Managing Cloud Computing Risk

Presented by: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services, Schneider Downs & Co. Inc.; ddesko@schneiderdowns.com

Learning Objectives

- Understand how to identify cloud computing
- Understand cloud computing service models
- Understand cloud computing deployment models
- Understand cloud computing risks
- Understand how to mitigate cloud computing risks

Cloud Computing Defined

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Source: The NIST Definition of Cloud Computing, SP 800-145

5 Essential Characteristics of the Cloud

1. On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

2. Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

3. Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

4. Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

5. Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Source: The NIST Definition of Cloud Computing, SP 800-145

Cloud Computing is Nothing New

The five characteristics of cloud computing have been around for quite some time:

- Mainframes and dumb terminals
- Servers and thin clients
- 3rd-party data centers

The popularity of the cloud paradigm has been growing exponentially due to the strong value proposition and the many benefits of the cloud model:

- Reduce IT costs
- Reduce capital expenditures
- Increase efficiency
- Fast scalability
Infrastructure as a Service (IaaS)

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Source: The NIST Definition of Cloud Computing, SP 800-145

Infrastructure as a Service (IaaS) Examples

Platform as a Service (PaaS)

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application hosting environment.

BUILD, DEPLOY, & MANAGE APPLICATIONS: development platforms for which the development tool itself is hosted in the cloud and accessed through a browser.

Source: The NIST Definition of Cloud Computing, SP 800-145

Platform as a Service (PaaS) Examples

Software as a Service (SaaS)

The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Source: The NIST Definition of Cloud Computing, SP 800-145

Software as a Service (SaaS) Examples
Cloud Deployment Models: Private Cloud

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

- Co-location facility
- In-house data center
- Outsourced data center

Cloud Deployment Models: Community Cloud

The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

A different way of congregating users under an umbrella of services:

- IGT Cloud: cloud space for casino game developers
- Optum Health Care Cloud: secure HIPAA-compliant cloud space for the health system members and participants

Cloud Deployment Models: Public Cloud

The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

- Infrastructure components are shared among organizations; no guarantee of data segregation
- Hard to gain visibility over where the systems and data are stored
- Data center owns all infrastructure and access is via the internet only

Cloud Deployment Models: Hybrid Cloud

The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Cloud Bursting: an organization uses a private cloud computing infrastructure for normal usage, but utilizes public cloud services for high/peak load requirements. This helps ensure that a sudden spike in computing requirements does not affect availability.
Why Should I Care?
Cloud Computing Risks: Technical

Threat: Vulnerable access management (infrastructure and application).

Description: Information assets could be accessed by unauthorized entities due to faulty or vulnerable access management measures or processes. This could result from a forgery/theft of legitimate credentials or a common technical practice (e.g., administrator permissions override).

Risk Mitigation / Control Strategy:
- Contractual agreements to clarify who is allowed access.
- Review identity access management controls of the cloud services provider (CSP): SOC 1, SOC 2.
- Where possible, use your own identity access management controls and systems and not the CSP's.

Cloud Computing Risks: Technical

Threat: Data visible to other tenants when resources are allocated dynamically.

Description: This refers to data that have been stored in memory space or disk space that can be recovered by other entities sharing the cloud by using forensics techniques.

Risk Mitigation / Control Strategy:
- Contractual agreements to clarify who is allowed access.
- Encrypt all sensitive assets and data.
- Request the CSP's technical specs for wiping data from systems.
- Use a private cloud model with no multitenancy.

Cloud Computing Risks: Technical

Threat: Multitenancy visibility. Due to the nature of multitenancy, some assets (e.g., routing tables, media access control [MAC] addresses, internal IP addresses, local area network [LAN] traffic) can be visible to other entities in the same cloud.

Description: Malicious entities in the cloud could take advantage of the information; for example, by utilizing shared routing tables to map the internal network topology of an organization, preparing the way for an internal attack.

Risk Mitigation / Control Strategy:
- Contractual agreements to clarify who is allowed access.
- Request a SOC 1, SOC 2 report.
- Use a private cloud model with no multitenancy.

Cloud Computing Risks: Technical

Threat: Application vulnerability attacks.

Description: Due to the nature of SaaS, the applications offered by a CSP are more broadly exposed. Because they can be the target of massive and elaborate application attacks, additional security measures (besides standard network firewalls) are required to protect them.

Risk Mitigation / Control Strategy:
- Request that the CSP implements application firewalls, antivirus and antimalware tools.
- SaaS developed using OWASP standards.
- SLAs or SOC reports must contain detailed specifications about vulnerability testing, classification and actions taken according to the severity level.

Cloud Computing Risks: Technical

Threat: Collateral damage.

Description: The organization can be affected by issues involving other entities sharing the cloud. For example, DDoS attacks affecting another entity in the cloud can leave the organization without access to business applications (for SaaS models) or extra computing resources to handle peak loads (for IaaS models).

Risk Mitigation / Control Strategy:
- Ask the CSP to include the organization in its incident management process that deals with notification.
- Ensure the contracted capacity is always available and cannot be directed to other tenants without approval.
- Use a private cloud model with no multitenancy.
Cloud Computing Risks: Regulatory

Threat: Asset ownership.

Description: Any asset (data, application or process) migrated to a CSP could be legally owned by the CSP based on contract terms. Thus, the organization can lose sensitive data or have data disclosed because the organization is no longer the sole legal owner of the asset. In the event of contract termination, the organization could even be subject (by contract) to pay fees to retrieve its own assets.

Risk Mitigation / Control Strategy:
- Include terms in the contract with the CSP that ensure that the organization remains the sole legal owner of any asset migrated to the CSP.
- Encrypt all sensitive assets being migrated to the CSP prior to the migration to prevent disclosure, and ensure proper key management is in place.

Cloud Computing Risks: Regulatory

Threat: Asset disposal.

Description: In the event of contract termination, to prevent disclosure of the organization's assets, those assets should be removed from the cloud using tools and processes commensurate with data classification; forensic tools may be necessary to remove sensitive data (or other tools that ensure a complete wipeout).

Risk Mitigation / Control Strategy:
- Request the CSP's technical specifications and controls that ensure that data are properly wiped and backup media are destroyed when requested.
- Include terms in the contract that require, upon contract expiration or any event ending the contract, a mandatory data wipe carried out under the organization's review.

Cloud Computing Risks: Regulatory

Threat: Asset location.

Description: Information assets (i.e., data) are subject to the regulations of the country where they are stored or processed. A CSP may, without notification, migrate information assets to countries where regulations are less restrictive or their transmission is prohibited. Unauthorized entities that cannot have access to assets in one country may be able to obtain legal access in another country. Conversely, if assets are moved to countries with stricter regulations, the organization can be subject to legal actions and fines for noncompliance.

Risk Mitigation / Control Strategy:
- Request the CSP's list of infrastructure locations and verify that regulations in those locations are aligned with your organization's requirements.
- Include terms in the service contract to restrict the moving of organizational assets to only those areas known to be compliant with the organization's own regulatory concerns.
- To prevent disclosure, encrypt any asset prior to migration to the CSP, and ensure proper key management is in place.
Cloud Computing Risks: Governance

Threat: Physical security on all premises where data/applications are stored.

Description: Physical security is required in any infrastructure. When the organization migrates assets to a cloud infrastructure, those assets are still subject to the corporate security policy, but they can also be physically accessed by the CSP's staff, which is subject to the CSP's security policy. There could be a gap between the security measures provided by the CSP and the requirements of the organization.

Risk Mitigation / Control Strategy:
- Request the CSP's physical security policy.
- CSP's independent security reviews or certification reports (e.g., SOC 1, SOC 2 report, SOX, PCI DSS, HIPAA, ISO, etc.).
- Contract language that requires the CSP to be aligned with the organization's security policy.
- CSP's disaster recovery plans; ensure that they contain the necessary countermeasures to protect physical assets during and after a disaster.

Cloud Computing Risks: Governance

Threat: Visibility of the security measures put in place by the CSP.

Description: The cloud is similar to any infrastructure in that security measures (technology and processes) should be in place to prevent security attacks. The security measures provided by the CSP should be aligned with the requirements of the organization, including management of security incidents.

Risk Mitigation / Control Strategy:
- CSP's independent security reviews or certification reports (e.g., SOC 1, SOC 2 report, SOX, PCI DSS, HIPAA, ISO, etc.).
- Contract language that requires the CSP to provide regular reporting on security (incident reports, intrusion detection system [IDS]/intrusion prevention system [IPS] logs, etc.).
- Request that the CSP's security incident management process be applied to the organization's assets, and ensure that it is aligned with the organization's own security policy.

Cloud Computing Risks: Governance

Threat: Media management.

Description: Data media must be disposed of in a secure way to avoid data leakage and disclosure. Data wipeout procedures must ensure data cannot be reproduced when data media are designated for recycling or disposal. Controls should be in place during transportation (encryption and physical security). This should be specified in the CSP security policy and contract SLA.

Risk Mitigation / Control Strategy:
- Request the CSP's process and techniques in place for data media disposal and evaluate whether they meet the requirements of the organization.
- Include in the contract language that requires the CSP to comply with the organization's security policy.

Cloud Computing Risks: Regulatory

Threat: Secure software SDLC.

Description: When using SaaS services, the organization must be sure that the applications will meet its security requirements. This will reduce the risk of theft, disclosure and unavailability.

Risk Mitigation / Control Strategy:
- Request the CSP's details about the software SDLC policy and procedures in place and ensure that the security measures introduced into the design are compliant with the requirements of the organization.
- CSP's independent security reviews or certification reports (e.g., SOC 1, SOC 2 report, SOX, PCI DSS, HIPAA, ISO, etc.).

Cloud Computing Risks: Governance

Threat: Service termination issues.

Description: Currently, there is very little available in terms of tools, procedures or other offerings to facilitate data or service portability from CSP to CSP. This can make it very difficult for the organization to migrate from one CSP to another or to bring services back in-house. It can also result in serious business disruption or failure should the CSP go bankrupt, face legal action, or be the potential target for an acquisition.

Risk Mitigation / Control Strategy:
- Ensure by contract or SLA with the CSP an exit strategy that specifies the terms that should trigger the retrieval of the organization's assets in the time frame required by the enterprise.
- Implement a DRP, taking into account the possibility of complete CSP disruption.

Cloud Computing Risks: Governance

Threat: Support for audit and forensic investigations.

Description: Security audits and forensic investigations are vital to the organization to evaluate the security measures of the CSP. Performing these actions requires extensive access to the CSP's infrastructure and monitoring capabilities, which are often shared with the CSP's other customers. The organization should have the permission of the CSP to perform regular audits and to have access to forensic data without violating the contractual obligations of the CSP to other customers.

Risk Mitigation / Control Strategy:
- Request from the CSP the right to audit as part of the contract or SLA. If this is not possible, request security audit reports by trusted third parties.
- Request that the CSP provide appropriate and timely support (logs, traces, hard disk images, etc.) for forensic analysis as part of the contract or SLA. If this is not possible, request authorization for trusted third parties to perform forensic analysis when necessary.
Next Steps in My Organization

- Identify and list out all cloud service providers. Involve various departments; chances are there are cloud service providers you may not know about!
- Identify the service model for each.
- Identify the deployment model for each.
- Consider the risks noted for each cloud service provider.
- Identify controls in place to mitigate the risks.
- Set up a plan to test the effectiveness of the controls in place.
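As an added example (not part of the presentation), the following Python script walks the "Next Steps" procedure above end to end: it holds an inventory of cloud service providers, records the service and deployment model for each, and tests a handful of the mitigating controls from the risk slides (customer-side encryption on shared infrastructure, asset location against an approved-jurisdiction list, SOC report review, right to audit, and exit terms). The provider names, regions, the allow-list `ALLOWED_REGIONS` and every control flag are constructed sample data, not a real inventory.

```python
"""Added example: a minimal cloud-service risk register that walks the deck's
"Next Steps" procedure and tests a few of the mitigating controls named in
the risk slides. All services, regions and flags are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set

SERVICE_MODELS = {"IaaS", "PaaS", "SaaS"}
DEPLOYMENT_MODELS = {"private", "community", "public", "hybrid"}
MULTI_TENANT = {"community", "public", "hybrid"}  # other organizations share the infrastructure
ALLOWED_REGIONS = {"US"}                          # constructed jurisdiction allow-list


@dataclass
class CloudService:
    name: str
    service_model: str            # IaaS | PaaS | SaaS
    deployment_model: str         # private | community | public | hybrid
    data_classification: str      # public | internal | sensitive
    regions: Set[str]             # countries where the CSP reports storing/processing the data
    customer_managed_keys: bool   # data encrypted before migration, organization holds the keys
    soc_report_reviewed: bool     # SOC 1 / SOC 2 report obtained and reviewed
    right_to_audit: bool          # audit and forensic support written into contract or SLA
    exit_terms_in_contract: bool  # asset retrieval and data wipe on termination


def assess(svc: CloudService) -> List[str]:
    """Return the open findings for one provider; an empty list means every tested control is in place."""
    findings: List[str] = []
    if svc.service_model not in SERVICE_MODELS:
        findings.append(f"unknown service model {svc.service_model!r}")
    if svc.deployment_model not in DEPLOYMENT_MODELS:
        findings.append(f"unknown deployment model {svc.deployment_model!r}")
    sensitive = svc.data_classification == "sensitive"
    shared = svc.deployment_model in MULTI_TENANT
    # Data visible to other tenants / multitenancy: encrypt before migration and hold your own keys
    if sensitive and shared and not svc.customer_managed_keys:
        findings.append("sensitive data on shared infrastructure without customer-managed encryption")
    # Asset location: data must not sit in jurisdictions the organization has not approved
    outside = svc.regions - ALLOWED_REGIONS
    if outside and svc.data_classification != "public":
        findings.append(f"data may reside outside permitted regions: {sorted(outside)}")
    # Visibility of the CSP's security measures
    if not svc.soc_report_reviewed:
        findings.append("no independent security report (SOC 1 / SOC 2) reviewed")
    # Support for audit and forensic investigations
    if sensitive and not svc.right_to_audit:
        findings.append("no right to audit or forensic support in contract/SLA")
    # Service termination: an exit strategy must exist before it is needed
    if not svc.exit_terms_in_contract:
        findings.append("no exit terms (asset retrieval, data wipe) in contract")
    return findings


def build_register(inventory: List[CloudService]) -> Dict[str, List[str]]:
    """Map every provider name to its findings: the deliverable of the procedure."""
    return {svc.name: assess(svc) for svc in inventory}


# Constructed sample inventory, the kind of list the "involve various departments" step produces
SAMPLE_INVENTORY = [
    CloudService("hr-payroll-saas", "SaaS", "public", "sensitive", {"US", "IE"},
                 customer_managed_keys=False, soc_report_reviewed=True,
                 right_to_audit=False, exit_terms_in_contract=True),
    CloudService("dev-test-iaas", "IaaS", "public", "internal", {"US"},
                 customer_managed_keys=False, soc_report_reviewed=True,
                 right_to_audit=True, exit_terms_in_contract=True),
    CloudService("finance-private-cloud", "IaaS", "private", "sensitive", {"US"},
                 customer_managed_keys=True, soc_report_reviewed=False,
                 right_to_audit=True, exit_terms_in_contract=False),
]

if __name__ == "__main__":
    for name, findings in build_register(SAMPLE_INVENTORY).items():
        print(name, "->", findings or "no findings")
```

Each finding maps back to one risk slide, so the register doubles as the test plan for the last step: a provider stays on the list until its findings are closed by contract language, a reviewed report, or a change in how the organization encrypts and holds keys for what it migrates.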
412-697-5285 | ddesko@schneiderdowns.com | www.schneiderdowns.com