Cloud Computing - Security audits versus cloud computing
Security audits versus cloud computing (English version). A presentation by Mike Chung, manager at KPMG Netherlands.

  • Since the risks in the cloud are very real, auditing must be even more important to keep things in place. I mean, make sure everything is accounted for.

Transcript

  • 1. KPMG Risk & Compliance: Audit in the cloud
    Security audits versus cloud computing
    drs. Mike Chung RE, Advisory

  • 2. Cloud computing as phenomenon
    − The IT service model of choice for 2010 and beyond
        − The total revenue of cloud services is approaching 25 billion USD worldwide in 2010
        − Cloud computing is growing by over 30% per year
        − More than 50% of all Fortune 500 enterprises are already using some form of cloud computing
    − Massive investments by leading software vendors and IT integrators
    − Growing demand despite/thanks to the low economic tide and the perceived ‘reliability’ of the internet
    © 2010 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

  • 3. Main questions
    − How (un)secure is the cloud compared with on-premise IT?
        − Integrity
        − Confidentiality
        − Availability
    − How (ir)relevant are audit standards?
    − How (in)competent are IT auditors?

  • 4. Definition of cloud computing
    − Hosted services from the (inter)net, metaphorically depicted as a cloud
    − Utilization of Web 2.0
    − ‘ASP 2.0’
    − Examples:
        − Software-as-a-Service (Salesforce.com, Gmail, Microsoft Online)
        − Platform-as-a-Service (GoogleApps, Force.com, 3tera AppLogic)
        − Infrastructure-as-a-Service (Amazon EC2, Citrix Cloud Centre)

  • 5. Characteristics of cloud computing
    − Multi-tenant
    − External data storage
    − Use of the (public) internet
    − On-demand
    − Subscription-based model
    − Elastic
    − Web based

  • 6. Security issues of cloud computing are real
    − Google Web Service vulnerability leaked database usernames and passwords (2007)
    − Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)
    − Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
    − Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)
    − Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)

  • 7. Security risks: specific factors concerning the cloud
    − External data storage
    − Multi-tenancy
    − Use of the (public) internet
    − Integration with the internal IT environment

  • 8. Security risks: external data storage
    − Weak control of data (failing backup & recovery)
    − Legal complications (privacy violation, conflicting/contradicting legislation)
    − Uncertain viability (insufficient guarantees regarding continuity and availability of services)
    − Single point of failure (failure of one cloud vendor/provider means disaster for many customers)

  • 9. Security risks: multi-tenancy
    − Inadequate segregation of data between different customers
    − Inadequate Identity & Access Management
    − Insufficient logging & monitoring
    − The weakest link is decisive (virtualization, shared databases)

  • 10. Security risks: use of the (public) internet
    − Unclear and unaddressed accountability and ownership
    − Loss, misuse and theft of data
    − No access to data and/or services
    − Non-repudiation issues

  • 11. Security risks: integration with the internal IT environment
    − Unclear (network) perimeters
    − No match with internal security measures, requirements and baselines
    − Complexity of integration between the cloud and the internal IT

  • 12. Residual risks
    − High, unforeseen, initial investments
        − Legal costs
        − Costs to perform risk analyses
        − Costs of escrow arrangement
    − Poor performance
    − Additional IT management
        − Identity & Access Management
        − Key management

  • 13. Security benefits
    − Centralized security
        − Concentration of security expertise
        − Economies of scale
    − High accessibility
    − ‘Nakedness leads to fitness’

  • 14. Audit standards
    − Localized IT as starting point (ITIL)
    − Strong focus on client-server/on-premise IT (ISO27001/2)
    − Static (Cobit)
    − Strong focus on processes (SOx)

  • 15. Audit standards versus external data storage
    − Based on access from external/third parties, not on access to cloud services
    − Based on management of internally stored data (possibly managed by externals)
    − From the viewpoint of the customer: irrelevant
    − From the viewpoint of the cloud computing vendor: insufficient
    − New principles and practices
        − 11 commandments of the Jericho Forum
        − Cloud security initiatives from ISF

  • 16. Audit standards versus multi-tenancy
    − Marginal attention to (technical) architecture
    − Multi-tenancy virtually unobserved/unexposed
    − Focus solely on segregation of duties, facilities and networks
    − New principles and practices
        − Cloud Security Alliance: Security guidance
        − Liberty Alliance’s IAM ‘baselines’

  • 17. Audit standards versus use of the (public) internet
    − Primarily financial-legal issues (accountability, ownership) outside the domain of IT audits
    − Exceptionally difficult to audit
    − Existing principles and practices for e-mail usage and internet security are applicable

  • 18. Audit standards versus integration with the internal IT environment
    − ‘Open standards’: which one(s) to choose?
    − ‘Open’ audit standards versus the reality of ‘proprietary’ cloud technologies
    − New principles and practices
        − ISF: The Standard of Good Practice for Information Security

  • 19. Compliance
    − Responsibility and risks are with the customer, not the cloud vendor
    − Legislation versus the current state of (technical) affairs
    − Compliance with different legislation from different countries (SOx, HIPAA, PCI DSS, WBP, ...)
    − SAS70 as a way out?

  • 20. SAS70: objections
    − Free to choose the controls
    − Fully dependent on the expertise and viewpoint of the auditor
    − Many variations in audit approach, set-up and level of (technical) detail
    − Wide intervals between audits

  • 21. SAS70 in practice
    − Same standards used as for client-server/on-premise IT environments
    − Hardly any attention to multi-tenancy, service integration and external data storage
    − Superficially reviewed by (potential) customers and auditors
    − Lacunae rarely raised

  • 22. IT auditors
    − Competent researchers and analysts
    − High-level knowledge of architecture and technology
    − Mostly educated in economics, accounting, business management
    − Existing audit standards and baselines as starting points

  • 23. IT audits in practice
    − Use of partly irrelevant and insufficient controls for cloud computing
    − Approach tailored for client-server/on-premise IT
    − Emphasis on (service management) processes with paper evidence
    − Recommendations only partly aimed at mitigating cloud-specific risks

  • 24. Conclusion
    − Cloud computing harbours specific security risks
    − Audit standards and baselines are partly irrelevant and insufficient, but there are initiatives to bring these up to date
    − While IT auditors are competent researchers, their (technical) knowledge of cloud computing needs to be updated

  • 25. Contact
    Drs. Mike Chung RE, Manager, KPMG Advisory N.V.
    E-mail: chung.mike@kpmg.nl
    Mobile: +31 (0)6 1455 9916

  • 26. About the painter & painting
    − J.H. Weissenbruch was a 19th century Dutch painter famed for his depiction of clouds
    − His style of painting is typical of the so-called Hague School (Haagse School)
    − The title of the painting is Beach at Scheveningen (Strand bij Scheveningen)
    − The picture as used for this presentation has been modified slightly