AOrel-ISACA Security v 1 · • ISACA® is the voice of the information systems audit, IT...
www.marand.com
ISACA CSX: Security Considerations for Cloud Computing
Andrej Orel, Marand d.o.o. & ISACA Slovenia Chapter
ISACA, CSX, COBIT5, CLOUD, SECURITY…
1. ABOUT ISACA
2. ABOUT COBIT
3. COBIT 5 FOR INF. SEC.
4. THE CLOUD
5. SECURITY OF CLOUD
6. DEPLOYMENT OF CLOUD
7. THE END
ABOUT ISACA
ISACA FACTS
• ISACA® is the voice of the information systems audit, IT governance, risk management and cybersecurity professions.
• ISACA® offers industry-leading knowledge, standards, credentialing and education, enabling professionals to apply technology in ways that build confidence, address threats, drive innovation and create positive momentum.
• ISACA® is the creator of the COBIT® framework, which helps organizations effectively govern and manage their information and technology.
• ISACA® helps organizations develop skilled cyber workforces through its Cybersecurity Nexus, the CSX®.
ISACA MEMBERSHIP AND CHAPTERS
• Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 187 countries.
• Its members include internal and external auditors, CEOs, CFOs, CIOs, CTOs, CISOs, various educators, information security and control professionals, business managers, students, and IT consultants.
• ISACA has more than 215 chapters in more than 92 countries.
• In Slovenia there is a “Slovenia Chapter”, founded more than 20 years ago and consisting of about 150 members.
ISACA ACTIVITIES & CERTIFICATIONS
• Certified Information Systems Auditor (CISA), a designation for experienced IS audit, control and security professionals.
• Certified Information Security Manager (CISM), a designation for leading managers of information security.
• Certified in the Governance of Enterprise IT (CGEIT), for those who manage, provide advisory and/or assurance services, or otherwise support IT governance.
• Certified in Risk and Information Systems Control™ (CRISC™), for IT professionals who have experience with risk identification, assessment and evaluation; risk response…
ISACA CORNERSTONES
• Cybersecurity Nexus (CSX) (https://cybersecurity.isaca.org) includes:
  • Fundamental and skills-based Cybersecurity CSX Certification and Training on various levels
  • The Nexus, a free monthly newsletter
  • CSX conferences, expanding globally
  • Cybersecurity research, guidance, training, education and collaboration
  • Cybersecurity Career Road Map
  • Threats and Controls tool
• COBIT®5, a business framework to better manage and govern an organization’s information and technology
ABOUT COBIT®5
COBIT – 20 YEARS ALREADY
COBIT* was developed 20 years ago to help enterprises optimize the value of their critical information assets. Now in version 5, COBIT helps enterprise leaders, managers and IT professionals protect the integrity of their enterprise’s information and “get more” from their information systems, now and in the years to come.
(An ISACA professional, somebody from the ISACA community)
*COBIT - Control Objectives for Information and related Technology
THE COBIT 5 FRAMEWORK
• Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT 5 PRINCIPLES
COBIT 5 ENABLERS
GOVERNANCE AND MANAGEMENT
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
BUSINESS FRAMEWORK FROM ISACA
Evolution of scope, 1996 to 2012 (figure):
• COBIT1 (1996) - Audit
• COBIT2 (1998) - Control
• COBIT3 (2000) - Management
• COBIT4.0/4.1 (2005/7) - IT Governance
• COBIT 5 (2012) - Governance of Enterprise IT
• *Val IT 2.0 (2008), **Risk IT (2009)
*Val IT is a governance framework; can be used to create business value from IT investments (IT Govern. Institute)
**Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT (ISACA)
www.isaca.org/cobit
COBIT 5 FOR INFORMATION SECURITY
INFORMATION!
Information is a key resource for all enterprises. Information is created, used, retained, disclosed and destroyed. Technology plays a key role in these actions. Technology is becoming pervasive in all aspects of business and personal life.
(A lot of unknown thinkers)
What benefits do information and technology bring to the organization?
ISACA INFO SECURITY DEFINITION
Information security is something that ensures that within the *enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability).
(ISACA)
*ISACA refers to the organization by the term enterprise!
COBIT 5 FOR INFORMATION SECURITY
• Extended view of COBIT5
• Explains each component from an info security perspective
WHAT DOES COBIT5 CONTAIN?
• Alignment with standards
• Enablers for support
• Principles from infosec perspective
• Guidance on drivers, benefits
DRIVERS & BENEFITS OF COBIT5
• Major drivers of COBIT5 for Information Security:
  • Need to describe information security in enterprise context
  • Need for enterprises to keep risk at acceptable levels, maintain availability of systems, and comply with relevant regulation.
  • Need to align and connect to major standards and frameworks
  • Need to link together relevant research and guidance
• Major benefits of COBIT5 for Information Security:
  • Reduced complexity and increased cost-effectiveness due to improved integration of information security standards
  • Increased user satisfaction with information security
  • Improved integration of information security in the enterprise
  • Informed risk decisions and risk awareness
  • Improved prevention, detection and recovery
ENABLERS FOR IMPLEMENTATION
• COBIT 5 for Information Security provides specific guidance related to all enablers:
  • Information security policies, principles, and frameworks
  • Processes, including information security-specific details and activities
  • Information security-specific organizational structures
  • In terms of culture, ethics and behavior, factors determining the success of information security governance and management
  • Information security-specific information types
  • Service capabilities required to provide information security functions to an enterprise
  • People, skills and competencies specific for information security
PRINCIPLES, POLICIES & FRAMEWORKS
• The principles, policies and frameworks enabler refers to the communication mechanisms put in place to convey the direction and instructions of the governing bodies and management.
PRINCIPLES & POLICIES + ATTRIBUTES
• Information security principles communicate the rules of the enterprise (organization).
• These principles need to be limited in number and expressed in simple language.
• Policies provide more detailed guidance on how to put principles into practice.
• Policies may include:
  • Information security policy
  • Access control policy
  • Personnel information security policy
  • Incident management policy
  • Asset management policy
• Policy attributes:
  • Scope
  • Validity
  • Goals
PROCESSES - 1
• The COBIT 5 process reference model subdivides IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes:
  • The Governance domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
  • The four Management domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
• COBIT 5 for Information Security examines each of the processes from an information security perspective.
PROCESSES - 2
THE CLOUD
DILBERT ON CLOUD COMPUTING
THE FUTURE OF THE CLOUD
The next stage of cloud computing is fog computing! When the cloud drops into our computing environment, we have fog.
(A well-known Slovenian professional who is working as the CTO in an advanced Slovenian company)
CLOUD COMPUTING – NIST DEFINITION
Cloud computing is defined by the US National Institute of Standards and Technology (NIST) as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
SECURITY CONSIDERATIONS FOR CLOUD COMPUTING
ESSENTIAL CHARACTERISTICS
• The essential characteristics of cloud computing are:
  • On-demand self-service - Computing capabilities can be provisioned without human interaction from the service provider.
  • Broad network access - Computing capabilities are available over the network and can be accessed by diverse client platforms.
  • Resource pooling - Computer resources are pooled to support a multitenant model.
  • Rapid elasticity - Resources can scale up or down rapidly and in some cases automatically in response to business demands.
  • Measured service - Resource utilization can be optimized by leveraging charge-per-use capabilities.
CLOUD SERVICE MODELS
• Infrastructure as a Service (IaaS) - In an IaaS solution, the CSP provides cloud users with processing, storage, networks and other fundamental computing resources. Operating systems and applications, however, are the responsibility of the user and are not included in the service offering of the CSP. Examples are: Rackspace®, Equinix®, Softlayer®, iomart Group plc, Amazon Web Services LLC, etc.
• Platform as a Service (PaaS) - PaaS entails the CSP making available infrastructures and platforms on which cloud users deploy their own applications. This requires the CSP to support programming languages, libraries, services and tools. Examples are: Google App Engine™, Microsoft® Windows Azure™, OpenShift, Amazon Web Services LLC, etc.
• Software as a Service (SaaS) - When opting for SaaS, cloud users not only hire infrastructure and platforms from the CSP, but also run CSP-provided applications on them. Examples are: Computer Services Inc., Salesforce, NewRelic®, Logicworks, Apptix®, Google App Engine, Microsoft Windows Azure, Amazon Web Services LLC, etc.
CLOUD DEPLOYMENT MODELS
• Public cloud - The infrastructure is made available to the general public (e.g., Google Apps, Amazon Elastic Compute Cloud (EC2™), Apple® iCloud). It is deployed within the CSP infrastructure, offsite to the enterprise infrastructure.
• Community cloud - The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from enterprises or interest groups (e.g., vertical industries, schools, researchers, software developers) that have shared concerns. It can be deployed onsite (within the enterprise infrastructure) or offsite (within the CSP infrastructure, also called “outsourced”).
• Private cloud - The infrastructure can be used only by one single enterprise. As for community clouds, it can be deployed onsite or offsite enterprise premises.
• Hybrid cloud - The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community or public) that remain unique entities.
CLOUD SERVICE MODELS & RISK
INFORMATION ASSETS AND RISK
• Unavailability - The asset is unavailable and cannot be used or accessed by the enterprise. The cause can be accidental (failure of the infrastructure), intentional (distributed denial-of-service [DDoS] attacks) or legal (subpoena of a database holding all data in a case of multitenancy architecture where one client’s data are subject to legal investigation).
• Loss - The asset is lost or destroyed. The cause can be accidental (natural disaster, wrong manipulation, etc.) or intentional (deliberate destruction of data).
• Theft - The asset has been intentionally stolen and is now in the possession of another individual/enterprise. Theft is a deliberate action that can involve data loss.
• Disclosure - The asset has been released to unauthorized staff/enterprises/organizations or to the public. Disclosure can be accidental or deliberate. This also includes the undesired, but legal, access to data due to different regulations across international borders.
IMPACT OF RISK EVENTS ON ASSETS
We must not forget the Cost Considerations and Privacy Considerations!
RISK ASSESSMENT WITH MIGRATION
• The chief information security officer (CISO) or the information security manager (ISM) or chief technology officer (CTO) is responsible for being aware of the current risk affecting the assets of the enterprise and for understanding how the migration to the cloud will affect those assets and the current level of risk.
• The impact of a migration to the cloud depends on the cloud service model and deployment model being considered.
• The combination of service model and deployment model can help identify an appropriate balance for organizational assets (e.g., choosing a private cloud deployment model can help balance the risk related to multitenancy).
• The risk-decreasing and risk-increasing factors depending on service model are linked to actual threats and mitigating actions.
RISK BY SERVICE MODEL – IAAS - 1
• With IaaS (Infrastructure as a Service), the CSP provides the enterprise with fundamental computing resources/equipment (storage, hardware, servers and network components) while the enterprise remains in control of the operating system (OS) and applications installed.
• Risk-decreasing factors:
  • Scalability and elasticity - Lack of physical resources is no longer an issue… (Risk affected - Unavailability)
  • DRP and backup - CSPs should already have in place, as common practice, disaster recovery and backup procedures… (Risk affected - Unavailability, loss)
  • Patch management - Cloud infrastructures are commonly based on hypervisors which allow the necessary patches to be applied… (Risk affected - Unavailability, loss, theft, disclosure)
RISK BY SERVICE MODEL – IAAS - 2
• Risk-increasing factors:
  • Legal transborder requirements - CSPs are often transborder in different countries… (Risk affected - Disclosure)
  • Multitenancy and isolation failure - Common approach is a multi-tenant environment… (Risk affected - Theft, disclosure)
  • Lack of visibility of technical security measures - An intrusion… (Risk affected - Unavailability, loss, theft, disclosure)
  • Absence of DRP and backup - The absence of a proper DRP or backup procedures… (Risk affected - Unavailability, loss)
  • Physical security - In an IaaS model, physical computer resources are shared with… (Risk affected - Theft, disclosure)
  • Offshoring infrastructure - Offshoring of key infrastructure expands… (Risk affected - Unavailability, loss, theft, disclosure)
  • …
RISK BY SERVICE MODEL – PAAS
• PaaS (Platform as a Service) adds a layer to IaaS by providing the capability to deploy applications in a cloud infrastructure. The applications are developed using the programming languages and tools supported by the CSP. This service model entails the same impacts on risk as IaaS, plus some of the following factors:
• Risk-decreasing factors:
  • Short development time - Using the service oriented architecture (SOA)… (Risk affected - Unavailability, loss)
• Risk-increasing factors:
  • Application mapping - If current applications are not perfectly aligned with the capabilities… (Risk affected - Theft, disclosure)
  • SOA-related vulnerabilities - Security for SOA presents new challenges… (Risk affected - Unavailability, loss, theft, disclosure)
  • Application disposal - (Risk affected - Theft, disclosure)
RISK BY SERVICE MODEL – SAAS
• In a SaaS (Software as a Service) model, the CSP provides to the enterprise the capability to use applications running on the cloud infrastructure. The enterprise, in turn, provides to the CSP the data necessary to run the application. The whole infrastructure is the responsibility of the CSP. This service model entails the same impacts on risk as PaaS, plus some of the following factors:
• Risk-decreasing factors:
  • Improved security - CSPs depend on the good reputation of their software capabilities… (Risk affected - Unavailability, loss)
• Risk-increasing factors:
  • Data ownership - The CSP provides the applications and the customer provides the data. (Risk affected - Unavailability, loss, disclosure)
  • Data disposal - When a contract ends, the data in the CSP’s application must be erased. (Risk affected - Theft, disclosure)
  • …
RISK BY DEPLOYMENT – PUBLIC
• In a public cloud, the CSP shares infrastructure and resources among various unrelated enterprises and individuals.
• Risk-decreasing factors:
  • Public reputation - Providers of public cloud services are aware of being perceived as more “risky.” It is critical for them to ensure… (Risk affected - Unavailability, loss, theft, disclosure)
• Risk-increasing factors:
  • Full sharing of the cloud - Cloud infrastructure is shared by multiple tenants of the CSP. These tenants have no relation to the enterprise. (Risk affected - Unavailability, loss, theft, disclosure)
  • Collateral damage - If one tenant of a public cloud is attacked, there could be an impact on the other tenants of the same CSP, even if they are not the intended target (e.g., DDoS). Another possibility is an attack exploiting vulnerabilities of SW installed by other… (Risk affected - Unavailability, loss, theft, disclosure)
RISK BY DEPLOYMENT – COMMUNITY
• In a community cloud, cloud services are deployed for the use of a group of entities who share an inherent level of “trust.” In some cases, all the entities are subject to a common security policy.
• Risk-decreasing factors:
  • Same group of entities - The component of “trust” among the entities in a community cloud makes the level of risk lower than in a public... (Risk affected - Unavailability, loss, theft, disclosure)
  • Dedicated access for the community - Dedicated access can be configured for authorized community users only. (Risk affected - Theft, disclosure)
• Risk-increasing factors:
  • Sharing of the cloud - Different entities may have different security measures or security requirements in place, even if they belong to the same enterprise. This may put an entity at risk because of faulty... (Risk affected - Loss, theft, disclosure)
43
RISK BY DEPLOYMENT – PRIVATE
• In a private cloud, cloud services are deployed for the exclusive use of one enterprise. No interaction with other entities is allowed within the cloud. There are on-site and off-site private clouds.
• Risk-decreasing factors:
  • Can be built on-premises - Physical or location considerations can be closely controlled by the enterprise, as the cloud is located… (Risk affected - Unavailability, loss, theft, disclosure)
  • Performance - Affects on-site private clouds. Because the private cloud is deployed inside the firewall on the enterprise’s intranet, transfer rates are increased. (Risk affected - Unavailability, loss)
• Risk-increasing factors:
  • Application compatibility - Applications that have already been confirmed to be virtualization-friendly are likely to run well in a private cloud,… but… (Risk affected - Unavailability, loss)
  • …
44
RISK BY DEPLOYMENT – HYBRID
• A hybrid cloud is a model that allows enterprises to create a mix of public, community and private clouds, depending on the level of “trust” required for their information assets. For example, an enterprise could decide that its web portals can be migrated to a public cloud while its main business application should be migrated to a private cloud; this combination creates a hybrid cloud model.
• Because hybrid clouds are a mix of the other three models, their risk-increasing and risk-decreasing factors are the same as those of the models involved. There is, however, one risk-increasing factor specific to this model:
  • Cloud interdependency - If the enterprise mixes two or more different types of clouds, strict identity controls and strong credentials will be needed to allow one cloud to have access to another. This is similar to a common network infrastructure problem: how to allow access from a low-level to a high-level security… (Risk affected - Unavailability, loss, theft, disclosure)
45
CLOUD SERVICE DECISION
46
CHOOSING A SERVICE MODEL
47
CHOOSING A DEPLOYMENT MODEL
48
THE END
49