Cloud assurance presentation for the Revenue Office


This is the first part of the presentation that we (Mike Chung, Serge Wallach and Vincent Damen) did for the Dutch Revenue office without any confidential information. The other two parts will be uploaded next week.

Published in: Technology, Business

  1. Cloud Assurance: Challenges, Developments and Practices. March 2013, Utrecht. drs. Mike Chung RE. Part 1
  2. Objectives
     • Understanding the context of cloud computing from an assurance point of view
     • Addressing the perceived and real risks of cloud computing
     • Sharing good practices and control frameworks
     • Any other expectations?
  3. Context
  4. ‘Tectonic plate shifts in the industry’
     • “We are re-imagining every part of our software empire to run on and through the cloud” – Steve Ballmer
     • “Cloud Computing is going to be one of the things that enables Hewlett Packard to recover its leadership role in the ICT industry” – Meg Whitman
  5. Volume and magnitude
     • Gmail
     • Dropbox
     • Facebook
  6. Volume and magnitude
     • Gmail: 450 million users on more than 150,000 machines
     • Dropbox: 100 million users; services worth 5 billion EUR
     • Facebook: 1 billion users; 3 billion EUR turnover
  7. Cloud as enterprise solution
     • 2012 turnover approaching 1.7 billion EUR
     • Amazon EC2: 30% of profit from cloud services
     • Office 365: Lowe, Shell, Nutreco, American Red Cross
     • Google Apps: 66 of the 100 largest universities in the US are using Google Apps
  8. Mnemonic
     • Zero
     • One
     • Infinity
     • 1 to N
  9. Drivers to the cloud
     • Virtualisation
     • Web services
     • Broadband internet
     • Big data centres
     • Services
  10. Cloud market evolution
     • 2009 - 2010: Non-business critical; Commodity; Limited integration; Storage; CRM; Additional computing power
     • 2011 - 2012: Replacement of legacy; Flexibility; Moderate-level integration; Datacentre; ‘Office’; PaaS
     • 2013 - 2014: Business critical; Strategic; High-level integration; Cloud sourcing; Corporate mobile apps; ERP
     • Also listed: HR; Government; SME; Traditional production; Financial services; Telcos; Retail; Healthcare; Universities; Entertainment & media
  11. Recent developments
     • Google launches new IaaS: Google Compute Engine
     • Google Apps for small businesses no longer free
     • Oracle increases its presence in the cloud market (Oracle HCM)
     • Major CSPs lower their prices by up to 30%
     • Cisco acquires Meraki (mobile device management from the cloud)
     • OpenStack Foundation includes IBM, Dell, Cisco, HP
     • PCI guidelines for the cloud
  12. Profile of the cloud
  13. “Cloud computing vendors told me that my data at their locations was just as safe as my money in the bank. Since the credit crunch we all know how reliable the banks are.” – CISO of a firm in the public services sector
  14. Key differences
     • On-premise: internal data processing and storage; dedicated IT environment; LAN, leased lines
     • Cloud: external data processing and storage; multi-tenancy; (public) internet
  15. On-premise versus cloud (diagram: enterprise IT, business users, mobile users and external IT in the on-premise, cloud and ‘reality’ situations)
  16. Multi-tenancy
     • Key attribute/principle of cloud computing
     • Single instance of software (single code base on a common infrastructure) serving multiple clients
     • Different from virtualisation, yet using virtualisation
     • Per-tenant metadata
     • Standardised instances and releases
  17. Internet
     • Network of several millions of networks
     • Based on the TCP/IP protocol suite
     • ICANN: IP addresses and DNS
     • IETF: TCP/IP, standards
     • Different layers: application, transport, internet, link
     • Internet exchanges: AMS-IX, DE-CIX
     • Heterogeneous
  18. Internet (diagram: own network – internet providers – ‘random’ networks – internet providers – CSP’s network)
  19. Internet
  20. Assignment
     • Security risks
     • Privacy/legal risks
     • Operational risks
     • Financial risks
     • Vendor risks
     • Assurance risks
  21. Risk
     • Risk = probability * impact
  22. Approach
     • Per risk category
     • Per dimension
     • Threat/vulnerability-driven
  23. Cloud computing risks: security
     • Data may be stored in the cloud without proper customer segregation, allowing possible accidental or malicious disclosure to third parties
     • Loss of governance of critical areas, e.g. vulnerability management, infrastructure hardening or physical security
     • Weak logical access controls due to the cloud vendor’s IAM immaturity
     • Cloud adoption opens the four data centre walls to external IT service providers, creating new risks
  24. Cloud computing risks: privacy/legal
     • Data may be stored in the cloud in a legal jurisdiction where the rights of the data subject are not protected
     • Outdated laws and regulations create uncertainty when characterising the various cloud transactions
  25. Cloud computing risks: operational
     • Cloud adoption introduces rapid change in the organisation
     • Cloud sourcing may impact existing organisational roles and could require new skills or make others redundant
     • Business resiliency/disaster recovery needs and plans will change and require updating
     • The risk of creating independent silos of information perpetuates the problems of data integrity, quality and insight
     • Business can bypass the IT function to implement technology solutions, posing challenges for IT governance
  26. Cloud computing risks: financial
     • Movement from a CapEx to an OpEx model impacts existing budgeting, forecasting and reporting processes
     • The CapEx to OpEx model and changes in the character and source of service impact tax considerations
     • Cloud ROI and cost/benefit analysis are complicated by the need for knowledge of the existing cost of delivery and future use of the service
  27. Cloud computing risks: vendor
     • Lack of clarity of ownership responsibilities between cloud vendor and user company
     • No prevalent standards for vendor interoperability
     • Extensive reliance on CSPs
     • Cloud delivery models dramatically change how IT delivers technology services to support business requirements
  28. Cloud computing risks: assurance
     • Lack of visibility into the cloud service provider’s (CSP’s) operations inhibits analysis of its compliance with pertinent laws and regulations
     • Complexity of records management/records retention creates challenges
     • Lack of industry standards and certifications for cloud providers creates risks
  29. Risk dimensions: external IT operations
     • Inadequate and/or insufficient data security measures at the provider’s location(s) compromising data integrity and confidentiality
     • Issues with retracting data after termination of service
     • Discontinuation of business-critical services due to failing disaster recovery at the cloud service provider
     • Unclearly defined SLAs leading to unsatisfactory services
     • Compliance issues due to lack of assurance concerning the physical location of data
     • Location of data in different jurisdictions conflicting with local legislation applicable to the customer
  30. Risk dimensions: multi-tenancy
     • Inadequate data segregation and process isolation leading to data contamination and/or breach of confidentiality
     • Inadequate identity & access controls causing illegitimate access to sensitive data such as intellectual property
     • Restricted/limited services due to insufficient allocation of resources and/or capacity
     • Standardised functionalities not meeting business requirements
     • Complexity of ensuring compliance due to the ‘black box’ nature of shared resources (monitoring & logging)
  31. Risk dimensions: (public) internet
     • Unencrypted data getting lost or stolen in transfer
     • Clogged parts of the network causing unavailability of data
     • Dependency on internet access and availability for all cloud services
     • Uncontrolled access from unsecured/malware-infected client devices affecting services
     • The public internet is exceptionally hard to audit and to monitor
     • Accountability and responsibilities for internet traffic are difficult to assign and even more difficult to enforce
     • Lack of possibilities to influence technology on the internet
     • Governments can shut down parts of the internet (Egypt, China)
  32. Incidents in the cloud: overview
     • Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
     • Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)
     • Gmail was unavailable for several hours due to unspecified reasons (2010)
     • Hyves was unavailable for an hour due to a UPS failure at Evoswitch (2010)
     • Linkup lost half of its customer data (2010)
     • GoGrid’s network problems had a major impact on service availability (2011)
     • was partly unavailable for 30 minutes (2011)
  33. Incidents in the cloud: Google
     • November/December 2010 – publicised during January 2010
     • Vulnerabilities in IE and Adobe software exploited to get access to Gmail accounts
     • ‘Elderwood’ (Chinese government?) – Operation Aurora
     • A number of Gmail accounts hacked
     • Vulnerabilities fixed
  34. Incidents in the cloud: Amazon EC2
     • December 2010
     • WikiLeaks ‘kicked out’ by Amazon
     • Cablegate data protected from DDoS attacks
     • Pressure from Homeland Security
     • Back to Bahnhof (Sweden)
     • Data safely transferred
  35. Incidents in the cloud: Sony PlayStation
     • April 2011 – users notified 7 days later
     • Unpatched servers as entry point – database exploited via SQL injection – passwords not hashed
     • Anonymous or disgruntled former employee(s)?
     • Exposed personal information of 77 million PlayStation Network users – over 5 million USD direct damage
     • Security technology updated, servers patched, increased levels of encryption
  36. Incidents in the cloud: Amazon WS
     • December 2012
     • Maintenance error by developers in the production environment
     • Configuration error in the access control system
     • Elastic Load Balancing service affected for the US-East region for almost 24 hours – performance degradation
     • No permanent loss or corruption of data
     • Amazon updated their procedures and access settings
  37. Incidents in the cloud: Windows Azure I
     • December 2012
     • Software bug
     • Human error: node protection not turned on
     • Failure of monitoring, alerts and escalation
     • No failover in place
     • 1.8% of Azure storage accounts impacted for 32 hours
     • No permanent loss of data
  38. Incidents in the cloud: Evernote
     • February 2013 – users notified 4 days later
     • Evernote itself detected breaches in its infrastructure and suspicious activities on its network
     • Suspects unknown
     • 50 million password changes requested
     • No evidence that user content was accessed, changed or lost
     • Two-factor authentication will be implemented (status March 2013)
  39. Incidents in the cloud: Windows Azure II
     • February 2013
     • Certificates for SSL expired
     • Untimely renewal of certificates due to human error
     • Failure of monitoring and alerts
     • Azure Storage Blobs, Tables and Queues using HTTPS impacted for 12 hours – worldwide
     • No permanent loss of data
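The Azure II root cause on this slide, an expired certificate that monitoring did not catch, is exactly what a small expiry check prevents. The following is an added example, not part of the original presentation: it scores certificates in the shape `ssl.getpeercert()` returns against warning and critical thresholds, most urgent first. The hostnames, dates, thresholds and `DEMO_NOW` are constructed, and `fetch_peer_cert` is an assumed helper for live endpoints.

```python
import socket
import ssl

WARN_DAYS = 30  # assumed thresholds: raise early, escalate late
CRIT_DAYS = 7

# Constructed sample set in the shape ssl.getpeercert() returns; the names and
# dates are illustrative, not any real provider's certificates.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "blob.example.test"),),), "notAfter": "Feb 22 12:00:00 2013 GMT"},
    {"subject": ((("commonName", "table.example.test"),),), "notAfter": "Mar 15 12:00:00 2013 GMT"},
    {"subject": ((("commonName", "queue.example.test"),),), "notAfter": "Jun 01 00:00:00 2013 GMT"},
    {"subject": ((("commonName", "legacy.example.test"),),), "notAfter": "Jan 01 00:00:00 2013 GMT"},
]
# Constructed "now" so the demo runs offline and deterministically.
DEMO_NOW = ssl.cert_time_to_seconds("Feb 20 12:00:00 2013 GMT")


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Retrieve the leaf certificate of a live HTTPS endpoint (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def common_name(cert):
    """Pull the subject CN out of the nested tuples getpeercert() produces."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<unknown>"


def days_until_expiry(cert, now_epoch):
    """Whole days left before notAfter; negative once the certificate has lapsed."""
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expiry - now_epoch) // 86400


def classify(days_left):
    """Map remaining lifetime to an alert level."""
    if days_left < 0:
        return "expired"
    if days_left <= CRIT_DAYS:
        return "critical"
    if days_left <= WARN_DAYS:
        return "warning"
    return "ok"


def expiry_report(certs, now_epoch):
    """One (cn, days_left, level) row per certificate, most urgent first."""
    rows = [(common_name(c), days_until_expiry(c, now_epoch), None) for c in certs]
    rows = [(cn, days, classify(days)) for cn, days, _ in rows]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for cn, days, level in expiry_report(SAMPLE_CERTS, DEMO_NOW):
        print(f"{level:8} {days:5d} days  {cn}")
```

Swap `SAMPLE_CERTS` for `[fetch_peer_cert(h) for h in hosts]` and `DEMO_NOW` for `time.time()` to run it against real endpoints on a schedule.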
  40. Incidents in the cloud: Zendesk
     • February 2013
     • Information on the root cause as well as suspects not disclosed by Zendesk
     • A limited amount of user data accessed by hackers
     • Procedures improved and vulnerable systems patched
  41. Incidents in perspective
     • Low number of incidents compared with on-premises IT
     • Far better execution of security measures and architecture
     • Security as a key factor for cloud service providers
     • Incidents are high-impact, high-magnitude events
     • Blurring demarcation of responsibilities between cloud service providers, network providers and customers
     • Importance of browsers
  42. Also notice that...
     • 10% of laptops with locally stored data get stolen every year
     • 99% of data is unencrypted
     • 50% of business-critical company data is unencrypted
     • Almost all big CSPs are ISO 27001 certified – only 15% of enterprises are able to match that
  43. Cloud versus on-premise (chart; source: AlertLogic)
  44. FUD and practice
     • FUD
       • Security: cloud is far less secure than on-premise IT
       • Privacy: everybody can access my data
       • Maturity: cloud is for kids only
     • Practice
       • Integration: cloud-on-premise integration is complex and often incompatible
       • Performance: cloud services obey the laws of physics too
       • Vendor lock-in: (open) standards are emerging, but it is a long road ahead
  45. DDoS
     • (Distributed) Denial of Service leading to obstruction of communication
     • Flood services: resource consumption, disruption of configuration (e-mail bombs)
     • Crash services: triggering errors in components
     • Twitter, August 2009
     • Better firewall/switch/router configuration; application front-end (data packet analysis)
  46. SQL injection
     • SQL query via the input data
     • Meta characters in an input query; the query is placed in SQL commands in the control plane
     • SQL databases on websites are common
     • Sony PlayStation
     • Input/output validation; static code analysis
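To make the ‘input/output validation’ control on this slide concrete, here is an added example that is not from the presentation: it puts the two weaknesses named in the PlayStation bullets, SQL built from raw input and plaintext passwords, next to a hardened login that uses parameterised queries and salted PBKDF2 hashes. The in-memory tables, the account and the work factor are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db():
    """In-memory SQLite with one constructed account in each table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (name TEXT PRIMARY KEY, pw TEXT)")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    # Plaintext password: the pattern the slide calls out for the PlayStation breach.
    conn.execute("INSERT INTO legacy_users VALUES (?, ?)", ("alice", "s3cret"))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("s3cret")))
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query from raw input, so meta characters change its meaning."""
    query = ("SELECT name FROM legacy_users WHERE name = '%s' AND pw = '%s'"
             % (name, password))
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, name, password):
    """Parameterised lookup; the password is checked against the salted hash."""
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(row[0], password)


# Textbook tautology input, used only to show how the two paths differ.
INJECTED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected input:", login_vulnerable(db, "alice", INJECTED))  # True
    print("hardened,   injected input:", login_hardened(db, "alice", INJECTED))    # False
```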
  47. Guest-hopping
     • Exploiting vulnerabilities in hypervisors (VM separation)
     • Hack VM A to attack VM B via VM A
     • Some minor cases on AWS
     • Segmentation, VM hardening
  48. Hyper-jacking
     • Taking control of the hypervisor
     • Directly obtaining control or running a rogue hypervisor
     • Theoretical scenario, but potentially extremely damaging
     • Cyclic redundancy check (CRC) – state value assigned by the underlying hardware
  49. Man-in-the-middle
     • Independent connections with the victims and relaying messages between them
     • Session hijacking; hostname lookup; web proxy
     • Several internet banking applications
     • Strong mutual authentication, latency examination, second (secure) channel verification
  50. Session replay
     • Stealing a legitimate user’s session ID
     • Session IDs often carried in cookies, form fields or URLs
     • Not often with public cloud services
  51. Eavesdropping
     • Sniffing networks; capturing network packets
     • Easy when hubs are used
     • Not often with public cloud services
     • Encryption, network segmentation, network access control
  52. Side-channel
     • Like guest-hopping – extracting information about the target VM from the ‘rogue’ VM
     • Amazon EC2, 2009 (case study by MIT)
     • Virtual firewall appliance
  53. Spoofing
     • IP, DNS, ARP spoofing attacks
     • IP spoofing often used for DDoS; DNS spoofing often used to spread viruses
     • Vulnerable with trusts/federations
     • Packet filtering, spoofing detection software, secure communication protocols (HTTPS, SSH, TLS)
  54. Cybercrime
     • The US Army is investing heavily in three areas: Special Forces, drones and cyber security
     • Physical systems can be attacked from cyberspace (Stuxnet)
     • Transparency on cyber incidents and unintended consequences (widespread vulnerabilities)
     • The good guys are being outspent
     • Predominance of two mobile systems (iOS and Android)
     • Secure or prepare?
  55. Cybercrime types
     • Organised cybercrime
     • Online espionage
     • Hacktivism
     • State-backed cyber attacks
     • Internal computer fraud
  56. Cybercrime challenges
     • Lack of information and obscurity (suspects, alliances, developments)
     • Much more professional (phishing e-mails, sophisticated attacks)
     • Non-technical and technical (harvesting of social data for targeted attacks)
     • Jurisdictional barriers
  57. Cybercrime challenges
     • Cloud as partner in crime (botnets on Amazon)
     • Collateral damage of attacks (attacks are being copied, refined and used again: Stuxnet, FinFisher)
  58. Challenges
     • Ecosystem and architecture
     • Technology
     • Frameworks and standards
     • ‘Right-to-audit’
     • IT auditors
  59. Sliding scale
     • Data processing and storage: on-premise ... off-premise
     • Resource use: single-tenant ... multi-tenant
     • Primary network infrastructure: LAN ... (public) internet
     • Scale: on-premise IT – SSC – hosting – outsourcing – cloud computing
  60. Layers of services (diagram: facilities, HW + network, OS, middleware, IT management and business software, mapped against IaaS, PaaS and SaaS)
  61. Cloud ecosystem: enablers to integrators
     • Cloud enablers: value added – provide the technology, infrastructure, platforms and middleware to enable provision of cloud services. Examples: H/W and S/W vendors; telcos
     • Cloud service vendors: value added – provide the actual cloud services, spanning SaaS, PaaS and IaaS, to customers. Examples: IT & services players (HW & SW vendors / IT distributors); pure cloud players (e-commerce, internet giants, hosting companies); telcos
     • Cloud service integrators: value added – provide cloud-focused technology services such as system integration, cloud migration and maintenance. Examples: integrators
  62. Cloud ecosystem: niches and providers (diagram of different niches and service providers: system integrators; applications; application development platform; infrastructure platform; virtualisation software; operating system; hardware)
  63. Third party providers
     • Increasing number of third party providers
       • Service providers
       • Co-operators and partners
       • Aggregators and brokers
     • Examples:
       • Twitter, Dropbox and many mobile apps on Amazon
       • Salesforce on Equinix
       • Cloud services via Capgemini
  64. Dynamic market place
     • Acquisitions
       • Google acquires Writely
       • Salesforce acquires Heroku
       • Wolters Kluwer acquires Twinfield
     • Bankruptcy (Cassatt)
     • Change of strategy (Iron Mountain, Google Wave, Google Notebook)
  65. Virtualisation 1/3
     • Essential element of cloud computing
     • VMware (market leader: VM Server, vSphere), MS Hyper-V, Citrix Xen
     • Already on mainframes since the 1960s
     • (diagram: several operating systems running on a virtualisation layer on top of hardware)
  66. Virtualisation 2/3
     • Software
     • Virtualisation layer: this layer provides many virtual servers or software services, but itself also runs on an intelligently balanced pool of real (physical) servers, utilising the virtualised resources
     • Resource virtualisation: this layer provides many virtual resources, but itself also consists of many components, potentially spread around the world or, for example, obtained from other cloud vendors
     • Shared network; large shared storage; large shared database
  67. Virtualisation 3/3
     • More systems ‘virtually’ on one physical machine
     • Managed via the hypervisor
  68. Virtualisation risks
     • Single point of failure
     • Performance degradation (HW, network)
     • Licence conditions
     • Some applications’ performance degrades significantly
     • Insecure deployment and configuration of VMs
     • No firewall between VMs (VM-to-VM traffic undetected by network protection mechanisms)
  69. Other types of virtualisation
     • Desktop virtualisation (e.g. via Citrix and Hyper-V): Shell GID
     • Storage virtualisation
     • Application virtualisation for legacy apps: decoupling of OS and HW – not always possible
  70. Off-premise nature
     • Based on access from external/third parties, not on access to cloud services
     • Based on management of internally stored data (eventually managed by externals), not on externally stored data
     • Irrelevant and insufficient
  71. Multi-tenancy
     • Marginal attention on (technical) architecture
     • Multi-tenancy virtually unobserved/unexposed
     • Mere focus on segregation of duties, facilities and networks
  72. (Public) internet
     • Financial and legal issues (accountability, ownership) outside the domain of IT audits
     • Exceptionally difficult to audit
     • Only a few existing principles and practices for e-mail usage and internet security are applicable
  73. Hybrid environment
     • Given the position of cloud computing, the future mode will be a hybrid environment
     • At large corporations, this hybrid environment will consist of on-premise IT, outsourced parts, parts at hosting providers and parts in the cloud
     • The key risk resides in the organisation’s inability to orchestrate the new paradigm of automation
  74. Practices: cloud ecosystem
     • Define scope of services
     • Define scope of CSP and other (third) party providers
     • Identify components (physical, network, HW, SW, services)
     • Agree demarcation of responsibilities/accountabilities
  75. Conceptual architecture of the cloud (diagram: customer organisation, network, cloud service provider, third party (cloud) provider, data centre provider, online identities, mobile use)
  76. Practices: data classification
     • Identify data
     • Assign ownership
     • Classify data (value, legal, sensitivity, importance)
     • Devise and implement procedures for data processing
  77. Links
     • om_cloud.pdf
     • security-DIGITAL.pdf
  78. Contact
     • 06 – 1455 9916
     • Laan van Langerhuize 1, KPMG Amstelveen
     • Follow me on Twitter @MikeChung_KPMG