Transcript

RISK MANAGEMENT AND CLOUD SECURITY
Rodney A. Walsh, CGEIT, CRISC // Director of IT Risk Services
Paco Diaz // Senior Consultant II

CACUBO, Central Association of College & University Business Officers
Kansas City Winter Workshop
April 8, 2014

Risk Management & Cloud Security, February 19, 2014

Agenda

Define the cloud ecosystem
Business use of cloud services
Cloud service risks
Governance of the cloud: critical policies, procedures & controls
Third-party management considerations for the cloud

DEFINE THE CLOUD ECOSYSTEM

Define the Cloud Ecosystem

Cloud Computing: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Source: NIST Special Publication 800-145, The NIST Definition of Cloud Computing (http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf)

Define the Cloud Ecosystem

Essential Characteristics
On-demand self-service
Broad network access
Resource pooling
Rapid elasticity
Measured service

Define the Cloud Ecosystem

Service Models
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)

Define the Cloud Ecosystem

(Slide figure: the SaaS, PaaS and IaaS layers with example offerings at each layer, including Apps for Business and Adobe Creative Cloud.)

Define the Cloud Ecosystem

Deployment Models
Private cloud
Community cloud
Public cloud
Hybrid cloud

Define the Cloud Ecosystem

Private Cloud
Provisioned for a single organization
May exist on or off site
May be managed by the organization or outsourced

Define the Cloud Ecosystem

Community Cloud
Provisioned for exclusive use by a specific community of organizations
May be managed by one or more of the community organizations or outsourced

Define the Cloud Ecosystem

Public Cloud
Provisioned for use by the general public
Exists on the premises of the cloud provider
May be owned, managed & operated by a business, academic or government organization, or a combination

Define the Cloud Ecosystem

Hybrid Cloud
Combination of two or more distinct cloud infrastructures
Combines characteristics of private, public & community clouds

Just Imagine

2011 Digital Universe Study: Extracting Value from Chaos

It would take over 132 billion 64GB iPads to hold all of the world's electronic data by 2015.

Placed end-to-end, that many 64GB iPads would go around the world over 790 times.

Two stacks of that many 64GB iPads would reach the moon, with a third stack 129,606 miles high.

That many 64GB iPads would cost $92.76 trillion.

BUSINESS USE OF CLOUD SERVICES

Business Use of Cloud Services

"By 2016, the average personal cloud will synchronize and orchestrate at least six different device types."
Gartner Predicts 2013: Cloud Computing Becomes an Integral Part of IT

Issue #3: Developing a campus-wide cloud strategy.
EDUCAUSE "Top 10 IT Issues", 2013

Business Use of Cloud Services

Financial Savings
Equipment
Personnel
Infrastructure
Space & utilities
Reduced obsolescence
Reduced capital expenditures
Reduced implementation costs

Business Use of Cloud Services

Increased Flexibility
Rapid deployment
Ability to add or reduce capacity
On-demand provisioning
Disaster recovery
Business expansion (across town or across the globe)

Business Use of Cloud Services

Streamlined Business Development
Focus on innovation & research
Reduced effort on management, maintenance & support
Simplified entry into or exit from business initiatives
Increased access to technical expertise

Business Use of Cloud Services

"Slow transition to the Clouds continues."
Kenneth C. Green, Campus Computing Project, EDUCAUSE Annual Conference, 10/17/2013

Why so slow?
Absence of provider offerings
Can't visualize moving to the Cloud
Want to retain command, control & computing
Let others make the journey first

CLOUD SERVICE RISKS

Cloud Service Risks

Security
Physical access to infrastructure, systems & data
Physical location of systems & data
Logical access to the network, OS, applications & databases
Network & data segregation

Cloud Service Risks

Availability
Cloud provider service interruptions
Data location/availability for restoration
Network/connectivity interruptions
Failure of the provider to adhere to SLAs
Service provider disaster recovery

Cloud Service Risks

Processing Integrity
Adherence to change management procedures
Incident management
Failure of the provider to adhere to SLAs
• Timeliness
• Accuracy
• Authorization
• Completeness

Cloud Service Risks

Confidentiality
Commingling of data & other assets
Unauthorized access to sensitive or trade secret information

Privacy
International laws affecting service provider location
Regulatory compliance/legal liability
Breach & incident management

GOVERNANCE OF THE CLOUDCritical Policies, Procedures & Controls

Governance of the Cloud

(Slide figure: the three areas covered on the following slides: Governance, Risk Management, Tools.)

Governance of the Cloud

Information Security
• Data life cycle
• Data classification
• Formal policies & procedures

Governance of the Cloud

Metrics
• Objectives
• Define metrics
• Periodic assessment & review

Governance of the Cloud

SLAs
• Access to data
• Appropriate controls
• Management, counsel, IT & business owners involved

Governance of the Cloud

Data Flow Analysis
• Understand the data life cycle
• Develop data-flow schematics
• Policies to review/update data flow documentation

Governance of the Cloud

Managing Computing Risk
• App & tech inventory
• In conjunction with data flow analysis
• Address each layer of cloud "stack" risk
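The data-flow analysis and managing-computing-risk slides above describe an inventory of applications joined with where their data flows, checked layer by layer. The following is an added example of that check in working code, not material from the presentation or its authors: an application inventory with data-flow attributes is evaluated against a small policy, one rule per layer of the stack (provider assurance, data protection, data location/privacy, logical access, availability/exit). The classification levels, the inventory records, the approved jurisdictions and the assurance thresholds are all constructed assumptions for illustration.

```python
# Added example (not from the original presentation): an application & technology
# inventory joined with data-flow attributes, checked layer by layer against a
# small set of policy rules. Classification levels, inventory records, approved
# jurisdictions and assurance thresholds are assumptions for illustration.

CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed inventory: one record per application / data flow to a cloud service.
INVENTORY = [
    {"app": "student-records", "service_model": "SaaS", "deployment": "public",
     "data_class": "restricted", "data_locations": ["US"], "assurance": "SOC 2",
     "sso": True, "encrypted_at_rest": True, "exit_plan": True},
    {"app": "marketing-site", "service_model": "PaaS", "deployment": "public",
     "data_class": "public", "data_locations": ["US", "IE"], "assurance": None,
     "sso": False, "encrypted_at_rest": False, "exit_plan": False},
    {"app": "research-storage", "service_model": "IaaS", "deployment": "hybrid",
     "data_class": "confidential", "data_locations": ["US", "SG"], "assurance": "SOC 3",
     "sso": True, "encrypted_at_rest": False, "exit_plan": True},
]

# Constructed policy (assumed): what each layer must provide before data of a
# given classification may flow to the service.
POLICY = {
    "allowed_locations": {"US", "CA", "IE"},            # jurisdictions counsel has approved
    "assurance_with_test_detail": {"SOC 1", "SOC 2"},   # a SOC 3 report carries no testing detail
    "min_class_for_assurance": "confidential",
    "min_class_for_encryption": "confidential",
    "min_class_for_location_check": "internal",
    "min_class_for_sso": "internal",
    "min_class_for_exit_plan": "confidential",
}


def _at_least(record, level):
    """True when the record's data classification is at or above `level`."""
    return CLASSIFICATION_RANK[record["data_class"]] >= CLASSIFICATION_RANK[level]


def assess(record, policy=POLICY):
    """Return findings as (layer, code, message) tuples; an empty list means no gaps."""
    findings = []
    # Provider/compliance layer: independent assurance with testing detail for sensitive data.
    if (_at_least(record, policy["min_class_for_assurance"])
            and record["assurance"] not in policy["assurance_with_test_detail"]):
        findings.append(("provider", "assurance",
                         f"{record['data_class']} data hosted with assurance={record['assurance']}"))
    # Data layer: confidentiality control on stored data.
    if _at_least(record, policy["min_class_for_encryption"]) and not record["encrypted_at_rest"]:
        findings.append(("data", "encryption", "sensitive data not encrypted at rest"))
    # Privacy/legal layer: where the data physically resides.
    if _at_least(record, policy["min_class_for_location_check"]):
        disallowed = sorted(set(record["data_locations"]) - policy["allowed_locations"])
        if disallowed:
            findings.append(("privacy", "location",
                             f"data stored in unapproved jurisdictions {disallowed}"))
    # Access layer: logical access through the institution's identity provider.
    if _at_least(record, policy["min_class_for_sso"]) and not record["sso"]:
        findings.append(("access", "sso", "service not integrated with institutional SSO"))
    # Availability/exit layer: can the data be retrieved if the provider fails or is replaced.
    if _at_least(record, policy["min_class_for_exit_plan"]) and not record["exit_plan"]:
        findings.append(("availability", "exit", "no documented data return / exit plan"))
    return findings


def assess_inventory(inventory=INVENTORY, policy=POLICY):
    """Map each application to its findings so gaps can be tracked per layer."""
    return {record["app"]: assess(record, policy) for record in inventory}


def finding_codes(findings):
    """Just the finding codes, sorted, for reporting and comparison."""
    return sorted(code for _, code, _ in findings)


if __name__ == "__main__":
    for app, findings in assess_inventory().items():
        print(f"{app}: {len(findings)} finding(s)")
        for layer, code, message in findings:
            print(f"  [{layer}/{code}] {message}")
```

Running it flags only the research storage flow (a SOC 3 report where the policy wants testing detail, no encryption at rest, and a copy of the data in an unapproved jurisdiction); the public marketing site triggers no rule because its data classification is below every threshold. The point of keeping the rules in a policy table rather than in code is that counsel and the business owners can change the thresholds without touching the checker, which is the review/update loop the data-flow slide calls for.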

Governance of the Cloud

Audit & Compliance
• Regulatory implications
• Use risk assessment tools and control frameworks
• Assess control maturity
• Vendor management

Governance of the Cloud

Control Frameworks (NIST, COBIT, CSA)
CIS Security Metrics v1.0.0
Cloud Security Alliance
NIST SP 800-146
NIST SP 500-293

Governance of the Cloud

Procedures/Tools Links

NIST Guidance
• http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
• http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf

Cloud Security Alliance (CSA)
• https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
• https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/

Information Systems Audit and Control Association (ISACA)
• http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx

The Center for Internet Security (CIS)
• https://benchmarks.cisecurity.org/tools2/metrics/CIS_Security_Metrics_v1.1.0.pdf

THIRD-PARTY MANAGEMENT CONSIDERATIONS FOR THE CLOUD

Third-Party Management

Use of the cloud:
Transfers risk
Reduces control
Requires new control considerations
• Service-level management
• Third-party management

Third-Party Management: What Can You Do?
• Define service levels for financial reporting systems
• Create a framework to manage service-level agreement KPIs
• Designate an individual responsible for monitoring & reporting service-level performance
• Adopt an organizational vendor management policy for the selection of outsourced services
• Determine that, before selection, potential third parties are qualified on 1) capability to deliver the service and 2) a review of their financial viability
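The slide asks for a framework to manage SLA KPIs and someone to monitor and report service-level performance; the availability risk slide earlier lists provider interruptions and failure to meet SLAs. The following is an added example of the core KPI calculation, not code from the presentation or its authors: monthly availability is computed from the provider's incident records, compared with the contracted target, and expressed against the error budget the target allows. The service names, SLA percentages and incident timestamps are constructed sample data; an outage that straddles month end is included to show that only the portion inside the reporting window is counted.

```python
# Added example (not from the original presentation): computing a provider's
# monthly availability from its incident records and comparing it with the SLA
# commitment, the KPI a designated SLA owner would report each period.
# Service names, SLA targets and incident timestamps are constructed sample data.
from datetime import datetime, timedelta

# Constructed sample: committed monthly availability (%) per contracted service.
SLA_TARGETS = {"erp-saas": 99.9, "lms-saas": 99.5}

# Constructed sample: provider incident log as (service, outage start, outage end).
INCIDENTS = [
    ("erp-saas", "2014-02-03T08:00:00", "2014-02-03T08:25:00"),
    ("erp-saas", "2014-02-17T22:10:00", "2014-02-18T00:40:00"),
    ("lms-saas", "2014-02-10T14:00:00", "2014-02-10T15:30:00"),
    # Outage that straddles month end: only the part inside the window counts.
    ("lms-saas", "2014-02-28T23:30:00", "2014-03-01T01:00:00"),
]

# Reporting window for the sample data: February 2014 (28 days = 40,320 minutes).
REPORT_WINDOW = (datetime(2014, 2, 1), datetime(2014, 3, 1))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def downtime_minutes(service, window_start, window_end, incidents=INCIDENTS):
    """Sum outage minutes for `service`, clipping each outage to the reporting window."""
    total = timedelta()
    for name, start, end in incidents:
        if name != service:
            continue
        clipped_start = max(_parse(start), window_start)
        clipped_end = min(_parse(end), window_end)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return total.total_seconds() / 60


def availability_pct(service, window_start, window_end, incidents=INCIDENTS):
    """Availability = (window minutes - downtime minutes) / window minutes, as a percentage."""
    window_minutes = (window_end - window_start).total_seconds() / 60
    down = downtime_minutes(service, window_start, window_end, incidents)
    return 100.0 * (window_minutes - down) / window_minutes


def error_budget_minutes(target_pct, window_start, window_end):
    """Downtime the SLA permits in the window before the commitment is breached."""
    window_minutes = (window_end - window_start).total_seconds() / 60
    return window_minutes * (100.0 - target_pct) / 100.0


def sla_report(window_start, window_end, targets=SLA_TARGETS, incidents=INCIDENTS):
    """One row per service: measured availability, target, budget and breach flag."""
    report = {}
    for service, target in targets.items():
        down = downtime_minutes(service, window_start, window_end, incidents)
        avail = availability_pct(service, window_start, window_end, incidents)
        budget = error_budget_minutes(target, window_start, window_end)
        report[service] = {
            "availability_pct": round(avail, 3),
            "target_pct": target,
            "downtime_min": down,
            "budget_min": round(budget, 2),
            "breached": avail < target,
        }
    return report


if __name__ == "__main__":
    for service, row in sla_report(*REPORT_WINDOW).items():
        status = "BREACH" if row["breached"] else "ok"
        print(f"{service}: {row['availability_pct']}% vs {row['target_pct']}% target "
              f"({row['downtime_min']:.0f} of {row['budget_min']} budget minutes) {status}")
```

With the sample data the ERP service uses 175 minutes of a 40.32-minute budget and breaches its 99.9% commitment, while the LMS (120 minutes, including the 30 clipped minutes from the month-end outage) stays within 99.5%. Two practical notes: the incident records should come from your own monitoring as well as the provider's status page, because the provider's view of an outage is what its SLA credit will be based on, and the report should be produced on a fixed schedule by the designated owner so that breaches feed the periodic contract review the next slide calls for.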

Third-Party Management: What Can You Do?
• Third-party service contracts address risks, security controls & procedures for information systems &
• Procedures ensure that a formal contract is defined & agreed upon for all third-party services before work is initiated, including definition of internal control requirements & acceptance of the organization's policies & procedures
• A regular review of security, availability & processing integrity is performed for service-level agreements & related contracts with third-party service providers

Service Organization Control Reports

SOC 1
Purpose: Report on controls relevant to user entities' ICFR (1)
Use of report: Restricted (2)
Report detail: Includes testing detail
AICPA interpretive guidance: SSAE 16 & AICPA Guide

SOC 2
Purpose: Report on controls related to compliance & operations
Use of report: Restricted (3)
Report detail: Includes testing detail
AICPA interpretive guidance: AT 101, Trust Services Principles, & AICPA Guide

SOC 3
Purpose: Report on controls related to compliance & operations
Use of report: General
Report detail: No testing detail
AICPA interpretive guidance: AT 101 & Trust Services Principles

(1) Internal Control Over Financial Reporting
(2) Service organization management, users, users' auditors
(3) Service organization management, users, knowledgeable parties

RISK MANAGEMENT AND CLOUD SECURITY

Rodney A. Walsh, CGEIT, CRISC, Director of IT Risk Services
Paco Diaz, CISA, Senior Consultant II

Thank You

