Cloud Security Issues 1.04.10

805 views

Published on

This is the presentation given to the ISACA NE breakfast meetings in downtown Boston 11.09, then metrowest 12.09

0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
805
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
0
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide
  • Extensible Markup Language – Service Oriented Architecture – The basic tools for web-based applications- XML is the basic language for specifying data or documents into web apps. -SOA describes the method of interconnecting various pre-designed applets or application building blocks into one contiguous programHypervisor - A software/hardware platform virtualization system that allows multiple operating systems to run on a host computer concurrently.Dynamic Partitioning - In a symmetric multiprocessing (SMP) system, the ability to reassign processors , memory and I/O to specific applications on the fly without shutting down the machine Application Programming Interface - is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems part of the Service Oriented Architecture
  • Hypervisor - A software/hardware platform virtualization system that allows multiple operating systems to run on a host computer concurrently.Dynamic Partitioning - In a symmetric multiprocessing (SMP) system, the ability to reassign processors , memory and I/O to specific applications on the fly without shutting down the machine Application Programming Interface - is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems part of the Service Oriented Architecture
  • Cloud Computing and Cloud Service Providers (CSPs) are recognized as logical extensions of the Internet Service Providers (ISPs) ISP1.0 – ISPs provided internet access to individuals and organizations via dial up or dedicated lines early 1990’sISP2.0 – ISPs provided email, and connectivity to early clients’ web sight servers, primarily promotional information early-mid 1990’sISP3.0 – Cohosting – multiple clients’ webservers connected to broadband access at one facility late-mid1990’sISP 4.0 – the birth of ASPs. Dedicated instances of applications on dedicated servers for each customer. 2000ISP 5.0 ASPs evolved into SaaSs, which are applications based on IaaSs, which are based on PaaSs
  • ASP applications are traditional, single-tenant applications, but are hosted by a third party. They are client/server applications with HTML front ends added to allow remote access to the application. They do not make use of SOA-applets. Their user interface may be crude, often slow and upgrades are often no better than what an end user could provide for themselves.SaaS applications are multitenant applications that are hosted by a vendor with expertise in the applications and that have been designed as Net-native applications, employing SOA’ applets and are updated on an ongoing basis.
  • Cloud Computing and Cloud Service Providers (CSPs) are recognized as logical extensions of the Internet Service Providers (ISPs) ISP1.0 – ISPs provided internet access to individuals and organizations via dial up or dedicated lines early 1990’sISP2.0 – ISPs provided email, and connectivity to early clients’ web sight servers, primarily promotional information early-mid 1990’sISP3.0 – Cohosting – multiple clients’ webservers connected to broadband access at one facility late-mid1990’sISP 4.0 – the birth of ASPs. Dedicated instances of applications on dedicated servers for each customer. 2000ISP 5.0 ASPs evolved into SaaSs, which are applications based on IaaSs, which are based on PaaSs
  • PaaS is a variation of SaaS whereby the development environment is offered as a service. The developers use the building blocks (e.g., predefined blocks of code) of the vendor’s development environment to create their own applications.In a platform-as-a-service (PaaS) model, the vendor offers a development environment to application developers, who develop applications and offer those services through the provider’s platform. The provider typically develops toolkits and standards for development, and channels for distribution and payment. The provider typically receives a payment for providing the platform and the sales and distribution services. This enables rapid propagation of software applications, given the low cost of entry and the leveraging of established channels for customer acquisition.The benefits of PaaS lie in greatly increasing the number of people who can develop, maintain, and deploy web applications. In short, PaaS offers to democratize the development of web applications, allowing many developers a chance to enter the SW apps market.
  • In a platform-as-a-service (PaaS) model, the vendor offers a development environment toapplication developers, who develop applications and offer those services through theprovider’s platform. The provider typically develops toolkits and standards for development,and channels for distribution and payment. The provider typically receives a payment forproviding the platform and the sales and distribution services. This enables rapid propagationof software applications, given the low cost of entry and the leveraging of established channelsfor customer acquisition.
  • A public cloud is hosted, operated, and managed by a third-party vendor from one or moredata centers. The service is offered to multiple customers (the cloud is offered to multipletenants) over a common infrastructurePrivate clouds differ from public clouds in that the network, computing, and storageinfrastructure associated with private clouds is dedicated to a single organization and is notshared with any other organizations (i.e., the cloud is dedicated to a single organizationaltenant). As such, a variety of private cloud patterns have emerged:
  • According to a May 2008 forecast by Merrill Lynch, the volume of the cloud computing marketopportunity will amount to $160 billion by 2011, including $95 billion in business andproductivity applications and $65 billion in online advertising.†According to a March 2009 forecast by Gartner, worldwide cloud services are on pace to surpass$56.3 billion in 2009, a 21.3% increase from 2008 revenues of $46.4 billion. The market isexpected to reach $150.1 billion in 2013.‡
  • In 2008-2009NASDQ and NYT made use of public cloud processing to digitize their entire printer history.Salesforce w/o question the most successful ASP, transitioned to SaaS to better optimize performance and cost savings.Signiant – takes informational data and configures it for delivery to various end-viewer outlets , ie TV, PCs, smart phones, PDA’s with the correct format, correct language dialogue, and targeted advertizing in near real time. They process data in huge bursts.ThinLaunch (partnered with CITRIX) directs users at signon to the determined web browser only – intranet based. Users are able only to view the desktop provided to them. MS Office, email, then applications assigned, and what ever websites assigned.Intuit is a internally hosted excel/access like application.Webroot is one of many web based email security providers
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
  • The cloud oppty is for us to undo the Rodney Dangerfield opinion enterprises typically afford us.The cloud offers ISACA members an unprecedented oppty to positively impact your employer organization. Typically most ISACA members I have met are not “A” type personas. Now you need to become one.We are and could be facing something similar to what our peers at Enron / Worldcom / Tyco were seeing in 2001. Initially the threat will not be from internal to the organization, but will be from a too rapid adoption of cloud technologies. However, if clouds become imbedded into your enterprise without adequate controls, then the internal threats are more likely than ever before. Which will likely then have external threats following.Now is the time to earn your organizational respect. From my research there are many currently-considered best practice IT controls just not in place with CSPs. This is the area and time where you can make a significant impact inot the success of cloud engagements.You can lead two goals – adequate security and audit-ability of the program as well as an avoidance in the use of proprietary tey technologies.chIAM – Research New Best of Breed IAM programs such as Symplified, Ping Identity, Conformity, and TriCipher. For large organizations, with much interdependencies in data /application access between disparate groups, evolve IAM towards the Federation model. Organizations need to implement robust fundamental technologies
  • The cloud oppty is for us to undo the Rodney Dangerfield opinion enterprises typically afford us.The cloud offers ISACA members an unprecedented oppty to positively impact your employer organization. Typically most ISACA members I have met are not “A” type personas. Now you need to become one.We are and could be facing something similar to what our peers at Enron / Worldcom / Tyco were seeing in 2001. Initially the threat will not be from internal to the organization, but will be from a too rapid adoption of cloud technologies. However, if clouds become imbedded into your enterprise without adequate controls, then the internal threats are more likely than ever before. Which will likely then have external threats following.Now is the time to earn your organizational respect. From my research there are many currently-considered best practice IT controls just not in place with CSPs. This is the area and time where you can make a significant impact inot the success of cloud engagements.You can lead two goals – adequate security and audit-ability of the program as well as an avoidance in the use of proprietary tey technologies.chIAM – Research New Best of Breed IAM programs such as Symplified, Ping Identity, Conformity, and TriCipher. For large organizations, with much interdependencies in data /application access between disparate groups, evolve IAM towards the Federation model. Organizations need to implement robust fundamental technologies
  • Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
  • There are many A types, who enjoy learning new business technologies especially if it is perceived to be an aid in their career goals. Let them take ownership of this issue. You can be the behind-the-scenes information source advisory. Work with them from the get-go.Feed them information at a level they will understand, perhaps in WSJ-speak. The Cloud Security Alliance is a great source at this level. Bring in an outside Cloud Security authority.You will likely move to the clouds – in time. But attempt to develop a uniformly agreed-upon list of requirements between the company champion/players for the CSP before jumping on. Look to possible leverage the cloud to improve the internal enterprise. Look to require best practice security controls which are now just evolving ieexternalization of authentication and authorization components from applications (loosely coupled) as this can aid in the rapid adoption of cloud-based services including cloud identity services, policy-based authentication, centralized logging, and auditing (e.g., OpenSSO from Sun Microsystems and Microsoft’s Geneva claimsbased authentication framework can help externalize authentication).
  • REVERT to BEST PRACTICE IT Audit PracticesThe first order of business is an internal audit of all the data and applications being considered for Cloud Computing. What data, with what internal security levels are being considered for the Cloud?What are the compliance implications?Who are the data owners?Will these data owners accept these new risks? All this needs to be documented
  • Try to find the CSP who will meet your company’s established Enterprise Security level. Do not lower your established security standards.Ask to review the CSPs written internal security policies. Are they current? Are they updated & reviewed annually. They should be tighter than yours. And once gaining a comprehension of the CSP’s agreed-to responsibilities, you will then come to understand the scope of IT system management and monitoring responsibilities that fall on you the customer’s shoulders, including access, change, configuration, patch, and vulnerability management.
  • Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
  • Organizations need to implement robust fundamental technologies in the IAM space - Thru use of SAML, SPML and XACML, achieve Federated user access priviledges across multiple web based and internally hosted applications with SSOs.Most cloud services support at least dual roles (privileges): administrator and end user. It is a normal practice among CSPs to provision the administrator role with administrative privileges. These privileges allow administrators to provision and deprovision identities, basic attributeprofiles, and, in some cases, to set access control policies such as password strength and trusted networks from which connections are accepted.IAM (user access management) is a key control group for many compliance requirements (SOX, HIPIAA, PII etc). For both the customer and CSP, IAM integration considerations at the early stage of service design will help avoid costly retrofitsEnterprise IAM requirements include:• Provisioning of cloud service accounts to users, including administrators.• Provisioning of cloud services for service-to-service integration (e.g., private [internal]cloud integration with a public cloud).• SSO support for users based on federation standards (e.g., SAML supportSupport for internal- and regulatory-policy compliance requirements, includingsegregation of duties using RBAC, rules, or claims-based authentication methodology.RBAC features promote a least-privilege-based access model where a user is granted theright number of privileges required to perform the job. Claims-based methodology enablessome important privacy use cases because it allows for only the user’s entitlements, nother actual identity, to flow with messages, which allows for fine-grained authorizationwithout the requirement to actually embed the user’s identity into messages.• User activity monitoring, logging, and reporting dictated by internal policies andregulatory compliance, such as SOX, PCI, and HIPAA.You should strive for CSP to provide XACML-compliant entitlement management even if thishas not been implemented internally. In your own enterprise. XACML programs will be readily adopted.CSPs should communicate the account management policies including account lock-outs(after many login failures), account provisioning methods, and privilege accountmanagement roles.Enterprises need to have a strategy for employing risk-based IAM methodsincluding strong authentication, automated provisioning, deprovisioning, auditing, andmonitoring to address risks specific to a CSP.If IAM controls can only be provided by the CSP and they are determined to be inadequate for your determined risk and compliance requirements, then your applications and data containing this critical information has no business in the clouds.
  • Organizations need to implement robust fundamental technologies - Thru use of SAML, SPML and XACML, achieve Federated user access priviledges across multiple web based and internally hosted applications with SSOs.Most cloud services support at least dual roles (privileges): administrator and end user. It is a normal practice among CSPs to provision the administrator role with administrative privileges. These privileges allow administrators to provision and deprovision identities, basic attributeprofiles, and, in some cases, to set access control policies such as password strength and trusted networks from which connections are accepted.IAM (user access management) is a key control group for many compliance requirements (SOX, HIPIAA, PII etc). For both the customer and CSP, IAM integration considerations at the early stage of service design will help avoid costly retrofitsEnterprise IAM requirements include:• Provisioning of cloud service accounts to users, including administrators.• Provisioning of cloud services for service-to-service integration (e.g., private [internal]cloud integration with a public cloud).• SSO support for users based on federation standards (e.g., SAML supportSupport for internal- and regulatory-policy compliance requirements, includingsegregation of duties using RBAC, rules, or claims-based authentication methodology.RBAC features promote a least-privilege-based access model where a user is granted theright number of privileges required to perform the job. Claims-based methodology enablessome important privacy use cases because it allows for only the user’s entitlements, nother actual identity, to flow with messages, which allows for fine-grained authorizationwithout the requirement to actually embed the user’s identity into messages.• User activity monitoring, logging, and reporting dictated by internal policies andregulatory compliance, such as SOX, PCI, and HIPAA.You should strive for CSP to provide XACML-compliant entitlement management even if thishas not been implemented internally. In your own enterprise. XACML programs will be readily adopted.CSPs should communicate the account management policies including account lock-outs(after many login failures), account provisioning methods, and privilege accountmanagement roles.Enterprises need to have a strategy for employing risk-based IAM methodsincluding strong authentication, automated provisioning, deprovisioning, auditing, andmonitoring to address risks specific to a CSP.If IAM controls can only be provided by the CSP and they are determined to be inadequate for your determined risk and compliance requirements, then your applications and data containing this critical information has no business in the clouds.
  • Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
  • Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
  • Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
  • Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
  • Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
  • Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
  • Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
  • Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
  • Cloud Security Issues 1.04.10

    1. 1. Cloud Security and Audit Issues<br />1<br />Rapp Consulting peet.rapp@yahoo.com<br />
    2. 2. Agenda <br />Cloud Computing 101<br />Reality Check<br />Security Issues<br />ISACA Member Responsibilities<br />What’s Missing<br />2<br />Rapp Consulting peet.rapp@yahoo.com<br />
    3. 3. Cloud Computing 101 <br />Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. <br />- NIST Definition of Cloud Computing<br />3<br />Rapp Consulting peet.rapp@yahoo.com<br />
    4. 4. Cloud Computing 101 History - Definitions<br />Distributed<br />Centralized<br />De-Centralized<br />Re-Centralized<br />Applications<br />System <br />Platform<br />Hardware<br />1970<br />2010<br />Per Novell Cloud Presentation 09/09<br />4<br />Rapp Consulting peet.rapp@yahoo.com<br />
    5. 5. Cloud Computing 101 History - Definitions<br />5<br />Rapp Consulting peet.rapp@yahoo.com<br />
    6. 6. Basic Concepts – Cloud Enabling Technologies / Functions<br />SOA - XML – API<br />Hypervisor<br />Dynamic Partitioning <br />API - Application Programming Interface<br />Server Optimization<br />OS / Application / Data Server Migration<br />Client CPU/Memory Utilization Monitoring <br />6<br />Rapp Consulting peet.rapp@yahoo.com<br />
    7. 7. Basic Concepts – Enabling Technologies <br />Dynamic Partitioning – the variable allocation of cpu processing and memory to multiple OS’s, applications, and data within one server<br />Rapp Consulting peet.rapp@yahoo.com<br />
    8. 8. Basic Concepts – Cloud Enabling Technologies / Functions<br />SOA – XML -API<br />Hypervisor<br />Dynamic Partitioning <br />Load Balancing / Server Optimization<br />OS / Application / Data Server Migration<br />Client CPU/Memory Utilization Monitoring <br />8<br />Rapp Consulting peet.rapp@yahoo.com<br />
    9. 9. Cloud Computing 101 History - Definitions<br />9<br />Rapp Consulting peet.rapp@yahoo.com<br />
    10. 10. Cloud Computing 101ASPs vs SaaS<br />ASPs are traditional, single-tenant applications, hosted by a third party.<br />SaaS applications are multi-tenant, user facing, web-based applications hosted by a vendor <br />10<br />Rapp Consulting peet.rapp@yahoo.com<br />
    11. 11. Cloud Computing 101 History - Definitions<br />11<br />Rapp Consulting peet.rapp@yahoo.com<br />
    12. 12. Cloud Computing 101PaaS<br />A Development Environment (Platform) as a Service. <br />Developer Tool Kits provided. “Pay as you develop/test” business model<br />Rapid Propagation of Software Applications – Low Cost of Entry <br />12<br />Rapp Consulting peet.rapp@yahoo.com<br />
    13. 13. Cloud Computing 101IaaS<br />The “Bare Metal” Infrastructure as a Service <br /><ul><li>Clients provide all OS, security and</li></ul>application software<br /><ul><li>Used for quick-implementation, as-needed data processing / data storage</li></ul>13<br />Rapp Consulting peet.rapp@yahoo.com<br />
    14. 14. Cloud Computing 101 - Service Delivery Models<br />SaaS<br />Software as a Service<br />PaaS<br />Platform as a Service<br />IaaS<br />Infrastructure as a Service<br />14<br />Rapp Consulting peet.rapp@yahoo.com<br />
    15. 15. Cloud Deployment Models<br />Public cloud<br />Sold to the public, mega-scale infrastructures<br />Private cloud <br />Enterprise-owned or leased to a Single Client<br />Community cloud<br />Shared infrastructure for a Specific Community<br />Hybrid cloud<br />Composition of two or more Cloud Models<br />15<br />Rapp Consulting peet.rapp@yahoo.com<br />
    16. 16. Cloud Computing 101 <br />16<br />Rapp Consulting peet.rapp@yahoo.com<br />
    17. 17. Cloud Computing 101 <br />17<br />Rapp Consulting peet.rapp@yahoo.com<br />
    18. 18. Reality Check<br />The Cloud Is and Will Happen<br />Current Major Players – IaaS, PaaS<br />Amazon Web Services, ATT, IBM Rackspace, Terramark, Savvis<br />Current Major Players - SaaS<br />FaceBook, Salesforce.com, Google (Gmail), Netsuite<br />18<br />Rapp Consulting peet.rapp@yahoo.com<br />
    19. 19. Reality Check<br />19<br />Rapp Consulting peet.rapp@yahoo.com<br />
    20. 20. Reality Check<br />20<br />Rapp Consulting peet.rapp@yahoo.com<br />
    21. 21. Reality Check Spending Forecasts<br />21<br />Rapp Consulting peet.rapp@yahoo.com<br />
    22. 22. Claimed Cloud Computing Business Advantages<br />Optimizes Server Utilization<br />Cost Savings<br />Dynamic Scalability<br />Time Savings for New Programs<br />Right-sizes your enterprise<br />Outsources IT<br />Transitions CAPEX to OPEX<br />22<br />Rapp Consulting peet.rapp@yahoo.com<br />
    23. 23. Excellent Cloud Examples<br />NASDAQ / NYT<br />SalesForce.com<br />Signiant<br />ThinLaunch Software <br />Intuit QuickBase<br />Webroot<br />23<br />Rapp Consulting peet.rapp@yahoo.com<br />
    24. 24. A Disruptive Technology<br />The Cloud Reshuffles the IT deck<br />Shrink Wrapped Application s and Enterprise-Sized will migrate to Online Apps, Possibly Open-Sourced <br />OS will tend towards web-partial systems<br />Desktops and Notebooks Lose Hard Drives<br />Businesses’ IT Staffing Requirements Will Drop <br />24<br />Rapp Consulting peet.rapp@yahoo.com<br />
    25. 25. Claimed Cloud Computing Business Advantages<br />25<br />Rapp Consulting peet.rapp@yahoo.com<br />
    26. 26. Current Press Status<br />The Majority of Press Coverage supports Service Providers attempting to gain mindshare.<br />Most IT Analysis is very positive about (hyping) the merits of the cloud.<br />Very little is written of Cloud Security or its Audit- ability <br />26<br />Rapp Consulting peet.rapp@yahoo.com<br />
    27. 27. The Gartner Hype Curve<br />27<br />Rapp Consulting peet.rapp@yahoo.com<br />
    28. 28. The Gartner Hype Curve<br />28<br />Rapp Consulting peet.rapp@yahoo.com<br />
    29. 29. Company/Product Life Cycle: Key to Understanding Opportunities<br />Phase II<br />Rapid Market Growth Through Internal Expansion and Acquisition<br />Phase IV<br />Sustained Niche or<br />“Last One Standing”<br />Phase III<br />Maturation &<br />Consolidation<br />Phase I<br />Business Start-up <br />& Product Rollout<br />B<br />Output<br />A<br />C<br />D<br />Time<br />Start-up Capital &gt; Labor/Facilities/Capital &gt; Minimize Cost &gt; Sustained Market<br />Critical Decisions Made in Phase III<br />A: Attempt to go back to Phase II (new market expansion/product improvements)<br />B: Consolidate with competition to grow share in a shrinking market<br />C: Go/stay private with niche operation and proceed to Phase IV<br />D: Continue to enhance productivity to sustain margins (production improvements/cost takeouts)<br />Moran, Stahl & Boyer<br />29<br />Rapp Consulting peet.rapp@yahoo.com<br />
    30. 30. Current Press Status<br />The Majority of Press Coverage supports Service Providers attempting to gain mindshare.<br />Most IT Analysis is very positive about (hyping) the merits of the cloud.<br />Very little is written of Cloud Security or its Audit- ability <br />30<br />Rapp Consulting peet.rapp@yahoo.com<br />
    31. 31. Reality Check<br />Greatest concerns surrounding cloud adoption at your company (per CIO)<br />Security 45%<br />31<br />Rapp Consulting peet.rapp@yahoo.com<br />
    32. 32. Security Issues <br />“Cyber Crime in 2008 measured more to be a larger<br /> societal loss than illegal drugs.<br />“The main objective of most attackers is to make<br />money. The underground prices for stolen bank login<br /> accounts range from $10–$1000 (depending on the<br />available amount of funds), $0.40–$20 for credit card<br />numbers, $1–$8 for online auction site accounts and <br />$4–$30 for email passwords.” <br />Symantec Global Internet Security Threat Report – April 2009<br />32<br />Rapp Consulting peet.rapp@yahoo.com<br />
    33. 33. Security Issues <br />“Cybersecurity risks pose some of the most <br />serious economic and national security challenges<br />of the 21st Century. The digital infrastructure’s<br />architecture was driven more by considerations of<br />interoperability and efficiency than of security.”<br />White House Cyberspace Security Review May 2009<br />33<br />Rapp Consulting peet.rapp@yahoo.com<br />
    34. 34. Security Issues <br />34<br />Rapp Consulting peet.rapp@yahoo.com<br />
    35. 35. Reality Check<br />Greatest concerns surrounding cloud adoption at your company (per CIO)<br />Security 45%<br />Integration with existing systems 26%<br />Loss of control over data 26%<br />Availability concerns 25%<br />Performance issues 24%<br />IT governance issues 19%<br />Regulatory/compliance concerns 19%<br />35<br />Rapp Consulting peet.rapp@yahoo.com<br />
    36. 36. Cloud Security & Control Groups <br />ENISA<br />Cloud Security <br />Alliance – CSA<br />ISACA<br />DMTF<br />NIST<br />Jericho Forum<br />Apps.gov<br />OWASP<br />Rapp Consulting peet.rapp@yahoo.com<br />36<br />
    37. 37. Cloud Security Alliance Members<br />Rapp Consulting peet.rapp@yahoo.com<br />37<br />
    38. 38. Cloud Security Alliance Members<br />Rapp Consulting peet.rapp@yahoo.com<br />38<br />
    39. 39. Cloud Security Alliance<br />39<br />Rapp Consulting peet.rapp@yahoo.com<br />
    40. 40. ISACA<br />40<br />Rapp Consulting peet.rapp@yahoo.com<br />
    41. 41. ENISA<br />41<br />Rapp Consulting peet.rapp@yahoo.com<br />
    42. 42. DMTF<br />42<br />Rapp Consulting peet.rapp@yahoo.com<br />
    43. 43. DMTF<br />43<br />Rapp Consulting peet.rapp@yahoo.com<br />
    44. 44. Security Issues <br />Data Location<br />SaaS Clients’ data co-mingled<br />Forensics Possible?<br />Penetration Detection & Multi-Client UA<br />Public Cloud-Server Owner – Due Diligence?<br />Data Erasure?<br />44<br />Rapp Consulting peet.rapp@yahoo.com<br />
    45. 45. Current Regulations<br />PCI Compliance<br />States’ PII requirements<br />Sarbanes Oxley<br />HIPAA<br />45<br />Rapp Consulting peet.rapp@yahoo.com<br />
    46. 46. Current Regulations & Standards<br />46<br />Rapp Consulting peet.rapp@yahoo.com<br />
    47. 47. ISACA Member Responsibilities – Opportunities<br />Greatest concerns surrounding cloud adoption at your company (per CIO)<br />Security 45%<br />Integration with existing systems 26%<br />Loss of control over data 26%<br />Availability concerns 25%<br />Performance issues 24%<br />IT governance issues 19%<br />Regulatory/compliance concerns 19%<br />47<br />Rapp Consulting peet.rapp@yahoo.com<br />
    48. 48. ISACA Member Responsibilities – Opportunities<br />48<br />Rapp Consulting peet.rapp@yahoo.com<br />
    49. 49. ISACA Member Responsibilities – Opportunities<br />Ensure Organization’s Key Players Aware of Cloud Security Issues<br />Audit Data / Applications targeted for Cloud Computing<br />Input / Review Cloud Provider’s SLA Agreement<br />Strengthen internal IAM Program<br />Rapp Consulting<br />49<br />Rapp Consulting peet.rapp@yahoo.com<br />
    50. 50. ISACA Member Responsibilities – Opportunities<br />Ensure Organization’s Key Players Aware of Cloud Security Issue<br />Target respected type “A”champions<br />Business Application Owners<br />Corporate Attorneys<br />CxOs<br />HR<br />50<br />Rapp Consulting peet.rapp@yahoo.com<br />
    51. 51. ISACA Member Responsibilities – Opportunities<br />Audit Data/Applications targeted for Cloud Computing<br />Data Mapping<br />What is the application data’s internal security level? <br />Who are the Data Owners?<br />What Type of Cloud (public, private, etc) is targeted? <br />51<br />Rapp Consulting peet.rapp@yahoo.com<br />
    52. 52. ISACA Member Responsibilities – Opportunities<br />Input / Review Cloud Provider’s SLA<br />Open Sourced API’s, etc<br />XACML-based IAM program<br />Security Transparency <br />Ownership of Data<br />Audit at Will<br />DR/BC policy and practice<br />Return of application and data policy<br />52<br />Rapp Consulting peet.rapp@yahoo.com<br />
    53. 53. ISACA Member Responsibilities – Opportunities<br />Ensure Organization’s Key Players Aware of Cloud Security Issues<br />Audit Data / Applications targeted for Cloud Computing<br />Input / Review Cloud Provider’s SLA Agreement<br />Strengthen internal IAM Program<br />53<br />Rapp Consulting peet.rapp@yahoo.com<br />
    54. 54. ISACA Member Responsibilities – Opportunities<br />Strengthen IAM Program<br />54<br />Rapp Consulting peet.rapp@yahoo.com<br />
    55. 55. ISACA Member Responsibilities – Opportunities<br />Strengthen Identity – Access Management Program<br />XACML Based IAM program<br />Federated User Access – integrated across both cloud and internal enterprise<br />Aligned with compliance requirements<br />SSO – (Single Sign On) <br />IAM Security Monitoring – Reporting<br />Oppty to implement risk-based provisioning<br />Rapp Consulting<br />Rapp Consulting peet.rapp@yahoo.com<br />
    56. 56. ISACA Member Responsibilities – Opportunities<br />KEY TAKE-AWAY #1<br />Cloud Computing should provide organizations sufficient- enough costs-savings to afford investments in required best – practice IS security measures.<br />56<br />Rapp Consulting peet.rapp@yahoo.com<br />
    57. 57. ISACA Member Responsibilities – Opportunities<br />KEY TAKE-AWAY #2<br />Employ the same best-practice audit and risk management principles for cloud computing as you have been trained for and have used (or should be using) your entire career. <br />57<br />Rapp Consulting peet.rapp@yahoo.com<br />
    58. 58. ISACA Member Responsibilities – Opportunities<br />Key Take Away #3<br />Develop an Overarching Business Impact<br />Analysis Moving an Application / Data to the cloud<br />58<br />Rapp Consulting peet.rapp@yahoo.com<br />
    59. 59. ISACA Member Responsibilities – Opportunities<br />Cloud computing can be evaluated much in the same way as a new operating system. And yet, it&apos;s somethng more as well. It has the usual system services but also some fantastic ones -- unlimited memory, unlimited storage, unlimited network bandwidth, unlimited (and on-demand) scalability and parallelism<br />http://www.ddj.com/web-development/220300736?pgno=4<br />59<br />Rapp Consulting peet.rapp@yahoo.com<br />
    60. 60. Claimed Cloud Computing Business Advantages<br />60<br />Rapp Consulting peet.rapp@yahoo.com<br />
    61. 61. ISACA Member Responsibilities – Opportunities<br />This fundamental difference between probabilistic risk<br />and risk introduced by an intelligent adversary (or<br /> adaptive threats) leads to the conclusion that more <br />understanding of the cyber security issues and impacts<br />that are possible on the electric grid is needed. Indeed,<br />there really is no statistical norm for the behavior of <br />cyber attackers and information systems and <br />components failure, and their potential impacts to grid <br />reliability. <br />NERC - 2009 Long-Term Reliability Assessment<br />61<br />Rapp Consulting peet.rapp@yahoo.com<br />
    62. 62. ISACA Member Responsibilities – Opportunities<br />What are the pure goals of auditing?<br />62<br />Rapp Consulting peet.rapp@yahoo.com<br />
    63. 63. ISACA Member Responsibilities – Opportunities<br />What are the pure goals of auditing?<br />Transparency and Accountability<br />63<br />Rapp Consulting peet.rapp@yahoo.com<br />
    64. 64. ISACA Member Responsibilities – Opportunities<br />CRM Cloud App<br />Suppliers<br />Internal Enterprise<br />ERP Cloud App<br />Distribution<br />Resellers<br />64<br />Rapp Consulting peet.rapp@yahoo.com<br />
    65. 65. ISACA Member Responsibilities – Opportunities<br />Stock Opt<br />CRM Cloud App<br />HR<br />Suppliers<br />Internal Enterprise<br />ERP Cloud App<br />Cust Service<br />Distribution<br />Resellers<br />Advrtz<br />65<br />Rapp Consulting peet.rapp@yahoo.com<br />
    66. 66. ISACA Member Responsibilities – Opportunities<br />66<br />Rapp Consulting peet.rapp@yahoo.com<br />
    67. 67. ISACA Member Responsibilities – Opportunities<br />There needs to be rock-solid security, and annual (or when changes occure) audit-to-certification standards developed for Cloud Service Providers (CSPs)<br />67<br />Rapp Consulting peet.rapp@yahoo.com<br />
    68. 68. What’s Needed<br />The current US military “jeep” <br />68<br />Rapp Consulting peet.rapp@yahoo.com<br />
    69. 69. What’s Needed<br />The HUMVEE’s Replacement:<br />The M-ATV<br />69<br />Rapp Consulting peet.rapp@yahoo.com<br />
    70. 70. ISACA Member Responsibilities – Opportunities<br />Summary –<br /><ul><li>Audit CSP’s Security and DR/BC Policies
    71. 71. Is CSP promoting best security practices?
    72. 72. Upgrade Current Internal IAM program
    73. 73. Insist on “SAS70” type audit from partners and outsource providers of their cloud enterprises</li></ul>70<br />Rapp Consulting peet.rapp@yahoo.com<br />
    74. 74. What’s Still Needed<br />Commercial Cloud Applications Security Standards.<br />Training & Certification requirements for <br />Individual Cloud Developers <br />Cloud Service Providers<br />Cloud Security Tool Providers<br />71<br />Rapp Consulting peet.rapp@yahoo.com<br />
    75. 75. What’s Still Needed<br />Best Practice Standards for Internal Audits of Enterprises Employing Cloud Applications.<br />Combination of the ENISA cloud risk assessment with the financial Shared Assessment program<br />Implement an annual Know Your Client (KYC) type audit/certification for all clients and cloud services providers.<br />72<br />Rapp Consulting peet.rapp@yahoo.com<br />
    76. 76. Last Thought <br />73<br />Rapp Consulting peet.rapp@yahoo.com<br />Cloud Computing is about gracefully losing control, while maintaining accountability, even if the operational responsibility falls upon one or more third parties<br />CSA Guide V2.0<br />
    77. 77. questions<br />74<br />Rapp Consulting peet.rapp@yahoo.com<br />
    78. 78. Thank you <br />Peet Rapp – MBA, CISA<br />peet.rapp@yahoo.com<br />603-731-0494<br />75<br />Rapp Consulting peet.rapp@yahoo.com<br />

    ×