1 La computación en nube Implicaciones para Auditoría y Seguridad d Ing. Miguel Angel Aranguren Romero Ing. Miguel Angel Aranguren Romero CISA, CISM, CGEIT, CRISC, CISSP, OSCP, Cobit FC, ITIL v3 FC
3 A smarter planet creates new opportunities, but also new risks. The planet is becoming more instrumented, interconnected and intelligent. New possibilities New complexities New risks We have seen more change in the last 10 years than in the previous 90. Ad J. Scheepbouwer, CEO, KPN Telecom Critical Privacy New and Cloud infrastructure and identity emerging threats security protection
4 De las cinco tecnologías evaluadas, las redes sociales, las plataformas móviles y la computación en nube presentan las mayores preocupaciones de riesgos Herramientas de redes sociales Plataformas móviles. Computación en nube 21% 15% 27% 19% 24% 35% 42% 54% 64% Estamos preocupados por tener capacidad para controlar de manera segura el flujo de datos hacia y desde los dispositivos móviles de los empleados y de almacenarlos con seguridad Fabricación, América del Norte 26% Virtualización 31% Arquitectura 25% orientada a servicios 34% 43% 42% Ya estamos examinando la computación en nube y aún no se ha perfeccionado la seguridad en nuestras propias redes locales. Asistencia Medica, América del Norte Extremadamente riesgoso / riesgoso Algo riesgoso Moderadamente riesgoso / sin ningún riesgo Fuentes: The Economist Intelligence Unit and IBM Institute for Business Value (556 encuestados). Q17 ( Cuán grande es el riesgo de las siguientes tecnologías y herramientas para su empresa?)
5 Regardless of the model public, private or hybrid security remains the top concern for cloud adoption percent How can we be assured that our data will not be of enterprises consider security the number one inhibitor to cloud adoptions leaked and that the vendors have the technology and the governance to control its employees from stealing data? 48 percent of enterprises are concerned about the reliability of clouds Security is the biggest concern. I don t worry much about the other ities reliability, availability, etc. 33 percent of respondents are concerned with cloud interfering with their ability to comply with regulations I prefer internal cloud to IaaS 1. When the service is kept internally, I am more comfortable with the security that it offers. 1 Driving Profitable Growth Through Cloud Computing, IBM Study (conducted by Oliver Wyman), March, 2010
7 Cloud defined: a consumption and delivery model optimized by workload. Cloud is an emerging style of computing that uses consumption and delivery models to provide applications, data and IT resources as services to users over the network Cloud allows: Self service Sourcing options Flexible payment models Economies of scale Cloud represents: The industrialization of delivery for IT supported services Cloud is: A business model An infrastructure and management methodology A user experience Cloud lets you manage large numbers of highly virtualized resources that resemble a single large resource which can be used to deliver services.
8 Cloud computing delivery models include private, hybrid and public. Private: Access limited to enterprise and its partner network Dedicated resources Single tenant Drives efficiency, standardization and best practices while retaining greater customization ti and control Might be managed or hosted by third party Cloud services Cloud computing model Hybrid: Private infrastructure, integrated with public cloud Public: Open access, subject to subscription Shared resources Multiple tenants Delivers select set of standardized business process, application or infrastructure services on a flexible price per use per basis Always managed and hosted by a third party Customization, efficiency, availability, resiliency, security and privacy Standardization, capital preservation, flexibility and time to deploy
9 Las bondades de la computación en nube
10 Las bondades de la computación en nube
11 Enterprises are benefitting from cloud computing in tangible and significant ways. Results from cloud computing engagements From: To: Increased speed and flexibility 1 Test provisioning Weeks Minutes Change management Months Days or hours Release management Weeks Minutes Service access Administered Self service Standardization Complex Reuse and share Metering and billing Fixed cost Variable cost Server and storage tili ti 10 to 20 t Reduced costs 1 utilization percent 70 to 90 percent Payback period Years Months 1 Based on IBM and client engagement experience
12 The View of Cloud Computing Cloud is a new consumption and delivery model inspired by consumer Internet services. Cloud is enabled by: Pooling and virtualization of resources Automation of service management Standardization of workloads Cloud Services Cloud enables: Self service Location independence d Flexible payment models Economies of scale Cloud represents: The industrialization of delivery for IT supported services Software Hardware Storage Networking
13 Las dificultades de implementación
14 Las dificultades de implementación
15 Control Manycompanies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparencyto to help put customersat ease. Compliance Complying with SOX 1, HIPAA 2 and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential. Data Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important. Reliability High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees. Management Providers must supply easy controls to manage firewall and security settings for applications and runtime environments in the cloud.
16 One size does not fit all: Different cloud workloads have unique risk profiles. for security assurance Need High Low Training and testing with non sensitive data Analysis and simulation with public data Mission critical workloads, personal information Tomorrow s high value and high risk workloads need: Quality of protection adapted to risk Direct visibility and control Significant level of assurance Today s clouds are primarily here: Lower risk workloads One size fits all approach to data protection No significant assurance Price is key Low risk Mid risk High risk Business risk
17 Perspectiva de auditoría y seguridad Implicaciones i y recomendaciones
18 Preparing to Move to the Cloud Cloud Computing is complex where to begin: is complex where to begin: Cloud Computing Establish a set of objectives that clarify what a successful engagement in the cloud would look like. If externally hosting your cloud ensure that your vendor is reliable Identify what workloads you are most comfortable Identify what workloads you are most comfortable with don t just dive in. Determine the appropriate security for your workload, and leverage managed services where workload, and leverage managed services where possible
19 Multiple Delivery Models and Security Impacts Delivery Models provide context into who is responsible for each clouds security
21 Governance Jurisdiction and regulatory requirements Can data be accessed and stored at rest within regulatory constraints? Aredevelopment, test and operational clouds managing data within the required jurisdictions including backups? Complying with Export/Import controls Applying encryption software to data in the cloud, are these controls permitted in a particular country/jurisdiction? Can you legally operate with the security mechanisms being applied? Compliance of the infrastructure Are you buying into a cloud architecture/infrastructure/ service which is not compliant? Audit and reporting Can you provide the required evidence and reports to show compliance to regulations such as PCI and SOX? Can you satisfy legal requirements for information when operating in the cloud?
22 Data Data location and segregation Where does the data reside? d? How do you know? What happens when investigations require access to servers and possibly other people s data? Data footprints How do you ensure that the data is where you need it when you need it, yet not left behind? How is it deleted? Can the application code be exposed in the cloud? Backup and recovery How can you retrieve data when you need it? Can you ensure that the backup is maintained securely, in geographically separated locations? Administration How can you control the increased access administrators have working in a virtualized model? Can privileged access be appropriately p controlled in cloud environments?
23 Protection Architecture How do you protect against attack when you have a standard infrastructure and the same vulnerability exists in many places across that infrastructure? Hypervisor vulnerabilities How can you protect the hypervisor (a key component for cloud infrastructures) which interacts and manages multiple environments in the cloud? The hypervisor being a potential target to gain access to more systems, and hosted images. Multi tenant t tenvironments How do you ensure that systems and applications are appropriately and sufficiently isolated and protecting against malicious server to server communication? Security policies How do you ensure that security policies are accurately and fully implemented across the cloud architectures you are using and buying into? Identity Management How do you control passwords and access tokens in the cloud? How do you federate identity in the cloud? How can you prevent user IDs/passwords being passed and exposed in the cloud unnecessarily, increasing risk?
24 67% of all web application vulnerabilities had no patch in Source: IBMSecurity SolutionsX Force 2009 Trend and Risk Report, published Feb Applications Software Vulnerabilities How do you check and manage vulnerabilities in applications? How do you secure applications in the cloud that are increasing targets due to the large user population? Patch management How do you secure applications where patches are not available? How do you ensure images are patched and up to date when deployed in the cloud? Application devices How do you manage the new access devices using their own new application software? How do you ensure they are not introducing a new set of vulnerabilities and ways to exploit your data?
25 Assurance Operational oversight When logs no longer just cover your own environment do you need to retrieve and analyse audit logs from diverse systems potentially containing information with multiple customers? Audit and assurance What level ofassurance and how many providers will you need to deal with? Do you need to have an audit of every cloud service provider? Investigating an incident How much experience does your provider have of audit and investigation in a shared environment? How much experience do they have of conducting investigations without impacting service or data confidentiality? Experience of new cloud providers What will the security of data be if the cloud providers are no longer in business? Has business continuity been considered for this eventuality?
26 Mejores Prácticas
28 Propuesta Metodológica
29 Iniciando 1. Define a cloud strategy with security in mind Identify the different workloads and how they need to interact. Which models are appropriate based on their security and trust requirements and the systems they need to interface to? 2. Identify the security measures needed Using a framework Security, allows teams to capture the measures that are needed in areas such as governance, architecture, applications and assurance. 3. Enabling security for the cloud. The upfront set of assurance measures you will want to take. Assessing that the applications, infrastructure and other elements meet your security requirements, as well as operational security measures.
30 Propuesta Metodológica 1. Implement and maintain a security program. 2. Build and maintain a secure cloud infrastructure. 3. Ensure confidential data protection. 4. Implement strong access and identity management. 5. Establish application and environment provisioning. 6. Implement a governance and audit management program. 7. Implement a vulnerability and intrusion management program. 8. Maintain environment testing and validation.
31 Conclusiones y Reflexiones finales
32 Conclusiones y reflexiones finales Cloud computing offers new possibilities and new challenges. hll These challenges range from governance, through to securing application and infrastructure. Fundamentally it is important to be able to assure the security of these new models in order to build trust and confidence. The key to establishing trust in these new models is choosing the right cloud computing model for your organization. Place the right workloads in the right model with the right security mechanisms. For those planning to consume cloud services looking for trust and assurance from the cloud provider; understanding the service level agreements and the approaches to security is key. Assessing that this can be delivered, including what assurances can be provided will be important. For those providing or building a cloud infrastructure, using a proven methodology and technologies that can deliver appropriate security is key. This is not just a technical challenge but a challenge of governance and compliance; applications and infrastructure; and assurance.
33 GRACIAS!!! Ing. Miguel Angel Aranguren Romero CISA, CISM, CGEIT, CRISC Cobit Foundations Certificate CISSP, OSCP ITIL v3 Foundations Certificate
Thought Leadership Paper Cloud Computing in the Hedge Fund Industry About Eze Castle Integration Eze Castle Integration is the leading provider of IT solutions and private cloud services to more than 600
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
Cloud Service Level Agreement Standardisation Guidelines Brussels 24/06/2014 1 Table of Contents Preamble... 4 1. Principles for the development of Service Level Agreement Standards for Cloud Computing...
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...
white paper Public or Private Cloud: The Choice is Yours Current Cloudy Situation Facing Businesses There is no debate that most businesses are adopting cloud services at a rapid pace. In fact, a recent
A Blueprint to the Future of Managed Services Direction of Managed Services with Cloud Initiatives Key Takeaways Economic pressures and the new expectations of users, which are being driven by the growth
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
WHITEPAPER CLOUD Possible Use of Cloud Technologies in Public Administration Version 1.0.0 2012 Euritas THE BEST WAY TO PREDICT THE FUTURE IS TO CREATE IT. [Willy Brandt] 2 PUBLISHER'S IMPRINT Publisher:
A new Breed of Managed Hosting for the Cloud Computing Age A Neovise Vendor White Paper, Prepared for SoftLayer Executive Summary Traditional managed hosting providers often suffer from issues that cause
White Paper Getting ahead in the cloud A White Paper by Bloor Research Author : Fran Howarth Publish date : March 2013 Users are demanding access to applications and services from wherever they are, whenever
CLOUD COMPUTING: IS YOUR COMPANY WEIGHING BOTH BENEFITS & RISKS? Toby Merrill CLOUD COMPUTING: IS YOUR COMPANY WEIGHING BOTH BENEFITS & RISKS? Toby Merrill Toby Merrill, Thomas Kang April 2014 Cloud computing
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
Putting the cloud to work for your organization. A buyers guide to cloud solutions. What s in this guide for you? If you re thinking about bringing the cloud into your business but aren t sure where to
Convergence of Social, Mobile and Cloud: 7 Steps to Ensure Success June, 2013 Contents Executive Overview...4 Business Innovation & Transformation...5 Roadmap for Social, Mobile and Cloud Solutions...7
Five Hosted VoIP Features WHITEPAPER: hosted exchange BUYER S GUIDE www.megapath.com executive summary The adoption of cloud-based hosted services is gaining momentum among businesses interested in reducing
www.pwc.com PwC Advisory Oracle practice 2012 How to drive innovation and business growth Leveraging emerging technology for sustainable growth 1 Heart of the matter Top growth driver today is innovation
Advantages of Managed Security Services versus In-house Security Information Management (SIM) Introduction Proactively managing information security is a critical component to mitigating the risks to your
IT service management and cloud computing AXELOS.com White Paper September 2014 Contents 1 Overview 3 2 What is ITIL? 3 3 What is cloud computing? 3 4 Why is cloud computing important? 4 5 Why is IT service
Managed Hosting: Best Practices to Support Education Strategy in the Career College Sector Online learning is playing a critical role in the delivery of Teaching and Learning and the overall experience
Exploiting the Experience of Transformation IT Outsourcing 2006 IT World Limited on behalf of the BuyIT Best Practice Network Page 1 P12 IT Outsourcing May 2006 Forewords One of the prime objectives of
WHITE PAPER Adaptive Access Management: An ROI Study Sponsored by: Oracle Sally Hudson September 2010 Randy Perry EXECUTIVE SUMMARY Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
White Paper May 2006 Applying Electronic Records Management in the Document Management Environment: An Integrated Approach Written by: Bud Porter-Roth Porter-Roth Associates Table of Contents Introduction
Records Management Best Practices Guide A Practical Approach to Building a Comprehensive and Compliant Records Management Program Protecting and Managing the World s Information. Since 1951, Iron Mountain
Trend Micro Deep Security Server Security Protecting the Dynamic Datacenter A Trend Micro White Paper August 2009 I. SECURITY IN THE DYNAMIC DATACENTER The purpose of IT security is to enable your business,
A Requirement for Virtualization and Cloud Computing An ENTERPRISE MANAGEMENT ASSOCIATES (EMA ) White Paper Prepared for FrontRange Solutions October 2012 IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS