Cloud Computing - Introduction & Governance
8/12/2019 Cloud Computing - Introduction & Governance
1/31
Cloud Computing & IT Governance
Agenda
What is Cloud computing
Cloud service delivery model
Cloud deployment model
Critical Security issues
Frameworks: COSO ERM, ITIL, ISO 27001, ENISA governance
Cloud risk case study
What is Cloud Computing ?
Simply put, cloud computing provides a variety of computing resources, from servers and storage to enterprise applications such as email, security, backup/DR and voice, all delivered over the Internet.
The cloud delivers a hosting environment that is immediate, flexible, scalable, secure and available, while saving corporations money, time and resources.
On-demand solutions for your business, based on a pay-as-you-go model.
Traditional Software Model
Large upfront licensing costs
Annual support costs
Depends on number of users
Not based on usage
Organization is responsible for hardware
Security is a consideration
Customized applications
Cloud Service Delivery Models
Service delivery in cloud computing comprises three different service models:
- Infrastructure-as-a-Service (IaaS),
- Platform-as-a-Service (PaaS), and
- Software-as-a-Service (SaaS).
The three service models (or layers) are completed by an end-user layer that encapsulates the end-user perspective on cloud services.
Cloud Service Delivery Model
Several technologies work together:
Cloud access devices
Browsers and thin clients
High-speed broadband access
Data centers and server farms
Storage devices
Virtualization technologies
APIs
Key Drivers
Small investment and low ongoing costs: pay-as-you-go basis
Economies of scale
Open standards
Sustainability
Cloud Services Delivery Model
SaaS
- Rents software on a subscription basis
- Service includes software, hardware and support
- Users access the service through an authorized device
- Suitable for a company that wants to outsource hosting of its apps
PaaS
- Vendor offers a development environment to application developers
- Provides developer toolkits, building blocks and payment hooks
IaaS
- Processing power and storage as a service
- The hypervisor sits at this level
Cloud Service Delivery Models
Division of Responsibility
Deployment Models of Cloud
Public: Cloud infrastructure is available to the general public and is owned by an organization selling cloud services.
Private: Cloud infrastructure operated for a single organization only; managed by the organization or a third party, on or off premises.
Community: Cloud infrastructure shared by several organizations that have shared concerns; managed by the organizations or a third party.
Hybrid: Combination of more than one cloud deployment model, bound together by standardized or proprietary technology.
Deployment Models of Cloud (Cont.)
Figure: http://en.wikipedia.org/wiki/File:Cloud_computing_types.svg
Critical Security Issues of Cloud
Private clouds are not secure: a cloud placed behind the enterprise firewall is not inherently secure; it needs to be implemented and managed with security in mind.
Security is limited to the weakest link, be that users, departments with less security, or unprotected applications.
Security visibility and risk awareness: monitoring not just resources but the security state of a cloud is of utmost importance.
Do not just gather metrics: make them easily accessible, displayed in a meaningful way, and look for potential issues every day, not only during compliance-required monthly reviews.
Safely storing sensitive information: sensitive data must be encrypted with a strong, industry-trusted encryption library. Do not write your own.
It is very difficult to guarantee absolutely no eavesdropping in a cloud environment.
Decide whether to encrypt data in the cloud, or before it gets to the cloud. Encrypting before upload keeps the keys out of the provider's reach, but the provider then cannot index or process that data for you.
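The "encrypt before it gets to the cloud" option, as an added example that is not part of the original slides: a client seals each record with AES-256-GCM from Go's standard library (an industry-trusted implementation, not a home-grown one) and ships only the ciphertext. The object name is bound in as associated data, so a ciphertext moved to another object name will not open. The `objectStore` map is a hypothetical stand-in for a provider's storage API, and the key returned by `NewDataKey` would in practice be held in a KMS or HSM rather than generated in-process; both are assumptions of this example.

```go
package main

// Added example (not from the slides): client-side encryption so that only
// ciphertext ever reaches the cloud. AES-256-GCM from Go's standard library,
// not a home-grown scheme. The "cloud" is a map standing in for a provider's
// object store (assumption); the key stays on the client.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. In a real deployment this key
// would be generated and held by a KMS or HSM, never stored with the data.
func NewDataKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err) // the OS CSPRNG failing is unrecoverable here
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext under key and binds objectName as associated
// data, so a ciphertext copied under another object name will not decrypt.
// Layout of the result: 12-byte random nonce || ciphertext || 16-byte tag.
func SealRecord(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// OpenRecord reverses SealRecord. Any change to the nonce, ciphertext, tag
// or object name makes gcm.Open return an error instead of plaintext.
func OpenRecord(key []byte, objectName string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// objectStore is a hypothetical stand-in for the provider's storage API.
type objectStore map[string][]byte

func main() {
	key := NewDataKey()
	cloud := objectStore{}
	name := "mortgage/app-001.json"
	record := []byte(`{"applicant":"jane","income":85000}`) // constructed sample

	sealed, err := SealRecord(key, name, record)
	if err != nil {
		panic(err)
	}
	cloud[name] = sealed // only ciphertext crosses the trust boundary
	fmt.Printf("stored %d bytes; provider sees: %x...\n", len(sealed), sealed[:8])

	got, err := OpenRecord(key, name, cloud[name])
	fmt.Printf("client read back: %s (err=%v)\n", got, err)

	// Anyone who flips one stored byte gets an error back, not altered data.
	cloud[name][len(sealed)-1] ^= 0x01
	_, err = OpenRecord(key, name, cloud[name])
	fmt.Println("after tampering:", err)
}
```

The trade-off the slide points at is visible here: the provider holds only `nonce||ct||tag` and the object name, so it cannot read, search or compute over the record; every such operation has to happen on the client after `OpenRecord`.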
Critical Security Issues of Cloud (Cont.)
Application Security
The shared environment and the difference in security architecture of a cloud increase the importance of application security. Before migrating an application to the cloud, perform an architecture review and see where cloud benefits can be leveraged.
Migrating an application to the cloud is a unique chance to increase the security of the application through increased availability, ability to scale, and use of cloud APIs.
Authentication and Authorization
Should enterprise authentication be extended to the cloud? It depends on usage and on the scope of the security program.
The authentication system should be flexible enough to support different authentication methods for different cloud services.
A wide variety of commercial solutions is available.
Authentication and authorization system logs can provide insight into reconnaissance activity, such as one source address failing logins against many different accounts.
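What "insight into reconnaissance activity" looks like in practice, as an added example that is not part of the original slides: a small detector run over authentication log lines. The `key=value` log format, the two thresholds and the sample lines are all constructed for this example; real IAM or SSO logs need their own parser, but the aggregation is the same. One source address failing against many distinct accounts is the shape of password spraying; many "no_such_user" failures from one address is the shape of account enumeration.

```go
package main

// Added example (not from the slides): mining authentication logs for
// reconnaissance. The log format, thresholds and sample lines are
// constructed assumptions, not any product's real format.

import (
	"fmt"
	"sort"
	"strings"
)

// AuthEvent is one parsed line: "<timestamp> ip=.. user=.. result=OK|FAIL reason=..".
type AuthEvent struct {
	Time, SourceIP, User, Result, Reason string
}

// ParseAuthLine rejects lines missing the required fields instead of guessing.
func ParseAuthLine(line string) (AuthEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return AuthEvent{}, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	ev := AuthEvent{fields[0], kv["ip"], kv["user"], kv["result"], kv["reason"]}
	if ev.SourceIP == "" || ev.User == "" || ev.Result == "" {
		return AuthEvent{}, false
	}
	return ev, true
}

// Finding is one reconnaissance indicator attributed to a source address.
type Finding struct {
	SourceIP string
	Kind     string // "password_spray" or "user_enumeration"
	Count    int    // distinct accounts failed, or no_such_user failures
}

// DetectRecon aggregates FAIL events per source IP and applies two thresholds:
// sprayUsers distinct accounts with failures, or enumFailures unknown-user
// failures. Successful logins and unparseable lines are ignored.
func DetectRecon(lines []string, sprayUsers, enumFailures int) []Finding {
	failedUsers := map[string]map[string]bool{}
	unknownUsers := map[string]int{}
	for _, line := range lines {
		ev, ok := ParseAuthLine(line)
		if !ok || ev.Result != "FAIL" {
			continue
		}
		if failedUsers[ev.SourceIP] == nil {
			failedUsers[ev.SourceIP] = map[string]bool{}
		}
		failedUsers[ev.SourceIP][ev.User] = true
		if ev.Reason == "no_such_user" {
			unknownUsers[ev.SourceIP]++
		}
	}
	var findings []Finding
	for ip, users := range failedUsers {
		if len(users) >= sprayUsers {
			findings = append(findings, Finding{ip, "password_spray", len(users)})
		}
		if unknownUsers[ip] >= enumFailures {
			findings = append(findings, Finding{ip, "user_enumeration", unknownUsers[ip]})
		}
	}
	// Map iteration order is random; sort so output and tests are stable.
	sort.Slice(findings, func(i, j int) bool {
		return findings[i].SourceIP+findings[i].Kind < findings[j].SourceIP+findings[j].Kind
	})
	return findings
}

// SampleLog is constructed: a spraying source, an enumerating source,
// and a user who mistyped a password once and then logged in.
var SampleLog = []string{
	"2019-08-12T09:00:01Z ip=203.0.113.5 user=alice result=FAIL reason=bad_password",
	"2019-08-12T09:00:02Z ip=203.0.113.5 user=bob result=FAIL reason=bad_password",
	"2019-08-12T09:00:03Z ip=203.0.113.5 user=carol result=FAIL reason=bad_password",
	"2019-08-12T09:00:04Z ip=203.0.113.5 user=dave result=FAIL reason=bad_password",
	"2019-08-12T09:01:00Z ip=198.51.100.7 user=admin result=FAIL reason=no_such_user",
	"2019-08-12T09:01:01Z ip=198.51.100.7 user=root result=FAIL reason=no_such_user",
	"2019-08-12T09:01:02Z ip=198.51.100.7 user=test result=FAIL reason=no_such_user",
	"2019-08-12T09:02:00Z ip=192.0.2.10 user=alice result=FAIL reason=bad_password",
	"2019-08-12T09:02:05Z ip=192.0.2.10 user=alice result=OK",
}

func main() {
	for _, f := range DetectRecon(SampleLog, 4, 3) {
		fmt.Printf("%-14s %-18s count=%d\n", f.SourceIP, f.Kind, f.Count)
	}
}
```

The thresholds are deliberately parameters: a per-user lockout policy never fires on spraying, because each account sees only one failure, which is why the aggregation key here is the source address rather than the account.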
COSO ERM Framework
COSO:
The frame
pathway in which eac
(starting with internain order to understan
and disadvantages th
candidate would brin
In cases w
already been implem
framework can be use
establish, refine, or p
assurance check of thprogram by ensuring
aspects of the progra
assessment, and risk
addressed with respe
managements requir
ITIL Framework
Information Technology Infrastructure Library (ITIL)
It is a set of practices for IT service management that focuses on aligning IT services with the needs of the business.
ITIL describes processes, procedures, tasks and checklists. These are not organization-specific, but can be applied by an organization for establishing integration with the organization's strategy, delivering value, and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement and measure.
It is used to demonstrate compliance and to measure improvement.
It is through this framework that processes are continuously improved to ensure that end users can experience excellence on every service experience delivered.
ISO 27001 Framework
ISO 27001:
It is a structured set of guidelines and specifications for assisting organizations in developing their own information security framework. The standard relates to all information assets in an organization regardless of the medium on which they are stored, or where they are located.
ISO 27001 suggests the development and implementation of a structured Information Security Management System (ISMS), which governs the security implementation and monitoring in the organization. It is designed to serve as a single 'reference point' for identifying the range of controls needed for most situations where information systems are used.
ENISA Governance Framework
ENISA:
Based on COSO's Internal Control framework.
In order to guarantee that all controls are implemented and maintained properly, organizations need to move from ad-hoc activities to a planned implementation and monitoring system.
The Internal Control System is a tool for attaining the objectives of an organization.
An Internal Control System is defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Cloud control
Accountability:
Preventive Controls
Detective Controls
Procedural Measures
Technical Measures
Responsibility:
Customer vs. Provider
Compliance
Data Management
Forensics & Recovery
CLOUD RISK: Case Study
Cloud risk assessment
Cloud risk assessment
In 2009, the European Network and Information Security Agency (ENISA) produced a document titled Cloud Computing: Benefits, Risks and Recommendations for Information Security. This document collates 35 types of risk identified by its contributors, and identifies eight top security risks based on ENISA's view of indicative likelihood and impact.
In March 2010, the Cloud Security Alliance (CSA) published Top Threats to Cloud Computing V1.0, which includes the top seven threats as identified by its members.
In April 2011, the Open Web Application Security Project (OWASP) released a pre-alpha list of its top 10 cloud security risks, derived from a literature review of other publications and sources.
The ISO/IEC 9126 standard (Information technology: Software product evaluation: Quality characteristics and guidelines for their use), when used in conjunction with a deep security assessment, is valuable for putting more structure and coherence around assessing the suitability of new vendors and new technologies, including cloud offerings.
Case Study
This case study considers moving a risk management business function (a home mortgage insurance calculation) to the cloud.
The business benefit of placing this function in the cloud is that it will allow branches, call centres, brokers and other channels to use the same code base and avoid replicating calculations in multiple places. The use of the cloud will also reduce paper handling and host system access, and the associated security required. There is also a potential business driver for allowing customers access to their own data if placed on the public cloud.
The first step in the framework is to formulate and communicate a vision for the cloud at an enterprise and business-unit level.
Guiding principles
Vision: What is the business vision and who will own the initiative?
Visibility: What needs to be done and what are the risks?
Accountability: Who is accountable and to whom?
Sustainability: How will it be monitored and measured?
Guiding principles
10 principles
VISION:
1.Executives must have oversight over the cloud
2.Management must own the risks in the cloud
VISIBILITY:
3. All necessary staff must have knowledge of the cloud
4. Management must know who is using the cloud
5. Management must authorise what is put in the cloud
ACCOUNTABILITY
6. Mature IT processes must be followed in the cloud
7. Management must buy or build management and security in the cloud
8. Management must ensure cloud use is compliant
SUSTAINABILITY
9. Management must monitor risk in the cloud
10. Best practices must be followed in the cloud
References
An article at http://www.csoonline.com/article/717307 by John Kinsella, Protected Industries, http://www.protectedindustries.com
An article at http://www.csoonline.com/article/647128/five-cloud-security-trends-experts-see-for-2011
ITIL framework: http://sysonline.net/content.php?id=53
ENISA framework: http://www.enisa.europa.eu/activities/risk-management/current-risk/business-process-integration/governance/ics
ISO 27001: http://www.simosindia.in/services/plan/?id=iso