Protecting Data in the Cloud by yaohongmeiyes


Central Jersey IIA Cloud Computing: The Basics and Beyond
Protecting Data in the Cloud

Dr. Yonesy F. Nuñez, CISSP, CISM, ISSAP, ISSMP, CRISC, CGEIT, MCSE, ISSPCS
Manager, NYM IT Risk & Security Assurance
General Security Advantages

Shifting public data to an external cloud reduces the exposure of the internal sensitive data
Cloud homogeneity makes security auditing/testing simpler
Clouds enable automated security management
Redundancy / Disaster Recovery

                                           2
 PwC
Security Relevant Cloud Components

Cloud Provisioning Services
Cloud Data Storage Services
Cloud Processing Infrastructure
Cloud Support Services
Cloud Network and Perimeter Security
Elastic Elements: Storage, Processing, and Virtual Networks

Provisioning Service

Advantages
  • Rapid reconstitution of services
  • Enables availability
    - Provision in multiple data centers / multiple instances
  • Advanced honey net capabilities
Challenges
  • Impact of compromising the provisioning service

Data Storage Services

Advantages
  • Data fragmentation and dispersal
  • Automated replication
  • Provision of data zones (e.g., by country)
  • Encryption at rest and in transit
  • Automated data retention
Challenges
  • Isolation management / data multi-tenancy
  • Storage controller
    - Single point of failure / compromise?
  • Exposure of data to foreign governments

Cloud Processing Infrastructure

Advantages
  • Ability to secure masters and push out secure images
Challenges
  • Application multi-tenancy
  • Reliance on hypervisors
  • Process isolation / Application sandboxes

Cloud Support Services

Advantages
  • On demand security controls (e.g., authentication, logging, firewalls…)
Challenges
  • Additional risk when integrated with customer applications
  • Needs certification and accreditation as a separate application
  • Code updates

Cloud Network and Perimeter Security

Advantages
  • Distributed denial of service protection
  • VLAN capabilities
  • Perimeter security (IDS, firewall, authentication)
Challenges
  • Virtual zoning with application mobility

Cloud Security Advantages Part 1

Data Fragmentation and Dispersal
Dedicated Security Team
Greater Investment in Security Infrastructure
Fault Tolerance and Reliability
Greater Resiliency
Hypervisor Protection Against Network Attacks
Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)

Cloud Security Advantages Part 2

Simplification of Compliance Analysis
Data Held by Unbiased Party (cloud vendor assertion)
Low-Cost Disaster Recovery and Data Storage Solutions
On-Demand Security Controls
Real-Time Detection of System Tampering
Rapid Re-Constitution of Services
Advanced Honeynet Capabilities

Cloud Security Challenges Part 1

Data dispersal and international privacy laws
  • EU Data Protection Directive and U.S. Safe Harbor program
  • Exposure of data to foreign government and data subpoenas
  • Data retention issues
Need for isolation management
Multi-tenancy
Logging challenges
Data ownership issues
Quality of service guarantees

Cloud Security Challenges Part 2

Dependence on secure hypervisors
Attraction to hackers (high value target)
Security of virtual OSs in the cloud
Possibility for massive outages
Encryption needs for cloud computing
  • Encrypting access to the cloud resource control interface
  • Encrypting administrative access to OS instances
  • Encrypting access to applications
  • Encrypting application data at rest
Public cloud vs. internal cloud security
Lack of public SaaS version control

Additional Issues

Issues with moving PII and sensitive data to the cloud
  • Privacy impact assessments
Using SLAs to obtain cloud security
  • Suggested requirements for cloud SLAs
  • Issues with cloud forensics
Contingency planning and disaster recovery for cloud implementations
Handling compliance
  • FISMA
  • HIPAA
  • SOX
  • PCI
  • SAS 70 Audits

The ‘Why’ and ‘How’ of Cloud Migration

There are many benefits that explain why to migrate to clouds
  • Cost savings, power savings, green savings, increased agility in software deployment
Cloud security issues may drive and define how we adopt and deploy cloud computing solutions

Balancing Threat Exposure and Cost Effectiveness

Private clouds may have less threat exposure than community clouds, which have less threat exposure than public clouds.
Massive public clouds may be more cost effective than large community clouds, which may be more cost effective than small private clouds.
Don’t strong security controls mean that I can adopt the most cost effective approach?

Cloud Migration and Cloud Security Architectures

Clouds typically have a single security architecture but have many customers with different demands
  • Clouds should attempt to provide configurable security mechanisms
Organizations have more control over the security architecture of private clouds, followed by community and then public
  • This doesn’t say anything about actual security
Higher sensitivity data is likely to be processed on clouds where organizations have control over the security model

Putting it Together

Most clouds will require very strong security controls
All models of cloud may be used for differing tradeoffs between threat exposure and efficiency
There is no one “cloud”. There are many models and architectures.
How does one choose?

Migration Paths for Cloud Adoption

Use public clouds
Develop private clouds
  • Build a private cloud
  • Procure an outsourced private cloud
  • Migrate data centers to be private clouds (fully virtualized)
Build or procure community clouds
  • Organization wide SaaS
  • PaaS and IaaS
  • Disaster recovery for private clouds
Use hybrid-cloud technology
  • Workload portability between clouds

What, When, How to Move to the Cloud

Identify the asset(s) for cloud deployment
  • Data
  • Applications/Functions/Process
Evaluate the asset
  • Determine how important the data or function is to the org

Evaluate the Asset

How would we be harmed if
  ◦ the asset became widely public & widely distributed?
  ◦ an employee of our cloud provider accessed the asset?
  ◦ the process or function were manipulated by an outsider?
  ◦ the process or function failed to provide expected results?
  ◦ the info/data was unexpectedly changed?
  ◦ the asset were unavailable for a period of time?

Map Asset to Models

4 Cloud Models
  • Public
  • Private, internal, on premise
  • Private, external
  • Community
    - Hybrid
Which cloud model addresses your security concerns?

Map Data Flow

Map the data flow between your organization, cloud service, customers, other nodes
Essential to understand whether & HOW data can move in/out of the cloud
  • Sketch it for each of the models
  • Know your risk tolerance!

Cloud Domains

Service contracts should address these 13 domains
Architectural Framework
Governance, Enterprise Risk Mgt
Legal, e-Discovery
Compliance & Audit
Information Lifecycle Mgt
Portability & Interoperability

Cloud Domains

Security, Business Continuity, Disaster Recovery
Data Center Operations
Incident Response Issues
Application Security
Encryption & Key Mgt
Identity & Access Mgt
Virtualization

Security Stack

IaaS: entire infrastructure from facilities to HW
PaaS: application, middleware, database, messaging supported by IaaS
SaaS: self-contained operating environment: content, presentation, apps, mgt

Security Stack Concerns

The lower down the stack the cloud vendor’s offering stops, the more security issues the consumer has to address or provide
Who do you trust?

Key Takeaways

SaaS
  • Service levels, security, governance, compliance, liability expectations of the service & provider are contractually defined
PaaS, IaaS
  • Customer sysadmins manage the same, with the provider handling platform and infrastructure security

Security Pitfalls

How cloud services are provided confused with where they are provided
Well demarcated network security border is not fixed
Cloud computing implies loss of control

Overall Security Concerns

Gracefully lose control while maintaining accountability even if operational responsibility falls upon 3rd parties
Provider, user security duties differ greatly between cloud models

Key Challenges

We aren’t moving to the cloud. We are reinventing within the cloud
Confluence of technology and economic innovation
  • Disrupting technology and business relationships
  • Pressure on traditional organizational boundaries
“Gold Rush” mentality, backing into a 20-year platform choice
Challenges traditional thinking
  • How do we build standards?
  • How do we create architectures?
  • What is the ecosystem required to manage, operate, assess and audit cloud systems?

Thinking about Threats

Technology
  • Unvetted innovations within the S-P-I stack
  • Well known cloud architectures
Business
  • How cloud dynamism is leveraged by customers/providers
  • E.g. provisioning, elasticity, load management
Old threats reinvented: “must defend against the accumulation of all vulnerabilities ever recorded”, Dan Geer-ism
Malware in the cloud, for the cloud
Lots of black box testing

Evolving Threats 1/2

Unprotected APIs / Insecure Service Oriented Architecture
Hypervisor Attacks
L1/L2 Attacks (Cache Scraping)
Trojaned AMI Images
VMDK / VHD Repurposing
Key Scraping
Infrastructure DDoS

Evolving Threats 2/2

Web application (mgt interface!)
  • XSRF
  • XSS
  • SQL Injection
Data leakage
Poor account provisioning
Cloud provider insider abuse
Financial DDoS
“Click Fraud”

Lots of Governance Issues

Cloud provider going out of business
Provider not achieving SLAs
Provider having poor business continuity planning
Data centers in countries with unfriendly laws
Proprietary lock-in with technology, data formats
Mistakes made by internal IT security – several orders of magnitude more serious

Governance

Identify, implement process, controls to maintain effective governance, risk mgt, compliance
Provider security governance should be assessed for sufficiency, maturity, consistency with user ITSEC process

3rd Party Governance

Request clear documents on how facility & services are assessed
Require definition of what provider considers critical services, info
Perform full contract, terms of use due diligence to determine roles, accountability

Governance & ERM

A portion of cloud cost savings must be invested into provider scrutiny
Third party transparency of cloud provider
Financial viability of cloud provider
Alignment of key performance indicators
Increased frequency of 3rd party risk assessments

Legal

Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets.
Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer.
Gain a clear expectation of the cloud provider’s response to legal requests for information.
Secondary uses of data
Cross-border data transfers

Electronic Discovery

Cloud computing challenges the presumption that organizations have control over the data they are legally responsible for.
Cloud providers must assure their information security systems are capable of preserving data as authentic and reliable: metadata, log files, etc.
Mutual understanding of roles and responsibilities: litigation hold, discovery searches, expert testimony, etc.

e-Discovery

Functional: which functions & services in the cloud have legal implications for both parties
Jurisdictional: which governments administer laws and regulations impacting services, stakeholders, data assets
Contractual: terms & conditions

e-Discovery

Both parties must understand each other’s roles
  - Litigation hold, discovery searches
  - Expert testimony
Provider must save primary and secondary (logs) data
Where is the data stored?
  • Laws for cross border data flows

e-Discovery

Plan for unexpected contract termination and orderly return or secure disposal of assets
You should ensure you retain ownership of your data in its original form

Security Audit

- Hard to maintain with your security/regulatory requirements, harder to demonstrate to auditors
- Right to Audit clause
- Analyze compliance scope
- Regulatory impact on data security
- Evidence requirements are met
- Does the provider have SAS 70 Type II, ISO 27001/2 audit statements?

Information Management

Data security (CIA)
Data location
  • All copies, backups stored only at locations allowed by contract, SLA and/or regulation
  • Compliant storage (EU mandate) for storing e-health records

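The data-location requirement above ("all copies, backups stored only at locations allowed by contract, SLA and/or regulation") is only verifiable if the provider's replica inventory is checked against the contractual allow-list. The following Go program is an added example written for this page, not code from the presentation or from PwC; the inventory, policy, region names and data-set names are constructed, and it treats a data set with no policy entry as a violation rather than assuming it may live anywhere.

```go
package main

import "fmt"

// Replica is one copy of a data set as the provider's inventory reports it.
// The inventory format is constructed for this example.
type Replica struct {
	DataSet string
	Kind    string // "primary", "backup" or "snapshot"
	Region  string
}

// Policy maps a data set to the regions the contract, SLA or regulation allows.
type Policy map[string][]string

// Violation records a copy that sits outside its allowed regions.
type Violation struct {
	Replica Replica
	Allowed []string // nil when the data set has no policy entry at all
}

// CheckResidency flags every copy, backup and snapshot whose region is not in
// the data set's allowed list. A data set with no policy entry is flagged too:
// silence in the contract is not permission to store it anywhere.
func CheckResidency(inventory []Replica, policy Policy) []Violation {
	var out []Violation
	for _, r := range inventory {
		allowed, known := policy[r.DataSet]
		if !known {
			out = append(out, Violation{Replica: r})
			continue
		}
		permitted := false
		for _, region := range allowed {
			if region == r.Region {
				permitted = true
				break
			}
		}
		if !permitted {
			out = append(out, Violation{Replica: r, Allowed: allowed})
		}
	}
	return out
}

// sampleInventory and samplePolicy are constructed values, not real data.
var sampleInventory = []Replica{
	{"ehr-records", "primary", "eu-west"},
	{"ehr-records", "backup", "eu-central"},
	{"ehr-records", "snapshot", "us-east"}, // copy outside the EU mandate
	{"marketing-site", "primary", "us-east"},
	{"hr-payroll", "backup", "ap-south"}, // no policy entry at all
}

var samplePolicy = Policy{
	"ehr-records":    {"eu-west", "eu-central"},
	"marketing-site": {"us-east", "us-west", "eu-west"},
}

func main() {
	for _, v := range CheckResidency(sampleInventory, samplePolicy) {
		r := v.Replica
		if v.Allowed == nil {
			fmt.Printf("%s %s in %s: no residency policy defined\n", r.DataSet, r.Kind, r.Region)
			continue
		}
		fmt.Printf("%s %s in %s: allowed only in %v\n", r.DataSet, r.Kind, r.Region, v.Allowed)
	}
}
```

Run against a real provider export, the same check belongs in the evidence pack for the audit: each violation names the copy, its location and the allowed locations, which is exactly what a "right to audit" review has to demonstrate.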
Information Lifecycle Management

Understand the logical segregation of information and protective controls implemented
Understand the privacy restrictions inherent in data entrusted to your company, how it impacts legality of using cloud provider.
Data retention assurance easy, data destruction may be very difficult.
Recovering true cost of a breach: penalties vs. risk transference

Portability, Interoperability

When you have to switch cloud providers
Contract price increase
Provider bankruptcy
Provider service shutdown
Decrease in service quality
Business dispute

Portability & Interoperability

Understand and implement layers of abstraction
For Software as a Service (SaaS), perform regular data extractions and backups to a usable format
For Infrastructure as a Service (IaaS), deploy applications in runtime in a way that is abstracted from the machine image.
For Platform as a Service (PaaS), careful application development techniques and thoughtful architecture should be followed to minimize potential lock-in for the customer: “loose coupling” using SOA principles
Understand who the competitors are to your cloud providers and what their capabilities are to assist in migration.
Advocate open standards.

Compliance & Audit

Classify data and systems to understand compliance requirements
Understand data locations, copies
Maintain a right to audit on demand
Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X

Traditional, BCM/DR

Greatest concern is insider threat
Cloud providers should adopt as a security baseline the most stringent requirements of any customer.
Compartmentalization of job duties and limit knowledge of customers.
Onsite inspections of cloud provider facilities whenever possible.
Inspect cloud provider disaster recovery and business continuity plans.
Identify physical interdependencies in provider infrastructure.

Security, Business Continuity, Disaster Recovery

Centralization of data = greater insider threat from within the provider
Require onsite inspections of provider facilities
  • Disaster recovery, business continuity, etc.
  • SAS 70 Type II, WebTrust, SysTrust

Data Center Operations

How does provider perform:
  • On-demand self service
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured service

Data Center Operations

Compartmentalization of systems, networks, management, provisioning and personnel.
Know cloud provider’s other clients to assess their impact on you
Understand how resource sharing occurs within your cloud provider to understand impact during your business fluctuations.
For IaaS and PaaS, the cloud provider’s patch management policies and procedures have significant impact
Cloud provider’s technology architecture may use new and unproven methods for failover. Customer’s own BCP plans should address impacts and limitations of cloud computing.
Test cloud provider’s customer service function regularly to determine their level of mastery in supporting the services.

Incident Response

- Cloud apps aren’t always designed with data integrity and security in mind
- Does provider keep app, firewall, IDS logs?
- Does provider deliver snapshots of your virtual environment?
- Sensitive data must be encrypted for data breach regulations

Incident Response

Any data classified as private for the purpose of data breach regulations should always be encrypted to reduce the consequences of a breach incident.
Cloud providers need application layer logging frameworks to provide granular narrowing of incidents to a specific customer.
Cloud providers should construct a registry of application owners by application interface (URL, SOA service, etc.).
Cloud providers and customers need defined collaboration for incident response.

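The two slides above ask the provider for application-layer logs that attribute every event to a tenant, and for a registry of application owners by interface, so that an incident can be narrowed to one customer and routed to the right owner. The Go program below is an added example written for this page, not code from the presentation or from any provider: the log line format (RFC3339 timestamp followed by key=value fields), the sample lines, the tenant names, the IP addresses and the owner registry are all constructed. It narrows a shared log to one tenant inside an incident window, counts failed logins per source, and looks up the owner for the affected interface; a line with no tenant attribution is treated as an error rather than dropped, since a gap in attribution is itself a finding.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// LogEvent is one application-layer record. The line format is constructed
// for this example: RFC3339 timestamp followed by key=value fields.
type LogEvent struct {
	Time   time.Time
	Tenant string
	SrcIP  string
	URL    string
	Result string
}

// sampleLog is a constructed multi-tenant application log (not real data).
const sampleLog = `2011-05-03T14:02:11Z tenant=acme ip=203.0.113.5 url=/api/v1/export result=200
2011-05-03T14:02:12Z tenant=globex ip=198.51.100.7 url=/login result=401
2011-05-03T14:02:13Z tenant=globex ip=198.51.100.7 url=/login result=401
2011-05-03T14:02:14Z tenant=globex ip=198.51.100.7 url=/login result=401
2011-05-03T14:02:15Z tenant=acme ip=203.0.113.5 url=/login result=200
2011-05-03T14:02:16Z tenant=globex ip=198.51.100.7 url=/login result=200
2011-05-03T14:02:17Z tenant=globex ip=198.51.100.9 url=/api/v1/export result=200
2011-05-03T15:30:00Z tenant=globex ip=198.51.100.7 url=/login result=401`

// ParseLine turns one log line into a LogEvent. Malformed or unattributed
// lines are reported, not silently skipped: missing evidence matters.
func ParseLine(line string) (LogEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return LogEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return LogEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := LogEvent{Time: ts}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return LogEvent{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch parts[0] {
		case "tenant":
			ev.Tenant = parts[1]
		case "ip":
			ev.SrcIP = parts[1]
		case "url":
			ev.URL = parts[1]
		case "result":
			ev.Result = parts[1]
		}
	}
	if ev.Tenant == "" {
		return LogEvent{}, fmt.Errorf("no tenant attribution in %q", line)
	}
	return ev, nil
}

// EventsForTenant narrows a shared log to one customer inside the incident
// window [from, to).
func EventsForTenant(log, tenant string, from, to time.Time) ([]LogEvent, error) {
	var out []LogEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if ev.Tenant == tenant && !ev.Time.Before(from) && ev.Time.Before(to) {
			out = append(out, ev)
		}
	}
	return out, nil
}

// FailedLoginsBySource counts HTTP 401 responses on /login per source address.
func FailedLoginsBySource(events []LogEvent) map[string]int {
	counts := map[string]int{}
	for _, ev := range events {
		if ev.URL == "/login" && ev.Result == "401" {
			counts[ev.SrcIP]++
		}
	}
	return counts
}

// ownerRegistry is a constructed registry of application owners keyed by
// interface prefix, the kind of registry the slide asks providers to keep.
var ownerRegistry = map[string]string{
	"/api/v1/": "integration-platform-team",
	"/login":   "identity-team",
}

// OwnerForInterface returns the owner with the longest matching URL prefix.
func OwnerForInterface(url string) string {
	owner, best := "unassigned", -1
	for prefix, o := range ownerRegistry {
		if strings.HasPrefix(url, prefix) && len(prefix) > best {
			owner, best = o, len(prefix)
		}
	}
	return owner
}

func main() {
	from, _ := time.Parse(time.RFC3339, "2011-05-03T14:00:00Z")
	to, _ := time.Parse(time.RFC3339, "2011-05-03T14:05:00Z")
	events, err := EventsForTenant(sampleLog, "globex", from, to)
	if err != nil {
		fmt.Println("cannot narrow incident:", err)
		return
	}
	fmt.Printf("%d events for tenant globex in window\n", len(events))
	for ip, n := range FailedLoginsBySource(events) {
		fmt.Printf("%s: %d failed logins on /login, owner %s\n", ip, n, OwnerForInterface("/login"))
	}
}
```

With the constructed log, the window contains five globex events, three of them failed logins from one source; the 15:30 event is outside the window and is left out, which is the behaviour a customer needs when the provider hands over a narrowed extract rather than the whole shared log.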
Application Security

Different trust boundaries for IaaS, PaaS, SaaS
What is the provider’s web application security?
Secure inter-host communication channel

Application Security

Importance of secure software development lifecycle magnified
IaaS, PaaS and SaaS create differing trust boundaries for the software development lifecycle, which must be accounted for during the development, testing and production deployment of applications.
For IaaS, need trusted virtual machine images.
Apply best practices available to harden DMZ host systems to virtual machines.
Securing inter-host communications must be the rule; there can be no assumption of a secure channel between hosts
Understand how malicious actors are likely to adapt their attack techniques to cloud platforms

Storage

Understand the storage architecture and abstraction layers to verify that the storage subsystem does not span domain trust boundaries.
Ascertain if knowing storage geographical location is possible.
Understand the cloud provider’s data search capabilities.
Understand cloud provider storage retirement processes.
Understand circumstances under which storage can be seized by a third party or government entity.
Understand how encryption is managed on multi-tenant storage.
Can the cloud provider support long term archiving; will the data be available several years later?

Encryption

From a risk management perspective, unencrypted data existent in the cloud may be considered “lost” by the customer.
Application providers who are not controlling backend systems should assure that data is encrypted when being stored on the backend.
Use encryption to separate data holding from data usage.
Segregate the key management from the cloud provider hosting the data, creating a chain of separation.
When stipulating standard encryption in contract language

Encryption, Key Management

Encrypt data in transit, at rest, backup media
Secure key store
  • Protect encryption keys
  • Ensure encryption is based on industry/government standards.
    - NO proprietary standard
  • Limit access to key stores
  • Key backup & recoverability
    - Test these procedures

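The "chain of separation" the Encryption slide describes (key management segregated from the provider hosting the data) is usually realised with envelope encryption: each object gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) held by a party other than the storage provider, and the provider stores only ciphertext plus the wrapped DEK. The Go program below is an added example written for this page, not code from the presentation or from PwC. It uses the standard library's AES-256-GCM, a standards-based algorithm as the key-management slide requires; the KeyCustodian type, its method names and the object identifiers are hypothetical, and in practice the KEK would live in an HSM or key-management service under the customer's control rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// KeyCustodian (hypothetical) is the party holding the key-encryption key
// separately from the storage provider. It only wraps and unwraps per-object
// data-encryption keys; it never sees customer plaintext.
type KeyCustodian struct {
	kek []byte // 32-byte AES-256 key; in practice held in an HSM or KMS
}

// StoredObject is everything the storage provider holds. Without the
// custodian's KEK it cannot be decrypted.
type StoredObject struct {
	Ciphertext, Nonce, WrappedDEK, WrapNonce []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// NewKeyCustodian generates a fresh KEK.
func NewKeyCustodian() (*KeyCustodian, error) {
	kek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	return &KeyCustodian{kek: kek}, nil
}

// Wrap encrypts a DEK under the KEK, binding the object ID as associated data
// so a wrapped key cannot be transplanted onto a different object.
func (c *KeyCustodian) Wrap(dek []byte, objectID string) (wrapped, nonce []byte, err error) {
	aead, err := newGCM(c.kek)
	if err != nil {
		return nil, nil, err
	}
	if nonce, err = randomBytes(aead.NonceSize()); err != nil {
		return nil, nil, err
	}
	return aead.Seal(nil, nonce, dek, []byte(objectID)), nonce, nil
}

// Unwrap recovers a DEK; it fails if the KEK, nonce or object ID differ.
func (c *KeyCustodian) Unwrap(wrapped, nonce []byte, objectID string) ([]byte, error) {
	aead, err := newGCM(c.kek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, wrapped, []byte(objectID))
}

// Encrypt runs on the customer side before the object goes to storage: a fresh
// DEK per object, the DEK then wrapped by the custodian.
func Encrypt(c *KeyCustodian, objectID string, plaintext []byte) (*StoredObject, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped, wrapNonce, err := c.Wrap(dek, objectID)
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(objectID))
	return &StoredObject{Ciphertext: ct, Nonce: nonce, WrappedDEK: wrapped, WrapNonce: wrapNonce}, nil
}

// Decrypt needs both halves of the chain of separation: the stored object from
// the provider and the unwrap operation from the custodian.
func Decrypt(c *KeyCustodian, objectID string, obj *StoredObject) ([]byte, error) {
	dek, err := c.Unwrap(obj.WrappedDEK, obj.WrapNonce, objectID)
	if err != nil {
		return nil, fmt.Errorf("custodian refused to unwrap DEK: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectID))
}

func main() {
	custodian, _ := NewKeyCustodian()
	const id = "records/constructed-0001" // constructed object identifier
	obj, _ := Encrypt(custodian, id, []byte("constructed sample record"))
	pt, err := Decrypt(custodian, id, obj)
	fmt.Printf("with KEK: %q, err=%v\n", pt, err)
	other, _ := NewKeyCustodian() // a party holding the object but a different KEK
	_, err = Decrypt(other, id, obj)
	fmt.Println("without KEK:", err)
}
```

Two design choices carry the slide's points: the object ID is authenticated as associated data in both layers, so a wrapped DEK copied from one object onto another is rejected, and the provider-side record never contains a key that is usable without the custodian. Key backup and recoverability then reduce to backing up the KEK, which is the procedure the slide says must be tested.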
Identity & Access Management

Must have a robust federated identity management architecture and strategy internal to the organization.
Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
Validate that the cloud provider either supports strong authentication natively or via delegation, and supports robust password policies that meet and exceed internal policies.
Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.
Consider implementing Single Sign-on (SSO) for internal applications, and leveraging this architecture for cloud applications.
Using cloud-based “Identity as a Service” providers may be a useful tool for abstracting and managing complexities such as differing versions of SAML, etc.

Identity and Access Management

Determine how provider handles:
  • Provisioning, de-provisioning
  • Authentication
  • Federation
  • Authorization, user profile mgt

Virtualization

Virtualized operating systems should be augmented by third party security technology.
The simplicity of invoking new machine instances from a VM platform creates a risk that insecure machine images can be created. Secure by default configuration needs to be assured by following or exceeding available industry baselines.
Virtualization also contains many security advantages such as creating isolated environments and better defined memory space, which can minimize application instability and simplify recovery.
Need granular monitoring of traffic crossing VM backplanes
Provisioning, administrative access and control of virtualized operating systems is crucial

Virtualization

What type of virtualization is used by the provider?
What 3rd party security technology augments the virtual OS?
Which controls protect admin interfaces exposed to users?

Summary

There are many security implications to consider when utilizing a cloud environment.
Keeping your mind open and understanding the issues is essential to protecting your data in the Cloud.

Section 2

Planning your Cloud Computing Audit

Planning Your Audit

• Defining your audit objectives
• Boundaries of review (e.g., cloud environment in use or under consideration, types of cloud services, technical boundaries)
• Identify and document business risk associated with the cloud solution
• Identification of audit resource requirements
    • Requisite knowledge in information governance, IT management, network, data, contingency and encryption controls
    • Proficient in risk assessment, information security components of IT architecture, threats & vulnerabilities and internet-based data processing
    • Knowledge of web services standards such as OASIS and WSS
• Define deliverables and communication (e.g., communication to various stakeholders, nature of deliverables, timing, etc.)

PwC’s Cloud Assurance Framework

[Figure: wheel diagram of PwC’s Cloud Assurance Framework; only its labels survive extraction. Outer segments: Data Governance; Right to Audit & Third Party Reviews; Legal Compliance & e-Discovery; Contract Terms & Escrow; Cloud Provider Management; Cloud Architecture; Cloud Governance; Enterprise Risk Management; Information Risk Management; Information Security Collaboration; Metrics & SLA; Functional Implications; Cloud Strategy & Business Case; Compliance (FISMA, SOX, GLBA, ISO, PCI); Provider Continuity; Portability and Interoperability. Inner rings: SLA Management, Interface Management, License Management, Incident Management, Change Management, Capacity Planning, Metering, Dashboard & Reporting, Monitoring; deployment models Public, Private, Hybrid, Community; service models IaaS, PaaS, SaaS, BPaaS; centre: Technology, Process, People. Remaining ring labels are not recoverable.]

Assessing Technical Architecture

[Figure: technical architecture map, each element assessed across People (P), Process Flow (F) and Technology (T), for Public, Private, Hybrid and Community deployments of SaaS, PaaS, IaaS and BPaaS.
 Service Delivery: Application Security; Data Security & Integrity; Identity & Access Management; Virtualization; Provisioning.
 Infrastructure Management: Configuration Management; Asset Management; Virtualization; Anti Virus; Patch Management; Release Management.
 Infrastructure: Servers, Storage, Network; Power/Cooling.]
#1 – ‘Shadow Cloud’ Practices Will Surface

 Audit Focus Areas

[Figure: audit focus areas around the cloud model (Technology, Process, People; Public, Private, Hybrid and Community deployments of SaaS, PaaS, IaaS and BPaaS): Data Governance; Right to Audit & Third Party Reviews; Portability and Interoperability; Legal Compliance & e-Discovery; SLA Management; Interface Management; Provider Continuity; Contract Terms & Escrow; License Management; Incident Management; Compliance (FISMA, SOX, GLBA, ISO, PCI); Cloud Provider Management; Dashboard & Reporting; Usage Metering; Cloud Strategy & Business Case; Enterprise Risk Management; Change Management; Capacity Planning; Information Risk Management; Functional Implications; Information Security Collaboration; Metrics & SLA.]
#1 – ‘Shadow Cloud’ Practices Will Surface

 Risk Area: Governance over Cloud Adoption

 Scenario
 Unauthorized use of Public Cloud Services is a common problem. Client X was using over 25 different CSPs spanning across their ERP, HR, Fixed Assets, CRM, Support, Collaboration, Ticketing System, etc. The majority of these cloud services were procured with the knowledge and approval of IT / Procurement, bypassing procedures put in place by our client to manage and maintain security and data protection.

 Audit Considerations
 1.   Functional Implications
      •    Has the company established a companywide documented policy for appropriate use of Cloud Computing Services?
      •    Has an information management liaison been established to manage an inventory of CSPs and to evaluate on/off boarding policies, including backout policy considerations?

 2.   Information Security Collaboration
      •    Has an education and awareness program been established to communicate the risks associated with unauthorized use of Public Cloud Services?
      •    Has IT performed an assessment on security interfaces?
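As an added example (not part of the original slides), the script below supports the CSP-inventory question: it reads web proxy log lines, matches the hosts against a catalog of known cloud services and reports those missing from the approved inventory. The catalog, the approved list, the log format and every domain are constructed assumptions.

```python
"""Shadow-cloud discovery from web proxy logs.

Added example, not from the original slides. The CSP catalog, the approved
inventory and the proxy log lines are all constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalog of cloud services the organisation knows about,
# keyed by the registrable domain seen in proxy logs.
CSP_CATALOG = {
    "erp-vendor.example": "ERP",
    "hr-vendor.example": "HR",
    "crm-vendor.example": "CRM",
    "tickets-vendor.example": "Ticketing",
    "share-vendor.example": "Collaboration",
}

# Constructed inventory of the CSPs that went through IT / Procurement.
APPROVED_CSPS = {"erp-vendor.example", "hr-vendor.example"}

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <bytes>".
SAMPLE_PROXY_LOG = """\
2012-05-01T09:01:12Z alice GET https://app.erp-vendor.example/ledger 5120
2012-05-01T09:02:40Z bob POST https://share-vendor.example/upload 2048000
2012-05-01T09:03:05Z carol GET https://www.crm-vendor.example/accounts 8192
2012-05-01T09:04:55Z bob GET https://share-vendor.example/files 4096
2012-05-01T09:05:10Z dave GET https://news.example.org/ 1024
2012-05-01T09:06:00Z erin POST https://tickets-vendor.example/new 3072
"""


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels. Good enough for the
    constructed catalog; a real deployment should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_proxy_line(line: str):
    """Split one constructed log line into (user, registrable domain, bytes)."""
    _ts, user, _method, url, nbytes = line.split()
    host = urlsplit(url).hostname or ""
    return user, registrable_domain(host), int(nbytes)


def find_shadow_cloud(log_text: str, catalog=CSP_CATALOG, approved=APPROVED_CSPS):
    """Return {domain: {"category", "users", "bytes"}} for catalogued cloud
    services that appear in the log but are absent from the approved inventory."""
    usage = defaultdict(lambda: {"category": "", "users": set(), "bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, domain, nbytes = parse_proxy_line(line)
        if domain not in catalog or domain in approved:
            continue  # not a known CSP, or already sanctioned
        entry = usage[domain]
        entry["category"] = catalog[domain]
        entry["users"].add(user)
        entry["bytes"] += nbytes
    # Freeze the user sets so the result is easy to report and compare.
    return {
        d: {"category": e["category"], "users": sorted(e["users"]), "bytes": e["bytes"]}
        for d, e in usage.items()
    }


if __name__ == "__main__":
    for domain, e in sorted(find_shadow_cloud(SAMPLE_PROXY_LOG).items()):
        print(f"{domain:26} {e['category']:14} users={len(e['users'])} bytes={e['bytes']}")
```

The report feeds the inventory the liaison is expected to maintain; a service that shows up here is either missing from the inventory or was never onboarded.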
#2 – Don’t just sign on the dotted line

 Risk Area: Cloud Provider Contract (Terms/Conditions)

 Scenario
 Contracts with Cloud Providers often lack key security requirements important to the organization (e.g. security breach, location of data, service termination). This is most prevalent when business users procure services outside of the normal channels in order to get the service up and running quickly.

 Audit Considerations
 1.   Have all Cloud Services undergone a formal risk assessment as a preliminary step to contract negotiation?

 2.   Have the following been considered as part of contract negotiations: Confidentiality, Limitation of Liability, Indemnification, Service Termination, Service Level Agreements and Non-Performance Clauses, Software Escrow, Security Incident Procedures, Ownership Changes, Privacy, Jurisdiction, Notification, and Modifications?

 3.   Is there a process in place to periodically review the commitment of the Cloud Provider throughout the course of the contract?
#3 – You will need to retain Ownership for Access Roles and Permissions

 Audit Focus Areas

[Figure: technical architecture map. Service Delivery: Application Security; Data Security & Integrity; Identity & Access Management; Virtualization; Provisioning. Infrastructure Management: Configuration Management; Asset Management; Virtualization; Anti Virus; Patch Management; Release Management. Infrastructure: Servers, Storage, Network; Power/Cooling.]
#3 – You will retain ownership for Roles and Permissions

 Risk Area: Identity and Access Management

 Scenario
 Access control mechanisms for Cloud Providers are typically separate from internal processes and fall outside approved and documented methods to manage access.

 Client X utilized a CSP to perform, and allowed contractors to perform, some day-to-day finance functions. As part of their access, the contractors were also able to see quarter-end and year-end information which should have been restricted.

 Audit Considerations
 1.   Provisioning
      •    Do the current access controls of the Cloud service provider meet existing company requirements for roles and permissions?

 2.   Identity and Access Management
      •    Has the company determined whether the company’s Access Control Procedures require modification to meet the needs of extending to a Cloud Provider, e.g. IAM Federation?
      •    How have we evaluated the complexities of auditing APIs, Hypervisors and Virtualized environments?
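As an added example (not part of the original slides), the check below reconciles a CSP's access export against the company's own approved role matrix and flags contractors holding permissions that expose period-end information, the gap in the Client X scenario. The role matrix, the restricted permission names, the export format and the users are constructed assumptions.

```python
"""Reconciling CSP role assignments against the company's approved role matrix.

Added example, not from the original slides. The role matrix, the restricted
permission list and the CSP access export are constructed for illustration.
"""
import csv
import io

# Constructed internal role matrix: what each role is approved to hold.
APPROVED_ROLE_MATRIX = {
    "ap_clerk": {"invoice.read", "invoice.create"},
    "finance_controller": {"invoice.read", "invoice.create",
                           "period_close.read", "period_close.approve"},
}

# Constructed permissions that expose quarter-end / year-end information;
# the company restricts these to employees only.
RESTRICTED_PERMISSIONS = {"period_close.read", "period_close.approve"}

# Constructed access export, shaped like a CSP admin console download.
CSP_ACCESS_EXPORT = """\
user,employment,role,permissions
jsmith,employee,finance_controller,invoice.read;invoice.create;period_close.read;period_close.approve
kcontract,contractor,ap_clerk,invoice.read;invoice.create;period_close.read
mcontract,contractor,ap_clerk,invoice.read;invoice.create
tvendor,contractor,support_admin,ticket.read
"""


def parse_access_export(text: str):
    """Yield (user, employment, role, set_of_permissions) per export row."""
    for row in csv.DictReader(io.StringIO(text)):
        perms = {p for p in row["permissions"].split(";") if p}
        yield row["user"], row["employment"], row["role"], perms


def find_access_exceptions(export_text: str, matrix=APPROVED_ROLE_MATRIX,
                           restricted=RESTRICTED_PERMISSIONS):
    """Return one finding per user whose CSP grants exceed the approved matrix
    for their role, who holds a role the matrix does not know, or who holds
    restricted (period-end) permissions while being a contractor."""
    findings = []
    for user, employment, role, perms in parse_access_export(export_text):
        approved = matrix.get(role)
        if approved is None:
            # A role provisioned in the CSP that the company never approved.
            findings.append({"user": user, "issue": "unknown role", "role": role,
                             "excess": sorted(perms), "restricted": []})
            continue
        excess = perms - approved
        restricted_hits = (perms & restricted) if employment == "contractor" else set()
        if excess or restricted_hits:
            findings.append({"user": user, "issue": "excess access", "role": role,
                             "excess": sorted(excess),
                             "restricted": sorted(restricted_hits)})
    return findings


if __name__ == "__main__":
    for finding in find_access_exceptions(CSP_ACCESS_EXPORT):
        print(finding)
```

Run against a periodic export, the findings list is the evidence an auditor would ask for under the Provisioning question: CSP-side grants that drifted from the company's documented roles.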
#4 - Moving to the Cloud Doesn’t Mean Farming Out Your IT Management Responsibilities

 Audit Focus Areas

[Figure: technical architecture map. Service Delivery: Application Security; Data Security & Integrity; Identity & Access Management; Virtualization; Provisioning. Infrastructure Management: Configuration Management; Asset Management; Virtualization; Anti Virus; Patch Management; Release Management. Infrastructure: Servers, Storage, Network; Power/Cooling.]
#4 - Moving to the Cloud Doesn’t Mean Farming Out Your IT Management Responsibilities

 Risk Area: Cloud Release and Configuration Management

 Scenario
 Client X adopted a cloud based ERP solution. Change management processes had not been established for changes made to scripts and the 30 customizations they had made to their ERP. In addition, a staging environment containing a mirror of production data was not available to conduct sufficient testing.

 Audit Considerations
 1.   Configuration management
      •    Has a change management log been established that requires change board approvals?

 2.   Release management
      •    Have policies for release management been adequately established for the cloud-based ERP solution? Does a change board exist?
      •    Has a QA environment that contains sufficient data to conduct scenario testing been procured?

 3.   SOC Report
      •    Have all user control considerations from the SOC report been fully considered?
#5 – No One Will Care More About Your Data Than You

 Audit Focus Areas

[Figure: audit focus areas around the cloud model (Technology, Process, People; Public, Private, Hybrid and Community deployments of SaaS, PaaS, IaaS and BPaaS): Data Governance; Right to Audit & Third Party Reviews; Portability and Interoperability; Legal Compliance & e-Discovery; SLA Management; Interface Management; Provider Continuity; Contract Terms & Escrow; License Management; Incident Management; Compliance (FISMA, SOX, GLBA, ISO, PCI); Cloud Provider Management; Dashboard & Reporting; Usage Metering; Cloud Strategy & Business Case; Enterprise Risk Management; Change Management; Capacity Planning; Information Risk Management; Functional Implications; Information Security Collaboration; Metrics & SLA.]
#5 – No One Will Care More About Your Data Than You

 Risk Area: Data Protection and Rights to Audit

 Scenario
 Data/information to be stored in the Cloud should adhere to the guidance provided for information/data protection, including the risk of data being targeted by an Advanced Persistent Threat.

 Client X’s legal department had moved case management to a CSP. The data is stored in a multi-tenancy environment. When internal audit requested assurance over controls, the SAS 70 report for the data center where the application is hosted was provided.

 Audit Considerations
 1.   Data Protection Security
      •    Has a Data Classification scheme been applied to the data/information considered for a Cloud Solution? Has the company evaluated the need for a Digital Rights Management (DRM) or Data Loss Prevention (DLP) solution?

 2.   Have the contracts been reviewed by legal (rights & obligations), internal audit (rights to audit) and IT (service level agreements)?
#6 - Bad Processes Will Not Become Good Processes By Just Moving To The Cloud

 Risk Area: Portability and Interoperability and Data Integrity

 Scenario
 Client X moved to a SaaS CRM solution 2 years ago as the company was growing significantly and it realized it was difficult to manage its customer data.

 Today, the company realizes that retrieval of customer data is a significantly manual process, done through compilation of spreadsheets, given the complexity of the customer hierarchy and the lack of integration with its ERP.

 Audit Considerations
 1.   Have we considered all our reporting requirements in the context of the company prior to moving to a CSP? What about the data architecture? Data governance and the customer data dictionary?

 2.   Have integration and interfaces with existing systems been fully considered?
#7 – It's like your phone bill. If you don't review your minutes, be prepared to pay the price

 Risk Area: Metering and Bursting Revenue

 Scenario

 Invoices provided by the Cloud Provider for bursting revenue are in excess of what is truly consumed by the company. In addition, there is no process to monitor the monthly consumption of data, which is needed to determine whether a move to a higher subscription package is required.

 Audit Considerations

 1. Are there processes in place to monitor data usage and any bursting charges incurred?
 2. Has the company evaluated which subscription package is appropriate, based on total company consumption of bandwidth?
 3. Have we considered requesting an independent assessment of the usage data provided by the cloud provider, or of its internal controls?

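The monitoring process that audit consideration 1 asks for can be a simple reconciliation of the provider's invoice against the company's own metering. The following is an added example, not code from the PwC deck: it assumes a constructed three-tier tariff (monthly fee, included allowance, burst rate per GB), constructed internal metering records and constructed invoice lines, and the field names are assumptions rather than any provider's real billing format. It flags months where the billed burst volume exceeds what the metered usage supports, and (for audit consideration 2) computes which package would have been cheapest over the period.

```python
"""Reconcile a cloud provider's bursting invoice against internally metered
consumption and check whether the current subscription package still fits.
All tariffs, metering records and invoice lines below are constructed for
this example; field names and prices are assumptions, not a real format."""

# Assumed tariff: each package has a monthly fee, an included allowance (GB)
# and a burst rate (USD per GB) for usage above the allowance.
PACKAGES = {
    "basic":    {"fee": 500.0,  "included_gb": 1000.0, "burst_per_gb": 0.90},
    "standard": {"fee": 1200.0, "included_gb": 3000.0, "burst_per_gb": 0.60},
    "premium":  {"fee": 2500.0, "included_gb": 8000.0, "burst_per_gb": 0.40},
}

# Constructed internal metering log: (month, total GB recorded by the
# company's own transfer counters).
METERED = [
    ("2011-06", 1450.0),
    ("2011-07", 1820.0),
    ("2011-08", 2210.0),
]

# Constructed provider invoice lines: (month, GB billed as burst, USD charged).
# July bills 280 GB more burst than the metered usage can account for.
INVOICED_BURST = [
    ("2011-06", 450.0, 405.0),
    ("2011-07", 1100.0, 990.0),
    ("2011-08", 1210.0, 1089.0),
]


def expected_burst(metered_gb, package):
    """Burst volume and burst charge the contract implies for metered usage."""
    p = PACKAGES[package]
    burst_gb = max(0.0, metered_gb - p["included_gb"])
    return burst_gb, round(burst_gb * p["burst_per_gb"], 2)


def reconcile(metered, invoiced, package, tolerance_gb=5.0):
    """Return one finding per month where billed burst exceeds metered burst
    by more than tolerance_gb (small metering drift is ignored)."""
    metered_by_month = dict(metered)
    findings = []
    for month, billed_gb, amount in invoiced:
        exp_gb, exp_amt = expected_burst(metered_by_month.get(month, 0.0), package)
        if billed_gb - exp_gb > tolerance_gb:
            findings.append({
                "month": month,
                "billed_gb": billed_gb,
                "expected_gb": exp_gb,
                "overbilled_usd": round(amount - exp_amt, 2),
            })
    return findings


def cheapest_package(metered):
    """Total cost of each package over the metered months, and the cheapest."""
    totals = {}
    for name, p in PACKAGES.items():
        total = 0.0
        for _, gb in metered:
            burst_gb = max(0.0, gb - p["included_gb"])
            total += p["fee"] + burst_gb * p["burst_per_gb"]
        totals[name] = round(total, 2)
    return min(totals, key=totals.get), totals


if __name__ == "__main__":
    for f in reconcile(METERED, INVOICED_BURST, "basic"):
        print("Over-billed burst in %(month)s: billed %(billed_gb).0f GB, "
              "metering supports %(expected_gb).0f GB, "
              "excess charge USD %(overbilled_usd).2f" % f)
    best, totals = cheapest_package(METERED)
    print("Package costs over period:", totals, "-> cheapest:", best)
```

Run monthly against the invoice export and the company's own metering; a finding is the evidence to take back to the provider, and the package comparison shows whether the burst charges themselves signal that the subscription is too small (here the "standard" package would have cost less than "basic" plus bursting).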
#8 – Everybody wants to be in the cloud. It's not that simple…

 Risk Area: Project Risk and Third Party Management – CSP

 Scenario

 Client X had just completed building a successful SaaS based solution for its products. To meet the increased transaction volume from this move, they decided to develop a private IaaS solution.

 They engaged the CSP to help implement the solution and, after 6 months, found that while technically strong, the CSP did not have the right process knowledge, change management expertise or sufficient understanding of the client's business.

 Audit Considerations

 1. What evaluation was undertaken to determine fit, in terms of experience and skill set, when selecting a system integrator for a Cloud based solution? (e.g. integrations? data cleansing?)

Summary - Plan for Success




      Engage in the strategy for moving to the cloud
      Understand your company’s rationale for adopting cloud
      Review impacted business activities in ‘as is’ and ‘to be’ state
      Assess capabilities of existing personnel to manage transition and to perform
         roles in new state
      Treat the move as a “process” not a project
      Assess risk and build a plan to manage accordingly
Closing Comments – Cloud Reporting: What exists today

Cloud customers gather information through inefficient activities, often led by vendor management or procurement functions:

         • Provider self-assessments, typically focused on security policies
         • Responses to customer-prepared questionnaires
         • Service level agreements (SLAs) describing the provider's obligations
         • Third-party SAS 70 (now SSAE 16) reports
         • Other certifications – PCI, ISO 27001, HIPAA, FISMA, etc.

These sources do not comprehensively address the service offering and the relevant compliance requirements from the perspective of the customer's needs or expectations, and they are not focused on the cloud provider's unique service offering.

Closing Comments – Cloud Reporting: Looking forward

No globally recognized framework exists, and none may for the foreseeable future.

The report types compared below are the AICPA Service Organization reports (SOC 1 / SSAE 16, which replaced SAS 70 in June 2011; SOC 2; SOC 3) and a Custom Attest engagement.

AICPA suggested scope
  • SOC 1 / SSAE 16: Controls over financial reporting. Used in conjunction with an audit of users' financial statements.
  • SOC 2 and SOC 3: Controls relevant to compliance or operations, which could include security, availability and processing integrity, confidentiality, privacy, and data integrity and ownership. Use of the AICPA Trust Principles is required.
  • Custom Attest: Management defined. Can include controls relevant and unique to operations, billing, technology security, privacy and beyond.

Intended audience
  • SOC 1 and SOC 2: Restricted use.
  • SOC 3: General use (with public seal).
  • Custom Attest: Generally restricted use, but may be unrestricted.

Content of report
  • SOC 1 and SOC 2: Management's assertion; management's description of the service organization's system; description of controls; PwC opinion on control effectiveness. Report may be Type 1 (design only) or Type 2 (design and operating effectiveness).
  • SOC 3: Management assertion; unaudited system description; PwC opinion on control effectiveness.
  • Custom Attest: Management assertion; PwC opinion on control effectiveness.

AICPA attestation standard
  • SOC 1: SSAE 16.
  • SOC 2, SOC 3 and Custom Attest: AT 101, Attest Engagements.

Stay Engaged as the Cloud Evolves


 • Cloud computing is fundamentally
   changing business across all industries
   and markets


 • Keeping pace with the change and
   adapting as it evolves is key for all cloud
   adopters, including IT compliance and
   audit professionals



 More resources
 http://www.pwc.com/us/en/issues/cloud-computing/publications.jhtml
 http://www.pwc.com/us/en/10minutes/cloud-computing.jhtml
Dr. Yonesy F. Nuñez
Manager

Contact Details:
Phone: 646-471-6531
E-Mail: yonesy.f.nunez@us.pwc.com

Background:
Yonesy is a Manager in the New York Metro IT Risk and Security Assurance Practice and has 14 years of experience delivering Information Security services. Yonesy has led efforts to create and institute comprehensive information security programs for a variety of industries. He works with various clients to balance security, risk, IT operations, threat-vector landscape, and business objectives to enable efficient business decisions in preparation for and during severe crisis events. He has managed and successfully supported internal audit engagements as they relate to application security, outsourced development, network security, threat and vulnerability assessment, attack and penetration, business impact analyses, incident management, multi-tenancy cloud environment reviews, business continuance and disaster recovery plans, Data Loss Prevention, and IT Risk assessments. He is a nationally respected Speaker and Instructor for Information Security Strategy, Industry Regulations and Compliance, Cloud Computing, Data Encryption, Virtual Computing, and IT Audit. He holds numerous information security, risk, and governance certifications. He has a B.S. in Finance and Computer Information Systems from Manhattan College, an M.S. in Information Systems Engineering from The Polytechnic Institute of NYU, and a Doctorate in Computing, Information Assurance and Security from Pace University.

Areas of Expertise
• Security Governance, Strategy and Compliance
• Data Privacy and Protection
• Security Frameworks and Regulatory Compliance
• Security Risk Assessments
• Payment Card Industry (PCI) Strategy and Compliance Readiness
• Secure Network Architecture and Design
• Security Information and Event Management Systems
• Emerging Technologies (e.g. Mobile Devices, Cloud Computing)

Relevant Projects and Experience:
• Led global efforts in IT Governance, Security and Compliance including:
      - Global Data Privacy / Information Security Strategy
      - Global SOX ITGC Testing
      - Organizational Strategy
      - ISO 27001:4 Control Framework
      - Technical Remediation
      - Application security development / secure coding
      - Japan PPI, European Data Directives, Safe Harbor, ITAR
• IT Audit
• External Audit Support
• Security Framework Development
• Threat and vulnerability / Attack and Penetration / Application Security
• Disaster Recovery / Data Center Reviews
• Business Continuity Management
• TPA: Cloud Computing
• FISMA
• Virtualized Environments
• Outsourcing Application Development Security
• Internet Vulnerability and Attack & Penetration Assessment

Current Certifications
• CGEIT - Certified in the Governance of Enterprise IT
• CRISC - Certified in Risk and Information Systems Control
• CISM - Certified Information Security Manager
• CISSP - Certified Information Systems Security Professional
• ISSAP - Information Systems Security Architecture Professional
• ISSMP - Information Systems Security Management Professional
• ISSPCS - International Systems Security Professional Certification Scheme
• MCSE:2003 - Microsoft Certified Systems Engineer
• MCSA:2003 - Microsoft Certified Systems Administrator
• Security+ Subject Matter Expert
• Member of ISSA, ISACA, Infragard, and ALPFA