The document discusses cloud computing and related security and audit issues. It provides definitions of cloud computing models and technologies. It identifies key security concerns around cloud adoption such as data location, access control, and compliance. It outlines responsibilities for ISACA members to educate organizations, assess security risks of cloud applications and data, and strengthen identity and access management programs. Overall standards and auditing are still needed to address security issues in cloud computing.
3. Cloud Computing 101 Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. - NIST Definition of Cloud Computing 3 Rapp Consulting peet.rapp@yahoo.com
4. Cloud Computing 101 History - Definitions Distributed Centralized De-Centralized Re-Centralized Applications System Platform Hardware 1970 2010 Per Novell Cloud Presentation 09/09 4 Rapp Consulting peet.rapp@yahoo.com
6. Basic Concepts – Cloud Enabling Technologies / Functions Cloud Computing is the attemtped commercialization of Virtual computing 6 Rapp Consulting peet.rapp@yahoo.com
7. Basic Concepts – Cloud Enabling Technologies / Functions SOA - XML – API Hypervisor Dynamic Partitioning API - Application Programming Interface Server Optimization OS / Application / Data Server Migration Client CPU/Memory Utilization Monitoring 7 Rapp Consulting peet.rapp@yahoo.com
8. Basic Concepts – Enabling Technologies Dynamic Partitioning – the variable allocation of cpu processing and memory to multiple OS’s, applications, and data within one server Rapp Consulting peet.rapp@yahoo.com
10. Cloud Computing 101ASPs vs SaaS ASPs are traditional, single-tenant applications, hosted by a third party. SaaS applications are multi-tenant, user facing, web-based applications hosted by a vendor 10 Rapp Consulting peet.rapp@yahoo.com
11. Cloud Computing 101PaaS A Development Environment (Platform) as a Service. Developer Tool Kits provided. “Pay as you develop/test” business model Rapid Propagation of Software Applications – Low Cost of Entry 11 Rapp Consulting peet.rapp@yahoo.com
12.
13. Cloud Computing 101 - Service Delivery Models SaaS Software as a Service PaaS Platform as a Service IaaS Infrastructure as a Service 13 Rapp Consulting peet.rapp@yahoo.com
14. Cloud Deployment Models Public cloud Sold to the public, mega-scale infrastructures Private cloud Enterprise-owned or leased to a Single Client Community cloud Shared infrastructure for a Specific Community Hybrid cloud Composition of two or more Cloud Models 14 Rapp Consulting peet.rapp@yahoo.com
16. Reality Check The Cloud Is and Will Happen Current Major Players – IaaS, PaaS Amazon Web Services, ATT, IBM Rackspace, Terramark, Savvis Current Major Players - SaaS FaceBook, Salesforce.com, Google (Gmail), Netsuite 16 Rapp Consulting peet.rapp@yahoo.com
19. Claimed Cloud Computing Business Advantages Optimizes Server Utilization Cost Savings Dynamic Scalability Time Savings for New Programs Right-sizes your enterprise Outsources IT Transitions CAPEX to OPEX 19 Rapp Consulting peet.rapp@yahoo.com
21. A Disruptive Technology The Cloud Reshuffles the IT deck Shrink Wrapped Application s and Enterprise-Sized will migrate to Online Apps, Possibly Open-Sourced OS will tend towards web-partial systems Desktops and Notebooks Lose Hard Drives Businesses’ IT Staffing Requirements Will Drop 21 Rapp Consulting peet.rapp@yahoo.com
22. Current Press Status The Majority of Press Coverage supports Service Providers attempting to gain mindshare. Most IT Analysis is very positive about (hyping) the merits of the cloud. Very little is written of Cloud Security or its Audit- ability 22 Rapp Consulting peet.rapp@yahoo.com
24. Reality Check Greatest concerns surrounding cloud adoption at your company (per CIO) Security 45% 24 Rapp Consulting peet.rapp@yahoo.com
25. Security Issues “Cyber Crime in 2008 measured more to be a larger societal loss than illegal drugs. “The main objective of most attackers is to make money. The underground prices for stolen bank login accounts range from $10–$1000 (depending on the available amount of funds), $0.40–$20 for credit card numbers, $1–$8 for online auction site accounts and $4–$30 for email passwords.” Symantec Global Internet Security Threat Report – April 2009 25 Rapp Consulting peet.rapp@yahoo.com
26. Security Issues “Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century. The digital infrastructure’s architecture was driven more by considerations of interoperability and efficiency than of security.” White House Cyberspace Security Review May 2009 26 Rapp Consulting peet.rapp@yahoo.com
28. Reality Check Greatest concerns surrounding cloud adoption at your company (per CIO) Security 45% Integration with existing systems 26% Loss of control over data 26% Availability concerns 25% Performance issues 24% IT governance issues 19% Regulatory/compliance concerns 19% 28 Rapp Consulting peet.rapp@yahoo.com
29. Cloud Security & Control Groups ENISA Cloud Security Alliance – CSA ISACA DMTF NIST Jericho Forum Apps.gov OWASP Rapp Consulting peet.rapp@yahoo.com 29
35. Security Issues Data Location SaaS Clients’ data co-mingled Accuracy and Authenticity of both Data and Applications transferred between servers Penetration Detection & Multi-Client UA Public Cloud-Server Owner – Due Diligence? Data Erasure? 35 Rapp Consulting peet.rapp@yahoo.com
38. ISACA Member Responsibilities – Opportunities Greatest concerns surrounding cloud adoption at your company (per CIO) Security 45% Integration with existing systems 26% Loss of control over data 26% Availability concerns 25% Performance issues 24% IT governance issues 19% Regulatory/compliance concerns 19% 38 Rapp Consulting peet.rapp@yahoo.com
39. ISACA Member Responsibilities – Opportunities Ensure Organization’s Key Players Aware of Cloud Security Issues Audit Data / Applications targeted for Cloud Computing Input / Review Cloud Provider’s SLA Agreement Strengthen internal IAM Program Rapp Consulting 39 Rapp Consulting peet.rapp@yahoo.com
40. ISACA Member Responsibilities – Opportunities Ensure Organization’s Key Players Aware of Cloud Security Issue Target respected type “A”champions Business Application Owners Corporate Attorneys CxOs HR 40 Rapp Consulting peet.rapp@yahoo.com
41. ISACA Member Responsibilities – Opportunities Audit Data/Applications targeted for Cloud Computing Data Mapping What is the application data’s internal security level? Who are the Data Owners? What Type of Cloud (public, private, etc) is targeted? 41 Rapp Consulting peet.rapp@yahoo.com
42. ISACA Member Responsibilities – Opportunities Input / Review Cloud Provider’s SLA Open Sourced API’s, etc XACML-based IAM program Security Transparency Ownership of Data Audit at Will DR/BC policy and practice Return of application and data policy 42 Rapp Consulting peet.rapp@yahoo.com
43. ISACA Member Responsibilities – Opportunities Strengthen IAM Program 43 Rapp Consulting peet.rapp@yahoo.com
44. ISACA Member Responsibilities – Opportunities Strengthen Identity – Access Management Program XACML Based IAM program Federated User Access – integrated across both cloud and internal enterprise Aligned with compliance requirements SSO – (Single Sign On) IAM Security Monitoring – Reporting Oppty to implement risk-based provisioning Rapp Consulting Rapp Consulting peet.rapp@yahoo.com
45. ISACA Member Responsibilities – Opportunities KEY TAKE-AWAY #1 Cloud Computing should provide organizations sufficient- enough costs-savings to afford investments in required best – practice IS security measures. 45 Rapp Consulting peet.rapp@yahoo.com
46. ISACA Member Responsibilities – Opportunities KEY TAKE-AWAY #2 Employ the same best-practice audit and risk management principles for cloud computing as you have been trained for and have used (or should be using) your entire career. 46 Rapp Consulting peet.rapp@yahoo.com
47. ISACA Member Responsibilities – Opportunities Key Take Away #3 Develop an Overarching Business Impact Analysis Moving an Application / Data to the cloud 47 Rapp Consulting peet.rapp@yahoo.com
48. ISACA Member Responsibilities – Opportunities Cloud computing can be evaluated much in the same way as a new operating system. And yet, it's somethng more as well. It has the usual system services but also some fantastic ones -- unlimited memory, unlimited storage, unlimited network bandwidth, unlimited (and on-demand) scalability and parallelism http://www.ddj.com/web-development/220300736?pgno=4 48 Rapp Consulting peet.rapp@yahoo.com
49. ISACA Member Responsibilities – Opportunities This fundamental difference between probabilistic risk and risk introduced by an intelligent adversary (or adaptive threats) leads to the conclusion that more understanding of the cyber security issues and impacts that are possible on the electric grid is needed. Indeed, there really is no statistical norm for the behavior of cyber attackers and information systems and components failure, and their potential impacts to grid reliability. NERC - 2009 Long-Term Reliability Assessment 49 Rapp Consulting peet.rapp@yahoo.com
51. ISACA Member Responsibilities – Opportunities Stock Opt CRM Cloud App HR Suppliers Internal Enterprise ERP Cloud App Cust Service Distribution Resellers Advrtz 51 Rapp Consulting peet.rapp@yahoo.com
52. ISACA Member Responsibilities – Opportunities There needs to be rock-solid security, and annual (or when changes occure) audit-to-certification standards developed for Cloud Service Providers (CSPs) 52 Rapp Consulting peet.rapp@yahoo.com
61. Insist on “SAS70” type audit from partners and outsource providers of their cloud enterprises54 Rapp Consulting peet.rapp@yahoo.com
62. What’s Still Needed Commercial Cloud Applications Security Standards. Training & Certification requirements for Individual Cloud Developers Cloud Service Providers Cloud Security Tool Providers 55 Rapp Consulting peet.rapp@yahoo.com
63. What’s Still Needed Best Practice Standards for Internal Audits of Enterprises Employing Cloud Applications. Combination of the ENISA cloud risk assessment with the financial Shared Assessment program Implement an annual Know Your Client (KYC) type audit/certification for all clients and cloud services providers. 56 Rapp Consulting peet.rapp@yahoo.com
Extensible Markup Language – Service Oriented Architecture – The basic tools for web-based applications- XML is the basic language for specifying data or documents into web apps. -SOA describes the method of interconnecting various pre-designed applets or application building blocks into one contiguous programHypervisor - A software/hardware platform virtualization system that allows multiple operating systems to run on a host computer concurrently.Dynamic Partitioning - In a symmetric multiprocessing (SMP) system, the ability to reassign processors , memory and I/O to specific applications on the fly without shutting down the machine Application Programming Interface - is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems part of the Service Oriented Architecture
Extensible Markup Language – Service Oriented Architecture – The basic tools for web-based applications- XML is the basic language for specifying data or documents into web apps. -SOA describes the method of interconnecting various pre-designed applets or application building blocks into one contiguous programHypervisor - A software/hardware platform virtualization system that allows multiple operating systems to run on a host computer concurrently.Dynamic Partitioning - In a symmetric multiprocessing (SMP) system, the ability to reassign processors , memory and I/O to specific applications on the fly without shutting down the machine Application Programming Interface - is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems part of the Service Oriented Architecture
Cloud Computing and Cloud Service Providers (CSPs) are recognized as logical extensions of the Internet Service Providers (ISPs) ISP1.0 – ISPs provided internet access to individuals and organizations via dial up or dedicated lines early 1990’sISP2.0 – ISPs provided email, and connectivity to early clients’ web sight servers, primarily promotional information early-mid 1990’sISP3.0 – Cohosting – multiple clients’ webservers connected to broadband access at one facility late-mid1990’sISP 4.0 – the birth of ASPs. Dedicated instances of applications on dedicated servers for each customer. 2000ISP 5.0 ASPs evolved into SaaSs, which are applications based on IaaSs, which are based on PaaSs
ASP applications are traditional, single-tenant applications, but are hosted by a third party. They are client/server applications with HTML front ends added to allow remote access to the application. They do not make use of SOA-applets. Their user interface may be crude, often slow and upgrades are often no better than what an end user could provide for themselves.SaaS applications are multitenant applications that are hosted by a vendor with expertise in the applications and that have been designed as Net-native applications, employing SOA’ applets and are updated on an ongoing basis.
PaaS is a variation of SaaS whereby the development environment is offered as a service. The developers use the building blocks (e.g., predefined blocks of code) of the vendor’s development environment to create their own applications.In a platform-as-a-service (PaaS) model, the vendor offers a development environment to application developers, who develop applications and offer those services through the provider’s platform. The provider typically develops toolkits and standards for development, and channels for distribution and payment. The provider typically receives a payment for providing the platform and the sales and distribution services. This enables rapid propagation of software applications, given the low cost of entry and the leveraging of established channels for customer acquisition.The benefits of PaaS lie in greatly increasing the number of people who can develop, maintain, and deploy web applications. In short, PaaS offers to democratize the development of web applications, allowing many developers a chance to enter the SW apps market.
In a platform-as-a-service (PaaS) model, the vendor offers a development environment toapplication developers, who develop applications and offer those services through theprovider’s platform. The provider typically develops toolkits and standards for development,and channels for distribution and payment. The provider typically receives a payment forproviding the platform and the sales and distribution services. This enables rapid propagationof software applications, given the low cost of entry and the leveraging of established channelsfor customer acquisition.
A public cloud is hosted, operated, and managed by a third-party vendor from one or moredata centers. The service is offered to multiple customers (the cloud is offered to multipletenants) over a common infrastructurePrivate clouds differ from public clouds in that the network, computing, and storageinfrastructure associated with private clouds is dedicated to a single organization and is notshared with any other organizations (i.e., the cloud is dedicated to a single organizationaltenant). As such, a variety of private cloud patterns have emerged:
According to a May 2008 forecast by Merrill Lynch, the volume of the cloud computing marketopportunity will amount to $160 billion by 2011, including $95 billion in business andproductivity applications and $65 billion in online advertising.†According to a March 2009 forecast by Gartner, worldwide cloud services are on pace to surpass$56.3 billion in 2009, a 21.3% increase from 2008 revenues of $46.4 billion. The market isexpected to reach $150.1 billion in 2013.‡
In 2008-2009NASDQ and NYT made use of public cloud processing to digitize their entire printer history.Salesforce w/o question the most successful ASP, transitioned to SaaS to better optimize performance and cost savings.Signiant – takes informational data and configures it for delivery to various end-viewer outlets , ie TV, PCs, smart phones, PDA’s with the correct format, correct language dialogue, and targeted advertizing in near real time. They process data in huge bursts.ThinLaunch (partnered with CITRIX) directs users at signon to the determined web browser only – intranet based. Users are able only to view the desktop provided to them. MS Office, email, then applications assigned, and what ever websites assigned.Intuit is a internally hosted excel/access like application.Webroot is one of many web based email security providers
IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
The cloud oppty is for us to undo the Rodney Dangerfield opinion enterprises typically afford us.The cloud offers ISACA members an unprecedented oppty to positively impact your employer organization. Typically most ISACA members I have met are not “A” type personas. Now you need to become one.We are and could be facing something similar to what our peers at Enron / Worldcom / Tyco were seeing in 2001. Initially the threat will not be from internal to the organization, but will be from a too rapid adoption of cloud technologies. However, if clouds become imbedded into your enterprise without adequate controls, then the internal threats are more likely than ever before. Which will likely then have external threats following.Now is the time to earn your organizational respect. From my research there are many currently-considered best practice IT controls just not in place with CSPs. This is the area and time where you can make a significant impact inot the success of cloud engagements.You can lead two goals – adequate security and audit-ability of the program as well as an avoidance in the use of proprietary tey technologies.chIAM – Research New Best of Breed IAM programs such as Symplified, Ping Identity, Conformity, and TriCipher. For large organizations, with much interdependencies in data /application access between disparate groups, evolve IAM towards the Federation model. Organizations need to implement robust fundamental technologies
Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
There are many A types, who enjoy learning new business technologies especially if it is perceived to be an aid in their career goals. Let them take ownership of this issue. You can be the behind-the-scenes information source advisory. Work with them from the get-go.Feed them information at a level they will understand, perhaps in WSJ-speak. The Cloud Security Alliance is a great source at this level. Bring in an outside Cloud Security authority.You will likely move to the clouds – in time. But attempt to develop a uniformly agreed-upon list of requirements between the company champion/players for the CSP before jumping on. Look to possible leverage the cloud to improve the internal enterprise. Look to require best practice security controls which are now just evolving ieexternalization of authentication and authorization components from applications (loosely coupled) as this can aid in the rapid adoption of cloud-based services including cloud identity services, policy-based authentication, centralized logging, and auditing (e.g., OpenSSO from Sun Microsystems and Microsoft’s Geneva claimsbased authentication framework can help externalize authentication).
REVERT to BEST PRACTICE IT Audit PracticesThe first order of business is an internal audit of all the data and applications being considered for Cloud Computing. What data, with what internal security levels are being considered for the Cloud?What are the compliance implications?Who are the data owners?Will these data owners accept these new risks? All this needs to be documented
Try to find the CSP who will meet your company’s established Enterprise Security level. Do not lower your established security standards.Ask to review the CSPs written internal security policies. Are they current? Are they updated & reviewed annually. They should be tighter than yours. And once gaining a comprehension of the CSP’s agreed-to responsibilities, you will then come to understand the scope of IT system management and monitoring responsibilities that fall on you the customer’s shoulders, including access, change, configuration, patch, and vulnerability management.
Organizations need to implement robust fundamental technologies in the IAM space - Thru use of SAML, SPML and XACML, achieve Federated user access priviledges across multiple web based and internally hosted applications with SSOs.Most cloud services support at least dual roles (privileges): administrator and end user. It is a normal practice among CSPs to provision the administrator role with administrative privileges. These privileges allow administrators to provision and deprovision identities, basic attributeprofiles, and, in some cases, to set access control policies such as password strength and trusted networks from which connections are accepted.IAM (user access management) is a key control group for many compliance requirements (SOX, HIPIAA, PII etc). For both the customer and CSP, IAM integration considerations at the early stage of service design will help avoid costly retrofitsEnterprise IAM requirements include:• Provisioning of cloud service accounts to users, including administrators.• Provisioning of cloud services for service-to-service integration (e.g., private [internal]cloud integration with a public cloud).• SSO support for users based on federation standards (e.g., SAML supportSupport for internal- and regulatory-policy compliance requirements, includingsegregation of duties using RBAC, rules, or claims-based authentication methodology.RBAC features promote a least-privilege-based access model where a user is granted theright number of privileges required to perform the job. Claims-based methodology enablessome important privacy use cases because it allows for only the user’s entitlements, nother actual identity, to flow with messages, which allows for fine-grained authorizationwithout the requirement to actually embed the user’s identity into messages.• User activity monitoring, logging, and reporting dictated by internal policies andregulatory compliance, such as SOX, PCI, and HIPAA.You should strive for CSP to provide XACML-compliant entitlement management even if thishas not been implemented internally. In your own enterprise. XACML programs will be readily adopted.CSPs should communicate the account management policies including account lock-outs(after many login failures), account provisioning methods, and privilege accountmanagement roles.Enterprises need to have a strategy for employing risk-based IAM methodsincluding strong authentication, automated provisioning, deprovisioning, auditing, andmonitoring to address risks specific to a CSP.If IAM controls can only be provided by the CSP and they are determined to be inadequate for your determined risk and compliance requirements, then your applications and data containing this critical information has no business in the clouds.
Organizations need to implement robust fundamental technologies - Thru use of SAML, SPML and XACML, achieve Federated user access priviledges across multiple web based and internally hosted applications with SSOs.Most cloud services support at least dual roles (privileges): administrator and end user. It is a normal practice among CSPs to provision the administrator role with administrative privileges. These privileges allow administrators to provision and deprovision identities, basic attributeprofiles, and, in some cases, to set access control policies such as password strength and trusted networks from which connections are accepted.IAM (user access management) is a key control group for many compliance requirements (SOX, HIPIAA, PII etc). For both the customer and CSP, IAM integration considerations at the early stage of service design will help avoid costly retrofitsEnterprise IAM requirements include:• Provisioning of cloud service accounts to users, including administrators.• Provisioning of cloud services for service-to-service integration (e.g., private [internal]cloud integration with a public cloud).• SSO support for users based on federation standards (e.g., SAML supportSupport for internal- and regulatory-policy compliance requirements, includingsegregation of duties using RBAC, rules, or claims-based authentication methodology.RBAC features promote a least-privilege-based access model where a user is granted theright number of privileges required to perform the job. Claims-based methodology enablessome important privacy use cases because it allows for only the user’s entitlements, nother actual identity, to flow with messages, which allows for fine-grained authorizationwithout the requirement to actually embed the user’s identity into messages.• User activity monitoring, logging, and reporting dictated by internal policies andregulatory compliance, such as SOX, PCI, and HIPAA.You should strive for CSP to provide XACML-compliant entitlement management even if thishas not been implemented internally. In your own enterprise. XACML programs will be readily adopted.CSPs should communicate the account management policies including account lock-outs(after many login failures), account provisioning methods, and privilege accountmanagement roles.Enterprises need to have a strategy for employing risk-based IAM methodsincluding strong authentication, automated provisioning, deprovisioning, auditing, andmonitoring to address risks specific to a CSP.If IAM controls can only be provided by the CSP and they are determined to be inadequate for your determined risk and compliance requirements, then your applications and data containing this critical information has no business in the clouds.
Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.