Along with accessibility and convenience, cloud-based IT resources also bring risk. This webinar provides you with a brief introduction on the development of cloud computing and the related business risks. Additionally, you will learn questions to ask to determine if your company is using cloud-based IT resources along with information on the formal assurance frameworks that exist and can be effectively employed by both cloud consumers and providers without specialized training.
1. CLOUD COMPUTING RISK MANAGEMENT
SECURITY CONSIDERATIONS FROM AN ASSURANCE PERSPECTIVE
George Thomas, SVP Internal Audit – First Data Corp
Brian Dickard, Director Internal Audit – First Data Corp
2. AGENDA
• Introduction
• Terminology and Stats
• Major Public Cloud Services
• Assessing Public Cloud Risk
• Trends and Issues
• Concluding Remarks
3. INTRODUCTION
• First Data Vision
– To shape the future of global commerce by delivering the world’s most secure and innovative payment solutions
4. CLOUD COMPUTING – WHAT IS IT?
• Where did it come from?
• Why should I care as a business manager?
• What types of risk are there?
• How does it work?
5. CLOUD COMPUTING – HOW DOES IT WORK?
• Understanding Cloud Computing
• Managing the risks
6. POLLING QUESTION
• How familiar are you with the major Cloud Service and Deployment models?
– A. Very familiar
– B. Somewhat familiar
– C. I’ve heard of them
– D. Not familiar at all
7. ESSENTIAL CHARACTERISTICS
• Resource Pooling
• Broad Network Access
• Rapid Elasticity
• Measured Service
• On Demand Self Service
8. CLOUD SERVICE MODELS
• Infrastructure as a Service (IaaS)
– “Raw” servers, disk space, network
– Ex. Amazon Elastic Compute Cloud (EC2)
– Foundational to PaaS and SaaS
– Security (other than physical) provided by cloud consumer
9. CLOUD SERVICE MODELS
• Platform as a Service (PaaS)
– Middleware and application development frameworks supported by provider
– Cloud-deployed applications created and supported by consumer
– Ex. Google App Engine
– Built on top of IaaS
– Security must be built in by developer (provider or consumer)
10. CLOUD SERVICE MODELS
• Software as a Service (SaaS)
– “On Demand” application availability
– Software and data hosted by provider
– Accessed with a web browser
– Ex. Gmail
– Built on top of IaaS and PaaS
– Highest provider security level
11. CLOUD SERVICE LAYERS
[Layer diagram, top to bottom: SaaS / PaaS / IaaS]
– Moving down the stack (toward IaaS): increasing consumer configuration options
– Moving up the stack (toward SaaS): increasing provider security
12. IN-HOUSE IT ASSETS VS. “SPI” SERVICES
In-House Attributes        | SPI Attributes
Fixed                      | Elastic
Overhead or Chargeback     | Metered
Service Request            | Self Service
Private Network Accessible | Internet Accessible
Dedicated                  | Shared
13. DEPLOYMENT MODELS
• Public Cloud
– More than one organization shares common IT resources
• Private Cloud
– An organization buys and deploys its own IT resources – OR –
– Contracts an exclusive arrangement with a 3rd party
• Community Cloud
– Usage of public cloud by common mission or cause
– Ex. State or Local governments
• Hybrid Cloud
– Some elements of all three
14. POTENTIAL BENEFITS
• Pay as you go model (low fixed cost)
• Remote access
• Rapid scalability
• Quicker deployment of IT-enabled strategies
• Stay current on technology upgrades
• Resiliency / Redundancy
15. WHERE PRIVATE CLOUDS MAKE SENSE
• Large Corporate Data Center
– High rate of optimization through virtualization
– Diverse apps are coded to run using common O/S, database and network
– Apps are “swapped out” on common hardware based on processing load
– Same hardware that runs a mission critical app may also run a support app in non-peak time
– “Workload Agnostic Computing”
16. VIRTUALIZATION STATS
• InfoWeek Poll – Major Corporations
– 97% use Server Virtualization extensively or on a limited basis (ex. VMware vSphere)
– 57% use Storage Virtualization (ex. NetApp)
– 44% use Desktop Virtualization (ex. Citrix)
– 42% use Application Virtualization (ex. VMware ThinApp)
– 37% use I/O Virtualization (ex. Cisco VFrame)
– 30% use Network Virtualization (ex. Nicira Networks “DVNI”)
17. WHERE PUBLIC CLOUDS MAKE SENSE
• Businesses of any size where captive IT resources aren’t cost effective or available
– Fixed capital expense becomes variable operating expense
– Can quickly level the playing field for small and medium sized businesses
• “Cloud Bursting”
– Adding incremental capacity to meet peak or seasonal demands
• Prototyping
– Running simulations to determine in-house data center capacity needs
18. POLLING QUESTION
• Describe your usage of Public Cloud infrastructure
– A. Active production deployment
– B. Evaluating or budgeted plans for production deployment
– C. No plans for Public Cloud deployment
– D. Don’t know
19. PUBLIC CLOUD PLANS
• InfoWeek Survey
– 26% plan to deploy in the next year
– 38% have no plans to deploy
– 11% already have public deployment
• Are you sure?
– DR scenario: private cloud becomes public
20. ESSENCE OF THE PUBLIC CLOUD DECISION
• A thoughtfully considered* decision to move one of the following into the public cloud domain:
– Data
• Essential to map your data and understand whether, and how, it flows in and out of the cloud
• Important to classify low value, high value regulated and high value unregulated assets
– Transactions/Processing
21. THOUGHTFULLY CONSIDER - HOW?
• How would you be harmed if:
– The asset became widely public or widely distributed?
– An employee of the cloud provider accessed the asset?
– The process or function was manipulated by an outsider?
– The process or function failed to provide the expected results?
– The information/data was unexpectedly changed?
– The asset was unavailable for a period of time?
22. TOP PUBLIC CLOUD CONCERNS
• Data Security
– Assurance framework
• Reliability / Availability
• Integration with Existing Systems
• Loss of Control
23. A GROWING OPPORTUNITY
[Bar chart: public cloud services revenue by year, 2008–2013; y-axis 0–70]
• Revenue from "public cloud" services, in billions of dollars. Source: Forrester Research
24. MAJOR PUBLIC CLOUD SERVICE PROVIDERS
25. POLLING QUESTION
• Do you see a vendor on the previous slide who is used by your company, but you were unaware they were a provider of cloud services?
– A. Yes
– B. No
26. APPLICABLE COMPLIANCE CERTIFICATIONS
• SSAE 16 / SOC 1, 2, 3
– Financial Reporting and service oriented controls
– Focused on integrity
• ISO 9002
– Quality oriented controls
– Focused on process
• ISO 27001 /27002
– Security oriented controls
– Focused on security
• TIA 942 (Telecommunications Industry Association)
– Data center fault tolerant controls
– Focused on resilience
27. PII BREACH BY CLOUD PROVIDER
• Could subject them to violations under the following privacy laws:
– Privacy and safeguard rules under GLBA
– PCI-DSS data transmission and storage security provisions
– HIPAA restrictions on sharing health care data
– Breach provisions under the HITECH Act
• Depends on provider’s contract provisions
• You can’t outsource your accountability for information security
28. ASSURANCE FRAMEWORKS
• Cloud Security Alliance (CSA)
– Cloud Controls Matrix
– https://cloudsecurityalliance.org
• Information Systems Audit and Control Association (ISACA)
– Cloud Computing Management Audit/Assurance Program
– http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx
• European Network and Information Security Agency (ENISA)
– Cloud Computing Security Risk Assessment
– http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
40. POLLING QUESTION
• Regarding the Cloud Security Alliance Cloud Controls Matrix:
– A. I am familiar with the CSA and CCM and have used the framework to assess cloud service providers.
– B. I am familiar with the framework but have yet to use it.
– C. I have not previously heard of the framework but think it might be useful.
– D. I don’t think this framework is applicable to my company’s assessment of cloud service providers.
41. INTEGRATION TRENDS / CONCERNS
• “Bring Your Own Device” (BYOD)
– Smartphone, tablet, laptop
• “Bring Your Own Cloud” (BYOC)
– Google Docs, Dropbox, iCloud, Skydrive
42. “DATA AWARE” SECURITY
• Information Security trend
• Knowing if a particular combination of user, device, and software can be trusted with access to specific information
• Challenge: encoding this security intelligence into your data before you store it in the public cloud
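One way to act on this slide, as an added example that is not from the deck: each object gets a classification label (using the deck's low value / high value regulated / high value unregulated tiers) bound to its content with an HMAC under a key kept with the data owner, and a decision function that checks the user, device and software combination against that label's policy before releasing the data. The policy table, key, roles and application names are constructed assumptions.

```python
import hmac
import hashlib

# Classification tiers taken from the deck's own terms (slide 20); the roles,
# device and software requirements per tier are constructed for this example.
POLICY = {
    "low-value":              {"roles": {"staff", "analyst", "admin"}, "managed_device": False, "apps": {"browser", "erp", "export-tool"}},
    "high-value-unregulated": {"roles": {"analyst", "admin"},          "managed_device": True,  "apps": {"erp", "export-tool"}},
    "high-value-regulated":   {"roles": {"admin"},                     "managed_device": True,  "apps": {"erp"}},
}

# Constructed key. The point is that it stays with the data owner, not the provider,
# so whoever holds the stored object cannot quietly downgrade its label.
LABEL_KEY = b"example-on-premises-labelling-key"


def _binding_tag(label: str, payload: bytes) -> str:
    # HMAC over label || 0x00 || content: the label cannot be changed without the key.
    return hmac.new(LABEL_KEY, label.encode() + b"\x00" + payload, hashlib.sha256).hexdigest()


def seal(label: str, payload: bytes) -> dict:
    """Attach the classification label to the content before it leaves for the cloud."""
    if label not in POLICY:
        raise ValueError(f"unknown classification label: {label!r}")
    return {"label": label, "payload": payload.hex(), "tag": _binding_tag(label, payload)}


def decide(obj: dict, user_role: str, managed_device: bool, app: str) -> tuple:
    """Policy decision: verify the label binding, then check user, device and software."""
    payload = bytes.fromhex(obj["payload"])
    if not hmac.compare_digest(_binding_tag(obj["label"], payload), obj["tag"]):
        return (False, "label/content binding failed verification")
    rule = POLICY.get(obj["label"])
    if rule is None:
        return (False, "unknown label")
    if user_role not in rule["roles"]:
        return (False, "user role not permitted")
    if rule["managed_device"] and not managed_device:
        return (False, "managed device required")
    if app not in rule["apps"]:
        return (False, "software not approved for this label")
    return (True, "allowed")


if __name__ == "__main__":
    record = seal("high-value-regulated", b"constructed cardholder record")
    print(decide(record, "admin", True, "erp"))      # (True, 'allowed')
    print(decide(record, "analyst", True, "erp"))    # (False, 'user role not permitted')
    print(decide(dict(record, label="low-value"), "staff", False, "browser"))  # binding fails
```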
43. RECAP
• Cloud computing has tangible benefits and could be a strategic differentiator
• Your organization may be more actively deployed to the “cloud” than you realize
• New risks are introduced, but can be managed with assurance frameworks
44. QUESTIONS?
• George.Thomas@firstdata.com
• Brian.Dickard@firstdata.com
45. REFERENCES
• Cloud Security Alliance
– Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 (2011)
• https://cloudsecurityalliance.org/research/security-guidance/
– Cloud Security Alliance GRC Stack (2011)
• https://cloudsecurityalliance.org/research/grc-stack/
– Cloud Security Alliance Cloud Controls Matrix V1.1 (2010)
• https://cloudsecurityalliance.org/research/ccm/
• Information Week (Jan-Mar 2012)
• MIT Technology Review (Jan-Mar 2012)