Cloud Computing Risks and Considerations for a Successful Implementation
Andrew Ellsweig, Director
Nicholas Zaky, Manager

Agenda
- Cloud Computing Defined
- Cloud Computing Benefits
- Top Cloud Security Threats and Risks
- Vendor Selection
- Due Diligence
- Database Security Considerations
- Implementation
- Questions and Answers
A Working Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Source: NIST

The NIST Cloud Definition Framework
Deployment Models
- Private Cloud
- Community Cloud
- Public Cloud
- Hybrid Clouds
Service Models
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
Essential Characteristics
- On-Demand Self-Service
- Broad Network Access
- Resource Pooling
- Rapid Elasticity
- Measured Service
Common Characteristics
- Massive Scale
- Resilient Computing
- Homogeneity
- Virtualization
- Low Cost Software
- Geographic Distribution
- Service Orientation
- Advanced Security
Source: NIST
Cloud Deployment Models
Private cloud
- Enterprise owned, leased or managed
- Example: internal virtualized servers that host a corporate intranet site, which is only accessible to users behind the corporate firewall
Community cloud
- Shared infrastructure for a specific group or community
- Example: Google's Gov Cloud, a government-specific offering of Google's cloud services such as Google Apps
Public cloud
- Sold to the public, large-scale infrastructure
- Includes capacity on demand
- Example: Amazon's Simple Storage Service (S3)
Hybrid cloud
- Composition of two or more cloud models
- Example: a private cloud managing local data backups and replicating that data to a public cloud solution
Cloud Computing Benefits
- Rapid deployment of applications and resources; well suited to seasonal demand or other spikes in business
- Available anywhere and anytime
- Cost savings due to reduction of capital expenditures and IT staff; operating expenses (Opex) instead of capital expenditures (Capex)
- Reduced power consumption ("green" savings)
- Scalable
- Maintenance and availability become someone else's responsibility
Source: NIST

Cloud Computing Benefits (Cont.)
- No more buying servers, with their under-utilization and rapid depreciation
- No buying switches, routers, cabling, backup power, redundant bandwidth, and HVAC
- Reduced IT staff for server maintenance and server/computer rooms
- They buy equipment, you rent it: by the gigahertz, gigabyte, kilowatt, Mbps
- They hire IT staff, you rent their services
- Possible economies of scale
- Lower capital expenditures and IT operating costs
Source: Proformative
Cloud Computing Benefits: Cost Savings
Estimates vary widely on potential cost savings:
- Brian Gammage, Gartner Fellow: "If you move your data center to a cloud provider, it will be a tenth of the cost."
- CTO of Washington D.C.: use of cloud applications can reduce costs from 50% to 90%
- Preferred Hotel: traditional approach was a $210k server refresh plus $10k/month; cloud approach was $10k implementation plus $16k/month (33 month break-even)
- Ted Alford and Gwen Morton of Booz Allen Hamilton: government agencies moving to public or private clouds can save from 50 to 67 percent
- Merrill Lynch: claimed that the technology could make business applications 3 to 5 times cheaper, meaning that organizations could save anywhere from 67 to 80%
- William Forrest, McKinsey Analyst: disputing some of the cost savings examples, he indicated that there would be few savings from cloud migrations and that moving to the cloud actually would cost 144 percent more than current expenditures
Cloud Computing Risks
There are a number of "hidden gotchas" when it comes to using cloud providers:
- Not taking full account of financial commitments on existing hardware
- Not factoring in your unique requirements when signing up for a cloud service
- Signing an agreement that doesn't account for seasonal or variable demands
- Assuming you can move your apps to the cloud for free
- Assuming an incumbent vendor's new cloud offering is best for you
- Getting locked into a cloud solution
Source: CFO.com

Cloud Computing Risks (Cont.)
- Moving PII and sensitive data off-premise: perform privacy impact assessments
- Using SLAs for cloud security: suggested requirements for cloud SLAs; issues with cloud forensics
- Contingency planning and disaster recovery
- Handling compliance: FISMA, HIPAA, SOX, PCI, SAS 70/SSAE 16 audits
Source: NIST

Cloud Computing Security Risks
- Trust the vendor's security model
- Respond to audit findings
- Support forensic investigations
- Liability for third-party administrators
- Vet proprietary implementations
- Lack of physical control
- Know where the data is
Source: NIST
Cloud Computing Security Risks (Cont.)
- More than half of U.S. organizations are adopting cloud services, but only 47 percent believe that cloud services are evaluated for security prior to deployment
- More than half of U.S. organizations are unaware of all the cloud services in use today
- Substantial concern exists about securing mission-critical data and business processes in the cloud; the surveyed IT practitioners note some data is still too risky for the cloud:
  - 68 percent thought it too risky to store financial information and intellectual property
  - 55 percent do not want to store health records
  - 43 percent are not in favor of storing credit card information
Source: CA Technologies and the Ponemon Institute

Top Cloud Security Threats
According to the Cloud Security Alliance (CSA), the following are the top threats:
- Abuse and Nefarious Use of Cloud Computing
- Insecure Application Programming Interfaces (APIs)
- Malicious Insiders
- Shared Technology Vulnerabilities
- Data Loss/Leakage
- Account, Service, and Traffic Hijacking
Each threat is matrixed to its impact on the specific cloud computing service models.
CSA's mission: promote best practices for security assurance within cloud computing, and provide education on cloud computing to help secure all other forms of computing.
Moving to the Cloud: Considerations
Readiness Assessment
Requirements Definition and Vendor Selection
- Develop well-defined business requirements
- Identify vendors that can meet these requirements
Due Diligence
- Organize a committee composed of representatives from the affected business areas
- Develop a structured methodology to better understand the use of cloud computing within the company and its associated risks
Implementation Plan
- Identify each party's responsibilities
- Develop a plan to test and evaluate data, interfaces, functionality, and systems that are migrated to the cloud
- Ensure appropriate end-user involvement and training

Vendor Selection Considerations
- Develop a well-defined Request for Proposal (RFP)
- Prioritize business needs
- View and evaluate demonstrations and trials
- Perform reference checks and review search engine results
- Evaluate whether the vendor's overall culture fits well with your company's
- Use questionnaires to evaluate the potential cloud provider; they should address your company's requirements for:
  - Security
  - Availability
  - Regulatory compliance
  - Internal controls and monitoring
  - ROI
  - Auditability
Source: Intacct
Vendor Selection: Governance
Define business and regulatory requirements to help identify the specific security requirements and controls that need to be in place at the potential cloud provider. This allows a company to compare vendors on an apples-to-apples basis to determine their strengths and weaknesses.
Source: Dark Reading

Provider Due Diligence
- Before entering into an agreement with a cloud (or any outsourced) provider, organizations need to perform due diligence procedures, which should be based on the type of data/processes being outsourced or moved to the cloud
- Due diligence should be carried out by a multi-disciplinary team that could include members from the business area(s) affected, finance, legal, information security, the privacy office, corporate security and audit
- Because it does not fit their cost model, most cloud providers will not allow on-site audits
- If Type II SSAE 16 reports (or other attestations or certifications) are not available (e.g., for smaller providers or new entrants into cloud computing), then an on-site audit is recommended
- Audits should be performed before contract execution where possible
- The vendor's financial health should also be evaluated, including a review of D&B reports
- Develop a structured methodology, whether through policy, procedure or questionnaire, to assess a potential vendor's ability to meet the company's requirements for availability, security, privacy, controls, etc.
Provider Due Diligence (cont.)
Vendor selection risk assessments should address the following:
- What type of data is being stored and what are the associated compliance requirements?
- How should the data be protected (e.g., IDS, firewalls, encryption)?
- Who should/will have access to stored data? How does the provider perform background checks?
- Will the hosting provider allow the customer to perform independent audits, or have third-party audits (such as SSAE 16) been completed?
- How will authorized users gain access to hosted data (secured protocol, direct DB access, application only)?
- Is there a database in the back end? Are the data and user credentials encrypted?
- If the database is shared, how will the hosting provider ensure data is only viewable and accessible to a single customer?

Provider Due Diligence (cont.)
Vendor selection risk assessments should also address/determine the following:
- Where is the data physically stored? Are there specific state laws that need to be complied with?
- Has the hosting provider considered its ability to comply with data privacy regulations (e.g., privacy of donor information)?
- What are your company's quality-of-service (QoS) requirements? Can the hosting provider meet them?
- Does your company's existing Disaster Recovery Plan address the unique issues related to cloud services?
- Can the standard internal controls be applied to the hosted service?
- Does the service provider have a proven history of delivering security functionality via the Internet?
- Does the hosting provider have proactive security intelligence?
- Can the service work with the existing infrastructure?
Source: IBM
SAS 70 vs. SSAE 16 & ISAE 3402
Key difference: SSAE 16 replaced the SAS 70 auditing standard for reporting periods ending on or after June 15, 2011.

SOC 1, SOC 2 & SOC 3

Under what professional standard is the engagement performed?
- SOC 1: SSAE No. 16, Reporting on Controls at a Service Organization; AICPA Guide, Applying SSAE No. 16, Reporting on Controls at a Service Organization
- SOC 2: AT 101, Attestation Engagements; AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
- SOC 3: AT 101, Attestation Engagements; AICPA Technical Practice Aid, Trust Services Principles, Criteria, and Illustrations

What is the subject matter of the engagement?
- SOC 1: Controls at a service organization relevant to user entities' internal control over financial reporting
- SOC 2: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. If the report addresses the privacy principle, the service organization's compliance with the commitments in its statement of privacy practices
- SOC 3: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. If the report addresses the privacy principle, the service organization's compliance with the commitments in its statement of privacy practices

What is the purpose of the report?
- SOC 1: To provide information to the auditor of a user entity's financial statements about controls at a service organization that may be relevant to the user entity's internal control over financial reporting. It enables the user auditor to perform risk assessment procedures and, if a Type 2 report is provided, to assess the risk of material misstatement of financial statement assertions affected by the service organization's processing
- SOC 2: To provide management of a service organization, user entities and other specified parties with information and a CPA's opinion about controls at the service organization that may affect user entities' security, availability, processing integrity, confidentiality or privacy. A Type 2 report that addresses the privacy principle also provides a CPA's opinion about the service organization's compliance with the commitments in its statement of privacy practices
- SOC 3: To provide interested parties with a CPA's opinion about controls at the service organization that may affect user entities' security, availability, processing integrity, confidentiality, or privacy. A report that addresses the privacy principle also provides a CPA's opinion about the service organization's compliance with the commitments in its privacy notice
SSAE 16/SAS 70
Cloud Computing Myth #1: "My provider is SSAE 16 (or SAS 70) certified, so I do not have to worry about my data."
- Most large providers now obtain SSAE 16 reports or other attestations (e.g., WebTrust/SysTrust or SOC 2/SOC 3)
- An SSAE 16 report is a good first step for gaining assurance that the provider has documented control procedures, but it is not a certification and does not by itself cover the customer's data
- Type I vs. Type II: a Type I report only provides the service organization's description of controls and the auditor's opinion on whether the controls were suitably designed; Type I reports do not include testing of the controls. A Type II report also includes the results of the independent auditor's testing of the controls over a period
- SAS 70 was replaced by SSAE 16 (the US standard), which was aligned with the international standard ISAE 3402
- SOC 1 reporting, which uses the SSAE 16 professional standard, is geared toward reporting on controls relevant to financial reporting
- SOC 2 and SOC 3 reports are designed for reporting on controls other than those relevant to user entities' internal control over financial reporting (e.g., security, availability, processing integrity, confidentiality, or privacy); SOC 2 and SOC 3 reports are issued under the AT Section 101 attestation standard
- A SOC 3 report does not include the detailed description of tests, controls and results that is included in a SOC 2 report

SSAE 16 Reliance & Limitations
SSAE 16 limitations include a general lack of security focus, and the testing procedures are sometimes narrowly defined. When reviewing an SSAE 16 report, organizations should consider the following:
- Was it a Type I or a Type II?
- Who performed the SSAE 16 examination?
- Did the entity receive a clean audit opinion?
- What audit objectives and testing procedures were covered by the SSAE 16?
- Were there any findings, and how were they addressed?
- What Client Control Considerations (the controls the customer is expected to operate) were included?
- Is this enough to cover the organization's regulatory requirements (e.g., PCI, SOX, GLBA, privacy laws)?
- Did the report cover sub-service organizations?

SSAE 16: The Bottom Line
Organizations should look for additional assurances besides SSAE 16 reports, which can include:
- ISO 27001/27002
- TRUSTe
- VeriSign
- Safe Harbor
- SOC 2/SOC 3
SSAE 16 reports must be reviewed carefully to verify they are still applicable (covering the current period and the services actually used) and that all areas that are important to your organization are covered.
Other Certifications (example: SalesForce.com)

Due Diligence: Leveraging the CCM
The Cloud Security Alliance recently launched the Cloud Controls Matrix (CCM) 1.1. The CSA Governance, Risk Management and Compliance (GRC) Stack is specifically designed to:
- Provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider
- Provide a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance's 13 domains
- Strengthen existing information security control environments by emphasizing business information security control requirements
- Reduce and identify consistent security threats and vulnerabilities in the cloud
- Standardize security and operational risk management
- Normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud
The foundations of the CSA CCM rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, and NIST.
The matrix is available for free download at: https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

Cloud Security Alliance Cloud Controls Matrix
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
Database Security: Considerations
What is the goal of database security? Protect data in use, in motion and at rest.
Approach: since some deployment models abstract the layers we would like to have control over, let's focus on the data rather than the database.

Database Security: Considerations
Review of deployment models: SaaS, IaaS, PaaS; public, private.

Database Security: Considerations
So now what? Since cloud services look at resources in a modular fashion, it makes sense to look at security in a modular fashion as well.
Database Security: Considerations (IaaS)
- Depending on the vendor you may configure everything yourself or go with pre-built virtual machines; some even offer pre-built database implementations
- You are responsible for managing everything relating to security
- Is this the same as managing in-house systems? Not entirely: you may still be part of a multi-tenant environment

Database Security: Considerations (PaaS)
- Can be thought of as database as a service
- The vendor may provide the OS and database software, but you can typically alter the internal structure, change features and configure the DB to meet your needs
- The vendor may perform maintenance as well as assist with configuration; this should be defined as part of the RFQ process
- Examples: Microsoft SQL Azure, Amazon SimpleDB, Google's BigTable, Database.com by Salesforce.com
- You are still responsible for managing the DB, setting access and securing data
- Auditing and vulnerability/penetration testing by the customer are likely not allowed

Database Security: Considerations (SaaS)
- Examples: Salesforce.com, Oracle On Demand, Google Apps
- Most if not all SaaS vendors have DBs in the background supporting the application
- Storage is abstracted and hidden by design
- You are still responsible for setting up user accounts and authorization, but other security is performed by the vendor
- SLAs are key with this type of deployment
- Review the vendor's security implementation (SSAE 16 reports, etc.)

Database Security: Considerations (Security)
Most models focus on patching, configuration and access controls. Here we will look at the data: this is what we have control over in the cloud, and it is what we really care about anyway.
Database Security: Considerations
Reference: https://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

Database Security: Considerations (Data Creation)
- Look at how data is classified as it is created, or when you move it into the cloud service
- Data Loss Prevention (DLP) or content discovery tools: RSA, Cisco, Symantec and McAfee all have products
- Data crawlers can be used to scan DBs for sensitive information
- Label security options: labels and schemas defined prior to implementation; post-insertion scripts to apply controls or verify labels are in place
- Digital Rights Management (DRM) or encryption for more sensitive data, with separate crypto keys for different access levels

Database Security: Considerations (What if our data is already in the cloud? SaaS)
- Determine whether the provider will supply a database schema with column definitions
- Manual process: use data archives
- Encryption/label security or authorization mapping
- SLAs

Database Security: Considerations (What if our data is already in the cloud? IaaS)
- Column/table encryption
- Structure, system catalog and content
- Use tags to designate classification (tagged file or ISAM)
- Focus on finding and tagging data so you can protect it

Database Security: Considerations (What if our data is already in the cloud? PaaS)
- All of your discovery, classification and rights management tools should still work
- Find the data
- Understand the data lifecycle
Database Security: Considerations
Do your work up front: plan controls and think in terms of the data life-cycle prior to moving data into the cloud whenever possible.

Implementation: Considerations
Include appropriate SLAs to ensure expectations are clearly defined:
- Data migration assurance (e.g., if you decide to switch vendors, ensure that the hosting provider can return your data in a workable format)
- Availability requirements
- Bonus structure for exceeding expectations and penalties for not meeting the SLA
- Identify price caps for future services if steep discounts were provided during the initial subscription
- Training requirements
- Notification of upgrades, modifications, service disruptions, etc.
- Cost of overages (e.g., if 10 users were subscribed but 15 are then required)
- Verify that prerequisites are identified and in place (e.g., if a particular OS has to be used, or if client-side software needs to be installed)
Source: IBM

Implementation Considerations (Cont.)
- Make sure end-user considerations and controls are reviewed and implemented
- Perform an analysis to determine whether existing security services/licenses are redundant and can be removed
- Evaluate and be involved with testing of interfaces that may be implemented between systems
- Ensure a designated Point of Contact (POC) is defined for issues with the hosted service
- Ensure an escalation plan exists so that the customer (including business users) is notified of incidents in a timely manner
Source: IBM
Implementation Considerations: Private Cloud
- Use an incremental approach to avoid service disruptions and minimize risk
- Test the cloud technology in a development environment to allow IT staff to become accustomed to it
- Determine which applications are cloud candidates and implement those in production
- Review existing processes and determine whether manual processes can be automated and whether support groups have to be reorganized to use their knowledge and capabilities to the fullest

Implementation: Governance
Make sure appropriate SLA and contractual agreements are in place to define and/or identify:
- The type of data managed and its ownership
- Monitoring and reporting requirements
- Security and privacy requirements (e.g., encryption standards, data separation/segregation, HIPAA, PCI DSS, SOX, etc.)
- Internal policies and procedures that need to be revisited and updated to include the use of cloud computing
- The monitoring program in place to ensure controls exist and remain in place
Source: Intacct & IBM

Cloud Computing: Summary
The cloud computing trend is gaining traction and provides management with a significant opportunity for reducing costs, reacting quickly to changing business needs and freeing up IT resources so they can focus on supporting the business. While security and privacy issues are some of the biggest concerns for management, these can be effectively mitigated through sound due diligence and vendor oversight. Management should ensure that they have the correct team in place when evaluating any new provider relationship, so that they have all the facts and that their ROI calculations are complete.
Selected References
- National Institute of Standards and Technology (NIST), http://www.nist.gov/index.html
- Cloud Security Alliance (CSA), http://www.cloudsecurityalliance.org/
- Proformative, The Resource For Corporate Finance, Accounting & Treasury Professionals, http://www.proformative.com/
- Dark Reading, http://www.darkreading.com/

Questions?
Andrew Ellsweig, CPA, CGEIT
Director, RSM McGladrey, Inc.
212.372.1810
andy.ellsweig@mcgladrey.com

Nicholas Zaky, MCP, CISSP
Manager, McGladrey & Pullen LLP
949.466.7565
nicholas.zaky@mcgladrey.com