Cloud Security Issues 1.04.10

This is the presentation given to the ISACA NE breakfast meetings in downtown Boston 11.09, then MetroWest 12.09.

  1. Cloud Security and Audit Issues
     Rapp Consulting peet.rapp@yahoo.com
  2. Agenda
     Cloud Computing 101
     Reality Check
     Security Issues
     ISACA Member Responsibilities
     What's Missing
  3. Cloud Computing 101
     "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
     - NIST Definition of Cloud Computing
  4. Cloud Computing 101 History - Definitions
     [Timeline chart, 1970 to 2010: Distributed, Centralized, De-Centralized, Re-Centralized, across the Hardware, Platform, System and Applications layers]
     Per Novell Cloud Presentation 09/09
  5. Cloud Computing 101 History - Definitions
  6. Basic Concepts – Cloud Enabling Technologies / Functions
     SOA - XML - API
     Hypervisor
     Dynamic Partitioning
     API - Application Programming Interface
     Server Optimization
     OS / Application / Data Server Migration
     Client CPU/Memory Utilization Monitoring
  7. Basic Concepts – Enabling Technologies
     Dynamic Partitioning – the variable allocation of CPU processing and memory to multiple OSs, applications, and data within one server
  8. Basic Concepts – Cloud Enabling Technologies / Functions
     SOA - XML - API
     Hypervisor
     Dynamic Partitioning
     Load Balancing / Server Optimization
     OS / Application / Data Server Migration
     Client CPU/Memory Utilization Monitoring
  9. Cloud Computing 101 History - Definitions
  10. Cloud Computing 101 - ASPs vs SaaS
     ASPs are traditional, single-tenant applications, hosted by a third party.
     SaaS applications are multi-tenant, user-facing, web-based applications hosted by a vendor.
  11. Cloud Computing 101 History - Definitions
  12. Cloud Computing 101 - PaaS
     A Development Environment (Platform) as a Service.
     Developer tool kits provided. "Pay as you develop/test" business model.
     Rapid propagation of software applications – low cost of entry.
  13. Cloud Computing 101 - IaaS
     The "Bare Metal" Infrastructure as a Service
     • Clients provide all OS, security and application software
     • Used for quick-implementation, as-needed data processing / data storage
  14. Cloud Computing 101 - Service Delivery Models
     SaaS - Software as a Service
     PaaS - Platform as a Service
     IaaS - Infrastructure as a Service
  15. Cloud Deployment Models
     Public cloud - sold to the public, mega-scale infrastructures
     Private cloud - enterprise-owned or leased to a single client
     Community cloud - shared infrastructure for a specific community
     Hybrid cloud - composition of two or more cloud models
  16. Cloud Computing 101
  17. Cloud Computing 101
  18. Reality Check
     The Cloud Is and Will Happen
     Current Major Players – IaaS, PaaS: Amazon Web Services, AT&T, IBM, Rackspace, Terremark, Savvis
     Current Major Players – SaaS: Facebook, Salesforce.com, Google (Gmail), NetSuite
  19. Reality Check
  20. Reality Check
  21. Reality Check - Spending Forecasts
  22. Claimed Cloud Computing Business Advantages
     Optimizes Server Utilization
     Cost Savings
     Dynamic Scalability
     Time Savings for New Programs
     Right-sizes your enterprise
     Outsources IT
     Transitions CAPEX to OPEX
  23. Excellent Cloud Examples
     NASDAQ / NYT
     SalesForce.com
     Signiant
     ThinLaunch Software
     Intuit QuickBase
     Webroot
  24. A Disruptive Technology
     The Cloud reshuffles the IT deck
     Shrink-wrapped and enterprise-sized applications will migrate to online apps, possibly open-sourced
     OSs will tend towards web-partial systems
     Desktops and notebooks lose hard drives
     Businesses' IT staffing requirements will drop
  25. Claimed Cloud Computing Business Advantages
  26. Current Press Status
     The majority of press coverage supports service providers attempting to gain mindshare.
     Most IT analysis is very positive about (hyping) the merits of the cloud.
     Very little is written of cloud security or its auditability.
  27. The Gartner Hype Curve
  28. The Gartner Hype Curve
  29. Company/Product Life Cycle: Key to Understanding Opportunities
     [Chart: Output vs Time, with decision points A, B, C and D marked in Phase III]
     Phase I - Business Start-up & Product Rollout
     Phase II - Rapid Market Growth Through Internal Expansion and Acquisition
     Phase III - Maturation & Consolidation
     Phase IV - Sustained Niche or "Last One Standing"
     Start-up Capital > Labor/Facilities/Capital > Minimize Cost > Sustained Market
     Critical Decisions Made in Phase III
     A: Attempt to go back to Phase II (new market expansion/product improvements)
     B: Consolidate with competition to grow share in a shrinking market
     C: Go/stay private with niche operation and proceed to Phase IV
     D: Continue to enhance productivity to sustain margins (production improvements/cost takeouts)
     Source: Moran, Stahl & Boyer
  30. Current Press Status
     The majority of press coverage supports service providers attempting to gain mindshare.
     Most IT analysis is very positive about (hyping) the merits of the cloud.
     Very little is written of cloud security or its auditability.
  31. Reality Check
     Greatest concerns surrounding cloud adoption at your company (per CIO)
     Security 45%
  32. Security Issues
     "Cyber crime in 2008 measured more to be a larger societal loss than illegal drugs."
     "The main objective of most attackers is to make money. The underground prices for stolen bank login accounts range from $10–$1000 (depending on the available amount of funds), $0.40–$20 for credit card numbers, $1–$8 for online auction site accounts and $4–$30 for email passwords."
     - Symantec Global Internet Security Threat Report – April 2009
  33. Security Issues
     "Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century. The digital infrastructure's architecture was driven more by considerations of interoperability and efficiency than of security."
     - White House Cyberspace Security Review, May 2009
  34. Security Issues
  35. Reality Check
     Greatest concerns surrounding cloud adoption at your company (per CIO)
     Security 45%
     Integration with existing systems 26%
     Loss of control over data 26%
     Availability concerns 25%
     Performance issues 24%
     IT governance issues 19%
     Regulatory/compliance concerns 19%
  36. Cloud Security & Control Groups
     ENISA
     Cloud Security Alliance – CSA
     ISACA
     DMTF
     NIST
     Jericho Forum
     Apps.gov
     OWASP
  37. Cloud Security Alliance Members
  38. Cloud Security Alliance Members
  39. Cloud Security Alliance
  40. ISACA
  41. ENISA
  42. DMTF
  43. DMTF
  44. Security Issues
     Data Location
     SaaS clients' data co-mingled
     Forensics possible?
     Penetration Detection & Multi-Client UA
     Public Cloud-Server Owner – Due Diligence?
     Data Erasure?
  45. Current Regulations
     PCI Compliance
     States' PII requirements
     Sarbanes-Oxley
     HIPAA
  46. Current Regulations & Standards
  47. ISACA Member Responsibilities – Opportunities
     Greatest concerns surrounding cloud adoption at your company (per CIO)
     Security 45%
     Integration with existing systems 26%
     Loss of control over data 26%
     Availability concerns 25%
     Performance issues 24%
     IT governance issues 19%
     Regulatory/compliance concerns 19%
  48. ISACA Member Responsibilities – Opportunities
  49. ISACA Member Responsibilities – Opportunities
     Ensure Organization's Key Players Aware of Cloud Security Issues
     Audit Data / Applications targeted for Cloud Computing
     Input / Review Cloud Provider's SLA Agreement
     Strengthen internal IAM Program
  50. ISACA Member Responsibilities – Opportunities
     Ensure Organization's Key Players Aware of Cloud Security Issues
     Target respected type "A" champions:
     Business Application Owners
     Corporate Attorneys
     CxOs
     HR
  51. ISACA Member Responsibilities – Opportunities
     Audit Data/Applications targeted for Cloud Computing
     Data Mapping
     What is the application data's internal security level?
     Who are the Data Owners?
     What type of cloud (public, private, etc.) is targeted?
  52. ISACA Member Responsibilities – Opportunities
     Input / Review Cloud Provider's SLA
     Open-sourced APIs, etc.
     XACML-based IAM program
     Security Transparency
     Ownership of Data
     Audit at Will
     DR/BC policy and practice
     Return of application and data policy
  53. ISACA Member Responsibilities – Opportunities
     Ensure Organization's Key Players Aware of Cloud Security Issues
     Audit Data / Applications targeted for Cloud Computing
     Input / Review Cloud Provider's SLA Agreement
     Strengthen internal IAM Program
  54. ISACA Member Responsibilities – Opportunities
     Strengthen IAM Program
  55. ISACA Member Responsibilities – Opportunities
     Strengthen Identity – Access Management Program
     XACML-based IAM program
     Federated User Access – integrated across both cloud and internal enterprise
     Aligned with compliance requirements
     SSO (Single Sign-On)
     IAM Security Monitoring – Reporting
     Opportunity to implement risk-based provisioning
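The IAM items on slide 55 (an XACML-based policy, access decisions spanning cloud-hosted and internal resources, monitoring/reporting, and risk-based provisioning) can be made concrete with a small attribute-based policy decision point. The code below is an added example written for this page; it is not code from the presentation or from any IAM product. The rule names, attribute names, risk weights, threshold and sample request are all assumptions chosen for illustration.

```python
"""Added example (not from the presentation): a minimal XACML-style,
attribute-based access-control (ABAC) policy decision point with a
risk-based provisioning step. Every rule, attribute name, risk weight,
threshold and sample value below is a constructed assumption."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Request:
    """An access request carrying XACML's four attribute categories."""
    subject: Dict[str, object]
    resource: Dict[str, object]
    action: str
    environment: Dict[str, object]


@dataclass
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    target: Callable[[Request], bool]    # applicability predicate


@dataclass
class Decision:
    decision: str                        # Permit / Deny / NotApplicable
    matched: List[str] = field(default_factory=list)
    obligations: List[str] = field(default_factory=list)
    risk: int = 0


RISK_THRESHOLD = 4   # assumed: a Permit at or above this score carries obligations


def risk_score(req: Request) -> int:
    """Constructed risk score built from subject, resource and environment attributes."""
    score = 0
    if req.environment.get("network") == "external":
        score += 2          # request originates outside the enterprise network
    if not req.subject.get("mfa", False):
        score += 3          # session has no multi-factor authentication
    if req.resource.get("classification") == "confidential":
        score += 2          # data classified confidential by its owner
    if req.resource.get("location") == "public_cloud":
        score += 1          # data hosted with a third-party cloud provider
    return score


# Constructed policy set; a real deployment would load XACML policies instead.
POLICY: List[Rule] = [
    Rule("deny-terminated-subject", "Deny",
         lambda r: r.subject.get("status") == "terminated"),
    Rule("deny-confidential-without-mfa", "Deny",
         lambda r: r.resource.get("classification") == "confidential"
         and not r.subject.get("mfa", False)),
    Rule("permit-role-in-allowed-roles", "Permit",
         lambda r: r.subject.get("role") in r.resource.get("allowed_roles", ())
         and r.action in ("read", "write")),
]


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Decision:
    """Deny-overrides rule combining, then a risk-based provisioning step."""
    matched_permit: List[str] = []
    matched_deny: List[str] = []
    for rule in policy:
        if rule.target(req):
            (matched_deny if rule.effect == "Deny" else matched_permit).append(rule.name)
    risk = risk_score(req)
    if matched_deny:
        return Decision("Deny", matched_deny, risk=risk)
    if not matched_permit:
        return Decision("NotApplicable", [], risk=risk)
    obligations: List[str] = []
    if risk >= RISK_THRESHOLD:
        # Risk-based provisioning: grant access, but time-box the entitlement
        # and flag the session for the IAM monitoring/reporting feed.
        obligations += ["time-limited-provisioning", "report-to-iam-monitoring"]
    return Decision("Permit", matched_permit, obligations, risk)


def audit_record(req: Request, dec: Decision) -> Dict[str, object]:
    """Structured log entry supporting the transparency and accountability goals."""
    return {
        "subject": req.subject.get("id"), "action": req.action,
        "resource": req.resource.get("id"), "decision": dec.decision,
        "rules": dec.matched, "risk": dec.risk, "obligations": dec.obligations,
    }


# Constructed sample resource: CRM account data hosted in a public cloud.
SAMPLE_RESOURCE = {"id": "crm-accounts", "classification": "confidential",
                   "location": "public_cloud", "allowed_roles": ("sales", "sales-ops")}

if __name__ == "__main__":
    req = Request({"id": "alice", "role": "sales", "mfa": True, "status": "active"},
                  SAMPLE_RESOURCE, "read", {"network": "external"})
    print(audit_record(req, evaluate(req)))
```

The deny-overrides combining algorithm mirrors XACML's: any applicable Deny rule wins, a Permit is returned only when no Deny applies, and a request matching nothing yields NotApplicable so the enforcement point can fail closed. The risk step turns "risk-based provisioning" into an obligation on a Permit rather than a separate decision, and every decision produces a record an auditor can review.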
  56. ISACA Member Responsibilities – Opportunities
     KEY TAKE-AWAY #1
     Cloud computing should provide organizations sufficient cost savings to afford investments in required best-practice IS security measures.
  57. ISACA Member Responsibilities – Opportunities
     KEY TAKE-AWAY #2
     Employ the same best-practice audit and risk management principles for cloud computing as you have been trained for and have used (or should be using) your entire career.
  58. ISACA Member Responsibilities – Opportunities
     KEY TAKE-AWAY #3
     Develop an overarching Business Impact Analysis for moving an application / data to the cloud.
  59. ISACA Member Responsibilities – Opportunities
     "Cloud computing can be evaluated much in the same way as a new operating system. And yet, it's something more as well. It has the usual system services but also some fantastic ones -- unlimited memory, unlimited storage, unlimited network bandwidth, unlimited (and on-demand) scalability and parallelism."
     http://www.ddj.com/web-development/220300736?pgno=4
  60. Claimed Cloud Computing Business Advantages
  61. ISACA Member Responsibilities – Opportunities
     "This fundamental difference between probabilistic risk and risk introduced by an intelligent adversary (or adaptive threats) leads to the conclusion that more understanding of the cyber security issues and impacts that are possible on the electric grid is needed. Indeed, there really is no statistical norm for the behavior of cyber attackers and information systems and components failure, and their potential impacts to grid reliability."
     - NERC 2009 Long-Term Reliability Assessment
  62. ISACA Member Responsibilities – Opportunities
     What are the pure goals of auditing?
  63. ISACA Member Responsibilities – Opportunities
     What are the pure goals of auditing?
     Transparency and Accountability
  64. ISACA Member Responsibilities – Opportunities
     [Diagram: Internal Enterprise connected to a CRM Cloud App and an ERP Cloud App, with Suppliers, Distribution and Resellers]
  65. ISACA Member Responsibilities – Opportunities
     [Diagram: as slide 64, with the additional functions Stock Opt, HR, Cust Service and Advrtz]
  66. ISACA Member Responsibilities – Opportunities
  67. ISACA Member Responsibilities – Opportunities
     There needs to be rock-solid security, and annual (or when changes occur) audit-to-certification standards developed for Cloud Service Providers (CSPs).
  68. What's Needed
     The current US military "jeep"
  69. What's Needed
     The HUMVEE's replacement: the M-ATV
  70. ISACA Member Responsibilities – Opportunities
     Summary –
     • Audit CSP's security and DR/BC policies
     • Is CSP promoting best security practices?
     • Upgrade current internal IAM program
     • Insist on "SAS70" type audit from partners and outsource providers of their cloud enterprises
  71. What's Still Needed
     Commercial Cloud Applications Security Standards.
     Training & Certification requirements for:
     Individual Cloud Developers
     Cloud Service Providers
     Cloud Security Tool Providers
  72. What's Still Needed
     Best Practice Standards for Internal Audits of Enterprises Employing Cloud Applications.
     Combination of the ENISA cloud risk assessment with the financial Shared Assessment program.
     Implement an annual Know Your Client (KYC) type audit/certification for all clients and cloud service providers.
  73. Last Thought
     "Cloud computing is about gracefully losing control, while maintaining accountability, even if the operational responsibility falls upon one or more third parties."
     - CSA Guide V2.0
  74. Questions
  75. Thank you
     Peet Rapp – MBA, CISA
     peet.rapp@yahoo.com
     603-731-0494
