Cloud Computing Audit Challenges

Cloud Computing:
Implementation Challenges

Marco Ramos
Stay-or-go: In-House vs. The Cloud
• Power consumption
• Data Center Management
• Storage Management
• Ensuring availability
  – Redundancy = $$$$$ x 2
• Virtualization
• Carbon footprint
Service Organizations vs. The Cloud
Service Organization      | The Cloud
Fixed fee                 | Pay-as-you-go (transactional basis)
Independent Auditor's Report: SSAE #16 (formerly known as SAS 70)
In-house vs. SaaS vs. PaaS vs. IaaS
• In-house: Salary; Hardware (+ upgrades, + maintenance); Licenses
• SaaS: Large-scale standardization; Public vs. private: collaboration solutions
• PaaS: Cost-effective and time-saving for application development; Faster set-up of development and testing environments
• IaaS: Cost-effective; Business can focus on core activities; Manage peak loads; Green IT
Implementation Challenges
• Data Privacy
• Security
• CAPEX vs. OPEX (fixed costs vs. variable costs)
• Tax-related issues
• Regulatory ambiguity
• Cross-country: transfer of data across borders
• Reliability and availability
• Transition and execution risks
• Limited scope for customization
• Cultural resistance (IT!)
• SLAs
• Ownership of data
• What happens at the end of the contract?
• What information the Cloud provider returns, in what format, and whether it is readable
• Performance (response time)
• Hardware decommissioning
More Challenges…
• Limited IT budget: initial set-up & upgrades
• Scalability of systems: managing peak demand means
  investing in additional hardware & software that
  sit under-utilized during non-peak loads
• Longer time to set up IT infrastructure
• Need for mobility
           Larger benefits to
     industry and market segments
•   Government
•   Healthcare
•   Education
•   SME/PyMes – competitive edge to reach IT
    resources of global companies: affordable,
    reliable, and flexible computing solutions,
    enabling them to compete more effectively
    with larger organizations
Cross-country Cloud:
Data transfer across borders
• Does the Cloud provider guarantee where data is
  hosted? i.e. data centers in Chicago, LA & NY,
  or in India, China, and Mexico?
• Canadian privacy rules adopted in response to the
  US PATRIOT Act bar public-sector IT projects from
  using US-based hosting environments for personal data
• Germany and UK have regulations related to
        Cloud DOES NOT MEAN
           Dissolve IT staff!!!
The Company still needs:
• Technical support
• Network, provisioning, and user certification
• Increased bandwidth
• Training and On-boarding
               Cloud Strategy
• Sponsored by the CIO
• Shift focus from configuration,
  implementation, and maintenance of in-house
  applications to implementing strategy and
  meeting business needs
• It is a strategic business decision rather than a
  purely technology decision
Green Computing:
Green IT

Axel E. Robert

Cloud Computing:
Security Challenges

Rory Rivera, PE, MSEE, MSM
Deep Logistics

Security is the Major Issue

Analyzing Cloud Security
• Some key issues:
  – trust, multi-tenancy, encryption, compliance
• Clouds are massively complex systems, but they can
  be reduced to simple primitives that are replicated
  thousands of times, plus a set of common functional
  units
• Cloud security is a tractable problem
  – There are both advantages and challenges
Former Intel CEO Andy Grove: "only the paranoid survive"
     General Security Challenges
•   Trusting vendor’s security model
•   Customer inability to respond to audit findings
•   Obtaining support for investigations
•   Indirect administrator accountability
•   Proprietary implementations can’t be examined
•   Loss of physical control

         Security Relevant Cloud
•   Cloud Provisioning Services
•   Cloud Data Storage Services
•   Cloud Processing Infrastructure
•   Cloud Support Services
•   Cloud Network and Perimeter Security
•   Elastic Elements: Storage, Processing, and
    Virtual Networks

  Cloud Network and Perimeter
• Advantages
  – Distributed denial of service protection
  – VLAN capabilities
  – Perimeter security (IDS, firewall, authentication)
• Challenges
  – Virtual zoning with application mobility

    Security and Data Privacy Across
            IaaS, PaaS, SaaS
• Many existing standards
• Identity and Access Management (IAM)
  – IdM federation (SAML, WS-Federation, Liberty ID-FF)
  – Strong authentication standards (HOTP, OCRA, TOTP)
  – Entitlement management (XACML)
• Data Encryption (at-rest, in-flight), Key Management
• Records and Information Management (ISO 15489)
• E-discovery (EDRM)
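The strong-authentication standards in the list above (HOTP, RFC 4226; TOTP, RFC 6238) are small enough to show end to end. The block below is an added example written for this page, not code from the presentation or from any cloud vendor: it implements HOTP and TOTP over HMAC-SHA1 using only the Python standard library, then goes one step past the list with a server-side verifier that tolerates one step of clock skew and refuses to accept a code for a time step that has already been consumed (replay). The 20-byte secret is the RFC test vector; names such as TotpVerifier and secret_from_base32 are this example's own.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with skew-tolerant, replay-resistant verification."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# 20-byte ASCII secret from the RFC 4226 / RFC 6238 (SHA-1) test vectors.
RFC_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode an authenticator-app style base32 secret, tolerating spaces and missing padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, D decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                     # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)             # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since t0 (Unix time)."""
    return hotp(secret, (at - t0) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> Optional[int]:
    """Return the time-step index that `candidate` matches within +/- `window` steps of `at`, else None.

    The candidate is validated as an ASCII digit string of the right length first, and each
    comparison uses hmac.compare_digest so timing does not reveal how many digits matched.
    """
    if not (candidate.isascii() and candidate.isdigit() and len(candidate) == digits):
        return None
    current = at // step
    for delta in range(-window, window + 1):
        step_index = current + delta
        if hmac.compare_digest(hotp(secret, step_index, digits, algo), candidate):
            return step_index
    return None


class TotpVerifier:
    """Server-side verifier that remembers the last accepted step so a code cannot be replayed.

    Hypothetical helper for this example; in a real service `last_step` lives in the user's
    account record, not in process memory.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.last_step = -1  # highest step index already consumed for this user

    def check(self, candidate: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        matched = verify_totp(self.secret, candidate, at, self.window, self.step, self.digits)
        if matched is None or matched <= self.last_step:
            return False  # wrong code, outside the skew window, or a step already used
        self.last_step = matched
        return True


if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(RFC_SECRET, 0))                # 755224 per RFC 4226
    print("TOTP at t=59   :", totp(RFC_SECRET, 59, digits=8))     # 94287082 per RFC 6238
    v = TotpVerifier(RFC_SECRET, digits=8)
    print("first use:", v.check("94287082", at=59), "replay:", v.check("94287082", at=61))
```

Two practitioner details the standards leave to the implementer: the accept window must be small (one step each way is the usual choice) because every extra step multiplies an attacker's guessing odds, and the "step already used" check is what stops a code captured by a phishing page from being replayed inside its 30-second validity period.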

    Cloud Security Challenges
             Part 1
•    Data dispersal and international privacy laws
    –   EU Data Protection Directive and U.S. Safe Harbor
    –   Exposure of data to foreign government and data
    –   Data retention issues
•    Need for isolation management
•    Multi-tenancy
•    Logging challenges
•    Data ownership issues
•    Quality of service guarantees
Cloud Security Challenges
         Part 2
•   Dependence on secure hypervisors
•   Attraction to hackers (high value target)
•   Security of virtual OSs in the cloud
•   Possibility for massive outages
•   Encryption needs for cloud computing
    –   Encrypting access to the cloud resource control
    –   Encrypting administrative access to OS instances
    –   Encrypting access to applications
    –   Encrypting application data at rest
•   Public cloud vs internal cloud security
•   Lack of public SaaS version control
                 Additional Issues
•   Issues with moving PII and sensitive data to the cloud
    –   Privacy impact assessments
•   Using SLAs to obtain cloud security
    –   Suggested requirements for cloud SLAs
    –   Issues with cloud forensics
•   Contingency planning and disaster recovery for
    cloud implementations
•   Handling compliance
    –   FISMA
    –   HIPAA
    –   SOX
    –   PCI
    –   SAS 70 Audits
 Cloud Migration and Cloud Security
• Clouds typically have a single security architecture
  but have many customers with different demands
   – Clouds should attempt to provide configurable security
• Organizations have more control over the security
  architecture of private clouds followed by
  community and then public
   – This doesn’t say anything about actual security
• Higher sensitivity data is likely to be processed on
  clouds where organizations have control over the
  security model
           Putting it Together
• Most clouds will require very strong security
• All models of cloud may be used for differing
  tradeoffs between threat exposure and
• There is no one “cloud”. There are many
  models and architectures.
• How does one choose?

Cloud Computing:
Audit Challenges

           John R. Robles
   John R. Robles and Associates
Cloud Computing: Audit Challenges
• Must
  – Audit,
  – Review, and
  – Report
  on the Internal Controls System (ICS) surrounding the
  implementation and operation of Cloud Technology
• You must have an ICS, so let's determine whether it is
  effective and efficient (effective & efficient
  internal controls)
Cloud Computing: Audit Challenges
So you want to go to the Cloud, or are you already there? Then:
• How did you identify the assets selected for cloud
• Did you evaluate risks related to those assets?
• For each asset, did you analyze the risks to the organization if:
   –   the asset became widely public and widely distributed?
   –   employees of your cloud provider accessed the asset?
   –   cloud processes or functions were manipulated by an outsider?
   –   cloud processes or functions failed to provide expected results?
   –   information/data were unexpectedly changed?
   –   the asset were unavailable for a period of time?
Cloud Computing: Audit Challenges
• How did you map assets to potential cloud deployment models?
   – Public
   – Private, internal/on-premises
   – Private, external (including dedicated or shared infrastructure)
   – Community; taking into account the hosting location, potential service
     provider, and identification of other community members
   – Hybrid. To effectively evaluate a potential hybrid deployment, you
     must have in mind at least a rough architecture of where components,
     functions, and data will reside

• Did you evaluate relevant potential cloud service models and

• Did you document the potential data flow?
     Internal Control Framework
• Review internal control framework
  – Control Environment (set up by BOD &
  – Organization's risk appetite
  – Risk Assessments
  – Control Activities
  – Information and Communications Management
  – Operations Monitoring
Cloud Computing – Maturity Model
Maturity Model for Internal Control
(For each maturity level: the status of the internal control environment, and how internal controls are established.)

0 - Non-existent
  Status of the internal control environment: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and
  Establishment of internal controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

1 - Initial/ad hoc
  Status of the internal control environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their
  Establishment of internal controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

2 - Repeatable but Intuitive
  Status of the internal control environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe.
  Establishment of internal controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

3 - Defined
  Status of the internal control environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe.
  Establishment of internal controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

4 - Managed and Measurable
  Status of the internal control environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely
  Establishment of internal controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders.

5 - Optimized
  Status of the internal control environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement.
  Establishment of internal controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs, and they consider maturity attributes to find ways to make controls more efficient and effective.
   Cloud Computing: Now What?
• During the year, PRCCUG will:
  – Have periodic meetings to discuss these
  – Discuss solutions
  – Present solutions from 1st Level vendors
  – Provide networking among professionals
    interested in Cloud Computing
   Cloud Computing: Now What?
• Join us and the Puerto Rico Cloud Computing
  and Green Computing User Group.

           Questions and Answers!!
