Cloud Computing Risk Assessments
Donald Gallien
March 31, 2011
www.isaca.org
Overview
• Cloud Computing Refresher
• Assessing Cloud Computing Universe Completeness
• Using a Cloud Computing Risk Ranking Model
• Risk Ranking Case Study
Quiz
• What do the following have in common?
– Paisley GRC
– Salesforce.com
– Amazon EC2
– Google Apps
– Microsoft Business Productivity Online Suite (BPOS)
– Rackspace
– WebEx
Cloud Computing Refresher
Cloud Computing Basics
• Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid (Source: Wikipedia)
• Based on virtualization and abstraction of the underlying infrastructure
• IT Audit Risk is largely driven by:
– Deployment Model
– Service Model
– Nature of Applications & Data in Cloud
Deployment Models (Source: NIST)
• Public: Available to the general public or a large industry group. Example: Google Apps (Free)
• Community: Shared by several organizations and supports a specific community that has shared concerns. Example: Google Apps for Government
• Private: Operated solely for an organization. Example: Microsoft BPOS for a Business
Service Models (Source: NIST)
• Infrastructure as a Service (IaaS): Fundamental computing resources to deploy software, including OS and applications. Example: Rackspace Cloud
• Platform as a Service (PaaS): Applications based on programming languages and tools supported by the cloud provider. Example: Force.com
• Software as a Service (SaaS): Cloud provider applications running on a cloud infrastructure. Example: Salesforce.com (CRM)
Another Way to Look at Service Models
Service models ordered by provider control, from most to least:
• SaaS (example: WebEx)
• PaaS (example: BPOS)
• IaaS (example: Amazon EC2)
Deployment Model Risk Profile
Likelihood of data security, privacy, and control breach, from higher to lower:
• Public (higher likelihood)
• Community
• Private (lower likelihood)
Service Model Risk Profile
Impact of loss of control and security breach, from higher to lower:
• IaaS (higher impact)
• PaaS
• SaaS (lower impact)
Cloud Refresher Summary
• Public clouds are inexpensive, but provide less security and service
• Private clouds are expensive, but align better with technology and security standards
• IaaS models are very broad in scope, but organizations maintain more control
• SaaS models are narrow in scope, but organizations relinquish almost all control
What is the impact of cloud computing on the IT audit function?
But one thing never changes
• All IT Audit and Governance groups must:
1. Identify a Universe
2. Risk Rank the Universe
3. Provide Appropriate Coverage based on Risk
Assessing Cloud Computing Universe Completeness
The Cloud Universe Challenge
Characteristics of the cloud that make the universe hard to pin down:
• Transient
• Flexible
• Dynamic
• Abstract
• Rapidly Deployed
Finding the Clouds
Control points for discovering cloud computing:
• Technology Governance
• Firewalls & Encryption Certificates
• Invoices / Time & Expense Reporting
• Process Walkthroughs
Technology Governance
• Oversight
• Technology Approvals
• Partner Approvals
How does your organization promote controlled cloud computing?
Firewalls and Encryption Certificates
• Firewall & VPN Rule Changes
• Firewall Logs
• Encryption Certificate Requests
Cloud computing environments are unlikely to stand alone.
Invoices / T&E Reporting
• Vendor Master
• Invoice Lists
• T&E Reporting
How much does it cost to deploy cloud based e-mail service at Google?
Process Walkthroughs
• Business Process
• Data Flow
• Technology Overview
Has anyone discovered cloud based computing in a walkthrough meeting?
Summary – Universe Completeness
• Cloud computing can be difficult to identify
• Traditional technology governance, security, and procurement controls can be used to identify cloud computing
• Users and business analysts could be your best source of cloud computing information
What else can you do to identify cloud computing?
Using a Cloud Computing Risk Ranking Model
A few thoughts before we start
• Risk models include elements of judgment and must fit the organization
• Some model assumptions may be completely wrong for your organization
– We should have a lot of debate on this topic
• Risk ranking scores must drive governance requirements and audit activities
Cloud Risk Ranking Example
Attribute              High (5)          Med (3)          Low (1)
Deployment Model       Public            Community        Private
Service Model          IaaS              PaaS             SaaS
Data Security Level    Secret            Restricted       Unclassified
Physical Hosting Site  Undefined         Int'l Location   Domestic Location
SOX Critical           Yes                                No
Dependent Apps         Greater than 10   4 to 10          0 to 3
Recovery Time          4 Hours           7 Days           31 Days
Region Supported       Europe or Global  US               All other
Potential Governance & Audit Requirements
Cloud Risk Category  Score   Audit Requirements / Frequency             Governance Requirements
High                 >25     Full Scope / SAS 70 Type II, Annual
Medium               11-24   Limited Scope / SAS 70 Type I, Bi-Annual
Low                  <10     Risk Assess Only, None
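The scoring model of the two slides above, as an added Python example (not part of the presentation): it encodes the attribute points and the score bands exactly as the deck states them, and flags a total that lands between the bands instead of silently rounding it into a category. The attribute keys and the profiles used in the comments are constructed for illustration.

```python
"""Score a cloud service with the deck's example rubric. Added illustration,
not the presenter's code; attribute keys and sample profiles are constructed."""

HIGH, MED, LOW = 5, 3, 1

# Attribute -> {value: points}, from the "Cloud Risk Ranking Example" slide.
RUBRIC = {
    "deployment_model": {"Public": HIGH, "Community": MED, "Private": LOW},
    "service_model": {"IaaS": HIGH, "PaaS": MED, "SaaS": LOW},
    "data_security_level": {"Secret": HIGH, "Restricted": MED, "Unclassified": LOW},
    "physical_hosting_site": {"Undefined": HIGH, "Int'l Location": MED, "Domestic Location": LOW},
    "sox_critical": {"Yes": HIGH, "No": LOW},  # the slide defines no medium value
    "dependent_apps": {"Greater than 10": HIGH, "4 to 10": MED, "0 to 3": LOW},
    "recovery_time": {"4 Hours": HIGH, "7 Days": MED, "31 Days": LOW},
    "region_supported": {"Europe or Global": HIGH, "US": MED, "All other": LOW},
}

# (category, membership test, audit requirement / frequency), from the requirements slide.
BANDS = [
    ("High", lambda s: s > 25, "Full Scope / SAS 70 Type II, Annual"),
    ("Medium", lambda s: 11 <= s <= 24, "Limited Scope / SAS 70 Type I, Bi-Annual"),
    ("Low", lambda s: s < 10, "Risk Assess Only, None"),
]

def score(profile):
    """Sum points over all eight attributes; an incomplete profile raises so an
    unfinished inventory entry cannot be ranked by accident."""
    missing = sorted(set(RUBRIC) - set(profile))
    if missing:
        raise ValueError(f"profile lacks attributes: {missing}")
    return sum(RUBRIC[attr][profile[attr]] for attr in RUBRIC)

def categorize(total):
    """Map a total onto the slide's bands. Totals are always even (eight odd
    addends), so 10 is reachable yet matches neither '<10' nor '11-24'; report
    such totals as Unassigned instead of silently rounding them."""
    for name, member, requirement in BANDS:
        if member(total):
            return name, requirement
    return "Unassigned", "score falls between the slide's bands; extend the model"

def rank(profile):
    """Score and categorise one inventory entry, e.g. a public IaaS service holding
    secret data at an undefined site scores 40 and ranks High."""
    total = score(profile)
    category, requirement = categorize(total)
    return {"score": total, "category": category, "audit": requirement}
```

A private SaaS service with unclassified data, domestic hosting, no SOX criticality, 0 to 3 dependent apps, a 31 day RTO and an "All other" region scores 8 and ranks Low; changing only its deployment model to Community scores 10, which neither band covers.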
Deployment Model Considerations
• High: Public
– Security and privacy are not a priority
– Service level agreements may not exist
• Medium: Community
• Low: Private
– Private environments provide adequate security and privacy
– Service level agreements should exist
Service Model Considerations
• High: IaaS
– Issues may impact all hosted applications and data
– No control over foundational general controls
• Medium: PaaS
– Impact limited to outsourced platform
• Low: SaaS
– Impact limited to applications and data
Data Security Considerations
• High: Secret
– Difficult to enforce security standards when outsourcing
– Difficult to demonstrate compliance with regulations like GLBA
• Medium: Restricted
• Low: Unclassified
– Security and privacy are not a concern (good candidate for cloud computing)
Physical Hosting Site Considerations
• High: Undefined
• Medium: International Location
– May result in cross border data protection regulatory issues
– Difficult to demonstrate compliance with regulations like GLBA
• Low: Domestic Location
– Minimizes concerns about cross border data protection regulations
SOX Criticality Considerations
• High: Yes
– SAS 70 reports may not cover SOX critical application controls
– Business units may not have visibility or access to test SOX controls
• Medium: (no value defined)
• Low: No
– Non SOX critical applications may be good candidates for cloud computing
Dependent Applications Considerations
• High: Greater than 10 apps
– Implies complexity and greater organizational significance
• Medium: 4 to 9 apps
• Low: Less than 3 apps
– Implies simplicity and less organizational significance
Recovery Time Objectives (RTO) Considerations
• High: 4 Hours
– Implies increased business importance
– Cloud provider may lack geographic diversity
– Single points of failure may exist in network
• Medium: 7 Days
• Low: 31 Days
– Implies lower business importance - good candidate for cloud computing
Regions Supported Considerations
• High: Europe or Global
– Strictest cross border data protection regulations – can be at odds with abstract cloud computing
• Medium: United States
• Low: All Other
– “Other” countries may have less restrictive cross border data protection regulations
Summary – Cloud Risk Ranking Models
• Cloud risk ranking attributes and scoring must vary based on environment and need
• Risk attributes and scoring require alignment with organizational standards
What other risk attributes might you use, and how would you rank them on a high, medium, low basis?
Risk Ranking Case Study
Conclusions
• Business and technology leaders are embracing cloud computing - it is here to stay and growing
• Cloud computing standards and risk ranked cloud universes are foundational requirements for governance
• We must adjust our approach to remain relevant
Questions
Contact Information: donald.w.gallien@aexp.com