BKD Risk Management Cloud Security

CACUBO
Central Association of College & University
Business Officers
Kansas City
Winter Workshop
April 8, 2014
RISK
MANAGEMENT
AND CLOUD
SECURITY
Rodney A. Walsh, CGEIT, CRISC//Director of IT Risk Services
Paco Diaz//Senior Consultant II
Agenda
Define the cloud ecosystem
Business use of cloud services
Cloud service risks
Governance of the cloud – critical policies, procedures & controls
Third-party management considerations for the cloud
Risk Management &
Cloud Security
February 19, 2014
2
DEFINE THE CLOUD ECOSYSTEM
Define the Cloud Ecosystem
Cloud Computing: Cloud computing is a model for
enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and
released with minimal management effort or service
provider interaction. This cloud model is composed of
five essential characteristics, three service models, and
four deployment models.
Source: NIST Special Publication 800-145 - The NIST Definition of Cloud Computing
(http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf)
Define the Cloud Ecosystem
Essential Characteristics
 On demand self service
 Broad network access
 Resource pooling
 Rapid elasticity
 Measured service
Define the Cloud Ecosystem
Service Models
 Software as a Service (SaaS)
 Platform as a Service (PaaS)
 Infrastructure as a Service (IaaS)
Define the Cloud Ecosystem
[Figure: the three service models as a stack – SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service) – with vendor logos as examples of SaaS, including Apps for Business and Adobe Creative Cloud.]
Define the Cloud Ecosystem
Deployment Models
 Private cloud
 Community cloud
 Public cloud
 Hybrid cloud
Define the Cloud Ecosystem
Private Cloud
 Provisioned for a single organization
 May exist on or off site
 May be managed by the organization or outsourced
Define the Cloud Ecosystem
Community Cloud
 Provisioned for exclusive use by a specific community of organizations with shared concerns
 May be owned, managed & operated by one or more of the community organizations, a third party, or a combination
 May exist on or off site
Define the Cloud Ecosystem
Public Cloud
 Provisioned for open use by the general public
 Exists on the premises of the cloud provider
 May be owned, managed & operated by a business, academic or government organization, or a combination
Define the Cloud Ecosystem
Hybrid Cloud
 Combination of two or more distinct cloud infrastructures (private, community or public)
 The component clouds remain unique entities but are bound together so data & applications can move between them
Just Imagine
It would take over 132 billion 64GB iPads to hold all of the world's electronic data by 2015.
Source: 2011 Digital Universe Study: Extracting Value from Chaos
 Placed end-to-end, that many 64GB iPads would go around the world over 790 times.
 Two stacks of that many 64GB iPads would reach the moon, with a third stack 129,606 miles high.
 That many 64GB iPads would cost $92.76 trillion.
BUSINESS USE OF CLOUD SERVICES
Business Use of Cloud Services
"By 2016, the average personal cloud will synchronize and orchestrate at least six different device types."
Gartner Predicts 2013: Cloud Computing Becomes an Integral Part of IT.
Issue #3 – Developing a campus-wide cloud strategy.
EDUCAUSE "Top 10 IT Issues", 2013
Business Use of Cloud Services
Financial Savings
 Equipment
 Personnel
 Infrastructure
 Space & utilities
 Reduced obsolescence
 Reduced capital expenditures
 Reduced implementation costs
Business Use of Cloud Services
Increased Flexibility
 Rapid deployment
 Ability to add or reduce capacity
 On-demand provisioning
 Disaster recovery
 Business expansion (across town or across the globe)
Business Use of Cloud Services
Streamlined business development
 Focus on innovation & research
 Reduced effort on management, maintenance & support
 Simplified entry into or exit from business initiatives
 Increased access to technical expertise
Business Use of Cloud Services
“Slow transition to the Clouds continues.”
Kenneth C. Green- Campus Computing Project,
EDUCAUSE Annual Conference 10/17/2013.
[Chart: Higher Education Institutions With Cloud Computing Strategic Plan, 2009–2013; y-axis 0%–30%. Data labels present in the extracted text: 9%, 15%, 21%, 24%, 27%; their assignment to individual years is not recoverable from the extraction.]
Business Use of Cloud Services
Slow transition to the Clouds continues.
Kenneth C. Green- Campus Computing Project,
EDUCAUSE Annual Conference 10/17/2013.
Why so slow?
 Absence of provider offerings.
 Can’t visualize moving to the Cloud.
 Want to retain command, control &
computing.
 Let others make the journey first.
CLOUD SERVICE RISKS
Cloud Service Risks
[Chart: Number of Records Breached per year, 2005–2013, by sector (Non-Profit, Health Care, Gov/Military, Education); y-axis 0 to 8,000,000 records. Source: Privacy Rights Clearinghouse, as of 12/31/2013. Per-year values are not recoverable from the extracted text.]
Cloud Service Risks
Security
 Physical access to infrastructure,
systems & data
 Physical location of systems, data
 Logical access to the network, OS,
applications & databases
 Network & data segregation
Cloud Service Risks
Availability
 Cloud provider service interruptions
 Data location/availability for restoration
 Network/connectivity interruptions
 Failure of the provider to adhere to SLAs
 Service provider disaster recovery
Cloud Service Risks
Processing Integrity
 Adherence to change management procedures
 Incident management
 Failure of the provider to adhere to SLAs
• Timeliness
• Accuracy
• Authorization
• Completeness
Cloud Service Risks
Confidentiality
 Commingling of data & other assets with other tenants
 Unauthorized access to sensitive or trade secret information
Privacy
 International laws applying at the service provider's location
 Regulatory compliance/legal liability
 Breach & incident management
GOVERNANCE OF THE CLOUD
Critical Policies, Procedures & Controls
Governance of the Cloud
 Governance
 Risk Management
 Tools
Governance of the Cloud – Information Security
• Data life cycle
• Data classification
• Formal policies & procedures
Governance of the Cloud – Metrics
• Objectives
• Define metrics
• Periodic assessment & review
Governance of the Cloud – SLAs
• Access to data
• Appropriate controls
• Management, counsel, IT & business owners involved
Governance of the Cloud – Data Flow Analysis
• Understand the data life cycle
• Develop data-flow schematics
• Policies to review/update data flow documentation
Governance of the Cloud – Managing Computing Risk
• Application & technology inventory
• In conjunction with data flow analysis
• Address the risk at each layer of the cloud "stack"
Governance of the Cloud – Audit & Compliance
• Regulatory implications
• Use risk assessment tools and control frameworks
• Assess control maturity
• Vendor management
Governance of the Cloud – Control Frameworks (NIST, COBIT, CSA)
• CIS Security Metrics v1.0.0
• Cloud Security Alliance
• NIST SP 800-146
• NIST SP 500-293
Governance of the Cloud – Procedures/Tools Links
NIST Guidance
• http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
• http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf
Cloud Security Alliance (CSA)
• https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
• https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/
Information Systems Audit and Control Association (ISACA)
• http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/CloudComputing-Management-Audit-Assurance-Program.aspx
The Center for Internet Security (CIS)
• https://benchmarks.cisecurity.org/tools2/metrics/CIS_Security_Metrics_v1.1.0.pdf
THIRD-PARTY MANAGEMENT
CONSIDERATIONS FOR THE CLOUD
Third-Party Management
Use of the cloud
 Transfers risk to the provider
 Reduces the organization's direct control
Requires new control considerations
 Service-level management
 Third-party management
Third-Party Management
What Can You Do?
• Define service levels for financial reporting systems
• Create a framework to manage service level agreement KPIs
• Designate an individual responsible for monitoring & reporting service level performance
• Adopt an organization-wide vendor management policy for the selection of outsourced services
• Determine that, before selection, potential third parties are qualified on 1) capability to deliver the service and 2) a review of their financial viability
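The SLA management called for here (KPIs for each agreement, a designated owner who monitors and reports service level performance) and the availability risk listed earlier ("failure of the provider to adhere to SLAs") both come down to one recurring computation: measured availability over the contract's measurement period compared with the contractual target, with the contract's own exclusions applied. The Python below is an added example written for this page, not code from the presenters or from any cloud provider. The incident records, the March 2014 measurement window, the 99.9% target and the `counts_against_sla` exclusion flag are all constructed for illustration; a real check would be fed from the provider's status page or ticket export and the exclusion rule would mirror the contract's definition of "downtime".

```python
"""SLA availability KPI check against constructed incident records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    """One provider outage as recorded from a status page or ticket system."""
    start: datetime
    end: datetime
    counts_against_sla: bool = True   # False for contractually excluded windows, e.g. announced maintenance


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) pairs so that two tickets
    opened for the same outage are not counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_in_window(incidents, window_start, window_end):
    """Total SLA-relevant downtime, clipped to the measurement window."""
    clipped = []
    for inc in incidents:
        if not inc.counts_against_sla:
            continue
        s, e = max(inc.start, window_start), min(inc.end, window_end)
        if e > s:                       # drop incidents entirely outside the window
            clipped.append((s, e))
    return sum((e - s for s, e in merge_intervals(clipped)), timedelta())


def sla_report(incidents, window_start, window_end, target_pct):
    """Compare measured availability with the contractual target."""
    period = window_end - window_start
    down = downtime_in_window(incidents, window_start, window_end)
    availability = 100.0 * (1.0 - down / period)
    allowance = period * (1.0 - target_pct / 100.0)   # downtime the SLA permits in this period
    return {
        "availability_pct": round(availability, 4),
        "downtime": down,
        "allowance": allowance,
        "breached": availability < target_pct,
    }


# Constructed sample data: March 2014, four records from a hypothetical SaaS provider.
SAMPLE_INCIDENTS = [
    Incident(datetime(2014, 3, 5, 2, 0), datetime(2014, 3, 5, 2, 45)),
    Incident(datetime(2014, 3, 5, 2, 30), datetime(2014, 3, 5, 3, 10)),    # second ticket, same outage
    Incident(datetime(2014, 3, 20, 22, 0), datetime(2014, 3, 21, 0, 30),
             counts_against_sla=False),                                     # announced maintenance
    Incident(datetime(2014, 3, 31, 23, 0), datetime(2014, 4, 1, 1, 0)),     # runs past month end
]
WINDOW_START = datetime(2014, 3, 1)
WINDOW_END = datetime(2014, 4, 1)


def march_2014_report(target_pct=99.9):
    """KPI for the constructed March 2014 data: 130 min of downtime → 99.7088%."""
    return sla_report(SAMPLE_INCIDENTS, WINDOW_START, WINDOW_END, target_pct)


if __name__ == "__main__":
    for target in (99.9, 99.5):
        r = march_2014_report(target)
        print(f"target {target}%: availability {r['availability_pct']}%, "
              f"downtime {r['downtime']}, allowance {r['allowance']}, breached={r['breached']}")
```

Two design points carry the security value. First, overlapping tickets are merged and incidents are clipped to the window, so the KPI cannot be inflated or deflated by how the provider files tickets or where a month boundary falls. Second, the exclusion flag is explicit per record, which forces the reviewer to decide, against the contract text, which windows the provider may legitimately exclude; the same 130 minutes breaches a 99.9% target (44.64 minutes allowed) but not a 99.5% one, so the target negotiated for financial reporting systems is what decides whether a credit or escalation is due.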
Third-Party Management
What Can You Do?
• Third-party service contracts address risks, security controls & procedures for information systems &
• Procedures ensure that a formal contract is defined & agreed upon for all third-party services before work is initiated, including definition of internal control requirements & acceptance of the organization's policies & procedures
• A regular review of security, availability & processing integrity is performed for service-level agreements & related contracts with third-party service providers
Service Organization Control Reports

                      SOC 1                             SOC 2                                 SOC 3
Purpose               Report on controls relevant       Report on controls related to         Report on controls related to
                      to user entities' ICFR (1)        compliance & operations               compliance & operations
Use of Report         Restricted (2)                    Restricted (3)                        General
Report Detail         Includes testing detail           Includes testing detail               No testing detail
AICPA Interpretive    SSAE 16 & AICPA Guide             AT 101, Trust Services                AT 101 & Trust Services
Guidance                                                Principles, & AICPA Guide             Principles

(1) Internal Control Over Financial Reporting
(2) Service organization management, users, users' auditor
(3) Service organization management, users, knowledgeable parties
RISK MANAGEMENT AND CLOUD SECURITY
Thank You
Rodney A. Walsh, CGEIT, CRISC – Director of IT Risk Services
Paco Diaz, CISA – Senior Consultant II