Cloud Computing Risks



Similar documents
Security Issues in Cloud Computing

Managed Solution Center s TSM Managed Services FAQ

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Cloud Computing and HIPAA Privacy and Security

Cloud Security and Managing Use Risks

Securing The Cloud With Confidence. Opinion Piece

Security Issues On Cloud Computing

How to ensure control and security when moving to SaaS/cloud applications

Cloud Computing Governance & Security. Security Risks in the Cloud

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Cloud Infrastructure Security

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Cloud Computing An Auditor s Perspective

Legal Issues in the Cloud: A Case Study. Jason Epstein

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Insights into Cloud Computing

LOCAL AREA NETWORK (LAN) SUPPORT SERIES

PCI Compliance for Cloud Applications

CPA Practical Experience Requirements

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

Risk Management of Outsourced Technology Services. November 28, 2000

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

Managing Cloud Computing Risk

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

Cloud security architecture

Cloud Computing in a Regulated Environment

Cloud Security:Threats & Mitgations

Security and Privacy in Cloud Computing

Internal Audit Takes On Emerging Technologies

Auditing Cloud Computing and Outsourced Operations

I.1 SERVICE LEVEL AGREEMENT MATRIX. Bidders must complete the following SLA Matrix as applicable to category bid.

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

SERVICE LEVEL AGREEMENT MATRIX

What Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen

Cloud Computing: Legal Risks and Best Practices

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Technology Risk Management

KeyLock Solutions Security and Privacy Protection Practices

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Cisco Cloud Assessments. Justin Tang

Anatomy of a Cloud Computing Data Breach

Cloud Computing. Introduction

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Cloud Computing and Records Management

Client Security Risk Assessment Questionnaire

How To Secure Cloud Computing

How To Choose A Cloud Computing Solution

Cloud Computing: Risks and Auditing

Assessing Risks in the Cloud

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Security Threat Risk Assessment: the final key piece of the PIA puzzle

BYOD File Sharing - Go Private Cloud to Mitigate Data Risks. Whitepaper BYOD File Sharing Go Private Cloud to Mitigate Data Risks

Security & Trust in the Cloud

Cloud Computing Thunder and Lightning on Your Horizon?

White Paper: Librestream Security Overview

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

Public Cloud Service Agreements: What to Expect & What to Negotiate. April 2013

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

LEGAL ISSUES IN CLOUD COMPUTING

Data Privacy, Security, and Risk Management in the Cloud

Cloud Security Who do you trust?

John Essner, CISO Office of Information Technology State of New Jersey

Key Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

Cloud Database Storage Model by Using Key-as-a-Service (KaaS)

Validating Enterprise Systems: A Practical Guide

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Cloud Computing Security Issues

BYOD File Sharing Go Private Cloud to Mitigate Data Risks

Strategies for assessing cloud security

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK

Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken )

{Moving to the cloud}

Transcription:

ISSA PREEMINENT TRUSTED GLOBAL INFORMATION SECURITY COMMUNITY Cloud Computing Risks By Richard Mosher ISSA member, Kansas City, USA Chapter Cloud computing risks still include data privacy, availability, service provisioning, malicious attack, and regulaty compliance. Mitigating the risks, now me than ever befe, requires a mature vend management program in which cloud s are tasked contractually with guaranteeing the infmation security requirements of their customers. Abstract The most recent development in infmation technology suppt f cpate business is the growing use of cloud computing. This trend presents a unique set of risks to cpate data that must be specifically addressed when considering this option. The issues involved are as old as infmation security. The risks still include data privacy, availability, service provisioning, malicious attack, and regulaty compliance. The venue has changed as technologies have mphed. Mitigating the risks, now me than ever befe, requires a mature vend management program in which cloud service providers are tasked contractually with guaranteeing the infmation security requirements of their customers. Background Cloud computing began years ago with the development of services such as online application offerings through application s (ASPs), infrastructure s such as Internet s (ISPs), and functional s such as managed security services providers (MSSPs). Following the development of virtual technology and other technological innovations, cloud computing services are now defined within three categies. Infrastructure as a Service (IaaS) A computing infrastructure is delivered as a service, although the infrastructure, platfms, applications within the environment may be managed and suppted either internally by the external entity. Platfm as a Service (PaaS) Computing platfms are delivered as a service; the infrastructure is managed by the, but platfms applications within the environment may be managed and suppted either internally by the external entity. Software as a Service (SaaS) Computing applications are delivered as a service, and the infrastructure and platfms are managed by the, but the application may be managed suppted either internally by the external entity. Of necessity, each of these involves the external management of particular functions by the external provider. F instance, an external IDS/IPS service generally involves an infrastructure, platfm, and application managed by the in providing the function. Likewise, the provisioning of HR services through an external application such as ADP must be suppted by, and may be managed by, personnel. This picture is clouded to some extent because the industry recognizes that cloud environments may be external to the ganization, entirely within the ganization (private), a hybrid (a mix of the two). An alternate option is a community cloud, which is an external cloud provided by a service provider designed and configured to suppt a specific type of application data requirement, as in, f instance, a medical industry cloud designed to provide a HIPAA-compliant service. This discussion is focused exclusively on the risks involved in the use of clouds provided by providers external to the ganization in either a pure external, community hybrid cloud environment. 34

As is true f all outsourcing arrangements, external cloud computing services share a set of risks that are derived from the decision to permit cpate data to be processed by reside upon devices outside of the cpate environment and under the control of an outside ganization. Some of these risks are increased due to the inherent nature of cloud computing. Data privacy risks Access control The decision to move cpate data and/ documents to an external cloud environment by its very nature requires that individuals within the ganization may have access to the data submitted to the cloud environment if personnel need access to the data stage area in suppt of the service. 1 require that the limit access to the data/files to essential personnel only; conduct background checks of those individuals to whom access will be granted; maintain proper recds of approval, removal, and review of internal access to the data; monit access to the data; train internal staff on requirements to protect the data; and if needed f compliance purposes, provide repts to the ganization regarding access to the data recds by suppt staff. Internally, the ganization can Contractually obligate the to these requirements; and Monit vend compliance with the requirements. Internal segmentation Any cloud is likely to suppt multiple ganizations. If not properly structured and configured, the data architecture underlying the service could put the ganization s data at risk of disclosure to other ganizations. 2 require that the implement internal barriers/segmentation between the data of different ganizations; and conduct audits of data stage to confirm that the barriers are effective. Once again, this requires that the ganization contractually obligate and monit vend compliance. Sub-contracts Many cloud s themselves are composed of multiple layers of cloud services, with the iginally contracted provider using other cloud providers to suppt their own services. The ganization must therefe be prepared to enfce its needs within multiple layers of s through the iginally contracted. This issue is especially troublesome if the ganization is under legal and/ regulaty compliance requirements. If this is the case, the ganization is often held responsible f ensuring the compliance of its sub-contracts. The ganization will therefe want to know the identities of sub-contracts in der to be able to track their compliance status. This can only be ensured through appropriate contract language. 3 if the ganization is under an obligation to satisfy regulaty requirements, discuss this with the cloud vend, and, if possible, require that the provide the identities of all sub-contracts in der to confirm their compliance status; if this level of compliance moniting is not required, request that the agree contractually to enfce all identified requirements on its service providers as appropriate; require that the implement a vend management program to monit the compliance of its vends; and monit the s compliance with this requirement. Data ownership In the past it was not unusual f cloud s to claim ownership of all data/files submitted to their care, and to publicly state the right to redistribute all submitted documentation at will. 4 ensure that the acknowledges the primacy of the ganization s rights to the data submitted; contractually obligate the to limit use of the data to that approved by the ganization; and contractually require that the ganization s data be returned and deleted upon severing the relationship. 1 Cloud Security Alliance, Top Threats to Cloud Computing V1.0, March 2010, Threat #3: Malicious Insiders, p. 10 https://cloudsecurityalliance.g/topthreats/ csathreats.v1.0.pdf. 2 Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage, Hey, You, Get Off of My Cloud: Expling Infmation Leakage in Third-Party Compute Clouds, ACM, November 2009 http://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdf. 3 Giles Hogben, Perspectives on Cloud Security in the European Landscape, Cloud Security Delivery Imperatives 2011, ISACA Virtual Seminar, April 2011. 4 Carl Brooks, Cloud SLAs the next bugbear f enterprise IT, TechTarget.com http://searchcloudcomputing.techtarget.com/news/2240036361/cloud-slas-thenext-bugbear-f-enterprise-it?asrc=em_eda_14018952. 35

E-Discovery Because the data/files submitted are now suppted on systems belonging to an external entity (e.g., the cloud service provider), that data is now subject to discovery not only by legal actions targeting the ganization, but may also be at risk of discovery and disclosure by legal actions targeting the any one of its other customers service providers. The ganization s data may therefe be compromised due to legal actions that may may not directly involve the ganization. 5 6 To mitigate this, the ganization can ensure that the is bound contractually to notify the ganization of any required legal disclosure that may involve the ganization s data; and make internal plans to address e-disclosure needs in such an event. Data censship In some cases cloud providers retain to themselves the right to audit and cens any data submitted to the service. This can cause delays in the data posting process changes to the data itself that may be unacceptable. 7 contractually define any such activities on the part of the, and the process through which it is suppted; and require the to rept any such activities to the ganization. Encryption In the current state of the cloud processing industry, implementation of encryption f data at rest within the cloud remains relatively rare, is expensive when available. It has been identified within some cloud services that are designed to meet specific regulaty requirements, but is not available within me common cloud services. : use cloud services only f those data services that do not require data encryption f data privacy purposes; select a cloud that can provide encryption if required; confirm that the has implemented appropriate encryption controls; 5 Wendy Butler Curtis, Curtis Heckman, and Aaron Thp, Cloud Computing: ediscovery Issues and Other Risk, Orrick ediscovery Alert, June 28, 2010 http:// www.rick.com/fileupload/2740.pdf. 6 Lucas Mearian, How data security can vapize in the cloud, Computerwld, October 15, 2009 http://www.computerwld.com/s/article/9139404/how_data_ security_can_vapize_in_the_cloud_. 7 Joseph Granneman, Data Protection and Access Control in the Cloud, Security and Compliance in the Cloud, ISACA Virtual Seminar, December 2010. confirm that the regularly tests those encryption controls; and ensure that appropriate key management practices are in place to suppt the encryption. Availability risks Service degradation External services through a cloud provider involve connections over the Internet, any section of which is subject to congestion and outages on a periodic basis. In addition, the service may be degraded by a malicious attack, either due to the diversion of resources caused by an attack on the, by the diversion of resources due to an attack upstream from the (an attack on one of their service providers) and resulting congestion on the telecommunication lines, by diversion of resources caused by a successful penetration and use of the service itself as the base f further attacks on other sites. use cloud services only f those applications f which degradation of service is not a significant issue; obtain redundant lines to the through alternate carriers that can provide alternate connecting lines to the service; and implement appropriate and feasible alternatives f services during periods of service degradation. Service outage Similarly, all s will, f one reason another, incur service outages and perfmance issues on a periodic basis. confirm that the has designed the service with adequate capacity and multiple service sources to limit outages; require a service level agreement with the provider with contractual penalties f less than acceptable availability perfmance levels; ensure that the defined level of availability is acceptable f business purposes; confirm that the has an active backup program and recovery plan, confirm that the recovery plan is tested regularly; determine if alternate service options are available f periods in which the service is not available; and implement appropriate and feasible alternatives f services during an outage. 36

Service provisioning risks Service changes As all IT professionals know, technology firms come and go. Cloud s may fail, be acquired, change their business models and discontinue a service at any time. As a result, the ganization may lose access to its data to the service upon sht notice. contractually require a specified minimum period of notice f service changes; identify alternate service options that can be activated upon need; and maintain an updated internal copy of the data f emergency use. Cost changes As with any outside service, costs f cloud services will change over time. Such changes can make this type of service less cost effective, jeopardizing the purpose behind using the service in the first place. To mitigate this, the ganization can ensure that service costs and changes are defined in the service contract; and evaluate the cost/benefit/risk trade-offs of the relationship during each contract renewal. Malicious activity risks Likelihood of attack Because cloud s suppt multiple businesses and must have their services available on the open Internet, they are at increased risk of being attacked through their website ptals. After all, attackers tend to prefer target-rich environments, and cloud s concentrate multiple targets within their service areas. This situation is made wse by the fact that they must make web suppt and administration tools available to their customers as a part of the nmal business model through the web ptal, thereby leaving these tools accessible to attackers as well. As a result, the ganization s data/files are at increased risk of compromise through an outside attack. 8 confirm that the follows recommended security best practices in the development and coding of its web application, including code reviews and appropriate application security steps within each level of its infrastructure; confirm that the perfms vulnerability and penetration tests on a periodic basis and remediates any issues identified; and confirm that these practices have been audited and shown to be in place and operationally effective. Regulaty compliance risks Audit recds In many cases the systems suppting cloud services are managed by personnel through their internal processes. Service providers, as is true f most ganizations, usually decline to provide internal operational details to external customers. Obtaining auditable recds f the systems can therefe be difficult. In addition, the audit tools available through individual s vary significantly. The tools available f this purpose must be evaluated f each service provider. Because verifying the functionality and controls of all suppting systems may be required f compliance with regulaty requirements, this becomes a significant risk. negotiate with a mechanism through which suppting systems can be audited and verified, either through an audit perfmed by the ganization s audit team through a third party verification using SSAE 16 SOC 1 and SOC 3 repts, and include this in the contract; obtain copies of previous relevant SAS 70/SSAE 16 repts conduct regular audits of the provider; and ensure that appropriate audit repts are mandated contractually to meet the needs of the ganization. Stage location Verifying the functionality and controls of all suppting systems may be required f compliance with regulaty requirements, becoming a significant risk. Typically, the may ste all part of the data/files on servers where it is convenient f them. This may include transferring the data to servers outside of the region country of igin. Such a situation may may not be permissible, based upon regulations under which the ganization operates. 9 8 Cloud Security Alliance, Top Threats to Cloud Computing V1.0, March 2010, Threat #1: Abuse and Nefarious Use of Cloud Computing, p. 8 https:// cloudsecurityalliance.g/topthreats/csathreats.v1.0.pdf. 9 Dr. Thomas Helbing, How the New EU Rules on Data Expt Affect Companies Running Cloud Computing and SaaS, cloudcomputing-vision.com, April 16, 2010 http://cloudcomputing-vision.com/805/eu-rules-data-expt-affect-companiesrunning-cloud-computing-saas/. 37

require that the assess the ganization s legal and regulaty requirements, and determine if restrictions exist on whether it can permit its data to be sted outside of a specific legal jurisdiction; if the ganization faces this type of restriction, include a discussion of this issue with any s considered as s; if possible, agree contractually to stage location restrictions that will keep the ganization compliant with its regulaty needs; if this is not possible, exclude the from those to be considered f the service. Lack of breach notice In addition to all the other controls that are missing, the ganization using cloud services also loses insight into and control over mandated breach notifications. Me often than not, the ganization may not even know that a breach has occurred until it appears in the evening news. 10 use cloud resources f only those data applications that do not have regulaty compliance requirements; contract with a cloud that is willing to assert contractually that they will notify the ganization at once in the event of a possible breach. Compliance The issue of compliance validation f cloud computing applications is an open question. Little has been done in this area to date, and suppt f compliance requirements varies considerably between providers. 11 use cloud resources f only those data applications that do not have regulaty compliance requirements; contract with a cloud that is willing to assert contractually that they will maintain compliance with the regulation in question; and maintain a compliance verification program that validates the s compliance with the requirements. 10 Ariel Silverstone, Cloud Security: Danger (and Opptunity) Ahead, CSO Online, May 19, 2009 http://www.cio.com/article/492999/cloud_security_danger_and_ Opptunity_Ahead. 11 Cloud Computing: Benefits, risks and recommendations f infmation security, European Netwk and Infmation Security Agency (ENISA), November 2009 http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment. Mitigation summary The use of external resources f cloud computing in its current state involves a number of risks. The key to proper mitigation of the risks in cloud computing is to determine appropriate controls f all relevant security provider operations just as if they were internal, and then to contractually obligate the to comply with those controls. In the process of mitigating its risks, any ganization making use of cloud computing resources should take a number of key steps. 1. Evaluate the risks involved in the use of cloud computing f a specific data application, and determine if the benefits to be gained offset the risks and the costs. This is especially critical if any regulaty compliance requirements are involved. 2. Assess the available cloud computing s to determine if any can provide the needed service while providing appropriate suppt in mitigating the identified risks. 3. Perfm appropriate due diligence on the selected service provider to ensure their financial stability, and to confirm the promised suppt architecture is available. 4. Obtain copies of the SAS 70 the new SSAE 16 audit repts to confirm their controls, perfm an audit of the to confirm these details. 5. Ensure that the contract includes language specifying all required mitigating controls and repting. 6. Implement a vend management program to ensure ongoing compliance of the with all necessary controls and service levels. 7. Ensure that all other appropriate internal mitigating strategies and options are implemented. About the Auth Richard Mosher, CISSP, CBCP, CISA, CGEIT, QSA, is a professional consultant wking in infmation security, risk management, regulaty compliance, business continuity, and IT audit as a staff member of Experis, a ManpowerGroup company. He has 25 years of experience in infmation security, is a fmer ISSA chapter president, fmer ISSA International board member, and an ISSA Distinguished Fellow, and is a periodic contribut to the ISSA Journal. He may be reached at Richard.mosher@experis.com. 38

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information