Incident Handling in the Cloud and Audit's Role
David Cole, CPA, CISA
ISACA National Capital Area Chapter Cloud Computing Conference
March 17, 2015
Outline
- Cloud Service Models
- Cloud Types
- Summary of Controls
- Incident Scenario Example
- Audit Involvement and Role
- IH Standards
- Audit Involvement in the IH Process
- IH Example with Audit Involved
- Post Incident Audit Value
- Wrap Up
Cloud Service Models: Software as a Service (SaaS)
- The capability provided to the consumer is to use the cloud provider's applications running on a cloud infrastructure
- Applications are accessible through a thin client interface, such as a web browser (e.g., web-based email), or a program interface
- The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or applications
- SaaS is termed a turn-key service for various applications
- Main benefits are reducing the total cost of hardware and software development, maintenance, and operations
- Security provisions are carried out by the cloud provider
- The cloud consumer does not manage or control the underlying cloud infrastructure or applications, apart from some limited administrative application settings
Cloud Service Models: Platform as a Service (PaaS)
- The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications, built using programming languages, libraries, services, and tools supported by the provider
- The consumer does not manage or control the cloud infrastructure: network, servers, operating systems, or storage
- The consumer does control the deployed applications and the configuration settings for the application-hosting environment
- The cloud consumer has control over applications and application platform settings
- Advantages are reducing the cost and complexity of buying, housing, and managing the underlying hardware and software components of the platform
- Security is shared by the cloud provider and the consumer
Cloud Service Models: Infrastructure as a Service (IaaS)
- Provisioning of processing, storage, networks, and other resources
- The consumer is able to deploy and run arbitrary software, including operating systems and applications
- The consumer does not manage or control the underlying cloud infrastructure
- The consumer does control operating systems, storage, and deployed applications, and has control of select networking components (e.g., host firewalls)
- The cloud consumer generally has broad choices of operating system and development environment for hosting
- Security beyond the basic infrastructure is provisioned and managed by the cloud consumer
Cloud Types: Public Cloud
- Cloud infrastructure is provisioned for open use by the general public
- May be owned, managed, and operated by a business, academic, or government organization, or some combination of them
- The cloud provider owns the infrastructure
- Deployment models broadly characterize the management and disposition of computational resources for delivery of services to consumers, as well as the differentiation between classes of consumers
- Infrastructure and computational resources are available to the general public over the Internet
- Owned and operated by a cloud provider delivering cloud services to consumers
- Is external to the consumers' organizations
Cloud Types: Private Cloud
- Cloud infrastructure is provisioned exclusively for use by a single organization
- Used by multiple consumers (e.g., business units); may be owned, managed, and operated by the organization or a third party; may exist on or off premises
- It may be managed by the organization or by a third party, and may be hosted within the organization's data center or outside of it
- Gives the organization greater control over the infrastructure and computational resources
Cloud Types: Community Cloud
- The cloud infrastructure is provisioned for exclusive use by a specific community of consumers
- Organizations may have a shared mission, business, security requirements, policy, and compliance considerations
- May be owned, managed, and operated by one or more organizations within the community, a third party, or some combination of them
- Can exist on or off premises
- A community cloud falls between public and private clouds with respect to the target set of consumers
- Similar to a private cloud, except that infrastructure and computational resources are exclusive to two or more organizations that share common privacy, security, and regulatory considerations, rather than a single organization
Cloud Types: Hybrid Cloud
- Cloud infrastructure is a combination of two or more different cloud infrastructures (private, community, or public)
- Each remains a separate cloud entity
- Often bound together by standardized or proprietary technology that enables data and application portability
- Hybrid clouds are complex compared to other deployment models
- Involve a composition of two or more clouds (private, community, or public)
Cloud Types (figure only)
Summary of Controls
An organization can transfer workload to the cloud, but not the responsibility to protect.
Incident Scenario Example
- Sales and Marketing have several apps in a hybrid cloud, interconnected to the in-house infrastructure environment
- Beaconing activity discovered, popping up daily, randomly, at different times and durations, from Sales and Marketing department IPs
- NetFlow analysis easily reveals months of beaconing activity coming from internal Sales and Marketing systems; uncertain whether the cloud IPs are beaconing
- Firewall logs show activity to external IPs
- Initial incident research matches the IPs to known APT addresses
- Network/application IDS and IPS are running, but no event triggers were sent
- Perimeter firewall, DMZ, and web servers also sent no event trigger warnings
- No firewall blocking decision made yet (deciding whether to capture memory first or cut the network for the subnets involved)
- As an IT Auditor you might get asked to support and participate in the IH/event. Do you accept the assignment? Why or why not?
Incident Scenario Example: Audit Involvement
- Assume you're drafted: you are participating and involved, until further notice
- Audit's role and maintaining the office's independence:
  - Audit independence
  - Audit objectivity
  - Audit as risk advisor
IH Standards - ITIL (figure only)
IH Standards - NIST (figure only)
Audit Involvement in the IH Process: how and when to inject into and retract from the IH process
- Initial meeting: set the ground rules, and keep repeating the ground rules until completion
- Keep your independence: don't direct actions, don't criticize a fluid process, state the obvious risks when appropriate
- Establish and maintain a log of your participation and involvement; your involvement and your feedback will be valued during Incident Response and during post-mortem activities
Audit Involvement in the IH Process: how and when to inject into and retract from the IH process
- Be prepared: know your organization's business; know the business processes; know the business data, types, and flows; know the organization's integration points; think outside the box of an auditor
- Keep your leadership informed and up to date; state the facts, caveat when uncertain, and recognize you won't have all the information
IH Example with Audit Involved
- Does an IH program exist, and is it practiced?
- Is the IH program up to date for the hybrid cloud environment?
- Who's in charge of Incident Response (IR)?
- What is the communication plan during the incident, internal and external, plus media and law enforcement?
- Is the IH team clearly communicating activity and status to date? Don't assume all is OK
IH Example with Audit Involved: Cloud Security Risks
- Data in the cloud loses some of its visibility and control
- What SaaS security controls is the cloud provider providing?
- Data has moved to the cloud: is there a Cloud Data Protection solution established?
- Data encryption: on-premise, in-transit, in-cloud
- Is there a cloud encryption gateway in place? If so, on premise or in the cloud?
- Does the cloud provider capture activity logs, and can we get them now? Have we been getting them?
IH Example with Audit Involved: System Interconnections
- Are we in a hybrid cloud and sharing cloud services or cloud applications with partners, vendors, or clients?
- Was the breach internal or through a third party?
- What does our interconnected service agreement say about the notification responsibility of both parties?
Mobile Solutions
- The incident involves Sales: is there a mobile solution for the Sales workforce, and how is it being assessed?
IH Example with Audit Involved: Network Traffic Analysis
- When and how was the decision made to stop/block the beaconing?
- Have files been transferred into the environment from the external IPs?
- Was the beaconing done through an SSL tunnel? That indicates a level of sophistication.
- Why didn't the monitoring tools trigger on the event?
- Firewall and web services: have the configurations been altered?
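The NetFlow review in the incident scenario (months of daily check-ins from Sales and Marketing IPs to addresses later matched to threat intelligence) and the traffic-analysis questions above (was it over SSL, were files pulled in) can be reduced to a simple triage pass. The following is an added example, not material from the presentation: the flow records, the Sales/Marketing subnet and the "known bad" list are all constructed stand-ins.

```python
"""Beaconing triage over NetFlow-style records (added example; all sample data is constructed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: start time, internal src IP, dst IP, dst port, bytes out, bytes in.
# The first four lines mimic a small, steady daily check-in; the last two are ordinary web traffic.
FLOWS = """\
2015-01-05T09:14:02 10.20.1.15 203.0.113.77 443 1200 640
2015-01-06T13:41:19 10.20.1.15 203.0.113.77 443 1180 655
2015-01-07T08:02:55 10.20.1.15 203.0.113.77 443 1210 620
2015-01-08T17:30:41 10.20.1.15 203.0.113.77 443 1195 702000
2015-01-05T10:00:00 10.20.1.22 198.51.100.10 80 5400 90000
2015-01-05T10:00:05 10.20.1.22 198.51.100.10 80 5300 88000
"""
KNOWN_BAD = {"203.0.113.77"}          # constructed stand-in for the threat-intel list
SALES_MARKETING_NET = "10.20.1."       # constructed stand-in for the department's subnet


def parse_flows(text):
    """Yield (timestamp, src, dst, port, bytes_out, bytes_in) tuples from the text records."""
    for line in text.splitlines():
        ts, src, dst, port, b_out, b_in = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), int(b_out), int(b_in)


def find_beacons(text, min_days=3):
    """Group flows per (src, dst) pair from the department subnet and flag pairs that recur on
    at least min_days distinct days with a steady outbound size (a scripted check-in pattern).
    Each finding records what the audit questions ask: known-bad match, TLS port, bytes pulled in."""
    groups = defaultdict(list)
    for ts, src, dst, port, b_out, b_in in parse_flows(text):
        if src.startswith(SALES_MARKETING_NET):
            groups[(src, dst)].append((ts, port, b_out, b_in))
    findings = {}
    for (src, dst), recs in groups.items():
        days = {r[0].date() for r in recs}
        outs = [r[2] for r in recs]
        steady = pstdev(outs) < 0.1 * mean(outs)      # low variance in payload size
        if len(days) >= min_days and steady:
            findings[(src, dst)] = {
                "days_seen": len(days),
                "known_bad": dst in KNOWN_BAD,
                "over_443": all(r[1] == 443 for r in recs),   # candidate SSL tunnel
                "bytes_in_total": sum(r[3] for r in recs),    # were files transferred in?
            }
    return findings


if __name__ == "__main__":
    for pair, info in find_beacons(FLOWS).items():
        print(pair, info)
```

On the constructed data the single flagged pair is the daily 443 check-in to the listed address, with one day showing a large inbound transfer worth asking about.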
Post Incident Audit Value
- Risk advisor
- Business technology advisor
- Internal control and business process re-engineer
- Honest broker to senior leadership: what went well, what did not
- Post-recovery verifier and validator
Wrap Up
Questions?