Slide 1: Bangkok, Thailand. Cloud Governance: Cloud and GRC (Audit)
Moderator: Mr. Jirapon Tubtimhin
Panelists: Mr. Metha Suvanasarn [Slide attached], Mr. Wee Tan Yeong, Mr. Russell Pipe
7 February 2013

Slide 2: Abstract
Cloud computing is a flexible, cost-effective, and proven delivery platform for providing business or consumer IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with all processes, applications, and services provisioned "on demand", regardless of user location or device. As a result, cloud computing gives organizations the opportunity to increase their service delivery efficiencies, streamline IT management, and better align IT services with dynamic business requirements. In many ways, cloud computing offers the "best of both worlds", providing solid support for core business functions along with the capacity to develop new and innovative services.
In addition to the usual challenges of developing secure IT systems, cloud computing presents an added level of risk, because essential services are often outsourced to a third party. The "externalized" aspect of outsourcing makes it harder to maintain data integrity and privacy, support data and service availability, and demonstrate compliance. The security measures discussed in this IBM Redpapers™ publication represent best practice implementations for cloud security.

Slide 3: Cloud Governance: Cloud and GRC (Audit)
Cloud and Risk Management Process -> Decision Making

Slide 4: Cloud and Integrated GRC and Risk Appetite
How many colours are there in the Cloud? -> White / Black / White and Black
Cloud and change enablement:
• Where do we want to be?
• What needs to be done?
• How do we get there?
• What risk appetite should we be concerned with?

Slide 5: Cloud and GRC (Audit): Criteria and Success Factors for Management and Audit
1. Objective <-> Risk <-> Controls <-> Audit <-> Reports <-> Monitor
2. Incorporate conditions and the right to audit in the contract (vs. events).
3. Perform a gap analysis between AS-IS and the standards (To-Be) to identify potential solutions and proper actions.
4. Look for ways to integrate frameworks and approaches for the Cloud.
5. Match evidence, via audit and document review of the service provider's process, people and technology, against the required enterprise and IT-related goals and the levels of concern.
6. Manage expectations and follow Vision-Mission-Policy-Strategy + Actions and Metrics. Break down the overall project into achievable projects. ++
7. Focus on implementations that enable business value, and ensure adequate insight into the business environment.
8. Focus on change-enablement planning and enterprise goals. [Cont.]

Slide 6: Cloud and GRC (Audit): Challenges for Management and Auditors
How do we get there? How do we make final decisions?
9. Clearly explain and sell the business/stakeholder benefits.
10. Raise issues with the Audit Committee.
11. Consider how the culture might need to be changed.
12. Raise the issue with the CEO and Board.
13. Ensure that risk management and impact are applied across the enterprise.
14. Apply management and governance principles.
15. Ensure adequate insight into the business environment.
16. Be careful of overly optimistic goals and underestimation of the effort required.
17. Be careful of IT in fire-fighting mode, focused on operational issues.
18. Lack of dedicated resources or capacity.
19. Insufficient insight into the business environment and overall business objectives. ++
20. Set clear, measurable and realistic goals.
21. Make sure roles and responsibilities are clear and accepted, changing roles and job descriptions if required.
22. ++++
23. Do we get there? Or are the solutions too complex or impractical? Then, what to do?

Slide 7: Cloud and Integrated GRC and Risk Appetite: Evaluate different models of cloud computing
Different models of cloud computing have various ways of exposing their underlying infrastructure to the user.
This influences the degree of direct control over the management of the computing infrastructure and the distribution of responsibilities for managing its security. With the Software as a Service (SaaS) model, most of the responsibility for security management lies with the cloud provider. SaaS provides a number of ways to control access to the Web portal, such as the management of user identities, application-level configuration, and the ability to restrict access to specific IP address ranges or geographies.

Slide 8: Cloud and Integrated GRC and Risk Appetite
Cloud models like Platform as a Service (PaaS) allow clients to assume more responsibility for managing the configuration and security of the middleware, database software, and application runtime environments. The Infrastructure as a Service (IaaS) model transfers even more control, and responsibility for security, from the cloud provider to the client. In this model, the client has access to the operating system that supports virtual images, networking, and storage. Organizations are intrigued by these cloud computing models because of their flexibility and cost-effectiveness, but they are also concerned about security. Recent cloud adoption studies by industry analysts and articles in the press have confirmed these concerns, citing the lack of visibility and control, concerns about the protection of sensitive information, and the storage of regulated information in a shared, externally managed environment.

Slide 9: Cloud and Integrated GRC and Risk Appetite
In the near term, most organizations are looking at ways to leverage the services of external cloud providers. These clouds would be used primarily for workloads with a low-risk profile, where a one-size-fits-all approach to security with few assurances is acceptable, and where price is the main differentiator.
For workloads with a medium-to-high-risk profile involving highly regulated or proprietary information, organizations are choosing private and hybrid clouds that provide a significant level of control and assurance. These workloads will shift into external clouds as those clouds start offering tighter and more flexible security.

Slide 10: Cloud and Integrated GRC and Risk Appetite
Take a closer look at this framework to better understand the different aspects of a holistic security architecture.
[Figure: Security Framework. Label: Security GRC (Governance, Risk management, and Compliance). Organizations require visibility into the security posture of their cloud. This includes broad-based visibility into change, image, and incident management, as well as incident reporting for tenants and tenant-specific log and audit data.]
The above Security Framework was developed to describe security in terms of the business resources that need to be protected, and it looks at the different resource domains from a business point of view.

Slide 11: Security GRC: Governance, Risk management, and Compliance
Organizations require visibility into the security posture of their cloud. Visibility can be especially critical for compliance. The Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), European privacy laws, and many other regulations require comprehensive auditing capabilities. Since public clouds are by definition a black box to the subscriber, potential cloud subscribers may not be able to demonstrate compliance. (A private or hybrid cloud, on the other hand, can be configured to meet those requirements.) In addition, providers are sometimes required to support third-party audits, and their clients can be directed to support eDiscovery and forensic investigations when a breach is suspected. This adds even more importance to maintaining proper visibility into the cloud.
In general, organizations often cite the need for flexible Service Level Agreements (SLAs) that can be adapted to their specific situation, building on their experiences with strategic outsourcing and traditional managed services.

Slide 12: Guide to Implementing a Secure Cloud
The following security measures represent general best-practice implementations for cloud security. At the same time, they are not intended to be interpreted as a guarantee of success. Guidance for your specific implementation requirements.
- Implement and maintain a security program.
- Build and maintain a secure cloud infrastructure.
- Ensure confidential data protection.
- Implement strong access and identity management.
- Establish application and environment provisioning.
- Implement a governance and audit management program.
- Implement a vulnerability and intrusion management program.
- Maintain environment testing and validation.

Slide 13: A secure application development and testing program should be implemented
Develop software applications based on best practices, with security being a conscious component of the initiative:
a. Validate all security patches prior to production deployment.
b. Ensure that test and production environments are separate.
c. Ensure separation of duties between test, development, and administration personnel.
d. Do not use production data that contains confidential or PII information in a test environment.
e. Ensure removal of all test data and administrative information from the test environment prior to conversion to production.
f. Ensure that all test accounts and custom accounts have been removed prior to production activation.
g. Perform security code reviews on all code prior to release into production.
Slide 14: CSA Cloud Controls Matrix
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP, and it will augment or provide internal control direction for SAS 70 attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud. The Cloud Controls Matrix is part of the CSA GRC Stack.

Slide 15: GRC Stack: Cloud Security Alliance
Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data. Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of GRC requirements.
The Cloud Security Alliance GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry-established best practices, standards and critical compliance requirements.

Slide 16: Value driver & Risk driver & Controls
[Figure only.]

Slide 17: IT Risk Management Audit / Assurance Program: IT Governance, Risk and Control
IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives and the steps to determine control design and effectiveness.

Slide 18: IT Risk Management Audit / Assurance Program: Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This presentation is to be used as a review tool and starting point for Cloud -> GRC -> Audit. It may be modified by the IT audit and assurance professional; it is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or the necessary subject matter expertise to adequately review the work performed.

Slide 19: IT Risk Management Audit / Assurance Program
The primary view of IT is that of an operations or service delivery organization. In this capacity, IT risk addresses the ability to deliver the IT services that enable the enterprise to perform day-to-day operational processes.
However, IT risk also addresses system development, acquisition and maintenance processes. This relates to ensuring the selection, development and maintenance of the business processes that operate the revenue generation and fulfillment of the organization, and that address business needs in a cost-effective manner. Finally, IT risk addresses the ability of IT to provide value and/or benefit to the enterprise through automation.

Slide 20: IT Risk Management Audit / Assurance Program
[Figure only.]

Slide 21: Maturity Assessment vs. Target Assessment
[Figure: spider graph.] This spider graph is an example of the assessment results and maturity target for an IT risk management assessment.
Cloud Perspectives

Slide 22: Cloud and Integrated GRC and Audit
Only with such a unified platform can enterprise IT leaders ensure that they have a highly consumable cloud that will not break down as workloads and complexity grow. Otherwise, the enterprise will not gain the agility and efficiency that it seeks from the cloud.

Slide 23: GRC Stack Initiatives: Cloud Audit
The goal of Cloud Audit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments, and to allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. Cloud Audit provides the technical foundation to enable transparency and trust in private and public cloud systems.

Slide 24: GRC Stack Initiatives: Cloud Controls Matrix (CCM)
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The Cloud Controls Matrix provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Cloud Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA and NIST, and it will augment or provide internal control direction for SAS 70 attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

Slide 25: GRC Stack Initiatives: Consensus Assessments Initiative Questionnaire (CAIQ)
The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort is by design integrated with, and will support, other projects from our research partners. The initial deliverable of this project is the Consensus Assessments Initiative Questionnaire (CAIQ). This questionnaire is available in spreadsheet format and provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of "yes or no" control assertion questions which can then be tailored to suit each unique cloud customer's evidentiary requirements.
Slide 26: GRC Stack Initiatives: Cloud Trust Protocol (CTP)
The Cloud Trust Protocol (CTP) is the mechanism by which cloud service consumers (also known as "cloud users" or "cloud service owners") ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, ..., and nothing else. This is a classic application of the definition of digital trust. Assured of such evidence, cloud consumers are liberated to bring more sensitive and valuable business functions to the cloud, and to reap even larger payoffs. With the CTP, cloud consumers are provided a way to find out important pieces of information concerning the compliance, security, privacy, integrity, and operational security history of service elements being performed "in the cloud".

Slide 27: Cloud Security Threats and How Government Agencies are Coping
Cloud computing services exemplify a significant change in the way companies and organizations perceive IT infrastructure in terms of cost and productivity. Many of the functions and capabilities provided by cloud environments are typically very costly and labor-intensive to implement in traditional data centers. For this reason many companies, organizations, and government agencies are rethinking IT infrastructure and opting for virtualization to reduce costs while maintaining productivity in a difficult economy. Although cloud computing represents many new opportunities to access state-of-the-art technology at a much lower cost, many are concerned about the risks associated with cloud computing systems and the loss of the control over IT infrastructure that you otherwise have with a traditional IT infrastructure.
This is especially true of government agencies, which have countless security and compliance requirements to follow, most of which cannot be met on a cloud services platform. These are guidelines enforced by the International Traffic in Arms Regulations and security controls and certifications such as ISO 27001, ISO 27002, SAS-70, SAS-70 Type 2, and regulations set forth by the Health Insurance Portability and Accountability Act. According to the Cloud Security Alliance, cyber criminals continue to take advantage of new technologies to extend the reach of criminal activities and avoid detection. Cloud computing systems have been highly targeted because cloud computing is a relatively new technology without the security controls typically included in a traditional IT infrastructure. This is rapidly changing, but in the meantime the Cloud Security Alliance has highlighted some of the top cloud computing threats which CSPs face when providing cloud services to organizations.

Slide 28: Common Cloud Security Threats
Criminals find ways to release new threats on a frequent basis, just as viruses and malware are released on the Internet every day. Cloud computing is not immune to this fact, which makes risk management an ongoing task for maintaining secure cloud computing systems.
IaaS and PaaS Attacks: Cloud computing systems offered as IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) have been subject to password and key cracking, in which criminals use sophisticated software to obtain passwords and key codes for unauthorized access. A more common form of IaaS and PaaS attack is botnets, which take command of the cloud server environment for malicious purposes, and Denial of Service attacks, which breach server security before sending massive amounts of packets in an effort to bring down a cloud server and gain unauthorized access to sensitive data.
Inside Threats: Cloud service providers employ a staff of people to help monitor and maintain the infrastructure; however, when you use some of the services, the provider may not reveal who has access to the servers and vaults used with the cloud computing infrastructure. In this case, there is a chance that a threat to sensitive data could come from the inside if the cloud service provider does not have policies in place for monitoring employees and policy compliance. Depending upon the process the cloud service provider (CSP) uses for hiring, confidential data could be subject to espionage, hacking, or someone working within organized crime.
Hijacking: Phishing and software exploitation have been around for some time now; however, cloud computing adds a new dimension to this crime. If a criminal obtains unauthorized access to your credentials through a phishing scheme or software vulnerability, it is then possible for them to eavesdrop on cloud computing activities, redirect your clients to sites that look legitimate but are laced with criminal intentions, or alter the data and information stored in an account on the cloud server.

Slide 29: Common Cloud Security Threats (cont.)
Issues with Shared Technology: In a cloud environment that offers multi-tenancy, the services are typically provided with scalability, which is accomplished using a shared infrastructure. Sometimes the proper isolation and security properties are not in place, which can create a gap between the virtualized server and the host operating system. This can cause problems with data breaches, network traffic, disk partitions, CPU caches, and other shared elements. Once the shared technology is accessed, it can impact the security of others who are using the cloud services. These are a few of the general cloud security threats which can occur in a cloud computing environment.
Government agencies are able to cope with these threats by using cloud service providers (CSPs) that have been certified by the FedRAMP assessment process, a standardized approach set forth by the federal government to ensure security and compliance are being followed when using cloud computing systems. Government agencies are also choosing to use services such as GovCloud, provided by Amazon Web Services, which has been designed to meet government data security compliance and guidelines for different types of data classification. GovCloud also ensures that access to data stays within the borders of the United States, in accordance with the International Traffic in Arms Regulations.

Slide 30: Cloud Computing Service Audit: Data Classification
[Figure only.]

Slide 31: Cloud Audit
CloudAudit is a specification for the presentation of information about how a cloud computing service provider addresses control frameworks. The goal of CloudAudit is to provide cloud service providers with a way to make their performance and security data readily available for potential customers. The specification provides a standard way to present and share detailed, automated statistics about performance and security. Standardized information makes comparisons among providers easier, reducing the resources required to assemble documentation and analyze the data. CloudAudit is intended to benefit cloud computing providers as well. For example, the cost of responding to a potential customer's compliance controls may be minuscule for a large vendor; however, a small vendor may find it burdensome to provide that information to multiple prospective customers. With CloudAudit, vendors can provide information once and only update when there are changes. CloudAudit's development codename was A6 (Automated Audit, Assertion, Assessment, and Assurance API).
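The evidence directory that the CloudAudit slide describes, as an added illustration that is not CloudAudit's own code or its actual layout: a provider publishes artefacts under one namespace per control framework and one directory per control, and an auditor indexes that listing and runs the AS-IS vs To-Be gap analysis named among the success factors for management and audit, flagging required controls with no evidence at all and evidence that has not changed in over a year. The root path, the namespace names, the sample artefacts and dates, and the one-year staleness threshold are assumptions made for this example.

```python
"""Added illustration of the CloudAudit idea: a provider publishes evidence
under a common namespace, one directory per control framework and one
sub-directory per control; an auditor indexes the listing and runs an
AS-IS vs To-Be gap analysis over it. Layout, names and dates are assumed."""
from datetime import date, timedelta

ROOT = "/.well-known/cloudaudit/"  # assumed location of the namespace directory
AUDIT_DATE = date(2013, 2, 7)      # date of the audit (the panel date, for illustration)

# Constructed sample listing of a provider's directory: path -> last-modified date.
# Namespace names are made up; AC-2, AU-2, IR-4, CP-9 are NIST SP 800-53 control ids.
SAMPLE_LISTING = {
    ROOT + "org.example.nist-800-53/AC-2/account-mgmt-policy.pdf": date(2012, 9, 14),
    ROOT + "org.example.nist-800-53/AC-2/q4-access-review.txt": date(2013, 1, 8),
    ROOT + "org.example.nist-800-53/AU-2/logging-standard.pdf": date(2010, 11, 30),
    ROOT + "org.example.nist-800-53/IR-4/incident-runbook.pdf": date(2012, 12, 3),
    ROOT + "org.example.pci-dss/3.4/key-management.txt": date(2012, 6, 1),
    ROOT + "org.example.pci-dss/README": date(2012, 6, 1),  # not under a control: skipped
    "/marketing/whitepaper.pdf": date(2013, 1, 1),          # outside the namespace: skipped
}

# The To-Be side of the gap analysis: controls the auditor requires evidence for.
REQUIRED_CONTROLS = ["AC-2", "AU-2", "IR-4", "CP-9"]


def parse_path(path):
    """Return (namespace, control_id, artefact) for an evidence path, else None."""
    if not path.startswith(ROOT):
        return None
    parts = path[len(ROOT):].split("/")
    # Exactly namespace/control/artefact; anything shallower or deeper is not evidence.
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0], parts[1], parts[2]


def build_index(listing):
    """Index the AS-IS side: namespace -> control_id -> {artefact: last_modified}."""
    index = {}
    for path, modified in listing.items():
        parsed = parse_path(path)
        if parsed is None:
            continue
        namespace, control, artefact = parsed
        index.setdefault(namespace, {}).setdefault(control, {})[artefact] = modified
    return index


def gap_report(index, namespace, required, as_of, max_age_days=365):
    """Compare required controls against published evidence for one framework.

    'missing' controls have no artefact at all; 'stale' ones have evidence, but
    nothing touched within max_age_days. Because CloudAudit lets a vendor publish
    once and update only on change, staleness is a question to raise, not a finding.
    """
    controls = index.get(namespace, {})
    cutoff = as_of - timedelta(days=max_age_days)
    covered, missing, stale = [], [], []
    for control in required:
        artefacts = controls.get(control)
        if not artefacts:
            missing.append(control)
            continue
        covered.append(control)
        if max(artefacts.values()) < cutoff:
            stale.append(control)
    coverage = len(covered) / len(required) if required else 1.0
    return {"covered": covered, "missing": missing, "stale": stale, "coverage": coverage}


if __name__ == "__main__":
    report = gap_report(build_index(SAMPLE_LISTING), "org.example.nist-800-53",
                        REQUIRED_CONTROLS, AUDIT_DATE)
    for key, value in report.items():
        print(f"{key}: {value}")
```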
According to the Internet Engineering Task Force (IETF) draft document, CloudAudit provides "a common interface, naming convention, set of processes and technologies utilizing the HTTP protocol to enable cloud service providers to automate the collection and assertion of operational, security, audit, assessment, and assurance information." CSA released CloudAudit as part of a free tool suite for cloud-based Governance, Risk and Compliance (GRC) in November 2010. The tool consists of a directory or common namespace that serves as an organized repository. Cloud computing providers can put whatever they want within the directories (PDF files, text documents, links to websites, etc.) to indicate how they are addressing requirements within various control frameworks. The first set of namespaces is compliance-driven, with a focus on PCI-DSS, HIPAA, COBIT, ISO 27002 and NIST 800-53.

Slide 32: IT Assurance Framework
ISACA's IT Assurance Framework™ (ITAF™) includes a section (3630.6) on outsourcing and third-party activities (see figure 1). Cross-references are included: COBIT® PO4, PO7, PO8, PO9, AI2 and AI5, and ISACA IT Audit and Assurance Guidelines (formerly IS Audit Guidelines) G4, G18, G32 and G37. These referenced documents provide useful technical assistance in conducting an IT audit for cloud computing.

Slide 33: IT Assurance Framework (cont.)
Obviously, the fact that a third party is involved means that direct auditing of the service entity may not be practical or even possible. ITAF also supplies a list of potential documents that could provide service audit information that should be relevant (see figure 2).

Slide 34: Information Security: International Standard (ISO 27001)
[Figure labels: ISO 27001 Objectives; Processes & Activities; Interdependent Approaches / Consideration; Domains; Supervision / Monitoring across Criteria / Functions.]
1. Security policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
Consideration of common errors in identifying objectives:
- Identifying a means as an end.
- Failing to consider each type and all types of objectives.
- Failing to consider the relationships between objectives.

Slide 35: Developing the IT Audit Plan and Related Monitoring by Management
Understanding the business + IT risk: understanding the IT environment in a business context.

Slide 37: Metha Suvanasarn: CGEIT; CRISC; CRMA; CIA; CPA. www.itgthailand.com