Cloud Computing Risk Management (IIA Webinar)
Along with accessibility and convenience, cloud-based IT resources also bring risk. This webinar provides you with a brief introduction on the development of cloud computing and the related business risks. Additionally, you will learn questions to ask to determine if your company is using cloud-based IT resources along with information on the formal assurance frameworks that exist and can be effectively employed by both cloud consumers and providers without specialized training.

Presentation Transcript

Slide 1 – CLOUD COMPUTING RISK MANAGEMENT: SECURITY CONSIDERATIONS FROM AN ASSURANCE PERSPECTIVE
George Thomas, SVP Internal Audit – First Data Corp
Brian Dickard, Director Internal Audit – First Data Corp

Slide 2 – AGENDA
• Introduction
• Terminology and Stats
• Major Public Cloud Services
• Assessing Public Cloud Risk
• Trends and Issues
• Concluding Remarks

Slide 3 – INTRODUCTION
• First Data Vision – To shape the future of global commerce by delivering the world’s most secure and innovative payment solutions

Slide 4 – CLOUD COMPUTING – WHAT IS IT?
• Where did it come from?
• Why should I care as a business manager?
• What types of risk are there?
• How does it work?

Slide 5 – CLOUD COMPUTING – HOW DOES IT WORK?
• Understanding Cloud Computing
• Managing the risks

Slide 6 – POLLING QUESTION
• How familiar are you with the major Cloud Service and Deployment models?
  – A. Very familiar
  – B. Somewhat familiar
  – C. I’ve heard of them
  – D. Not familiar at all

Slide 7 – ESSENTIAL CHARACTERISTICS
• Resource Pooling
• Broad Network Access
• Rapid Elasticity
• Measured Service
• On Demand Self Service

Slide 8 – CLOUD SERVICE MODELS
• Infrastructure as a Service (IaaS)
  – “Raw” servers, disk space, network
  – Ex. Amazon Elastic Cloud Computing (EC2)
  – Foundational to PaaS and SaaS
  – Security (other than physical) provided by cloud consumer

Slide 9 – CLOUD SERVICE MODELS
• Platform as a Service (PaaS)
  – Middleware and application development frameworks supported by provider
  – Cloud-deployed applications created and supported by consumer
  – Ex. Google App Engine
  – Built on top of IaaS
  – Security must be built in by developer (provider or consumer)

Slide 10 – CLOUD SERVICE MODELS
• Software as a Service (SaaS)
  – “On Demand” application availability
  – Software and data hosted by provider
  – Accessed with a web browser
  – Ex. Gmail
  – Built on top of IaaS and PaaS
  – Highest provider security level

Slide 11 – CLOUD SERVICE LAYERS
• Diagram: the three layers stacked as SaaS (top), PaaS, IaaS (bottom); consumer configuration options increase moving down toward IaaS, provider-supplied security increases moving up toward SaaS

Slide 12 – IN-HOUSE IT ASSETS VS. “SPI” SERVICES
• In-House attribute vs. SPI attribute:
  – Fixed vs. Elastic
  – Overhead or Chargeback vs. Metered
  – Service Request vs. Self Service
  – Private Network Accessible vs. Internet Accessible
  – Dedicated vs. Shared

Slide 13 – DEPLOYMENT MODELS
• Public Cloud
  – More than one organization shares common IT resources
• Private Cloud
  – An organization buys and deploys its own IT resources, OR
  – Contracts an exclusive arrangement with a 3rd party
• Community Cloud
  – Usage of public cloud by common mission or cause
  – Ex. State or local governments
• Hybrid Cloud
  – Some elements of all three

Slide 14 – POTENTIAL BENEFITS
• Pay as you go model (low fixed cost)
• Remote access
• Rapid scalability
• Quicker deployment of IT-enabled strategies
• Stay current on technology upgrades
• Resiliency / Redundancy

Slide 15 – WHERE PRIVATE CLOUDS MAKE SENSE
• Large Corporate Data Center
  – High rate of optimization through virtualization
  – A diverse set of apps is coded to run on a common O/S, database and network
  – Apps are “swapped out” on common hardware based on processing load
  – The same hardware that runs a mission critical app may also run a support app in non-peak time
  – “Workload Agnostic Computing”

Slide 16 – VIRTUALIZATION STATS
• InfoWeek Poll – Major Corporations
  – 97% use Server Virtualization extensively or on a limited basis (ex. VMware vSphere)
  – 57% use Storage Virtualization (ex. NetApp)
  – 44% use Desktop Virtualization (ex. Citrix)
  – 42% use Application Virtualization (ex. VMware ThinApp)
  – 37% use I/O Virtualization (ex. Cisco VFrame)
  – 30% use Network Virtualization (ex. Nicira Networks “DVNI”)

Slide 17 – WHERE PUBLIC CLOUDS MAKE SENSE
• Businesses of any size where captive IT resources aren’t cost effective or available
  – Fixed capital expense becomes variable operating expense
  – Can quickly level the playing field for small and medium sized businesses
• “Cloud Bursting”
  – Adding incremental capacity to meet peak or seasonal demands
• Prototyping
  – Running simulations to determine in-house data center capacity needs

Slide 18 – POLLING QUESTION
• Describe your usage of Public Cloud infrastructure
  – A. Active production deployment
  – B. Evaluating or budgeted plans for production deployment
  – C. No plans for Public Cloud deployment
  – D. Don’t know

Slide 19 – PUBLIC CLOUD PLANS
• Infoweek Survey
  – 26% plan to deploy in the next year
  – 38% have no plans to deploy
  – 11% already have public deployment
• Are you sure?
  – DR scenario: private cloud becomes public

Slide 20 – ESSENCE OF THE PUBLIC CLOUD DECISION
• A thoughtfully considered* decision to move one of the following into the public cloud domain:
  – Data
    • Essential to map your data and understand whether, and how, it flows in and out of the cloud
    • Important to classify low value, high value regulated and high value unregulated assets
  – Transactions/Processing

Slide 21 – THOUGHTFULLY CONSIDER – HOW?
• How would you be harmed if:
  – The asset became widely public or widely distributed?
  – An employee of the cloud provider accessed the asset?
  – The process or function was manipulated by an outsider?
  – The process or function failed to provide the expected results?
  – The information/data was unexpectedly changed?
  – The asset were unavailable for a period of time?

Slide 22 – TOP PUBLIC CLOUD CONCERNS
• Data Security
  – Assurance framework
• Reliability / Availability
• Integration with Existing Systems
• Loss of Control

Slide 23 – A GROWING OPPORTUNITY
• Chart: revenue from “public cloud” services, in billions of dollars, by year 2008 through 2013. Source: Forrester Research

Slide 24 – MAJOR PUBLIC CLOUD SERVICE PROVIDERS
• (provider logos shown on the slide; not captured in the transcript)

Slide 25 – POLLING QUESTION
• Do you see a vendor on the previous slide who is used by your company, but you were unaware they were a provider of cloud services?
  – A. Yes
  – B. No

Slide 26 – APPLICABLE COMPLIANCE CERTIFICATIONS
• SSAE-16, SOC-1,2,3
  – Financial reporting and service oriented controls
  – Focused on integrity
• ISO 9002
  – Quality oriented controls
  – Focused on process
• ISO 27001 / 27002
  – Security oriented controls
  – Focused on security
• TIA 942 (Telecommunications Industry Association)
  – Data center fault tolerant controls
  – Focused on resilience

Slide 27 – PII BREACH BY CLOUD PROVIDER
• Could subject them to violations under the following privacy laws:
  – Privacy and safeguard rules under GLBA
  – PCI-DSS data transmission and storage security provisions
  – HIPAA restrictions on sharing health care data
  – Breach provisions under the HITECH Act
• Depends on provider’s contract provisions
• You can’t outsource your accountability for information security

Slide 28 – ASSURANCE FRAMEWORKS
• Cloud Security Alliance (CSA)
  – Cloud Controls Matrix
  – https://cloudsecurityalliance.org
• Information Systems Audit and Control Association (ISACA)
  – Cloud Computing Management Audit/Assurance Program
  – http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx
• European Network and Information Security Agency (ENISA)
  – Cloud Computing Security Risk Assessment
  – http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

Slide 29 – CLOUD SECURITY ALLIANCE
• GRC “Stack”
  – Cloud Controls Matrix
  – Consensus Assessments Initiative
  – Cloud Audit
  – Cloud Trust Protocol
  – Designed to support both cloud consumers and cloud providers
  – Created to capture value from the cloud as well as support compliance and control within the cloud
(Slides 29–39: © 2011 Cloud Security Alliance, Inc. All rights reserved)

Slide 30 – GRC STACK
• Cloud Controls Matrix
  – Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider
  – What control requirements should I have as a cloud consumer or cloud provider?
• Consensus Assessments Initiative
  – Industry-accepted ways to document what security controls exist
  – How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?

Slide 31 – GRC STACK
• Cloud Audit
  – Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance of cloud environments
  – How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
• Cloud Trust Protocol
  – Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from the cloud provider
  – How do I know that the controls I need are working for me (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?

Slide 32 – CLOUD CONTROLS MATRIX
• Controls base-lined and mapped to:
  – BITS Shared Assessments
  – COBIT
  – FedRAMP
  – HIPAA/HITECH Act
  – ISO/IEC 27001-2005
  – Jericho Forum
  – NERC CIP
  – NIST SP800-53
  – PCI DSS v2.0

Slide 33 – CLOUD CONTROL MATRIX – DOMAINS
  1. Compliance (CO)
  2. Data Governance (DG)
  3. Facility Security (FS)
  4. Human Resources (HR)
  5. Information Security (IS)
  6. Legal (LG)
  7. Operations Management (OM)
  8. Risk Management (RI)
  9. Release Management (RM)
  10. Resiliency (RS)
  11. Security Architecture (SA)

Slides 34–37 – CCM – CONTROLS
• (control listing shown as images on the slides; not captured in the transcript)

Slide 38 – CLOUD CONTROL MATRIX – SAMPLE
• (sample matrix shown as an image; not captured in the transcript)

Slide 39 – WHAT DO YOU DO WITH A COMPLETED CCM?
• Consumer: As an internal assessment tool
  – Log exceptions and draft a report of the provider’s level of control maturity, or a gap analysis
• Provider: As a public assertion of control maturity
  – CSA STAR (Security, Trust and Assurance Registry)
  – Trusted Cloud Initiative
    • www.cloudsecurityalliance.org/trustedcloud.html
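The consumer-side use of a completed CCM described on slide 39 (log exceptions, report the provider's control maturity, produce a gap analysis), as an added Python example that is not part of the webinar or of any CSA tool. The control ids, answers and evidence notes are constructed sample data, and the yes/partial/no weighting is an assumption of this example, not a CSA scoring rule; only the eleven domain codes come from slide 33.

```python
from collections import defaultdict

# The 11 Cloud Controls Matrix domains listed in the webinar (slide 33).
DOMAINS = {
    "CO": "Compliance", "DG": "Data Governance", "FS": "Facility Security",
    "HR": "Human Resources", "IS": "Information Security", "LG": "Legal",
    "OM": "Operations Management", "RI": "Risk Management",
    "RM": "Release Management", "RS": "Resiliency", "SA": "Security Architecture",
}
# Maturity credit for each answer a provider can give to a control question (assumed).
WEIGHTS = {"yes": 1.0, "partial": 0.5, "no": 0.0}

# Constructed sample responses (control id, answer, provider evidence note);
# the ids are hypothetical placeholders, not real CCM control numbers.
SAMPLE_RESPONSES = [
    ("CO-01", "yes", "SSAE-16 SOC 2 Type II report"),
    ("CO-02", "partial", "ISO 27001 certification in progress"),
    ("DG-01", "yes", "Data classification policy"),
    ("DG-02", "no", ""),
    ("IS-01", "yes", "Security program charter"),
    ("IS-02", "partial", "Key management procedure, keys not in HSM"),
    ("RS-01", "no", ""),
    ("SA-01", "n/a", "No multi-tenant network segments in scope"),
]

def gap_analysis(responses):
    """Return (maturity % per domain, exception list) for a completed CCM."""
    scored = defaultdict(list)
    exceptions = []
    for control_id, answer, evidence in responses:
        domain = control_id.split("-")[0]
        if domain not in DOMAINS:
            raise ValueError(f"unknown CCM domain in {control_id}")
        if answer == "n/a":      # not-applicable controls leave the denominator
            continue
        scored[domain].append(WEIGHTS[answer])
        if answer != "yes":      # every 'no' or 'partial' is a logged exception
            exceptions.append((control_id, answer, evidence or "no evidence supplied"))
    maturity = {d: round(100 * sum(v) / len(v)) for d, v in scored.items()}
    return maturity, exceptions

def draft_report(responses):
    """Render the gap report a consumer would log after reviewing a completed CCM."""
    maturity, exceptions = gap_analysis(responses)
    lines = [f"{DOMAINS[d]} ({d}): {m}% of assessed controls in place"
             for d, m in sorted(maturity.items())]
    lines += [f"EXCEPTION {cid}: answered '{ans}' ({note})" for cid, ans, note in exceptions]
    lines.append("Domains with no assessed controls: "
                 + ", ".join(sorted(set(DOMAINS) - set(maturity))))
    return "\n".join(lines)
```

Domains with no assessed controls are reported separately so that an unanswered questionnaire section is not mistaken for a mature one.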
Slide 40 – POLLING QUESTION
• Regarding the Cloud Security Alliance Cloud Control Matrix:
  – A. I am familiar with the CSA and CCM and have used the framework to assess cloud service providers.
  – B. I am familiar with the framework but have yet to use it.
  – C. I have not previously heard of the framework but think it might be useful.
  – D. I don’t think this framework is applicable to my company’s assessment of cloud service providers.

Slide 41 – INTEGRATION TRENDS / CONCERNS
• “Bring Your Own Device” (BYOD)
  – Smartphone, tablet, laptop
• “Bring Your Own Cloud” (BYOC)
  – Google Docs, Dropbox, iCloud, Skydrive

Slide 42 – “DATA AWARE” SECURITY
• Information Security trend
• Knowing if a particular combination of user, device, and software can be trusted with access to specific information
• Challenge: Encoding this security intelligence into your data before you store it in the public cloud

Slide 43 – RECAP
• Cloud computing has tangible benefits and could be a strategic differentiator
• Your organization may be more actively deployed to the “cloud” than you realize
• New risks are introduced, but can be managed with assurance frameworks

Slide 44 – QUESTIONS?
• George.Thomas@firstdata.com
• Brian.Dickard@firstdata.com

Slide 45 – REFERENCES
• Cloud Security Alliance
  – Security Guidance For Critical Areas of Focus in Cloud Computing V3.0 (2011)
    • https://cloudsecurityalliance.org/research/security-guidance/
  – Cloud Security Alliance GRC Stack (2011)
    • https://cloudsecurityalliance.org/research/grc-stack/
  – Cloud Security Alliance Cloud Controls Matrix V1.1 (2010)
    • https://cloudsecurityalliance.org/research/ccm/
• Information Week (Jan–Mar 2012)
• MIT Technology Review (Jan–Mar 2012)