Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Transcription

1 Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance

2 Presenters John Montoro President & CEO of RealTime Accounting Solutions, a cloud-based provider of accounting, payroll and financial reporting services 34 years as an auditor and consultant to local governments in Virginia Ted Brown Manager at Network Alliance, provider of cloud IT infrastructure and software support services 10 years experience developing and implementing innovative IT solutions to a diverse client base

3 Agenda Cloud Service Models Security Controls Your responsibilities and questions you need to ask Enterprise risk management and the cloud Cloud user experience

4 Presentation Goals Gain an overview of cloud services models and their pros and cons Review the basics of cloud security Obtain an understanding of ERM risks and responses Understand your responsibilities as a cloud user

5 Who is in the cloud? What is in the cloud? This is my cloud

6 Harnessing the Power of the Cloud Journal of Accountancy Article, April 2014 Technology continues to transform the accounting profession. Cloud computing and mobile devices have untethered CPAs from their desks and desktops, allowing them to do work and access data on a virtually anytime, anywhere basis. Technology continues to break down geographic and market barriers, creating unprecedented opportunities for CPA firms and for CPAs in business and government.

7 Harnessing the Power of the Cloud Journal of Accountancy Article, April 2014 The internet also brings danger. Security breaches such as those at Target and Nieman Marcus show how cybercriminals are ready to exploit weaknesses to gain access to confidential financial information. CPAs leveraging the web for their organizations need to be aware of the security concerns and protect themselves and their clients and companies data.

8 Cloud Service Models SaaS (Software as a service) SaaS is a cloud model where an application is hosted through a company, which typical resides at a datacenter, and allows a pay-per use model across the internet. Designed for end users, and is most common use of the cloud SaaS examples are: Salesforce, GoToMeeting, Google Apps, Office 365 Benefits of SaaS SaaS provider maintains and updates their product or products Ease of use with teams outside organization Mobile access is typically inherent in the system Use software where demand spikes (tax deadlines) with out having to pay for full license. Cons of SaaS Data of the application is not permitted to be hosted externally by legislation or other regulations.

9 Cloud Service Models PaaS (Platform as a service) A computing platform that typically include operating system, programming language, database and web server. Designed to create applications and typically used by developers PaaS examples: Heroku, OpenShift, force.com Benefits of PaaS No capital cost of building own solution PaaS provider maintains all underlying layers of hardware and software. Focus on work flow management Ease of development where external parties need to interact Cons of PaaS Applications requires specific hardware and software Program Language lock in User is responsible for managing the application and the data

10 Cloud Service Models IaaS (Infrastructure as a service) Computer infrastructure such as virtual /physical servers, storage, and networking are provided on a monthly subscription. Designed for virtualization of servers and desktops Examples: Rackspace, Amazon EC2, Windows Azure Benefits of IaaS No capital cost of building own solution (OP x vs Cap X) Service Provider owns the hardware and is responsible for housing, running and maintaining their infrastructure. Allows for dynamic Scaling Cons of IaaS Regulatory compliance of outsourcing data storage Good to know Users are responsible for patching, securing and maintaining servers they have subscribed to.

11 Cloud Service Models SaaS + IaaS =? (IT Outsourcing Model) Virtual desktop environment where virtual /physical servers, storage, and networking software and support are provided and maintained on a monthly basis. Basically an outsourced IT department Examples: Network Alliance, Proxios, others Benefits of IT Outsourcing model Service Provider owns the hardware and is responsible for housing, running and maintaining their infrastructure. Service provider installs and maintains all software applications Significantly reduces or eliminates the need for in house IT staff Cons of IT Outsourcing model Cost effectiveness is dependent on size of organization and extent of computer use

12 Network Security What security is in place today?

13 Top 20 Critical Security Controls

14 History of Critical Security Controls Critical Security Controls were created to improve risk posture against real-world threats.

15 Basics in Network Security Physical Security of Servers Physical Security of Data on Computers Firewall Intrusion Protection System AntiVirus Protection Up-to-date Operating System and AntiVirus

16 Does the Cloud provide better security for your data?

17 Who is Responsible for Cloud Security? Cloud security falls on both the provider and the end user Responsibility is different for each cloud computing models SaaS Responsibility of security the platform and infrastructure falls on the provider IaaS Shared responsibilities. User is required to secure provisioned services Provider is required to secure underlying hardware and datacenter IT Outsource - Responsibility of security the platform and infrastructure falls on the provider Identify the security gaps - know what you are buying, understand the contract and terms, and when in doubt - ask

18 6 Questions to ask 1. What is the encryption strategy? 2. How do you isolate data from other customers? 3. How is user access monitored? 4. What is the backup and disaster strategy? 5. What boundary defenses are in place? 6. What is the drive wiping policy?

19 End user Responsibilities Your data is your data and you are liable Understand the cloud model you are using Ask many questions and talk to references Understand insurance coverage for cloud stored data Have a backup plan End point Security Any device you use should be secured Malware Detection on end points Office should still have firewall and boundary defenses

20 End User Responsibilities Password enforcement Typically the weakest link in security chain Recommend Change every 45 days String of text 8 or more characters Combination of numbers, symbols, upper and lower case letters If possible deploy dual factor authentication into the cloud

21 The Cloud According to COSO Research commissioned by COSO Published in 2012

22 COSO: The Opportunities Cost savings: paying for what you use Speed of deployment Scalability and better alignment of technology resources Decreased effort in managing technology Environmental benefits

23 COSO: The Risks Disruptive force: by facilitating change and innovation Residing in same risk ecosystem as the CSP and other tenants Lack of transparency Reliability and performance Vendor lock-n and lack of application portability or interoperability Security and compliance concerns High-value cyber attack targets Risk of data leakage IT organizational changes Cloud service provider viability

24 COSO: Recommended Risk Responses Risk Unauthorized cloud activity Response Cloud policies and controls Lack of transparency Assessments of the CSP control environment Security, compliance data leakage and data jurisdiction Transparency and relinquishing direct control Data classification policies and processes Management oversight and operations monitoring controls

25 COSO: Recommended Risk Responses Risk Reliability, performance, high-value cyber attack target Noncompliance with regulations Response Incident management Monitoring of the external environment Vendor lock-in Preparation of an exit strategy Noncompliance with disclosure requirements New disclosures in financial reporting

26 Is your Cloud Provider HIPAA Ready? Source: IT Business Edge Article Policies People Access controls Encrypted data in transit Encrypted data at rest Monitoring Breach notification Disaster recovery Data location Experience and organization-wide awareness Security program that meet the specific policies and procedures required by HIPAA Dedicated person on-site Controls that include electronic identification and limit physical on-site data access For healthcare data, drives must be encrypted and accounted for, including backups Daily operational procedures that log and monitor looking for suspicious activities An incident response process Address the recovery or continuation of technology infrastructure Know where your cloud is! Should be stored in the US Provider with a proven track record.

27 User Perspective the Virtual Desktop Environment RealTime Accounting s IT structure No servers on site All employees work in a virtual desktop environment A paperless office (well, almost) Multiple ways to connect to the internet Provider owns server equipment, installs software and updates Provides customer support We manage password access

28 User Perspective the Virtual Desktop Environment RealTime Accounting s IT structure more complex Document manager is a SaaS and separately managed Payroll software syncs to on site server maintained by our payroll partner Several access points to software applications Several ways to transfer data to and from our clients Drop box Hot folder

29 User Perspective: Documents stored in the Cloud - Can you throw away the paper? Security clearly an issue Some considerations with document management Versioning Chain of evidence Ability to redact

30 Questions? Contact information John Montoro Ted Brown