Mark E.S. Bernard Cloud Computing and Associated Risks based on ISO 27001 ISMS


In early 2010 I facilitated a Cloud Computing Risk Assessment for presentation at the ISACA Victoria Chapter, based on my own 22 years of experience as both a customer and a service provider. Over the course of the last 7 years I have been working almost exclusively with Cloud Computing vendors, suppliers and Cloud Computing service providers to adopt ISO 27001 – Information Security Management System (ISMS). Because the adoption of ISO 27001 ISMS has been so badly communicated, it being so new and so many consultants jumping on the bandwagon, I felt that this would be useful. In 2010 I had no idea that ISO 27001 would become the de facto security standard for Cloud Computing that it has. Since that time I have added additional SlideShare presentations to review what a typical statement of work and the Human Resource allocation might look like, in an attempt to raise awareness and knowledge of this rapidly growing profession. If you have any questions or require some of my expertise please contact me at or 250-812-7060. These days I have been traveling around the globe helping corporations and I know that I can help you too.



1. Compiled by Mark E.S. Bernard, CRISC, CGEIT, CISM, CISA, CISSP, PM, PA, CNA, ITIL, ISO27k Lead Auditor, SABSA F2, Information Security, Privacy & Governance Consultant. Mobile: 250-812-7060 or email:
2.
• Cloud Predictions
• eCommerce Evolution
• Cloud Analysis
• Risk Management
• Terms
3. Mark E.S. Bernard, CPA/PA, PM, ISO27k Lead Auditor, CISSP, CISA, CISM, CGEIT. Contact phone: 250-812-7060; e-Mail: Mark.Bernard@TechSecure.ca
EXPERIENCE: Mark has twenty years of proven experience within the domain of Information Security, Privacy & Compliance within a broad range of industries including: Government, Financial Services, Credit Unions, Charter Banking, Insurance, Pharmaceutical, Telecommunications, Technology, Manufacturing and Academia.
• In 2009 Mark led Canadian Financial Services ISO/IEC 27001 Registration/Certification of the 1st Public Sector organization for the Ministry of Labour, Citizen Service, Common Business Service and more specifically Corporate Accounting Services.
• In 2009 Mark led the Transition-In Project of the new Core Services Contractor to Corporate Accounting Services on behalf of the Province.
• In 2009 Mark led the Technology and Operations workstream during the Negotiated Request for Proposal for Corporate Accounting Services on behalf of the Province.
• In 2008 Mark led Canadian Financial Services ISO/IEC 27001 Registration/Certification of the 1st online banking system for Credit Union Central of British Columbia, now Central1.
• Mark led the Canadian Financial Services Privacy, Security, and Compliance Office work-stream during outsourcing of the Ministry of Small Business and Revenue and contract refresh on behalf of EDS Advanced Solutions.
• Mark led International Food Manufacturer Information Security Program development and implementation of the Information Security Management System on behalf of McCain Foods Limited, a 6.7 billion-dollar global business.
• Mark led International Technology Services Independent System Assurance Review against international financial systems located in Trinidad, Barbados, Nassau, Jamaica and Antigua and financial systems managed in Canada, on behalf of IBM Global Services.
• Mark led the Canadian Insurance HRIS Business Unit for Zurich Insurance for 7 years as Manager of HRIS, including in-house payroll systems.
• Mark led the Canadian Financial Systems Project to upgrade IBM iSeries servers supporting the Toronto Stock Exchange and TD Bank Wealth Management Services.
• Mark led the International Pharmaceutical Manufacturer Project to centralize Enterprise Resource Planning systems and ISO 9001 and 9002 re-certification of lab systems in compliance with FDA and Health Canada regulations for Taro Pharmaceuticals.
VOLUNTEER: Mark has volunteered his time to participate and actively contribute to the local Information Systems Audit and Control Association chapter and the High Technology Crime Investigation Association chapter. Mark was the founder of New Brunswick's HTCIA chapter.
MEDIA: Mark has published articles in magazines and contributed to the CISM Common Body of Knowledge, in addition to appearing as an expert source on Information Security and Privacy topics in local conferences and newspapers, on CBC Radio and Rogers Cable Television.
4.
• Order Series (ORD)
• Materials Handling Series (MAT)
• Tax Services Series (TAX)
• Warehousing Series (WAR)
• Financial Series (FIN)
• Government Series (GOV)
• Manufacturing Series (MAN)
• Delivery Series (DEL)
• Engineering Management & Contract Series (ENG)
• Insurance/Health Series (INS)
• Miscellaneous ANSI X12 Transactions Series (MIS)
• Mortgage Series (MOR)
• Product Services Series (PSS)
• Quality and Safety Series (QSS)
• Student Information Series (STU)
• Transportation:
  - Air and Motor Series (TAM)
  - Ocean Series (TOS)
  - Rail Series (TRS)
  - Automotive Series (TAS)
5. CICA (ASC X12's Context Inspired Component Architecture) is a new approach to message design aimed at resolving the costly proliferation of differing (and often incompatible) XML messages used for business-to-business data exchange. CICA gives developers access to reusable components that can be used to construct interface standards to satisfy common business requirements as well as industry-specific needs. CICA is a syntax-neutral architecture that supports both business content and implementation information. CICA messages ("documents") can currently be expressed as XML schemata.
6. [Diagram: Government Ministries, Suppliers and Citizens connected through the Internet, an Intranet, a Value Added Network and Cloud services]
7.
• Quality of Service standards?
• Service Level Agreement?
• Eliminating capital expenditures on hardware and software.
• Transferring Service Management to the Service Provider.
• Access to a broader range of applications at lower cost?
• More functionality through their service offerings?
• More flexibility with capital budget vs. operating budget?
• Improving the efficiency of their data center by transferring inefficient processes.
• Who will champion the adoption of Cloud Computing?
• Which open standards fuelled the rapid growth of Cloud Computing?
8.
• Clouds are complex, comprising highly specialized applications made up of even more granular, yet simple, application procedures replicated thousands of times.
• Clouds can generate both security benefits and risks.
• How can we establish and maintain trust?
• How can the virtualization of servers and systems maintain acceptable levels of security?
• How can encryption be successfully deployed and managed over extremely complex sets of millions, maybe billions, of unique data streams and business channels?
• How can we even hope to achieve mandatory compliance with statutes, regulations and contractual obligations?
9.
• Tactically, "Virtualization" is about saving money.
• Strategically, "Virtualization" leads to flexible resourcing.
1) Enables economies of scale: Cloud providers maximize the usage of their resources to make money.
2) Decouples users from implementation: Virtualization forces the relationship to change from implementation to service level agreements.
3) Speed, flexibility, agility: Early adopters of cloud computing talk about how quickly they can get new servers online. Compared to the 4–6 weeks it takes an average IT shop to deploy a server, just about anything is faster; virtual machines can be deployed roughly 30 times faster.
4) Breaks software pricing and licensing: Software manufacturers can't charge users for physical capacity when only a small portion of it is used. It's also impossible to charge for every potential server the software might be running on.
5) Enables, motivates chargeback: When servers can be delivered in minutes rather than weeks, IT users ask for more, roughly two times as much. IT needs to focus more on usage accounting and chargeback.
10. The term "Web 2.0" (2004–present) is commonly associated with web applications that facilitate interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web. Examples of Web 2.0 include web-based communities, hosted services, web applications, social-networking sites, video-sharing sites, wikis, blogs, mashups and folksonomies. A Web 2.0 site allows its users to interact with other users or to change website content, in contrast to non-interactive websites where users are limited to the passive viewing of information that is provided to them.
11.
• Authority Attack (with or without artefact): using fake identification or a badge, utility service or law enforcement uniform to gain access, or identifying a key individual by name/title as a supposed friend or acquaintance, or claiming authority such as a lawyer or auditor and demanding information (impersonation).
• Zero-Sum Knowledge Attack: Baiting someone to add, deny or clarify pieces of information or incorrect information, claiming to know more than they actually do, to solicit more information.
• Persistent Attack: Continuous harassment using guilt, intimidation and other negative means to get information revealed. This could take place over days, weeks or months.
• Stake-Out Attack: Analyze operational activity over a period of time, including people, regular mail, special courier and/or supply deliveries, the patrol patterns of guards, the location of CCTV, and off-hours activity.
• "The boy who cried wolf" Attack: Setting off a series of false alarms, either physical or digital, until someone gets tired of responding and disables the alarm system.
• Help Desk Attack: Impersonating a current or new end-user needing help with access to a network or server.
• Fake Survey/Questionnaire Attack: Win a free trip to Hawaii, or somewhere special, in exchange for completing a survey and answering questions about work or your network.
12.
• Quality of Service Standards
• Open Standards
• Ajax (asynchronous JavaScript and XML)
• Java
• Delphi
• Product Realization
• Software Development Life Cycle
• Acceptance Criteria
• Quality Management – ISO 9001:2008
  - 7 Product realization
  - 7.1 Planning of product realization
  - 7.2 Customer-related processes
  - 7.3 Design and development
  - 7.4 Purchasing
  - 7.5 Production and service provision
  - 7.6 Control of monitoring and measuring equipment
13.
• Distributed blob storage (aka S3)
• Asynchronous, durable message queues (aka SQS)
• Non-relational/non-transactional databases (like SimpleDB, Google BigTable, Azure SQL Services)
• Distributed background worker pool
• Load-balanced, edge-service processes handling user requests (often virtualized)
• Distributed caches (like memcached)
• CDN (content delivery network like Akamai)
14.
• Kiosk Mode
• Unauthenticated Access
• (Un)Hidden Hotkeys
• Restricted Desktop Access
• Attack Microsoft Office
15. SCOPE: Review and assess proposed Cloud services for Software as a Service, Platform as a Service and Infrastructure as a Service.
RATIONALE: Consideration was given to the fact that Cloud services are a new service delivery approach that has not been fully implemented. There is more emphasis on partnering with service providers and dependency on managing necessary controls through collaborative partnerships and/or transferring risk completely to the service providers. Transparency of processes, consistency of outcomes, and quality of service and deliverables will become more and more important, and thus understanding the potential issues is important to its success.
The threat-risk assessment was facilitated against existing best practices for information security management systems, ISO/IEC 27001:2005. These controls are based on industry best practice for information handling, based on known vulnerabilities and risks associated with most businesses; however, this standard originated in the UK as BS 7799, developed under the UK Department of Trade and Industry.
17.
• Unauthorized and/or uncoordinated and unplanned changes
• Ineffective acceptance criteria
• Ineffective application tests for malicious code
• Broken or ineffective cryptographic controls
• Unchecked technical vulnerabilities
• Missing security requirements
• Noncompliance with legal obligations
• Missing audit requirements
• Ineffective security in development and support processes
• Missing confidentiality agreements
• Ineffective or broken network access control
• Unknown users accessing the network
• Ineffective privilege management
• Incomplete removal of access rights upon exits
• Ineffective or missing fault logging
• Weak external party service delivery management
18.
• Missing or weak governance of external party services
• Missing capacity management
• Lack of information handling procedures
• Missing or weak information exchange policies and procedures
• No exchange agreements
• Below-standard network controls
• Weak security of network services
• No independent reviews of information security
• Unchecked risks related to external parties
• No flow-down of security and privacy obligations in external party agreements
• Weak application and information access controls
• No corrective and/or preventive actions for errors in processing of applications
• Broken or weak electronic commerce services
• Ineffective audit logging
• No security of log information
• Inability to collect evidence
• Ineffective Business Continuity planning
19.
• Weak or ineffective control of secure areas
• Weak operating system access control
• Unprotected system files
• No reporting of information security incidents
• No reporting of security weaknesses
• Ineffective compliance with security policies and standards
• Missing authorization process for information processing facilities
• No communication concerning acceptable use of assets
• Noncompliance with classification guidelines
• Missing information labelling and handling
• Ineffective employee/contractor security screening
• Missing or ineffective information security awareness, education and training
• No disciplinary process for employees or contractors
20.
• Reduce risk by transferring it to the Cloud Service Provider
• Security auditing and testing could be simplified
• Streamline the automation of security management
• Built-in redundancy will improve disaster recovery and business continuity
• Lower Total Cost of Ownership
• Lower cost of services
• Reduce the need for capital by as much as 40%
• Provide a broader range of services
• Provide an agile response to increases and decreases in service demand
21.
• Establishing trust?
• Supplier's response to audit findings
• Support for investigations and evidence gathering
• System administrator accountability
• Drawing the line between proprietary and non-proprietary for examination
• Virtualized servers and applications
• Physical control of the data
• Mandatory compliance with statutes, regulations and contractual obligations
22. Security Posture:
• Equilibrium State (EQ): In this state the threats are identified and the appropriate safeguards are deemed to be in place.
• Vulnerable State (VU): In this state the threats far outweigh the safeguards.
• Excessive State (EX): In this state the safeguards far outweigh the threats. This can result in overspending on security measures.
Information Classification:
• Low Sensitivity (L): a) limited financial losses, b) limited impact on service level, or c) performance, embarrassment and inconvenience.
• Medium Sensitivity (M): a) loss of competitive advantage, b) loss of confidence in the government program, c) significant financial loss, d) legal action, or e) damage to partnerships, relationships and reputations.
• High Sensitivity (H): a) extremely significant financial loss, b) loss of life or public safety, c) loss of confidence in the government, d) social hardship, or e) major political or economic impact.
• Unclassified (U): a) information of public knowledge that can be found on most government web sites, such as government telephone books, advertisements for job opportunities in the various ministries, government-wide initiatives such as Government-On-Line, public health information, job classification level and range of pay scale.
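As an added example, not part of the original deck, the posture model on this slide applied to a small control gap register drawn from the findings lists on slides 17–19, in Python. The 1–5 threat and safeguard scales, the tolerance band that decides when one side "far outweighs" the other, the numeric sensitivity weights and the register entries themselves are assumptions constructed for illustration.

```python
"""Posture scoring over a constructed control gap register.

Added example (not from the original slides). Applies the EQ / VU / EX
posture states and the U / L / M / H sensitivity levels to findings worded
as on the deck's ISO/IEC 27001:2005 gap lists. Scales, band and weights are
assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Posture(Enum):
    EQ = "Equilibrium"   # threats identified, safeguards deemed in place
    VU = "Vulnerable"    # threats far outweigh safeguards
    EX = "Excessive"     # safeguards far outweigh threats (overspend)


class Sensitivity(Enum):
    # Assumed ordinal weights; the slide defines the levels, not numbers.
    U = 0  # Unclassified
    L = 1  # Low
    M = 2  # Medium
    H = 3  # High


@dataclass(frozen=True)
class Finding:
    control: str              # control area, worded as on slides 17-19
    sensitivity: Sensitivity
    threat: int               # assumed 1 (negligible) .. 5 (severe)
    safeguard: int            # assumed 1 (absent) .. 5 (fully effective)


def posture(threat: int, safeguard: int, band: int = 1) -> Posture:
    """Map a threat/safeguard pair to a posture state.

    `band` is the assumed tolerance: a difference within +/- band is
    equilibrium; beyond it one side "far outweighs" the other.
    """
    for v in (threat, safeguard):
        if not 1 <= v <= 5:
            raise ValueError(f"scores must be 1..5, got {v}")
    gap = threat - safeguard
    if gap > band:
        return Posture.VU
    if gap < -band:
        return Posture.EX
    return Posture.EQ


def assess(findings):
    """Return {control: Posture} for every finding in the register."""
    return {f.control: posture(f.threat, f.safeguard) for f in findings}


def remediation_order(findings):
    """Vulnerable findings first (highest sensitivity, then widest gap),
    then excessive ones so overspend can be reviewed; EQ findings are omitted.
    """
    vulnerable = [f for f in findings if posture(f.threat, f.safeguard) is Posture.VU]
    vulnerable.sort(key=lambda f: (f.sensitivity.value, f.threat - f.safeguard),
                    reverse=True)
    excessive = [f for f in findings if posture(f.threat, f.safeguard) is Posture.EX]
    return [f.control for f in vulnerable + excessive]


# Constructed register: illustrative scores, not real assessment data.
SAMPLE_REGISTER = [
    Finding("Incomplete removal of access rights upon exits", Sensitivity.H, 5, 2),
    Finding("Ineffective audit logging", Sensitivity.M, 4, 3),
    Finding("Missing capacity management", Sensitivity.L, 2, 5),
    Finding("Weak external party service delivery management", Sensitivity.H, 4, 2),
    Finding("No security of log information", Sensitivity.M, 5, 1),
]

if __name__ == "__main__":
    for control, state in assess(SAMPLE_REGISTER).items():
        print(f"{state.name}  {control}")
    print("Remediation order:", remediation_order(SAMPLE_REGISTER))
```

The band is the one judgement call worth arguing over in a real assessment: with `band=0` a one-point shortfall already counts as Vulnerable, which is the stricter reading of the slide and the one to use for High sensitivity assets.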