Cloud Computing: Audit Challenges

Cloud Computing:
Implementation Challenges
Marco Ramos
KPMG
marcoramos@kpmg.com
787-367-9057
Stay-or-go: In-House vs. The Cloud
• Power consumption
• Data Center Management
• Storage Management
• Ensuring availability
– Redundancy = $$$$$ x 2
• Virtualization
• Carbon footprint
Service Organizations vs. The Cloud
Service Organization: Pay-per-user; Fixed Fee
The Cloud: Pay-as-you-go; Transactional Basis
Independent Auditor’s Report SSAE #16 (formerly known as SAS70)
Approaches
In-house:
• Salary
• Hardware
– + Upgrade
– + Maintenance
• Licenses
• Backup
• Off-site
• Development
• Configuration
• Storage
• Network
SaaS:
• Large scale standardization
• Public vs. private: collaboration solutions
PaaS:
• Cost-effective and time saving to app development
• Faster set-up of development and testing environments
IaaS:
• Cost-effective
• Manage peak loads
In all cases:
• Business can focus on core activities
• Green IT
Implementation Challenges
• Data Privacy
• Security
• CAPEX vs. OPEX (fixed costs
vs. variable costs)
• Tax-related issues
• Regulatory ambiguity
• Cross-country: transfer of
data across borders
• Reliability and availability
• Transition and execution
risks
• Limited scope for
customization
• Cultural resistance (IT!)
• SLAs
• Ownership of data
• What happens at the end of the contract?
• What information the Cloud provider returns, in what format, and whether it is readable
• Performance (response time)
• Hardware decommissioning
More Challenges…
• Limited IT Budget: initial set-up & upgrades
• Scalability of systems: managing peak demands means investing in additional hardware & software that is under-utilized during non-peak loads
• Longer time setting up IT infrastructure
• Need for mobility
Larger benefits to
industry and market segments
• Government
• Healthcare
• Education
• SME/PyMes – competitive edge to reach IT resources of global companies: affordable, reliable, and flexible computing solutions, enabling them to compete more effectively with larger organizations
Cross-country Cloud:
Data transfer across borders
• Does the Cloud provider guarantee where data is hosted? i.e. Data Centers in Chicago, LA & NY, or in India, China, and Mexico?
• Canada’s Patriot Act does not allow IT projects
to use US-based hosting environments
• Germany and UK have regulations related to
email
Cloud DOES NOT MEAN
Dissolve IT staff!!!
The Company still needs:
• Technical support
• Network, provisioning, and user certification
• Increased bandwidth
• Training and On-boarding
Cloud Strategy
• Sponsored by the CIO
• Shift focus from configuration,
implementation, and maintenance of in-house
applications to implementing strategy and
meeting business needs
• It is a strategic business decision rather than a
purely technology decision
Green Computing:
Green IT
Axel E. Robert
Company
email@email.com
787-XXX-XXXX
Cloud Computing:
Security Challenges
Rory Rivera, PE, MSEE, MSM
Deep Logistics
email@email.com
Security is the Major Issue
Analyzing Cloud Security
• Some key issues:
– trust, multi-tenancy, encryption, compliance
• Clouds are massively complex systems, but they can be reduced to simple primitives that are replicated thousands of times, plus a set of common functional units
• Cloud security is a tractable problem
– There are both advantages and challenges
Former Intel CEO, Andy Grove: “only the paranoid survive”
General Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control
Security Relevant Cloud
Components
• Cloud Provisioning Services
• Cloud Data Storage Services
• Cloud Processing Infrastructure
• Cloud Support Services
• Cloud Network and Perimeter Security
• Elastic Elements: Storage, Processing, and Virtual Networks
Cloud Network and Perimeter
Security
• Advantages
– Distributed denial of service protection
– VLAN capabilities
– Perimeter security (IDS, firewall, authentication)
• Challenges
– Virtual zoning with application mobility
Security and Data Privacy Across
IaaS, PaaS, SaaS
• Many existing standards
• Identity and Access Management (IAM)
– IdM federation (SAML, WS-Federation, Liberty ID-FF)
– Strong authentication standards (HOTP, OCRA, TOTP)
– Entitlement management (XACML)
• Data Encryption (at-rest, in-flight), Key Management
– PKI, PKCS, KEYPROV (CT-KIP, DSKPP), EKMI
• Records and Information Management (ISO 15489)
• E-discovery (EDRM)
Cloud Security Challenges
Part 1
• Data dispersal and international privacy laws
– EU Data Protection Directive and U.S. Safe Harbor program
– Exposure of data to foreign government and data subpoenas
– Data retention issues
• Need for isolation management
• Multi-tenancy
• Logging challenges
• Data ownership issues
• Quality of service guarantees
Cloud Security Challenges
Part 2
• Dependence on secure hypervisors
• Attraction to hackers (high value target)
• Security of virtual OSs in the cloud
• Possibility for massive outages
• Encryption needs for cloud computing
– Encrypting access to the cloud resource control interface
– Encrypting administrative access to OS instances
– Encrypting access to applications
– Encrypting application data at rest
• Public cloud vs internal cloud security
• Lack of public SaaS version control
Additional Issues
• Issues with moving PII and sensitive data to the cloud
– Privacy impact assessments
• Using SLAs to obtain cloud security
– Suggested requirements for cloud SLAs
– Issues with cloud forensics
• Contingency planning and disaster recovery for cloud implementations
• Handling compliance
– FISMA
– HIPAA
– SOX
– PCI
– SAS 70 Audits
Cloud Migration and Cloud Security
Architectures
• Clouds typically have a single security architecture
but have many customers with different demands
– Clouds should attempt to provide configurable security
mechanisms
• Organizations have more control over the security
architecture of private clouds followed by
community and then public
– This doesn’t say anything about actual security
• Higher sensitivity data is likely to be processed on
clouds where organizations have control over the
security model
Putting it Together
• Most clouds will require very strong security
controls
• All models of cloud may be used for differing
tradeoffs between threat exposure and
efficiency
• There is no one “cloud”. There are many
models and architectures.
• How does one choose?
Cloud Computing:
Audit Challenges
John R. Robles
John R. Robles and Associates
www.johnrrobles.com
jrobles@coqui.net
787-647-3961
Cloud Computing: Audit Challenges
• Must
– Audit,
– Review, and
– Report
on the Internal Controls System surrounding the implementation and operations of Cloud Technology
• You must have an ICS, so let’s determine if it is effective and efficient (effective & efficient internal controls)
Cloud Computing: Audit Challenges
So you want to go to the Cloud or are already there? Then
• How did you identify the assets selected for cloud deployment?
• Did you evaluate risks related to those assets?
• For each asset, did you analyze risks to the organization if:
– Assets became widely public and widely distributed?
– Employees of our cloud provider accessed the assets?
– Cloud processes or functions were manipulated by an outsider?
– Cloud processes or functions failed to provide expected results?
– Information/data were unexpectedly changed?
– Assets were unavailable for a period of time?
Cloud Challenges: Audit Challenges
• How did you map assets to potential cloud deployment models?
– Public
– Private, internal/on-premises
– Private, external (including dedicated or shared infrastructure)
– Community; taking into account the hosting location, potential service provider, and identification of other community members
– Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside
• Did you evaluate relevant potential cloud service models and providers?
• Did you document the potential data flow?
Internal Control Framework
• Review internal control framework
– Control Environment (set up by BOD &
management)
– Organization's risk appetite
– Risk Assessments
– Control Activities
– Information and Communications Management
Systems
– Operations Monitoring
Cloud Computing – Maturity Model
Maturity Model for Internal Control
Columns: Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls
Level 0 - Non-existent
– Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
– Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.
Level 1 - Initial/ad hoc
– Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
– Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.
Level 2 - Repeatable but Intuitive
– Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe.
– Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.
Level 3 - Defined
– Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe.
– Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.
Level 4 - Managed and Measurable
– Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified.
– Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders.
Level 5 - Optimized
– Status of the Internal Control Environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement.
– Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective.
Cloud Computing: Now What?
• During the year, PRCCUG will:
– Have periodic meetings to discuss these
challenges
– Discuss solutions
– Present solutions from 1st Level vendors
– Provide networking among professionals
interested in Cloud Computing
Cloud Computing: Now What?
• Join us and the Puerto Rico Cloud Computing
and Green Computing User Group.
Questions and Answers!!