Cloud Computing Risk Management (Multi Venue)

  1. Cloud Computing Risk Management
     Security Considerations from an Assurance Perspective
     Brian Dickard – Director, Enterprise Risk Management
     © Copyright 2012 | First Data Corporation

  2. Agenda
     • Introduction
     • Terminology
     • Major Public Cloud Services
     • Assessing Public Cloud Risk
     • Trends and Issues
     • Concluding Remarks

  3. Introduction
     • First Data Vision
        • To shape the future of global commerce by delivering the world’s most secure and innovative payment solutions.

  4. Introduction
     • First Data Business
        • First Data provides a single source for payment processing virtually anywhere and any way our customers want to pay. We deliver innovative, data-driven solutions that help merchants, financial institutions, businesses and government agencies across the globe reduce costs and drive revenue.

  5. Cloud computing – what is it?
     • Where did it come from?
     • Why should I care as a business manager?
     • What types of risk are there?
     • How does it work?
  7. How familiar are you with the major Cloud Service and Deployment models?
     • A. Very familiar
     • B. Somewhat familiar
     • C. I’ve heard of them
     • D. Not familiar at all

  8. Essential Characteristics
     • Resource Pooling
     • Broad Network Access
     • Rapid Elasticity
     • Measured Service
     • On Demand Self Service

  9. Cloud Service Models
     • Infrastructure as a Service (IaaS)
        • “Raw” Servers, Disk Space, Network
        • Ex. Amazon Elastic Cloud Computing (EC2)
        • Foundational to PaaS and SaaS
        • Security (other than physical) provided by cloud consumer

  10. Cloud Service Models
     • Platform as a Service (PaaS)
        • Middleware and application development frameworks supported by provider
        • Cloud-deployed applications created and supported by consumer
        • Ex. Google App Engine
        • Built on top of IaaS
        • Security must be built in by developer (provider or consumer)

  11. Cloud Service Models
     • Software as a Service (SaaS)
        • “On Demand” application availability
        • Software and data hosted by provider
        • Accessed with a web browser
        • Ex. Gmail
        • Built on top of IaaS and PaaS
        • Highest provider security level

  12. Cloud Service Layers (diagram)
     • Layers stacked: SaaS, PaaS, IaaS
     • Axes labelled “Increasing consumer configuration options” and “Increasing provider security”

  13. In-House IT Assets vs. “SPI” Services
     In-House Attributes            SPI Attributes
     Fixed                          Elastic
     Overhead or Chargeback         Metered
     Service Request                Self Service
     Private Network Accessible     Internet Accessible
     Dedicated                      Shared

  14. Deployment Models
     • Public Cloud
        • More than one organization shares common IT resources
     • Private Cloud
        • An organization buys and deploys its own IT resources – OR –
        • Contracts exclusive arrangement with a 3rd party
     • Community Cloud
        • Usage of public cloud by common mission or cause
        • Ex. State or Local governments
     • Hybrid Cloud
        • Some elements of all three

  15. Potential Benefits
     • Pay as you go model (low fixed cost)
     • Remote access
     • Rapid scalability
     • Quicker deployment of IT-enabled strategies
     • Stay current on technology upgrades
     • Resiliency / Redundancy
  17. Where Private Clouds Make Sense
     • Large Corporate Data Center
        • High rate of optimization through virtualization
        • Diverse apps are coded to run using a common O/S, database and network
        • Apps are “swapped out” on common hardware based on processing load
        • Same hardware that runs mission critical app may also run support app in non-peak time
        • “Workload Agnostic Computing”

  18. Virtualization Stats
     • InfoWeek Poll – Major Corporations
        • 97% use Server Virtualization extensively or on a limited basis (ex. VMware vSphere)
        • 57% use Storage Virtualization (ex. NetApp)
        • 44% use Desktop Virtualization (ex. Citrix)
        • 42% use Application Virtualization (ex. VMware ThinApp)
        • 37% use I/O Virtualization (ex. Cisco VFrame)
        • 30% use Network Virtualization (ex. Nicira Networks “DVNI” – Acquired by VMware)

  19. Where Public Clouds Make Sense
     • Businesses of any size where captive IT resources aren’t cost effective or available
        • Fixed capital expense becomes variable operating expense
        • Can quickly level the playing field for small and medium sized businesses
     • “Cloud Bursting”
        • Adding incremental capacity to meet peak or seasonal demands
     • Prototyping
        • Running simulations to determine in-house data center capacity needs

  20. Public Cloud Plans
     • Infoweek Survey
        • 26% plan to deploy in the next year
        • 38% have no plans to deploy
        • 11% already have public deployment
     • Are you sure?
        • DR scenario: private cloud becomes public
  22. Essence of the Public Cloud Decision
     • A thoughtfully considered* decision to move one of the following into the public cloud domain:
        • Data
           • Essential to map your data and understand whether, and how, it flows in and out of the cloud
           • Important to classify low value, high value regulated and high value unregulated assets
        • Transactions/Processing

  23. Thoughtfully Consider – How?
     • How would you be harmed if:
        • The asset became widely public or widely distributed?
        • An employee of the cloud provider accessed the asset?
        • The process or function was manipulated by an outsider?
        • The process or function failed to provide the expected results?
        • The information/data was unexpectedly changed?
        • The asset were unavailable for a period of time?

  24. Top Public Cloud Concerns

  25. A Growing Opportunity (chart)
     • Revenue from "public cloud" services, in billions of dollars, by year 2008–2013 (y-axis 0–70). Source: Forrester Research

  26. Major Public Cloud Service Providers
  28. Applicable Compliance Certifications
     • SSAE-16, SOC-1,2,3
        • Financial Reporting and service oriented controls
        • Focused on integrity
     • ISO 9002
        • Quality oriented controls
        • Focused on process
     • ISO 27001 / 27002
        • Security oriented controls
        • Focused on security
     • TIA 942 (Telecommunications Industry Association)
        • Data center fault tolerant controls
        • Focused on resilience

  29. PII Breach by Cloud Provider
     • Could subject them to violations under the following privacy laws:
        • Privacy and safeguard rules under GLBA
        • PCI-DSS data transmission and storage security provisions
        • HIPAA restrictions on sharing health care data
        • Breach provisions under the HITECH Act
     • Depends on provider’s contract provisions
     • You can’t outsource your accountability for information security

  30. Assurance Frameworks
     • Cloud Security Alliance (CSA)
        • Cloud Controls Matrix
        • https://cloudsecurityalliance.org
     • Information Systems Audit and Control Association (ISACA)
        • Cloud Computing Management Audit/Assurance Program
        • http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx
     • European Network and Information Security Agency (ENISA)
        • Cloud Computing Security Risk Assessment
        • http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

  31. Cloud Security Alliance
     • GRC “Stack”
        • Cloud Controls Matrix
        • Consensus Assessments Initiative
        • Cloud Audit
        • Cloud Trust Protocol
        • Designed to support both cloud consumers and cloud providers
        • Created to capture value from the cloud as well as support compliance and control within the cloud
     © 2011 Cloud Security Alliance, Inc. All rights reserved
  33. Cloud Controls Matrix
     Controls base-lined and mapped to:
     • BITS Shared Assessments
     • COBIT
     • FedRAMP
     • HIPAA/HITECH Act
     • ISO/IEC 27001-2005
     • Jericho Forum
     • NERC CIP
     • NIST SP800-53
     • PCI DSS v2.0

  34. Cloud Control Matrix – Domains
     1. Compliance (CO)
     2. Data Governance (DG)
     3. Facility Security (FS)
     4. Human Resources (HR)
     5. Information Security (IS)
     6. Legal (LG)
     7. Operations Management (OM)
     8. Risk Management (RI)
     9. Release Management (RM)
     10. Resiliency (RS)
     11. Security Architecture (SA)
     100 Individual Controls

  35. Cloud Control Matrix – Sample

  36. Key CCM Controls: Compliance
     • Compliance – Independent Audits
        • Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing)
     • Compliance – Third Party Audits
        • Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.
     • Compliance – Intellectual Property
        • Policy, process and procedure shall be established and implemented to safeguard intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.

  37. Key CCM Controls: Data Governance
     • Data Governance – Classification
        • Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.
     • Data Governance – Retention Policy
        • Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of backups must be implemented at planned intervals.
     • Data Governance – Information Leakage
        • Security mechanisms shall be implemented to prevent data leakage.

  38. Key CCM Controls: Facility Security
     • Facility Security – Controlled Access Points
        • Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.
     • Facility Security – Off-Site Authorization
        • Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises.

  39. Key CCM Controls: Information Security
     • Information Security – Baseline Requirements
        • Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.
     • Information Security – User Access Reviews
        • All levels of user access shall be reviewed by management at planned intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.
     • Information Security – Encryption
        • Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).

  40. Key CCM Controls: Information Security
     • Information Security – Vulnerability / Patch Management
        • Policies and procedures shall be established and mechanisms implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner, taking a risk-based approach for prioritizing critical patches.
     • Information Security – Incident Reporting
        • Contractors, employees and third party users shall be made aware of their responsibility to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.
     • Information Security – eCommerce Transactions
        • Electronic commerce (e-commerce) related data traversing public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner to prevent contract dispute and compromise of data.

  41. Key CCM Controls: Operations Management
     • Operations Management – Capacity / Resource Planning
        • The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with regulatory, contractual and business requirements. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
     • Operations Management – Equipment Maintenance
        • Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations.
  43. Key CCM Controls: Risk Management
     • Risk Management – Assessments
        • Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
     • Risk Management – Third Party Access
        • The identification, assessment, and prioritization of risks posed by business processes requiring third party access to the organization’s information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
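The Risk Management – Assessments control asks for likelihood and impact to be rated separately for inherent and residual risk and for the results to be comparable across risk categories. The following Python register is an added illustration written for this page; it is not CSA or First Data material. The 5x5 qualitative scale, the likelihood x impact score, the low/medium/high bands and the idea that a credited control removes a fixed number of likelihood or impact points are all assumptions made for the example, and the three risks are constructed from the harm questions on slide 23.

```python
"""Constructed risk register: inherent rating, residual rating after
credited controls, and a ranking of residual scores (assumed model)."""
from dataclasses import dataclass, field
from typing import List, Tuple

LOW, HIGH = 1, 5  # assumed qualitative scale for likelihood and impact


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # likelihood points the control removes (assumed model)
    impact_reduction: int = 0      # impact points the control removes (assumed model)


@dataclass
class Risk:
    name: str
    category: str          # e.g. "audit results", "regulatory compliance"
    likelihood: int        # inherent likelihood on the 1..5 scale
    impact: int            # inherent impact on the 1..5 scale
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot hide a high risk.
        for v in (self.likelihood, self.impact):
            if not LOW <= v <= HIGH:
                raise ValueError(f"{self.name}: rating {v} outside {LOW}..{HIGH}")

    def inherent(self) -> Tuple[int, int]:
        """Likelihood and impact before any control is credited."""
        return self.likelihood, self.impact

    def residual(self) -> Tuple[int, int]:
        """Likelihood and impact after crediting controls, floored at LOW."""
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(LOW, lik), max(LOW, imp)


def score(rating: Tuple[int, int]) -> int:
    """Score as likelihood x impact (assumed scoring rule)."""
    return rating[0] * rating[1]


def band(s: int) -> str:
    """Assumed rating bands: 1-5 low, 6-12 medium, 13-25 high."""
    return "low" if s <= 5 else "medium" if s <= 12 else "high"


def rank(risks: List[Risk]) -> List[Tuple[str, int, str, int, str]]:
    """Rows of (name, inherent score, inherent band, residual score,
    residual band), highest residual score first."""
    rows = []
    for r in risks:
        s_inh, s_res = score(r.inherent()), score(r.residual())
        rows.append((r.name, s_inh, band(s_inh), s_res, band(s_res)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample register (not real assessment data).
REGISTER = [
    Risk("Provider employee accesses cardholder data",
         "threat and vulnerability analysis", 3, 5,
         [Control("Encryption at rest with customer-managed keys", impact_reduction=3),
          Control("Quarterly user access reviews", likelihood_reduction=1)]),
    Risk("Public cloud outage makes asset unavailable",
         "audit results", 4, 3,
         [Control("Multi-region redundancy", impact_reduction=2)]),
    Risk("PII breach at provider triggers HITECH notification",
         "regulatory compliance", 2, 5,
         [Control("Contractual breach notification provisions", impact_reduction=1)]),
]

if __name__ == "__main__":
    for name, s_inh, b_inh, s_res, b_res in rank(REGISTER):
        print(f"{name}: inherent {s_inh} ({b_inh}) -> residual {s_res} ({b_res})")
```

Rating inherent and residual risk in two separate calls, rather than storing only the adjusted number, keeps the effect of each credited control visible to the reviewer; in this constructed register the breach-notification risk ends up ranked first because contractual provisions reduce impact far less than encryption or redundancy do.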
  44. Key CCM Controls: Release Management
     • Release Management – Production Changes
        • Changes to the production environment shall be documented, tested and approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications.
     • Release Management – Unauthorized Software Installations
        • Policies and procedures shall be established and mechanisms implemented to restrict the installation of unauthorized software.

  45. Key CCM Controls: Resiliency
     • Resiliency – Business Continuity Planning
        • A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements.
     • Resiliency – Business Continuity Testing
        • Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.

  46. Key CCM Controls: Security Architecture
     • Security Architecture – Network Security
        • Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.
     • Security Architecture – Shared Networks
        • Access to systems with shared network infrastructure shall be restricted to authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.

  47. Key CCM Controls: Security Architecture
     • Security Architecture – Audit Logging / Intrusion Detection
        • Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.
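The Audit Logging / Intrusion Detection control names four record types a daily review must cover: privileged user activity, authorized and unauthorized access attempts, system exceptions and security events. The script below is an added example of what that daily review can look like in code; it is not CSA or First Data tooling. The key=value record format, the field names (user, priv, action, result, src, table, detail), the failed-login threshold and the sample records are all constructed for this page, so the regex and field names would be adapted to whatever the provider actually exports. It covers the log-review part of the control only, not the file integrity or network IDS tooling.

```python
"""Daily review of a constructed audit log: summarise privileged activity,
unauthorized attempts and system exceptions, and list review findings."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample records (not real logs); the key=value layout is assumed.
SAMPLE_LOG = """\
2012-03-01T08:12:03Z host=db01 user=alice priv=yes action=login result=success src=10.0.1.5
2012-03-01T08:14:10Z host=db01 user=alice priv=yes action=read table=cardholder result=success src=10.0.1.5
2012-03-01T09:02:41Z host=web02 user=bob priv=no action=login result=failure src=203.0.113.9
2012-03-01T09:02:45Z host=web02 user=bob priv=no action=login result=failure src=203.0.113.9
2012-03-01T09:02:50Z host=web02 user=bob priv=no action=login result=failure src=203.0.113.9
2012-03-01T09:02:55Z host=web02 user=bob priv=no action=login result=failure src=203.0.113.9
2012-03-01T11:30:00Z host=db01 user=svc_backup priv=yes action=export table=cardholder result=success src=10.0.2.7
2012-03-01T12:00:12Z host=app01 user=- priv=no action=exception detail=oom_killer result=failure src=-
2012-03-01T13:45:09Z host=db01 user=carol priv=no action=read table=cardholder result=denied src=10.0.1.22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one record into a dict; the timestamp is stored under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    return fields


def review(log_text: str, failure_threshold: int = 3) -> Dict[str, object]:
    """Build the daily review summary. failure_threshold is an assumed
    review trigger: that many failed logins from one user/source pair."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    privileged: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    failures: Counter = Counter()
    denied: List[Tuple[str, str, str]] = []
    exceptions: List[Tuple[str, str, str]] = []
    for r in records:
        if r.get("priv") == "yes":  # privileged user access activity
            privileged[r["user"]].append((r["ts"], r["action"], r.get("table", "-")))
        if r.get("action") == "exception":  # system exception, not an access attempt
            exceptions.append((r["ts"], r["host"], r.get("detail", "-")))
        elif r.get("result") == "failure":  # unauthorized attempt: bad credentials
            failures[(r["user"], r["src"])] += 1
        elif r.get("result") == "denied":  # unauthorized attempt: authenticated but not permitted
            denied.append((r["ts"], r["user"], r.get("table", "-")))
    findings = []
    for (user, src), n in failures.items():
        if n >= failure_threshold:
            findings.append(f"{n} failed logins for {user} from {src}")
    for ts, user, table in denied:
        findings.append(f"denied access by {user} to {table} at {ts}")
    for user, acts in privileged.items():
        if any(action == "export" for _, action, _ in acts):
            findings.append(f"privileged export by {user}")
    return {
        "records": len(records),
        "privileged": {u: len(a) for u, a in privileged.items()},
        "failures": dict(failures),
        "denied": denied,
        "exceptions": exceptions,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Keeping failed logins (bad credentials) separate from denied requests (valid credentials, no permission) matters for the review: the first points at credential attacks or a broken client, the second at an access grant that needs checking against the access reviews on slide 39. A bulk export by a privileged service account is surfaced as a finding even though it succeeded, since the control is about visibility of privileged activity, not only of failures.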
  48. What do you do with a completed CCM?
     • Consumer: As an internal assessment tool
        • Log exceptions and draft a report of provider’s level of control maturity or a gap analysis
     • Provider: As a public assertion of control maturity
        • CSA STAR (Security, Trust and Assurance Registry)
        • Trusted Cloud Initiative
        • www.cloudsecurityalliance.org/trustedcloud.html

  49. Are Assessments Being Done?
  51. Integration Trends / Concerns
     • “Bring Your Own Device” (BYOD)
        • Smartphone, tablet, laptop
     • “Bring Your Own Cloud” (BYOC)
        • Google Docs, Dropbox, iCloud, SkyDrive

  52. “Data Aware” Security
     • Information Security trend
     • Knowing if a particular combination of user, device, and software can be trusted with access to specific information
     • Challenge: Encoding this security intelligence into your data before you store it in the public cloud

  53. Recap
     • Cloud computing has tangible benefits and could be a strategic differentiator
     • Your organization may be more actively deployed to the “cloud” than you realize
     • New risks are introduced, but can be managed with assurance frameworks
  55. Questions?
     • Brian.Dickard@firstdata.com

  56. References
     • Cloud Security Alliance
        • Security Guidance For Critical Areas of Focus in Cloud Computing V3.0 (2011)
           • https://cloudsecurityalliance.org/research/security-guidance/
        • Cloud Security Alliance GRC Stack (2011)
           • https://cloudsecurityalliance.org/research/grc-stack/
        • Cloud Security Alliance Cloud Controls Matrix V1.1 (2010)
           • https://cloudsecurityalliance.org/research/ccm/
     • Information Week (Jan-Mar 2012)
     • MIT Technology Review (Jan-Mar 2012)
