
Cloud Security


Published on

This is the ISACANE - Metrowest Breakfast Meeting held on December 18, 2009.

Published in: Technology

Cloud Security

  1. Cloud Security and Audit Issues
     Rapp Consulting

  2. Agenda
     - Cloud Computing 101
     - Reality Check
     - Security Issues
     - ISACA Member Responsibilities
     - What’s Missing

  3. Cloud Computing 101
     Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
     - NIST Definition of Cloud Computing

  4. Cloud Computing 101: History - Definitions
     [Diagram: computing models from 1970 to 2010 (Distributed, Centralized, De-Centralized, Re-Centralized) across the Applications, System, Platform and Hardware layers. Per Novell Cloud Presentation 09/09]

  5. Cloud Computing 101: History - Definitions
     [Figure only]

  6. Basic Concepts – Cloud Enabling Technologies / Functions
     Cloud computing is the attempted commercialization of virtual computing.

  7. Basic Concepts – Cloud Enabling Technologies / Functions
     - SOA - XML – API
     - Hypervisor
     - Dynamic Partitioning
     - API - Application Programming Interface
     - Server Optimization
     - OS / Application / Data Server Migration
     - Client CPU/Memory Utilization Monitoring

  8. Basic Concepts – Enabling Technologies
     Dynamic Partitioning – the variable allocation of CPU processing and memory to multiple OSs, applications, and data within one server.

  9. Cloud Computing 101: History - Definitions
     [Figure only]

  10. Cloud Computing 101: ASPs vs SaaS
     - ASPs are traditional, single-tenant applications, hosted by a third party.
     - SaaS applications are multi-tenant, user-facing, web-based applications hosted by a vendor.

  11. Cloud Computing 101: PaaS
     - A Development Environment (Platform) as a Service.
     - Developer Tool Kits provided. “Pay as you develop/test” business model.
     - Rapid Propagation of Software Applications – Low Cost of Entry.

  12. Cloud Computing 101: IaaS
     The “Bare Metal” Infrastructure as a Service
     - Clients provide all OS, security and application software
     - Used for quick-implementation, as-needed data processing / data storage

  13. Cloud Computing 101 - Service Delivery Models
     - SaaS: Software as a Service
     - PaaS: Platform as a Service
     - IaaS: Infrastructure as a Service

  14. Cloud Deployment Models
     - Public cloud: sold to the public, mega-scale infrastructures
     - Private cloud: enterprise-owned or leased to a single client
     - Community cloud: shared infrastructure for a specific community
     - Hybrid cloud: composition of two or more cloud models

  15. Cloud Computing 101
     [Figure only]

  16. Reality Check
     - The Cloud Is and Will Happen
     - Current Major Players – IaaS, PaaS: Amazon Web Services, ATT, IBM, Rackspace, Terremark, Savvis
     - Current Major Players – SaaS: FaceBook, Google (Gmail), Netsuite

  17. Reality Check
     [Figure only]

  18. Reality Check: Spending Forecasts
     [Figure only]

  19. Claimed Cloud Computing Business Advantages
     - Optimizes Server Utilization
     - Cost Savings
     - Dynamic Scalability
     - Time Savings for New Programs
     - Right-sizes your enterprise
     - Outsources IT
     - Transitions CAPEX to OPEX

  20. Excellent Cloud Examples
     - NASDAQ / NYT
     - Signiant
     - ThinLaunch Software
     - Intuit QuickBase
     - Webroot

  21. A Disruptive Technology
     The Cloud reshuffles the IT deck:
     - Shrink-wrapped and enterprise-sized applications will migrate to online apps, possibly open-sourced
     - OSs will tend towards web-partial systems
     - Desktops and notebooks lose hard drives
     - Businesses’ IT staffing requirements will drop

  22. Current Press Status
     - The majority of press coverage supports service providers attempting to gain mindshare.
     - Most IT analysis is very positive about (hyping) the merits of the cloud.
     - Very little is written of cloud security or its auditability.

  23. The Gartner Hype Curve
     [Figure only]

  24. Reality Check
     Greatest concerns surrounding cloud adoption at your company (per CIO):
     - Security 45%

  25. Security Issues
     “Cyber Crime in 2008 measured more to be a larger societal loss than illegal drugs.”
     “The main objective of most attackers is to make money. The underground prices for stolen bank login accounts range from $10–$1000 (depending on the available amount of funds), $0.40–$20 for credit card numbers, $1–$8 for online auction site accounts and $4–$30 for email passwords.”
     Symantec Global Internet Security Threat Report – April 2009

  26. Security Issues
     “Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century. The digital infrastructure’s architecture was driven more by considerations of interoperability and efficiency than of security.”
     White House Cyberspace Security Review, May 2009

  27. Security Issues
     [Figure only]

  28. Reality Check
     Greatest concerns surrounding cloud adoption at your company (per CIO):
     - Security 45%
     - Integration with existing systems 26%
     - Loss of control over data 26%
     - Availability concerns 25%
     - Performance issues 24%
     - IT governance issues 19%
     - Regulatory/compliance concerns 19%

  29. Cloud Security & Control Groups
     - ENISA
     - Cloud Security Alliance – CSA
     - ISACA
     - DMTF
     - NIST
     - Jericho Forum
     - OWASP

  30. Cloud Security Alliance Members
     [Figure only]

  31. Cloud Security Alliance
     [Figure only]

  32. ISACA
     [Figure only]

  33. ENISA
     [Figure only]

  34. DMTF
     [Figure only]

  35. Security Issues
     - Data Location
     - SaaS Clients’ data co-mingled
     - Accuracy and Authenticity of both Data and Applications transferred between servers
     - Penetration Detection & Multi-Client UA
     - Public Cloud-Server Owner – Due Diligence?
     - Data Erasure?

  36. Current Regulations
     - PCI Compliance
     - States’ PII requirements
     - Sarbanes-Oxley
     - HIPAA

  37. Current Regulations & Standards
     [Figure only]

  38. ISACA Member Responsibilities – Opportunities
     Greatest concerns surrounding cloud adoption at your company (per CIO):
     - Security 45%
     - Integration with existing systems 26%
     - Loss of control over data 26%
     - Availability concerns 25%
     - Performance issues 24%
     - IT governance issues 19%
     - Regulatory/compliance concerns 19%

  39. ISACA Member Responsibilities – Opportunities
     - Ensure the Organization’s Key Players are Aware of Cloud Security Issues
     - Audit Data / Applications targeted for Cloud Computing
     - Input / Review the Cloud Provider’s SLA Agreement
     - Strengthen the internal IAM Program

  40. ISACA Member Responsibilities – Opportunities
     Ensure the Organization’s Key Players are Aware of Cloud Security Issues. Target respected type “A” champions:
     - Business Application Owners
     - Corporate Attorneys
     - CxOs
     - HR

  41. ISACA Member Responsibilities – Opportunities
     Audit Data/Applications targeted for Cloud Computing – Data Mapping:
     - What is the application data’s internal security level?
     - Who are the Data Owners?
     - What type of Cloud (public, private, etc.) is targeted?

  42. ISACA Member Responsibilities – Opportunities
     Input / Review the Cloud Provider’s SLA:
     - Open-sourced APIs, etc.
     - XACML-based IAM program
     - Security Transparency
     - Ownership of Data
     - Audit at Will
     - DR/BC policy and practice
     - Return of application and data policy

  43. ISACA Member Responsibilities – Opportunities
     Strengthen IAM Program

  44. ISACA Member Responsibilities – Opportunities
     Strengthen the Identity – Access Management Program:
     - XACML-based IAM program
     - Federated User Access – integrated across both cloud and internal enterprise
     - Aligned with compliance requirements
     - SSO (Single Sign-On)
     - IAM Security Monitoring – Reporting
     - Opportunity to implement risk-based provisioning
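The two audit checks the deck asks for, the slide-41 data map (security level, data owner, targeted cloud type) and the slide-44 XACML-based, federated, risk-aware IAM program, can both be expressed as attribute-based policies evaluated by one policy decision point. The Python below is an added example written for this transcript, not code from the presentation or from Rapp Consulting: it is a toy XACML-style engine using deny-overrides combining, and the rule names, attribute keys, classification levels, the risk threshold and the sample inventory are all constructed assumptions rather than anything the slides specify.

```python
"""Toy XACML-style policy decision point (PDP) with deny-overrides combining.

Added example, not from the original slides or Rapp Consulting. Models the slide-41
data map (may this application's data, given its classification and owner, go to the
targeted cloud model?) and the slide-44 attribute-based IAM check for federated users
(role, MFA, session risk). Policy, attribute names, thresholds and data are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Request = Dict[str, object]  # flat attribute bag keyed XACML-style: "category.attribute"


@dataclass
class Rule:
    name: str
    effect: str                           # "Permit" or "Deny", as in XACML
    condition: Callable[[Request], bool]  # True when the rule applies to the request


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        # Deny-overrides: any applicable Deny wins; else Permit if any Permit applied;
        # else NotApplicable. An enforcement point must treat anything but Permit as no.
        decision = "NotApplicable"
        for rule in self.rules:
            if rule.condition(req):
                if rule.effect == "Deny":
                    return "Deny"
                decision = "Permit"
        return decision


CLOUD_MODELS = ("private", "community", "hybrid", "public")      # deployment models, slide 14
CLASSIFICATIONS = ("public", "internal", "confidential", "restricted")  # assumed levels

# Slide 41 data map as rules. Which level may go where is an assumption, not the deck's.
PLACEMENT_POLICY = Policy("cloud-placement", [
    Rule("no-owner-no-migration", "Deny", lambda r: not r.get("resource.owner")),
    Rule("restricted-stays-private", "Deny",
         lambda r: r["resource.classification"] == "restricted"
         and r["environment.cloud_model"] != "private"),
    Rule("confidential-never-public", "Deny",
         lambda r: r["resource.classification"] == "confidential"
         and r["environment.cloud_model"] == "public"),
    Rule("classified-data-may-move", "Permit",
         lambda r: r["resource.classification"] in CLASSIFICATIONS
         and r["environment.cloud_model"] in CLOUD_MODELS),
])

# Slide 44: federated, attribute-based access with a risk-based step-up requirement.
ACCESS_POLICY = Policy("federated-access", [
    Rule("block-high-risk-session", "Deny", lambda r: r["environment.risk_score"] >= 70),
    Rule("mfa-for-sensitive-data", "Deny",
         lambda r: r["resource.classification"] in ("confidential", "restricted")
         and not r["subject.mfa"]),
    Rule("role-may-read", "Permit",
         lambda r: r["action"] == "read"
         and r["subject.role"] in r["resource.allowed_roles"]),
    Rule("owner-may-write", "Permit",
         lambda r: r["action"] == "write" and r["subject.id"] == r["resource.owner"]),
])


def placement_decision(app: dict, cloud_model: str) -> str:
    """Decision for one inventory entry against the targeted cloud model."""
    return PLACEMENT_POLICY.evaluate({
        "resource.classification": app["classification"],
        "resource.owner": app.get("owner"),
        "environment.cloud_model": cloud_model,
    })


def data_map(inventory: List[dict], cloud_model: str) -> Dict[str, str]:
    """The slide-41 data map: a decision per application for the targeted cloud model."""
    return {app["name"]: placement_decision(app, cloud_model) for app in inventory}


def access_decision(subject: dict, resource: dict, action: str, risk_score: int) -> str:
    """May this federated subject perform `action` on `resource` at this session risk?"""
    return ACCESS_POLICY.evaluate({
        "subject.id": subject["id"], "subject.role": subject["role"],
        "subject.mfa": subject.get("mfa", False),
        "resource.owner": resource["owner"],
        "resource.classification": resource["classification"],
        "resource.allowed_roles": resource.get("allowed_roles", ()),
        "action": action, "environment.risk_score": risk_score,
    })


# Constructed sample inventory and principals (not real systems or people).
INVENTORY = [
    {"name": "crm", "classification": "internal", "owner": "sales-vp"},
    {"name": "erp", "classification": "confidential", "owner": "cfo"},
    {"name": "hr-payroll", "classification": "restricted", "owner": "hr-director"},
    {"name": "marketing-site", "classification": "public", "owner": None},
]
ERP = {"owner": "cfo", "classification": "confidential", "allowed_roles": ["finance", "cfo"]}
ALICE = {"id": "alice", "role": "finance", "mfa": True}
```

With the sample inventory, `data_map(INVENTORY, "public")` permits only `crm`: `erp` (confidential) is denied for a public cloud but permitted for private or community, `hr-payroll` (restricted) is permitted only in a private cloud, and `marketing-site` is denied everywhere because no data owner was recorded, which is exactly the gap the slide-41 questions are meant to surface before a migration. On the access side, `access_decision(ALICE, ERP, "read", 20)` is Permit, while the same request with `mfa` false or with a risk score of 85 becomes Deny, and a request that matches no rule comes back NotApplicable, which the enforcement point should treat as no access.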
  45. ISACA Member Responsibilities – Opportunities
     KEY TAKE-AWAY #1
     Cloud computing should provide organizations enough cost savings to afford investment in the required best-practice IS security measures.

  46. ISACA Member Responsibilities – Opportunities
     KEY TAKE-AWAY #2
     Employ the same best-practice audit and risk management principles for cloud computing as you have been trained for and have used (or should be using) your entire career.

  47. ISACA Member Responsibilities – Opportunities
     KEY TAKE-AWAY #3
     Develop an overarching Business Impact Analysis for moving an application / data to the cloud.

  48. ISACA Member Responsibilities – Opportunities
     Cloud computing can be evaluated much in the same way as a new operating system. And yet, it's something more as well. It has the usual system services but also some fantastic ones: unlimited memory, unlimited storage, unlimited network bandwidth, unlimited (and on-demand) scalability and parallelism.

  49. ISACA Member Responsibilities – Opportunities
     “This fundamental difference between probabilistic risk and risk introduced by an intelligent adversary (or adaptive threats) leads to the conclusion that more understanding of the cyber security issues and impacts that are possible on the electric grid is needed. Indeed, there really is no statistical norm for the behavior of cyber attackers and information systems and components failure, and their potential impacts to grid reliability.”
     NERC - 2009 Long-Term Reliability Assessment

  50. ISACA Member Responsibilities – Opportunities
     [Diagram: Internal Enterprise connected to a CRM Cloud App and an ERP Cloud App, with Suppliers, Distribution and Resellers]

  51. ISACA Member Responsibilities – Opportunities
     [Diagram: as slide 50, with additional cloud-hosted functions: Stock Opt, HR, Cust Service, Advrtz]

  52. ISACA Member Responsibilities – Opportunities
     There needs to be rock-solid security, and annual (or when changes occur) audit-to-certification standards developed for Cloud Service Providers (CSPs).

  53. ISACA Member Responsibilities – Opportunities
     Summary –
     - Become a Weatherman – Learn the Clouds
     - Educate Key Organization Decision Makers
     - Internal risk assessment of Apps and Data
     - Insist on Seat in SDLC Group
     - Insist on open source or open standard cloud tools

  54. ISACA Member Responsibilities – Opportunities
     Summary –
     - Audit CSP’s Security and DR/BC Policies
     - Is CSP promoting best security practices?
     - Upgrade Current Internal IAM program
     - Insist on “SAS70” type audit from partners and outsource providers of their cloud enterprises

  55. What’s Still Needed
     - Commercial Cloud Applications Security Standards.
     - Training & Certification requirements for:
       - Individual Cloud Developers
       - Cloud Service Providers
       - Cloud Security Tool Providers

  56. What’s Still Needed
     - Best Practice Standards for Internal Audits of Enterprises Employing Cloud Applications.
     - Combination of the ENISA cloud risk assessment with the financial Shared Assessment program.
     - Implement an annual Know Your Client (KYC) type audit/certification for all clients and cloud services providers.

  57. Questions

  58. Thank you
     Peet Rapp – MBA, CISA
     603-731-0494
     Rapp Consulting