Post on 17-May-2015
Audit in the cloud
Security audits versus cloud computing
drs. Mike Chung RE
KPMG Risk & Compliance
ADVISORY
© 2010 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
Cloud computing as phenomenon
• The IT service model of choice for 2010 and beyond
− The total revenue of cloud services is approaching 25 billion USD worldwide in 2010
− Cloud computing is growing by over 30% per year
− More than 50% of all Fortune 500 enterprises are already using some form of cloud computing
• Massive investments by leading software vendors and IT integrators
• Growing demand despite/thanks to the low economic tide and the perceived ‘reliability’ of the internet
Main questions
• How (in)secure is the cloud compared with on-premise IT?
− Integrity
− Confidentiality
− Availability
• How (ir)relevant are audit standards?
• How (in)competent are IT auditors?
Definition of cloud computing
• Hosted services from the (inter)net, metaphorically depicted as a cloud
• Utilization of Web 2.0
• ‘ASP 2.0’
• Examples:
− Software-as-a-Service (Salesforce.com, Gmail, Microsoft Online)
− Platform-as-a-Service (GoogleApps, Force.com, 3tera AppLogic)
− Infrastructure-as-a-Service (Amazon EC2, Citrix Cloud Centre)
Characteristics of cloud computing
• Multi-tenant
• External data storage
• Use of the (public) internet
• On-demand
• Subscription-based model
• Elastic
• Web based
Security issues of cloud computing are real
• Google Web Service vulnerability leaked database usernames and passwords (2007)
• Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)
• Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
• Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)
• Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)
Security risks: specific factors concerning the cloud
• External data storage
• Multi-tenancy
• Use of the (public) internet
• Integration with the internal IT environment
Security risks: external data storage
• Weak control of data (failing backup & recovery)
• Legal complications (privacy violation, conflicting/contradicting legislation)
• Uncertain viability (insufficient guarantees regarding continuity and availability of services)
• Single point of failure (failure of one cloud vendor/provider means disaster for many customers)
Security risks: multi-tenancy
• Inadequate segregation of data between different customers
• Inadequate Identity & Access Management
• Insufficient logging & monitoring
• The weakest link is decisive (virtualization, shared databases)
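The three multi-tenancy risks listed above (data segregation, access management, logging & monitoring) meet in one place in a shared database: the query that fetches a customer's record. The following Python example is added here and is not part of the original presentation; the table schema, the tenant names, the record contents and the audit-event format are constructed for illustration. It shows the weak lookup that selects a row by id alone beside the hardened lookup that binds every query to the tenant from the authenticated session and records misses so that cross-tenant probing becomes visible to monitoring.

```python
"""Tenant-scoped data access: weak lookup beside the hardened one.

Added example for the multi-tenancy risks listed above; not part of the
original presentation. The schema, the tenant/record values and the audit
event format are constructed for illustration.
"""
import sqlite3
from typing import Optional

# Constructed sample data: two tenants sharing one database table.
SEED_ROWS = [
    (1, "tenant-a", "Tenant A: quarterly forecast"),
    (2, "tenant-a", "Tenant A: payroll export"),
    (3, "tenant-b", "Tenant B: customer list"),
]

# Audit trail of denied cross-tenant lookups. Kept in memory for the
# example; a real deployment would ship these events to the monitoring
# pipeline so that repeated misses from one tenant raise an alert.
AUDIT_LOG: list = []


def build_db() -> sqlite3.Connection:
    """Create an in-memory multi-tenant table and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " payload TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def fetch_record_unscoped(conn: sqlite3.Connection, record_id: int) -> Optional[str]:
    """Weak pattern: the row is selected by id alone. Segregation then
    rests on ids being unguessable, which a sequential key is not, so any
    authenticated tenant can read another tenant's row."""
    row = conn.execute(
        "SELECT payload FROM records WHERE id = ?", (record_id,)
    ).fetchone()
    return row[0] if row else None


def fetch_record_scoped(
    conn: sqlite3.Connection, caller_tenant: str, record_id: int
) -> Optional[str]:
    """Hardened pattern: the caller's tenant (taken from the authenticated
    session, never from the request body) is part of every predicate, and
    a miss is logged so monitoring can see cross-tenant access attempts."""
    row = conn.execute(
        "SELECT payload FROM records WHERE id = ? AND tenant_id = ?",
        (record_id, caller_tenant),
    ).fetchone()
    if row is None:
        AUDIT_LOG.append(
            {"event": "record_access_denied",
             "tenant": caller_tenant,
             "record_id": record_id}
        )
        return None
    return row[0]


def demo() -> dict:
    """Run both lookups as tenant-a asking for tenant-b's record 3,
    then a legitimate lookup of tenant-a's own record 1."""
    AUDIT_LOG.clear()
    conn = build_db()
    leaked = fetch_record_unscoped(conn, 3)            # tenant-b data returned
    blocked = fetch_record_scoped(conn, "tenant-a", 3)  # None, one audit event
    own = fetch_record_scoped(conn, "tenant-a", 1)      # tenant-a's own row
    return {
        "leaked": leaked,
        "blocked": blocked,
        "own": own,
        "denied_events": len(AUDIT_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that tenant identity is an input to the data layer, not a check bolted on afterwards: the scoped query cannot return another tenant's row even if application code upstream forgets an authorization check, and the audit event turns a silent miss into something the logging & monitoring control can act on.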
Security risks: use of the (public) internet
• Unclear and unaddressed accountability, ownership
• Loss, misuse and theft of data
• No access to data and/or services
• Non-repudiation issues
Security risks: integration with the internal IT environment
• Unclear (network) perimeters
• No match with internal security measures, requirements and baselines
• Complexity of integration between the cloud and the internal IT
Residual risks
• High, unforeseen, initial investments
− Legal costs
− Costs to perform risk analyses
− Costs of escrow arrangement
• Poor performance
• Additional IT management
− Identity & Access Management
− Key management
Security benefits
• Centralized security
− Concentration of security expertise
− Economy of scale
• High accessibility
• ‘Nakedness leads to fitness’
Audit standards
• Localized IT as starting point (ITIL)
• Strong focus on client-server/on-premise IT (ISO 27001/2)
• Static (COBIT)
• Strong focus on processes (SOx)
Audit standards versus external data storage
• Based on access from external/third parties, not on access to cloud services
• Based on management of internally stored data (possibly managed by external parties)
• From the viewpoint of the customer: irrelevant
• From the viewpoint of the cloud computing vendor: insufficient
• New principles and practices
− 11 commandments of the Jericho Forum
− Cloud security initiatives from ISF
Audit standards versus multi-tenancy
• Marginal attention to (technical) architecture
• Multi-tenancy virtually unobserved/unexposed
• Mere focus on segregation of duties, facilities and networks
• New principles and practices
− Cloud Security Alliance – Security guidance
− Liberty Alliance’s IAM ‘baselines’
Audit standards versus use of the (public) internet
• Primarily financial-legal issues (accountability, ownership) outside the domain of IT audits
• Exceptionally difficult to audit
• Existing principles and practices for e-mail usage and internet security applicable
Audit standards versus integration with the internal IT environment
• ‘Open standards’ – which one(s) to choose?
• ‘Open’ audit standards versus the reality of ‘proprietary’ cloud technologies
• New principles and practices
− ISF – The Standard of Good Practice for Information Security
Compliance
• Responsibility and risks are with the customer, not the cloud vendor
• Legislation versus the current state of (technical) affairs
• Compliance with different legislation from different countries (SOx, HIPAA, PCI DSS, WBP, ...)
• SAS70 as a way out?
SAS70: objections
• Free to choose the controls
• Fully dependent on the expertise and viewpoint of the auditor
• Many variations in audit approach, set-up and level of (technical) detail
• Wide intervals between audits
SAS70 in practice
• Same standards used as for client-server/on-premise IT environments
• Hardly any attention to multi-tenancy, service integration and external data storage
• Superficially reviewed by (potential) customers and auditors
• Gaps (lacunae) rarely raised
IT auditors
• Competent researchers and analysts
• High-level knowledge of architecture and technology
• Mostly educated in economics, accounting, business management
• Existing audit standards and baselines as starting points
IT audits in practice
• Use of partly irrelevant and insufficient controls for cloud computing
• Approach tailored for client-server/on-premise IT
• Emphasis on (service management) processes with paper evidence
• Recommendations only partly aimed at mitigating cloud-specific risks
Conclusion
• Cloud computing harbours specific security risks
• Audit standards and baselines are partly irrelevant and insufficient, but there are initiatives to update them
• While IT auditors are competent researchers, their (technical) knowledge of cloud computing needs to be updated
Contact
Drs. Mike Chung RE
Manager
KPMG Advisory N.V.
E-mail: chung.mike@kpmg.nl
Mobile: +31 (0)6 1455 9916
About the painter & painting
• J.H. Weissenbruch was a 19th-century Dutch painter famed for his depiction of clouds
• His style of painting is typical of the so-called Hague School (Haagse School)
• The title of the painting is Beach at Scheveningen (Strand bij Scheveningen)
• The picture as used for this presentation has been slightly modified