Cloud Security & Risk
Adam Cravedi, CISA
Senior IT Auditor
acravedi@compassitc.com
Agenda
- About Compass
- Overcast - Cloud Overview
- Thunderheads - Risks in the Cloud
- The Silver Lining - Security Approaches
- Lifting the Fog - Guidance
6/7/2012
FOCUS AREAS
- Financial Industry Compliance Services
- Business Continuity Planning Services
- IT Auditing and Risk Assessment Services
- IT Security Assessment Services
- Payment Card Industry Services
Overcast - Cloud Overview
What is Cloud Computing?
- The on-demand use and provisioning of shared computing resources.
Three Types of Cloud Services
- IaaS delivers computer Infrastructure as a Service
- SaaS delivers application Software as a Service
- PaaS delivers a computer Platform as a Service
Four Cloud Deployment Models
- Private: used primarily by a single entity*
- Community: used by a group of similar entities*
- Public: readily shared by many heterogeneous entities
- Hybrid: any combination of the above
*In many cases these can be on-site or hosted by third parties
Thunderheads - Risks
Virtualization and Distributed Computing
- Physical Security is being replaced by Logical Security
- Servers are just files/images that can be copied
- Memory can be accessed from the hypervisor
Multi-Tenancy
- Resources could be shared between many different organizations
- Data for many organizations may reside on the same physical storage
- One size does not fit all
Relinquish Control
- Configuration, Security & Operational control shifts to the provider as more services are provided by the cloud, moving from Traditional IT through IaaS and PaaS to SaaS
Thunderheads - Risks
Cloud Security's 7 Deadly Sins
- Data loss/leakage
- Shared technology vulnerabilities
- Malicious insiders
- Account, service and traffic hijacking
- Insecure application programming interfaces
- Abuse of cloud computing
- Unknown risk profile
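The multi-tenancy risk above (many organizations' data on the same physical storage, and "shared technology vulnerabilities" in the list of sins) comes down to whether the data layer enforces logical segregation on every access. The following is an added example, not code from the slides or from Compass IT Compliance: it uses an in-memory SQLite table with a hypothetical schema and constructed rows for two tenants, shows a weak accessor that looks documents up by id alone beside a hardened one that binds the tenant id from the authenticated principal, and includes a small segregation check an auditor could run against either accessor.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample rows: documents from two tenants stored side by side in one
# physical table, the shared-storage situation the slide describes.
SAMPLE_ROWS = [
    ("tenant-a", "doc-1", "Tenant A quarterly figures"),
    ("tenant-a", "doc-2", "Tenant A board minutes"),
    ("tenant-b", "doc-3", "Tenant B customer list"),
]


@dataclass(frozen=True)
class Principal:
    """The authenticated caller; tenant_id comes from the session, never from the request."""
    user_id: str
    tenant_id: str


def build_shared_store() -> sqlite3.Connection:
    """In-memory stand-in for shared storage (hypothetical schema, built for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " tenant_id TEXT NOT NULL, doc_id TEXT NOT NULL, body TEXT NOT NULL,"
        " PRIMARY KEY (tenant_id, doc_id))"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_document_unscoped(conn, principal, doc_id):
    """Weak pattern: the lookup key is the document id alone, so the caller's
    tenant plays no part and the row of another tenant is returned as readily
    as the caller's own."""
    return conn.execute(
        "SELECT tenant_id, body FROM documents WHERE doc_id = ?", (doc_id,)
    ).fetchone()


def fetch_document_scoped(conn, principal, doc_id):
    """Hardened pattern: every query is bound to the caller's tenant, so a
    document outside that tenant does not exist from the caller's point of view."""
    return conn.execute(
        "SELECT tenant_id, body FROM documents WHERE tenant_id = ? AND doc_id = ?",
        (principal.tenant_id, doc_id),
    ).fetchone()


def cross_tenant_reads(conn, fetch):
    """Segregation check: for each principal, count documents the given accessor
    returns that belong to a different tenant. A correct data layer yields all zeros."""
    principals = [Principal("alice", "tenant-a"), Principal("bob", "tenant-b")]
    leaks = {}
    for who in principals:
        count = 0
        for _, doc_id, _ in SAMPLE_ROWS:
            row = fetch(conn, who, doc_id)
            if row is not None and row[0] != who.tenant_id:
                count += 1
        leaks[who.user_id] = count
    return leaks


if __name__ == "__main__":
    conn = build_shared_store()
    print("unscoped accessor, cross-tenant rows:", cross_tenant_reads(conn, fetch_document_unscoped))
    print("scoped accessor, cross-tenant rows:  ", cross_tenant_reads(conn, fetch_document_scoped))
```

The design point is that the tenant filter lives in the data layer and takes its value from the authenticated principal, so no request parameter can widen the scope; the same check can be re-run after every schema or query change as a regression test for segregation.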
Silver Lining - Security
Define the Risks
- What type of data will be stored?
- What type of services will be used?
- How will a security incident impact the business? Customers?
Develop Strong Cloud-based Policies
- Linked to Vendor Management
- Considerations for Business Continuity
  - How will you recover your data?
  - Where are the single points of failure?
  - What contingencies are in place? At the business? At the provider?
- Security Controls and Protection
  - How does the provider safeguard the data?
  - Who is responsible for the data?
  - Who is responsible for access control?
Silver Lining - Security
As Control Shifts to the Cloud Provider:
- Contract language becomes critical
  - Clearly define the responsibilities for service, security and recovery
  - Include provisions for logging, reporting, and vulnerability management
- Identity and access management
  - User access must equal the user's responsibilities
  - Administrative access must be logged and monitored
  - Can the cloud provider access customers' data?
- Assurances of data protection and removal
  - Logical segregation of each customer's data
  - If services are terminated, what happens to your data?
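The three identity and access management points above (access matching responsibilities, logged and monitored administrative access, and whether the provider can reach customer data) can each be turned into a check that runs over the provider's audit log and the firm's own role model. The block below is an added example, not code from the slides or from Compass IT Compliance; the log lines are constructed in a generic JSON shape rather than any real provider's format, and the action names, role model, actor addresses and the "provider.example" domain are all hypothetical.

```python
import json

# Constructed audit-log lines in a generic JSON shape (not any particular
# provider's log format); actors, actions and resources are invented.
SAMPLE_AUDIT_LOG = """\
{"ts": "2012-06-07T09:00:01Z", "actor": "alice@bank.example", "action": "object.read", "resource": "bucket/customer-data/loans.csv"}
{"ts": "2012-06-07T09:05:12Z", "actor": "alice@bank.example", "action": "iam.policy.update", "resource": "role/analyst"}
{"ts": "2012-06-07T09:07:45Z", "actor": "support@provider.example", "action": "object.read", "resource": "bucket/customer-data/loans.csv"}
{"ts": "2012-06-07T09:10:00Z", "actor": "bob@bank.example", "action": "object.read", "resource": "bucket/public/brochure.pdf"}
{"ts": "2012-06-07T09:12:30Z", "actor": "root@bank.example", "action": "instance.snapshot", "resource": "vm/core-banking-01"}
"""

# Hypothetical classification of which action names count as administrative.
ADMIN_ACTION_PREFIXES = ("iam.", "key.", "instance.snapshot", "instance.delete")
CUSTOMER_DATA_PREFIX = "bucket/customer-data/"
PROVIDER_DOMAIN = "provider.example"

# Hypothetical role model: what each role needs, who holds which role, and
# what each user has actually been granted in the provider's console.
ROLE_REQUIRED = {
    "analyst": {"object.read"},
    "cloud-admin": {"object.read", "iam.policy.update", "instance.snapshot"},
}
USER_ROLE = {
    "alice@bank.example": "analyst",
    "bob@bank.example": "analyst",
    "root@bank.example": "cloud-admin",
}
USER_GRANTED = {
    "alice@bank.example": {"object.read", "iam.policy.update"},
    "bob@bank.example": {"object.read"},
    "root@bank.example": {"object.read", "iam.policy.update", "instance.snapshot"},
}


def parse_audit_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def admin_actions(events):
    """Monitoring: every administrative action, to be reviewed rather than merely stored."""
    return [e for e in events if e["action"].startswith(ADMIN_ACTION_PREFIXES)]


def provider_access_to_customer_data(events):
    """Answers 'can the cloud provider access customers' data?' from the log evidence."""
    return [
        e for e in events
        if e["actor"].endswith("@" + PROVIDER_DOMAIN)
        and e["resource"].startswith(CUSTOMER_DATA_PREFIX)
    ]


def excess_permissions(user_role, role_required, user_granted):
    """Entitlement review: permissions granted beyond what the user's role requires."""
    excess = {}
    for user, granted in user_granted.items():
        needed = role_required.get(user_role.get(user), set())
        extra = granted - needed
        if extra:
            excess[user] = sorted(extra)
    return excess


def actions_outside_role(events, user_role, role_required):
    """Cross-check observed behaviour against the role model. Actors missing from
    the model (for example provider staff) have an empty requirement set, so
    every action they take is flagged for review."""
    flagged = []
    for e in events:
        needed = role_required.get(user_role.get(e["actor"]), set())
        if e["action"] not in needed:
            flagged.append((e["actor"], e["action"]))
    return flagged


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("administrative actions:", [(e["actor"], e["action"]) for e in admin_actions(events)])
    print("provider reads of customer data:", [e["ts"] for e in provider_access_to_customer_data(events)])
    print("permissions beyond role:", excess_permissions(USER_ROLE, ROLE_REQUIRED, USER_GRANTED))
    print("actions outside role:", actions_outside_role(events, USER_ROLE, ROLE_REQUIRED))
```

The entitlement review compares what is granted with what the role needs, while the log cross-check compares what was actually done with the same role model; running both catches a grant that was never used as well as an action that should never have been possible, and the provider's own staff fall out of the second check automatically because they hold no role in the customer's model.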
Lifting the Fog - Guidance
FFIEC IT Handbook: Outsourcing Technology Services: Appendix A
- In April of 2012 Appendix A was updated to include specific language related to Cloud Computing:
  - Is the service hosted internally or outsourced?
  - What type of service is used: IaaS, PaaS, SaaS, DaaS?
  - What type of deployment model is in place: Public, Private, Community?
  - Evaluate the selection process and the contract in place
  - Determine if inherent risks have been evaluated and addressed
  - Ensure related policies have been updated to reflect the need for increased controls
  - Review any material sub-contractor employed by the cloud provider delivering services related to PaaS, IaaS, or DaaS.
Lifting the Fog - Guidance
Other Guidance and Related References:
- FFIEC: http://ithandbook.ffiec.gov/it-booklets/outsourcing-technologyservices/appendix-a-examination-procedures.aspx?prev=1
- NIST:
  - http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
  - http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
  - http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf
- Cloud Security Alliance: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
- IBM: https://www.ibm.com/developerworks/cloud/library/clcloudservicerisks/
Questions?
Adam Cravedi, CISA
Compass IT Compliance, LLC
(888) 246-7593
acravedi@compassitc.com
MANAGING IT RISK WITH CLOUD-BASED TECHNOLOGIES
Joseph Larizza
Chief Administrative Officer
jlarizza@fieldpointprivate.com
203-413-9350
FIELDPOINT PRIVATE
Intellectual capital & technology able to deliver the power of a behemoth, with the intimacy of a boutique.
- 31 Founders; several ran major Wall Street firms
- Full Service: Personal & Business Banking, Wealth Management, Family Office
- Ultra High-Net-Worth Families
- Free of conflicting interests
- Truly boutique, custom experience
FIELDPOINT PRIVATE'S GROWTH (chart, May '08 through Feb-12): Wealth Management Growth and Bank Growth; series WM Assets, Bank Assets, Loans, Deposits; $$ in millions
EXTRAORDINARILY CROWDED SPACE (competitor logo slide)
- Large established
- Regionals & Boutiques
- Emerging
SO, YOU WANT TO BUILD A FINANCIAL SERVICES FIRM
Spring, 2008 to Today
- Bear Stearns & Lehman Brothers
- Too Big To Fail
- TARP
- Bernie Madoff
- Dodd Frank Wall Street Reform
- Financial Consumer Protection Act
- Volcker Rule
- Credit Rating Agency Reform
- OTS-OCC Merger
Banking*
- 30 Yr. Mortgage Rate: -35.6%
- Housing Starts: -35.4%
- Real Home Price Index: -23.5%
Wealth Management*
- S&P 500 Total Return: -34.1%
- 10 Year Treasury Rate: -47.5%
- Venture Capital Investment: -17.2%
* = % change, spring 2008 to present (Ycharts.com)
REGULATORY ENVIRONMENT: ~65 Person Firm
- >39 Separate Audits & Regulatory Exams per Year
- 4+ Regulatory Bodies: OCC, Fed, FFIEC, FINRA, SEC
- 2 Full-time Compliance Staff
- Several Part-time Roles (IT Security, BSA Officer, DR/BCP, FINOP, Series 24, etc.)
- External Auditor Firm
- Internal Auditor Firm
- Bank Compliance Consulting Firm
- Broker/Dealer Compliance Consulting Firm
- Lending / Loan Review Compliance Firm
- Several Financial Modeling Firms
- Outside Legal Counsel
- Separate IT Internal Audit Firm
CONSUMERS HAVE LOTS OF TRUST ISSUES
- Do You Have All the Capabilities Of My Current Firm?
- Do You Have All of My Products?
- How Safe is My Money?
- How Safe is My Privacy? = How Good Are Your Systems?
OUR IT APPROACH
IT'S GUIDING PRINCIPLES
- Align Expenses to Revenue: CAPEX to OPEX
- Focus on the Firm's Core Competencies
- Provide Best-of-Class IT Services
HOW WE LOOK AT THE CLOUD
Services: Vendor provides all-encompassing services and administration
- Cloud-based Phone Systems
- Jack Henry Banking Core
Software: Vendor provides software and upgrades; we manage administration and configuration
- Salesforce.com
- Google Enterprise Mail
Infrastructure: Vendor provides IT infrastructure services only (hardware, disk, network)
- Rackspace Cloud
- Amazon AWS
EXPENSE MANAGEMENT
Fixed Expenses Limit Your Ability to Manage
A Large Financial Services Firm
Management's Mandate:
- Cut 10% of budget ($500,000,000)
- Deliver All Committed Projects!!
2008 IT Budget: $5,000,000,000
% Fixed Expense: ~75%
- Signed contracts (e.g. Software, Maintenance)
- Fixed Assets (e.g. Data Centers, Servers)
Variable Portion of Budget: $1,250,000,000
- Employee Headcount
- Contractors / Consulting
- Travel and T&E
Required Cut / Budget Available: $500,000,000 / $1,250,000,000 = ~40% Reduction in Variable Expense
INFRASTRUCTURE MANAGEMENT
Lots of Effort, Little Business Value Produced
- 18 Months: Typical Duration of a Server OS Upgrade Project
- 10% - 15%: Average Server CPU Utilization
- 20%: Percent of applications that are never used, yet remain switched on
- Three Years: Duration of a project to count devices and figure out how to effectively charge back costs
DISASTER RECOVERY MANAGEMENT
Disasters Happen, And They Halt Your Entire Firm
A Top U.S. Investment Bank
- August 11, 2001: Datacenter Flood. Several significant applications down; temporary cooling & generation required
- September 11, 2001: 9/11 Terrorist Attack. Thousands of staff unable to get to work; major datacenters offline due to no power
- October 11, 2001: Virus infects every NT-based PC. 1000's of staff and 100's of applications offline; weeks of IT staff time to manually disinfect
STAFFING MANAGEMENT
If You're Not the Best, How are You Going to Hire the Best & Brightest?
Raleigh, NC (map): IBM, Cisco, EMC, Red Hat HQ, a credit card company from Boston (a candidate)
A credit card company from Boston = Credit Suisse First Boston
SERVICE LEVEL MANAGEMENT
This is NOT Control: "You're Fired!!!"
LESSONS & CHALLENGES
MUST RELY ON OUTSIDE REPORTS
If it's good enough for them, it should be good enough for us
- FFIEC Vendor Exams
- SSAE 16 or SAS70 Type II
- Financial Results: 10K / 10Q's, CFO Letters, etc.
- DR/BCP Plans and Test Results
- Information Security Policies & Penetration Test (Pen Test) Results
- Standards-based Certifications: PCI, HIPAA, ISO 27002, ITIL, COBIT, etc.
- Strong Contracts
WRITE YOUR BOOK REPORTS
Don't Just Collect the Reports, Read & Summarize Them
- FFIEC Vendor Exams: Any Exceptions Noted?
- SSAE 16 or SAS70 Type II: Go Through the Matrix Thoroughly
- Financial Results: Have Your Lending Team Review
- DR/BCP Plans and Test Results: Ask if you Can Participate
- Information Security Policies: Does it Match Your Standards?
- Contracts: Have a Checklist of Requirements
  - Non-disclosure Agreements
  - Confidentiality Requirements
  - Identity & Access Management
  - Data Locations
  - Data Encryption Standards (in movement & at rest)
ONGOING MONITORING IS REQUIRED
- Risk-Based Annual IT Audit Plan
- SLA Management
- Enterprise Systems Monitoring
- Conduct Your Own Pen Test
- DR Tests of Your Own (Loss of Technology)
- Risk Rate your Vendors (IT Security & Business Continuity)
- IT Risk must be Part of the Vendor Selection Process
- Ongoing Relationship Management with your Vendors