet services
     - Spam, excessive traffic from multimedia sites and P2P networks are clogging the internet's arteries
  6. Security risks: specific factors concerning the cloud
     - External data storage
     - Multi-tenancy
     - Use of the (public) internet
     - Integration with the internal IT environment
  7. Specific factor concerning the cloud: external data storage
     - Weak control of data (failing backup, recovery, destruction)
     - Legal complications (privacy violation; conflicting/contradictory and often unworkable/archaic legislation)
     - Uncertain viability (insufficient guarantees regarding continuity and availability of services)
     - Single point of failure (failure of one cloud vendor/provider means disaster for many customers)
     - Vendor lock-in (difficulty in getting the data back in open formats and switching to other vendors)
  8. Specific factor concerning the cloud: multi-tenancy
     - Inadequate segregation of data between different customers (data contamination)
     - Inadequate Identity & Access Management (erroneous authentication, access and authorization to IT resources and data)
     - Insufficient logging & monitoring
     - The weakest link is decisive (virtualization, shared databases)
  9. Specific factor concerning the cloud: use of the (public) internet
     - Unclear and unaddressed accountability and ownership
     - Unclear demarcation of responsibilities and control
     - Limited regulation
     - A lot of clandestine traffic (spam) and networks (botnets)
     - Exceptionally poorly protected for such an important infrastructure – the internet is commercially the most valuable infrastructure
     - Extremely dependent on a couple of optical fibres and on electricity
     - Threats are virtually unknown to most politicians and decision-makers
  10. Specific factor concerning the cloud: integration with the internal IT environment
     - Unclear (network) perimeters
     - Difficulties/discrepancies in matching the cloud computing vendor's security measures with internal security measures, requirements and baselines
     - Complexity of integration between the cloud and the internal IT
  11. Security benefits
     - Centralized security
       - Concentration of security expertise
       - Economy of scale
     - High accessibility
     - 'Nakedness leads to fitness'
  12. Audit standards
     - Localized IT as starting point (ITIL)
     - Strong focus on client-server/on-premise IT (ISO 27001/2)
     - Static (COBIT)
     - Strong focus on processes (SOx)
  13. Audit standards versus external data storage
     - Based on access from external/third parties, not on access to cloud services
     - Based on management of internally stored data (possibly managed by externals)
     - From the viewpoint of the customer: irrelevant
     - From the viewpoint of the cloud computing vendor: insufficient
     - New principles and practices
       - 11 commandments of the Jericho Forum
       - Cloud security initiatives from ISF
  14. Audit standards versus multi-tenancy
     - Marginal attention to (technical) architecture
     - Multi-tenancy virtually unobserved/unexposed
     - Mere focus on segregation of duties, facilities and networks
     - New principles and practices
       - Cloud Security Alliance – Security guidance
       - Liberty Alliance's IAM 'baselines' for federated IAM
       - ENISA – Cloud computing security framework
  15. Audit standards versus use of the (public) internet
     - Primarily financial-legal issues (accountability, ownership) outside the domain of IT audits
     - Exceptionally difficult to audit – there is no usable and accepted 'atlas of the internet'
     - Existing principles and practices for e-mail usage and internet security are partly applicable, but an audit framework for the internet is yet to be released
  16. Audit standards versus integration with the internal IT environment
     - 'Open standards' – which one(s) to choose?
     - 'Open' audit standards versus the reality of 'proprietary' cloud technologies
     - New principles and practices
       - ISF – The Standard of Good Practice for Information Security
       - OWASP frameworks
  17. Compliance
     - Responsibility and risks are with the customer, not the cloud vendor
     - Legislation versus the current state of (technical) affairs
     - Compliance with different legislation from different countries (SOx, HIPAA, PCI DSS, WBP..)
     - SAS 70 as a way out?
  18. SAS 70: objections
     - Type I or Type II?
     - Free to choose the controls
     - Fully dependent on the expertise and viewpoint of the auditor
     - Many variations in audit approach, set-up and level of (technical) detail
     - Wide intervals between audits
  19. SAS 70 in practice
     - Same standards used as for client-server/on-premise IT environments
     - Hardly any attention to multi-tenancy, service integration and external data storage
     - Superficially reviewed by (potential) customers and auditors
     - Lacunae rarely raised
  20. IT auditors
     - Competent researchers and analysts
     - High-level knowledge of architecture and technology
     - Mostly educated in economics, accounting and business management
     - Existing audit standards and baselines as starting points
  21. IT audits in practice
     - Use of partly irrelevant and insufficient controls for cloud computing
     - Approach tailored to client-server/on-premise IT
     - Emphasis on (service management) processes with paper evidence
     - Recommendations only partly aimed at mitigating cloud-specific risks
  22. Steps forward
     - Update existing standards and frameworks with relevant controls for the cloud
     - Control (read: reduce) the many good initiatives for setting up new standards and frameworks – consolidate expertise
     - More emphasis on architecture and technology, with technical evidence
     - Increase the share of technically educated auditors
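Slide 8's "data contamination" risk and slide 22's call for technical rather than paper evidence, illustrated by an added Python example that is not part of the presentation: a shared store with an unscoped lookup beside its tenant-scoped fix, and a probe that enumerates cross-tenant reads as reproducible, auditable evidence. The tenants, record ids and payloads are constructed for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    tenant_id: str
    record_id: int
    payload: str

@dataclass
class SharedStore:
    """One shared database holding rows for every tenant (multi-tenancy)."""
    rows: list = field(default_factory=list)

    def find_unscoped(self, record_id):
        """Defective lookup keyed on record id only: a valid session of one
        tenant can read another tenant's row (slide 8's data contamination)."""
        return [r for r in self.rows if r.record_id == record_id]

    def find_scoped(self, tenant_id, record_id):
        """Hardened lookup: every query carries the caller's tenant id."""
        return [r for r in self.rows
                if r.tenant_id == tenant_id and r.record_id == record_id]

def segregation_evidence(store, lookup):
    """Probe every (caller tenant, record id) pair through `lookup` and list
    each cross-tenant read as (caller, owner, record_id). An empty list is
    the kind of reproducible technical evidence an auditor can re-run."""
    leaks = []
    tenants = sorted({r.tenant_id for r in store.rows})
    ids = sorted({r.record_id for r in store.rows})
    for caller in tenants:
        for rid in ids:
            for hit in lookup(store, caller, rid):
                if hit.tenant_id != caller:
                    leaks.append((caller, hit.tenant_id, hit.record_id))
    return leaks

def build_sample_store():
    # Constructed sample data: two tenants whose record ids collide.
    return SharedStore([
        Record("acme", 1, "acme-payroll"),
        Record("acme", 2, "acme-contracts"),
        Record("globex", 1, "globex-payroll"),
    ])

def audit_unscoped(store):
    return segregation_evidence(store, lambda s, t, i: s.find_unscoped(i))
def audit_scoped(store):
    return segregation_evidence(store, lambda s, t, i: s.find_scoped(t, i))
```

Running `audit_unscoped` on the sample store lists three cross-tenant reads, while `audit_scoped` returns an empty list; the same probe re-run against a real tenant-facing API is the technical evidence slide 22 asks for.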
  23. Conclusion
     - IT audits are an essential part of compliance and assurance
     - Cloud computing harbours specific security risks
     - Audit standards and baselines are partly irrelevant and insufficient, but there are (too) many initiatives to update these
     - While IT auditors are competent researchers, their (technical) knowledge of cloud computing needs to be updated
  24. Contact
     drs. Mike Chung RE, Manager, KPMG Advisory N.V.
     E-mail: chung.mike@kpmg.nl
     Mobile: +31 (0)6 1455 9916
  25. About the spider
     - The spider depicted in this presentation is the European Garden Spider, also known as the Cross Spider (Araneus diadematus)
     - The Garden Spider makes large webs
     - Like most spiders, it possesses venom glands
     - However, this spider is docile and its venom is harmless to humans