Cloud Computing Security Audit

Transcription

1 Cloud Computing Security Audit Teddy Sukardi Indonesia IT Consultant Association IKTII Chairman

2 Agenda The data center and the cloud Concerns with cloud implementation The role of cloud audit as a solution Suggestions for implementation

3 Background Role of information technology continue to increase in the financial, commerce, public services, education and many other sectors The demand for data center has followed along and raised concern about eficiency and risk management Additional regulations about data center(s) will be issued and implemented nation wide in Indonesia Cloud computing has played a strategic role offering efficiency besides progress in the traditional data center role.

4 Traditional vs Cloud Data Center trends from Cisco Global Cloud Index By 2018, 78% of workloads will be processed by cloud data centers; 22% will be processed by traditional data centers. From 2013 to 2018 overall data center workloads will grow 190 % cloud workloads will grow 290 % Workload density (workload per physical server) growth from 2013 to 2018 for cloud data centers from 5.2 to 7.5 for traditional data centers from 2.2 to 2.5

5 Public vs Private Cloud Data Centers from Cisco Global Cloud Index In % will be in public cloud data centers, up from 22 per cent in 2013 In % will be in private cloud data centers, down from 78 percent in 2013

6 Cloud Computing Definition NIST model

7 Multi Tenancy Use of same resources or application by multiple consumers that may belong to same organization or different organization. Visibility of residual data or trace of operations by other user or tenant. Need for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models for different consumer constituencies. Choices: public cloud providers service offering on an individual user basis private cloud hosting, an organization may segment users as different business units sharing a common infrastructure

8 Multi Tenancy From a provider s perspective An architectural and design approach to enable economies of scale, availability, management, segmentation, isolation, and operational efficiency. Leverage shared infrastructure, data, metadata, services, and applications across many different consumers.

9 Deployment Model

10 Mapping The Cloud Model to Control and Compliance

11 Cloud Security Risks Security controls in cloud computing are no different than security controls in any IT environment. Because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. An organization s security posture is characterized by the maturity, effectiveness, and completeness of the risk-adjusted security controls implemented. These controls are implemented in layers ranging from the facilities (physical security), the network infrastructure (network security), the IT systems (system security) and the information & applications (application security) Controls are implemented at the people and process levels, such as separation of duties and change management, respectively. The security responsibilities of both the provider and the consumer greatly differ between cloud service models.

12 Compliance Issues 1) Regulatory implications for using a particular cloud service or providers, giving particular attention to any cross-border or multi-jurisdictional issues when applicable 2) Assignment of compliance responsibilities between the provider and customer, including indirect providers (i.e.,the cloud provider of your cloud provider) 3) Provider capabilities for demonstrating compliance, including document generation, evidence production, and process compliance, in a timely manner 4) Relationships between customer, providers and auditors (both the customer's and provider's) to ensure required (and appropriately restricted) access and alignment with governance requirements

13 Cloud Security Standards ISO/IEC 27017: Cloud Computing Security and Privacy Management System-Security Controls ISO/IEC x: Multipart standard for the information security of supplier relationship management that is planned to include a part relevant to the cloud supply chain

14 The Role of Audit Audit have been one method to provide assurance that operational risk management activities are thoroughly tested and reviewed. Audit for Cloud must be independently conducted and should be designed to reflect best practice, appropriate resources, and tested protocols and standards. Both internal and external audit and controls are important, for both the customer and provider.

15 Policy and Practise Suggestions To have a right to audit clause in the contract in order to give customers the ability to audit the cloud provider. To use a normative specification in the right to audit to ensure mutual understanding of expectations. To have a right to transparency clause with specified access rights especially in highly regulated industries For Providers to review, update, and publish their information security documents and GRC processes regularly (or as required), including vulnerability analysis and related remediation decisions and activities. For third-party auditors to be mutually disclosed or selected in advance, jointly by provider and customer. For all parties to agree to use a common certification assurance framework for IT governance and security controls.

16 References from: 1) Cloud Security Alliance 2) Cisco Global Cloud Index: Forecast and Methodology White Paper