RISK MANAGEMENT AND CLOUD SECURITY
Rodney A. Walsh, CGEIT, CRISC, Director of IT Risk Services
Paco Diaz, Senior Consultant II
CACUBO (Central Association of College & University Business Officers)
Kansas City Winter Workshop
April 8, 2014
Risk Management & Cloud Security, February 19, 2014

Agenda
• Define the cloud ecosystem
• Business use of cloud services
• Cloud service risks
• Governance of the cloud – critical policies, procedures & controls
• Third-party management considerations for the cloud
Define the Cloud Ecosystem

Cloud Computing: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Source: NIST Special Publication 800-145 - The NIST Definition of Cloud Computing (http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf)
Define the Cloud Ecosystem
Essential Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
Define the Cloud Ecosystem
Service Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Define the Cloud Ecosystem
[Slide graphic: example offerings for each service model; product logos shown include Apps for Business and Adobe Creative Cloud]
• SaaS: Software as a Service
• PaaS: Platform as a Service
• IaaS: Infrastructure as a Service
Define the Cloud Ecosystem
Deployment Models
• Private cloud
• Community cloud
• Public cloud
• Hybrid cloud
Define the Cloud Ecosystem
Private Cloud
• Provisioned for a single organization
• May exist on or off site
• May be managed by the organization or outsourced
Define the Cloud Ecosystem
Community Cloud
• Provisioned for exclusive use by a specific community
• May be managed by one or more of the community organizations
• May be managed by a community organization or outsourced
Define the Cloud Ecosystem
Public Cloud
• Provisioned for the general public
• Exists on the premises of the cloud provider
• May be owned, managed & operated by a business, academic or government organization, or a combination
Define the Cloud Ecosystem
Hybrid Cloud
• Combination of two or more distinct cloud infrastructures
• Combines characteristics of private, public & community clouds
Just Imagine
Source: 2011 Digital Universe Study: Extracting Value from Chaos
• It would take over 132 billion 64GB iPads to hold all of the world’s electronic data by 2015.
• Placed end-to-end, that many 64GB iPads would go around the world over 790 times.
• That many 64GB iPads would make two stacks reaching the moon, plus a third stack 129,606 miles high.
• That many 64GB iPads would cost $92.76 trillion.
Business Use of Cloud Services
“By 2016, the average personal cloud will synchronize and orchestrate at least six different device types.” (Gartner Predicts 2013: Cloud Computing Becomes an Integral Part of IT)
Issue #3 – Developing a campus-wide cloud strategy. (EDUCAUSE “Top 10 IT Issues”, 2013)
Business Use of Cloud Services
Financial Savings
• Equipment
• Personnel
• Infrastructure
• Space & utilities
• Reduced obsolescence
• Reduced capital expenditures
• Reduced implementation costs
Business Use of Cloud Services
Increased Flexibility
• Rapid deployment
• Ability to add or reduce capacity
• On-demand provisioning
• Disaster recovery
• Business expansion (across town or across the globe)
Business Use of Cloud Services
Streamlined Business Development
• Focus on innovation & research
• Reduced effort on management, maintenance & support
• Simplified entry into or exit from business initiatives
• Increased access to technical expertise
Business Use of Cloud Services
“Slow transition to the Clouds continues.” Kenneth C. Green, Campus Computing Project, EDUCAUSE Annual Conference, 10/17/2013.
Why so slow?
• Absence of provider offerings
• Can’t visualize moving to the Cloud
• Want to retain command, control & computing
• Let others make the journey first
Cloud Service Risks
Security
• Physical access to infrastructure, systems & data
• Physical location of systems and data
• Logical access to the network, OS, applications & databases
• Network & data segregation
Cloud Service Risks
Availability
• Cloud provider service interruptions
• Data location/availability for restoration
• Network/connectivity interruptions
• Failure of the provider to adhere to SLAs
• Service provider disaster recovery
Cloud Service Risks
Processing Integrity (timeliness, accuracy, authorization, completeness)
• Adherence to change management procedures
• Incident management
• Failure of the provider to adhere to SLAs
Cloud Service Risks
Confidentiality
• Comingling of data & other assets
• Unauthorized access to sensitive or trade secret information
Privacy
• International laws affecting service provider location
• Regulatory compliance/legal liability
• Breach & incident management
GOVERNANCE OF THE CLOUD: Critical Policies, Procedures & Controls

Governance of the Cloud
Three pillars: Governance, Risk Management, Tools
Governance of the Cloud: Information Security
• Data life cycle
• Data classification
• Formal policies & procedures
Governance of the Cloud: Metrics
• Objectives
• Define metrics
• Periodic assessment & review
Governance of the Cloud: SLAs
• Access to data
• Appropriate controls
• Management, counsel, IT & business owners involved
Governance of the Cloud: Data Flow Analysis
• Understand the life cycle
• Develop data-flow schematics
• Policies to review/update data flow documentation
Governance of the Cloud: Managing Computing Risk
• Application & technology inventory
• In conjunction with data flow analysis
• Address each layer of cloud “stack” risk
Governance of the Cloud: Audit & Compliance
• Regulatory implications
• Use risk assessment tools and control frameworks
• Assess control maturity
• Vendor management
Governance of the Cloud: Control Frameworks (NIST, COBIT, CSA)
• CIS Security Metrics v1.0.0
• Cloud Security Alliance
• NIST SP 800-146
• NIST SP 500-293
Governance of the Cloud: Procedures/Tools Links
NIST Guidance
• http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
• http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf
Cloud Security Alliance (CSA)
• https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
• https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/
Information System Audit and Control Association (ISACA)
• http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx
The Center for Internet Security (CIS)
• https://benchmarks.cisecurity.org/tools2/metrics/CIS_Security_Metrics_v1.1.0.pdf
THIRD-PARTY MANAGEMENT CONSIDERATIONS FOR THE CLOUD

Third-Party Management
Use of the cloud:
• Transfers risk
• Reduces control
• Requires new control considerations
  • Service-level management
  • Third-party management
Third-Party Management: What Can You Do?
• Define service levels for financial reporting systems
• Create a framework to manage service level agreement KPIs
• Designate an individual responsible for monitoring & reporting service level performance
• Establish an organization vendor management policy for the selection of outsourced services
• Determine that, before selection, potential third parties are qualified on 1) capability to deliver the service and 2) a review of their financial viability
Third-Party Management: What Can You Do? (continued)
• Third-party service contracts address risks, security controls & procedures for information systems &
• Procedures ensure that a formal contract is defined & agreed upon for all third-party services before work is initiated, including definition of internal control requirements & acceptance of the organization’s policies & procedures
• A regular review of security, availability & processing integrity is performed for service-level agreements & related contracts with third-party service providers
Service Organization Control Reports

Purpose
• SOC 1: Report on controls relevant to user entities’ ICFR (1)
• SOC 2: Report on controls related to compliance & operations
• SOC 3: Report on controls related to compliance & operations
Use of Report
• SOC 1: Restricted (2)
• SOC 2: Restricted (3)
• SOC 3: General
Report Detail
• SOC 1: Includes testing detail
• SOC 2: Includes testing detail
• SOC 3: No testing detail
AICPA Interpretive Guidance
• SOC 1: SSAE 16 & AICPA Guide
• SOC 2: AT 101, Trust Services Principles, & AICPA Guide
• SOC 3: AT 101 & Trust Services Principles

(1) Internal Control Over Financial Reporting
(2) Restricted to service organization management, users, and users’ auditors
(3) Restricted to service organization management, users, and knowledgeable parties