Cloud Security

Posted on 10-May-2015


This is the ISACANE - Metrowest Breakfast Meeting held on December 18, 2009.

Transcript of Cloud Security

Rapp Consulting peet.rapp@yahoo.com


Cloud Security and Audit Issues


Agenda

• Cloud Computing 101
• Reality Check
• Security Issues
• ISACA Member Responsibilities
• What’s Missing


Cloud Computing 101

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

- NIST Definition of Cloud Computing


Cloud Computing 101 History - Definitions

[Figure: timeline from 1970 to 2010 with three layers (Applications, System Platform, Hardware) moving through four phases: Distributed, Centralized, De-Centralized, Re-Centralized]

Per Novell Cloud Presentation 09/09


Basic Concepts – Cloud Enabling Technologies / Functions

Cloud computing is the attempted commercialization of virtual computing.

[Figure: Server Partitioning #1 and Server Partitioning #2]


Basic Concepts – Cloud Enabling Technologies / Functions

• SOA - XML – API
• Hypervisor
• Dynamic Partitioning
• API - Application Programming Interface
• Server Optimization
• OS / Application / Data Server Migration
• Client CPU/Memory Utilization Monitoring

[Figure: Server Partitioning #1 and Server Partitioning #2]

Basic Concepts – Enabling Technologies

Dynamic Partitioning – the variable allocation of CPU processing and memory to multiple OSs, applications, and data within one server.

[Figure: Server Partitioning #1 and Server Partitioning #2, each showing the partitions Lawson / UnixHR / WINeCom / JavaERP / Sun OS]


Cloud Computing 101 – ASPs vs SaaS

ASPs are traditional, single-tenant applications, hosted by a third party.

SaaS applications are multi-tenant, user-facing, web-based applications hosted by a vendor.


Cloud Computing 101 – PaaS

A Development Environment (Platform) as a Service.

• Developer tool kits provided
• “Pay as you develop/test” business model
• Rapid propagation of software applications – low cost of entry


Cloud Computing 101 – IaaS

The “Bare Metal” Infrastructure as a Service

• Clients provide all OS, security and application software
• Used for quick-implementation, as-needed data processing / data storage


Cloud Computing 101 - Service Delivery Models

• IaaS – Infrastructure as a Service
• PaaS – Platform as a Service
• SaaS – Software as a Service


Cloud Deployment Models

• Public cloud – sold to the public, mega-scale infrastructures
• Private cloud – enterprise-owned or leased to a single client
• Community cloud – shared infrastructure for a specific community
• Hybrid cloud – composition of two or more cloud models


Reality Check

The Cloud Is and Will Happen

Current Major Players – IaaS, PaaS: Amazon Web Services, AT&T, IBM, Rackspace, Terremark, Savvis

Current Major Players – SaaS: Facebook, Salesforce.com, Google (Gmail), NetSuite


Reality Check

[Chart: Cloud Status in the US, two series (US Govt, Industry). Values as extracted, listed in legend order (US Govt, Industry):]

Not discussing the cloud: 16%, 21%
Learning about the technology: 46%, 48%
Designing a plan: 10%, 8%
Implementing a plan: 7%, 8%
Cloud implementation in place: 13%, 13%
Unsure: 8%, 2%

InternetNews.com, “Obama CIO: Government Can Lead in IT,” March 12, 2009


Reality Check Spending Forecasts


Claimed Cloud Computing Business Advantages

• Optimizes server utilization
• Cost savings
• Dynamic scalability
• Time savings for new programs
• Right-sizes your enterprise
• Outsources IT
• Transitions CAPEX to OPEX


Excellent Cloud Examples

• NASDAQ / NYT
• SalesForce.com
• Signiant
• ThinLaunch Software
• Intuit QuickBase
• Webroot


A Disruptive Technology

The Cloud Reshuffles the IT deck

• Shrink-wrapped and enterprise-sized applications will migrate to online apps, possibly open-sourced
• OS will tend towards web-partial systems
• Desktops and notebooks lose hard drives
• Businesses’ IT staffing requirements will drop


Current Press Status

The Majority of Press Coverage supports Service Providers attempting to gain mindshare.

Most IT Analysis is very positive about (hyping) the merits of the cloud.

Very little is written about cloud security or its auditability.


The Gartner Hype Curve


Reality Check

Greatest concerns surrounding cloud adoption at your company (per CIO): Security 45%


Security Issues

“Cyber crime in 2008 was measured to be a larger societal loss than illegal drugs.”

“The main objective of most attackers is to make money. The underground prices for stolen bank login accounts range from $10–$1000 (depending on the available amount of funds), $0.40–$20 for credit card numbers, $1–$8 for online auction site accounts and $4–$30 for email passwords.”

Symantec Global Internet Security Threat Report – April 2009


Security Issues

“Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century. The digital infrastructure’s architecture was driven more by considerations of interoperability and efficiency than of security.”

White House Cyberspace Security Review May 2009


Reality Check

Greatest concerns surrounding cloud adoption at your company (per CIO)

• Security 45%
• Integration with existing systems 26%
• Loss of control over data 26%
• Availability concerns 25%
• Performance issues 24%
• IT governance issues 19%
• Regulatory/compliance concerns 19%


Cloud Security & Control Groups

• ENISA
• Cloud Security Alliance – CSA
• ISACA
• DMTF
• NIST
• Jericho Forum
• Apps.gov
• OWASP


Cloud Security Alliance Members


Cloud Security Alliance


ISACA


ENISA


DMTF


Security Issues – Data Location

• SaaS clients’ data co-mingled
• Accuracy and authenticity of both data and applications transferred between servers
• Penetration detection & multi-client UA
• Public cloud-server owner – due diligence? Data erasure?
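The first bullet above, co-mingled SaaS tenant data, is worth seeing in code. The following is an added example, not part of the original presentation: a minimal multi-tenant data-access layer backed by one shared table, with the unscoped lookup that leaks another tenant's row beside the tenant-scoped version, plus the check an auditor could run against the scoped accessor. The table layout, tenant names and invoice rows are constructed for illustration.

```python
"""
Added example (not from the original presentation): a minimal multi-tenant
SaaS data-access layer showing the "co-mingled data" risk from the slide.
Tenants share one table; the only thing separating them is the query.
All names (tenants, records, table layout) are constructed for illustration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a shared (co-mingled) invoices table holding two tenants' rows.
    Constructed sample data, not real customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "customer TEXT NOT NULL, amount REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, tenant_id, customer, amount) VALUES (?, ?, ?, ?)",
        [
            (1, "acme", "Acme Corp buyer", 1200.00),
            (2, "acme", "Acme Corp buyer 2", 300.50),
            (3, "globex", "Globex client", 9800.00),
        ],
    )
    conn.commit()
    return conn


def get_invoice_unscoped(conn, invoice_id: int):
    """Vulnerable 'before' case: looks a record up by its global id only.
    Any tenant that can guess or enumerate an id reads another tenant's row."""
    return conn.execute(
        "SELECT id, tenant_id, customer, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice_scoped(conn, tenant_id: str, invoice_id: int):
    """Hardened: the tenant id comes from the authenticated session, never from
    the request body, and every query is filtered by it. A cross-tenant id
    simply does not exist from this tenant's point of view (returns None)."""
    return conn.execute(
        "SELECT id, tenant_id, customer, amount FROM invoices "
        "WHERE id = ? AND tenant_id = ?",
        (invoice_id, tenant_id),
    ).fetchone()


def audit_tenant_scoping(conn, tenants) -> list:
    """Auditor's check: for every tenant, every row the scoped accessor returns
    must carry that tenant's id. Returns a list of (tenant, row) violations;
    an empty list means scoping holds for every id in the table."""
    violations = []
    max_id = conn.execute("SELECT MAX(id) FROM invoices").fetchone()[0]
    for tenant in tenants:
        for invoice_id in range(1, max_id + 1):
            row = get_invoice_scoped(conn, tenant, invoice_id)
            if row is not None and row[1] != tenant:
                violations.append((tenant, row))
    return violations


if __name__ == "__main__":
    db = build_db()
    # Tenant "acme" asks for id 3, which belongs to "globex".
    print("unscoped:", get_invoice_unscoped(db, 3))        # leaks globex's row
    print("scoped:  ", get_invoice_scoped(db, "acme", 3))  # None
    print("violations:", audit_tenant_scoping(db, ["acme", "globex"]))
```

The point for an audit is the second bullet of the SLA review later in the deck: the tenant filter has to be applied in the provider's code on every data path, and a test like `audit_tenant_scoping` is the kind of evidence to ask the provider for rather than taking "multi-tenant isolation" on trust.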


Current Regulations

PCI Compliance

States’ PII requirements

Sarbanes-Oxley

HIPAA


Current Regulations & Standards


ISACA Member Responsibilities – Opportunities

• Ensure organization’s key players are aware of cloud security issues
• Audit data / applications targeted for cloud computing
• Input / review cloud provider’s SLA agreement
• Strengthen internal IAM program


ISACA Member Responsibilities – Opportunities

Ensure Organization’s Key Players Aware of Cloud Security Issues

Target respected type “A” champions:

• Business application owners
• Corporate attorneys
• CxOs
• HR


ISACA Member Responsibilities – Opportunities

Audit Data/Applications targeted for Cloud Computing – Data Mapping

• What is the application data’s internal security level?
• Who are the data owners?
• What type of cloud (public, private, etc.) is targeted?


ISACA Member Responsibilities – Opportunities

Input / Review Cloud Provider’s SLA

• Open-sourced APIs, etc.
• XACML-based IAM program
• Security transparency
• Ownership of data
• Audit at will
• DR/BC policy and practice
• Return of application and data policy


ISACA Member Responsibilities – Opportunities

Strengthen Identity – Access Management Program

• XACML-based IAM program
• Federated user access – integrated across both cloud and internal enterprise
• Aligned with compliance requirements
• SSO (Single Sign On)
• IAM security monitoring – reporting
• Opportunity to implement risk-based provisioning
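To make the XACML-style, federated, risk-based IAM items above concrete, here is an added example that is not part of the original presentation: a small attribute-based access-control evaluator in the style of an XACML policy with a deny-overrides combining algorithm. One policy covers a cloud CRM app and an internal HR app; the subject's attributes are assumed to arrive in a federated assertion from an identity provider, and a risk score on the session drives the risk-based rule. The rules, attribute names, issuer URL and risk threshold are all constructed for illustration; a real program would run a proper XACML policy decision point.

```python
"""
Added example (not from the original presentation): a small attribute-based
access-control evaluator in the style of an XACML policy, showing how a
federated subject (attributes asserted by an identity provider) is evaluated
against one policy that covers both a cloud app and an internal app.
Policy contents, attribute names, issuers and the risk-score threshold are
constructed for illustration; a real deployment would use an XACML PDP.
"""
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    """One XACML-style rule: a target of attribute matches plus an effect.
    An empty target dict means 'any'. The optional condition is a callable
    over the whole request (used here for the issuer and risk-score checks)."""
    effect: str
    subject: dict = field(default_factory=dict)
    resource: dict = field(default_factory=dict)
    action: dict = field(default_factory=dict)
    condition: object = None

    def applies(self, request: dict) -> bool:
        for category in ("subject", "resource", "action"):
            wanted = getattr(self, category)
            have = request.get(category, {})
            for attr, value in wanted.items():
                actual = have.get(attr)
                # multi-valued attributes (e.g. a list of roles) match on membership
                if isinstance(actual, (list, set, tuple)):
                    if value not in actual:
                        return False
                elif actual != value:
                    return False
        if self.condition is not None and not self.condition(request):
            return False
        return True


def evaluate(rules, request: dict) -> str:
    """Deny-overrides combining algorithm: any applicable Deny wins; otherwise
    any applicable Permit; otherwise NotApplicable (the enforcement point
    should treat NotApplicable as a denial)."""
    decision = NOT_APPLICABLE
    for rule in rules:
        if not rule.applies(request):
            continue
        if rule.effect == DENY:
            return DENY
        decision = PERMIT
    return decision


# Constructed policy: one rule set spans the cloud CRM and the internal HR app.
TRUSTED_ISSUERS = {"https://idp.example.internal"}  # assumed corporate IdP
RISK_THRESHOLD = 70                                  # assumed risk-based provisioning cutoff

POLICY = [
    # Federation: assertions from an unknown identity provider are denied outright.
    Rule(DENY, condition=lambda r: r["subject"].get("issuer") not in TRUSTED_ISSUERS),
    # Risk-based provisioning: a high-risk session may not write anywhere.
    Rule(DENY, action={"id": "write"},
         condition=lambda r: r["subject"].get("risk_score", 0) > RISK_THRESHOLD),
    # Sales role may read and write CRM records in the cloud app.
    Rule(PERMIT, subject={"role": "sales"}, resource={"app": "crm-cloud"}),
    # HR role may read HR records in the internal app; nobody else may.
    Rule(PERMIT, subject={"role": "hr"}, resource={"app": "hr-internal"},
         action={"id": "read"}),
]


def decide(subject: dict, app: str, action: str) -> str:
    """Policy enforcement point entry: build the request and evaluate it."""
    request = {"subject": subject, "resource": {"app": app}, "action": {"id": action}}
    return evaluate(POLICY, request)


if __name__ == "__main__":
    alice = {"id": "alice", "role": ["sales"],
             "issuer": "https://idp.example.internal", "risk_score": 10}
    print(decide(alice, "crm-cloud", "write"))    # Permit
    print(decide(alice, "hr-internal", "read"))   # NotApplicable
    risky = dict(alice, risk_score=95)
    print(decide(risky, "crm-cloud", "write"))    # Deny
    print(decide(risky, "crm-cloud", "read"))     # Permit
    outsider = dict(alice, issuer="https://idp.attacker.example")
    print(decide(outsider, "crm-cloud", "read"))  # Deny
```

Two design points matter for the audit view: the same policy file governs both the cloud and the internal resource, so there is one place to review, and the risk-based and federation rules are ordered as Deny rules under deny-overrides, so no later Permit can quietly win over them.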


ISACA Member Responsibilities – Opportunities

KEY TAKE-AWAY #1

Cloud computing should provide organizations sufficient cost savings to afford investments in required best-practice IS security measures.


ISACA Member Responsibilities – Opportunities

KEY TAKE-AWAY #2

Employ the same best-practice audit and risk management principles for cloud computing as you have been trained for and have used (or should be using) your entire career.


ISACA Member Responsibilities – Opportunities

KEY TAKE-AWAY #3

Develop an overarching Business Impact Analysis for moving an application / data to the cloud.


ISACA Member Responsibilities – Opportunities

Cloud computing can be evaluated much in the same way as a new operating system. And yet, it's something more as well. It has the usual system services but also some fantastic ones -- unlimited memory, unlimited storage, unlimited network bandwidth, unlimited (and on-demand) scalability and parallelism

http://www.ddj.com/web-development/220300736?pgno=4


ISACA Member Responsibilities – Opportunities

This fundamental difference between probabilistic risk and risk introduced by an intelligent adversary (or adaptive threats) leads to the conclusion that more understanding of the cyber security issues and impacts that are possible on the electric grid is needed. Indeed, there really is no statistical norm for the behavior of cyber attackers and information systems and components failure, and their potential impacts to grid reliability.

NERC - 2009 Long-Term Reliability Assessment


ISACA Member Responsibilities – Opportunities

[Diagram: Internal Enterprise connected to Distribution Resellers and Suppliers through a CRM Cloud App and an ERP Cloud App]


ISACA Member Responsibilities – Opportunities

[Diagram: as above, with the Internal Enterprise’s HR, Stock Opt, Advrtz and Cust Service functions also connected to the CRM Cloud App and ERP Cloud App alongside Distribution Resellers and Suppliers]


ISACA Member Responsibilities – Opportunities

There needs to be rock-solid security, and annual (or when changes occur) audit-to-certification standards developed for Cloud Service Providers (CSPs).


ISACA Member Responsibilities – Opportunities

Summary –

• Become a weatherman – learn the clouds
• Educate key organization decision makers
• Internal risk assessment of apps and data
• Insist on a seat in the SDLC group
• Insist on open source or open standard cloud tools


ISACA Member Responsibilities – Opportunities

Summary –

• Audit CSP’s security and DR/BC policies
• Is the CSP promoting best security practices?
• Upgrade current internal IAM program
• Insist on a “SAS70” type audit from partners and outsource providers of their cloud enterprises


What’s Still Needed

Commercial cloud applications security standards.

Training & certification requirements for:

• Individual cloud developers
• Cloud service providers
• Cloud security tool providers


What’s Still Needed

Best-practice standards for internal audits of enterprises employing cloud applications: a combination of the ENISA cloud risk assessment with the financial Shared Assessments program.

Implement an annual Know Your Client (KYC) type audit/certification for all clients and cloud service providers.


Questions


Thank you

Peet Rapp – MBA, CISA
peet.rapp@yahoo.com
603-731-0494