BKD Risk Management Cloud Security

advertisement
CACUBO
Central Association of College & University
Business Officers
Kansas City
Winter Workshop
April 8, 2014
RISK
MANAGEMENT
AND CLOUD
SECURITY
Rodney A. Walsh, CGEIT, CRISC//Director of IT Risk Services
Paco Diaz//Senior Consultant II
Agenda
Define the cloud ecosystem
Business use of cloud services
Cloud service risks
Governance of the cloud – critical
policies, procedures & controls
Third-party management
considerations for the cloud
Risk Management &
Cloud Security
February 19, 2014
2
DEFINE THE CLOUD ECOSYSTEM
Risk Management &
Cloud Security
February 19, 2014
3
Define the Cloud Ecosystem
Cloud Computing: Cloud computing is a model for
enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and
released with minimal management effort or service
provider interaction. This cloud model is composed of
five essential characteristics, three service models, and
four deployment models.
Source: NIST Special Publication 800-145 - The NIST Definition of Cloud Computing
(http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf)
Risk Management &
Cloud Security
February 19, 2014
4
Define the Cloud Ecosystem
Cloud Computing: Cloud computing is a model for
enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing
resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly
provisioned and released with minimal management
effort or service provider interaction. This cloud model
is composed of five essential characteristics, three
service models, and four deployment models.
Source: NIST Special Publication 800-145 - The NIST Definition of Cloud Computing
(http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf)
Risk Management &
Cloud Security
February 19, 2014
5
Define the Cloud Ecosystem
Essential Characteristics
 On demand self service
 Broad network access
 Resource pooling
 Rapid elasticity
 Measured service
Risk Management &
Cloud Security
February 19, 2014
6
Define the Cloud Ecosystem
Service Models
 Software as a Service (SaaS)
 Platform as a Service (PaaS)
 Infrastructure as a Service (IaaS)
Risk Management &
Cloud Security
February 19, 2014
7
Define the Cloud Ecosystem
SaaS
PaaS
IaaS
Software as a Service
Platform as a Service
Infrastructure as a Service
Apps for Business
Adobe Creative
Cloud
Risk Management &
Cloud Security
February 19, 2014
8
Define the Cloud Ecosystem
Deployment Models
 Private cloud
 Community cloud
 Public cloud
 Hybrid cloud
Risk Management &
Cloud Security
February 19, 2014
9
Define the Cloud Ecosystem
Private Cloud
 Provisioned for single organization
 May exist on or off site
 May be managed by organization or
outsourced
Risk Management &
Cloud Security
February 19, 2014
10
Define the Cloud Ecosystem
Community Cloud
 Provisioned for exclusive use by a specific
community
 May be managed by one or more of the
community organizations
 May be managed by community organization
or outsourced
Risk Management &
Cloud Security
February 19, 2014
11
Define the Cloud Ecosystem
Public Cloud
 Provisioned for general public
 Exists on the premise of the cloud provider
 May be owned, managed & operated by a
business, academic or government
organization or a combination
Risk Management &
Cloud Security
February 19, 2014
12
Define the Cloud Ecosystem
Hybrid Cloud
 Combination of two or more distinct cloud
infrastructures
 Combines characteristics of private, public &
community clouds
Risk Management &
Cloud Security
February 19, 2014
13
Just Imagine
It will take over 132 billion 64GB iPads to
hold all of the world’s electronic data by
2015?
2011 Digital Universe Study: Extracting Value from Chaos
Placing that many 64GB iPads end-to-end, it
would go around the world over 790 times.
You could create two stacks of that many 64GB
iPads that would reach the moon and a 3rd stack
that would be 129,606 miles high.
That many 64GB iPads would cost $92.76 trillion
dollars.
Risk Management &
Cloud Security
February 19, 2014
14
BUSINESS USE OF CLOUD SERVICES
Risk Management &
Cloud Security
February 19, 2014
15
Business Use of Cloud Services
“By 2016, the average personal cloud
will synchronize and orchestrate at
least six different device types.
Gartner Predicts 2013: Cloud Computing Becomes an Integral Part of IT.
Issue #3– Developing a campus-wide
cloud strategy.
EDUCAUSE “Top 10 IT Issues”, 2013
Risk Management &
Cloud Security
February 19, 2014
16
Business Use of Cloud Services
Financial Savings
 Equipment
 Personnel
 Infrastructure
 Space & utilities
 Reduced obsolescence
 Reduced capital expenditures
 Reduced implementation costs
Risk Management &
Cloud Security
February 19, 2014
17
Business Use of Cloud Services
Increased Flexibility
 Rapid deployment
 Ability to add or reduce capacity
 On-demand provisioning
 Disaster recovery
 Business expansion (across town or across
the globe)
Risk Management &
Cloud Security
February 19, 2014
18
Business Use of Cloud Services
Streamlined business development
 Focus on innovation & research
 Reduced effort on management,
maintenance & support
 Simplified entry into or exiting from
business initiatives
 Increased access to technical expertise
Risk Management &
Cloud Security
February 19, 2014
19
Business Use of Cloud Services
“Slow transition to the Clouds continues.”
Kenneth C. Green- Campus Computing Project,
EDUCAUSE Annual Conference 10/17/2013.
Higher Education Institutions With Cloud Computing
Strategic Plan
27%
30%
24%
25%
21%
20%
15%
15%
9%
10%
5%
0%
2009
2010
2011
Risk Management &
Cloud Security
February 19, 2014
20
2012
2013
Business Use of Cloud Services
Slow transition to the Clouds continues.
Kenneth C. Green- Campus Computing Project,
EDUCAUSE Annual Conference 10/17/2013.
Why so slow?
 Absence of provider offerings.
 Can’t visualize moving to the Cloud.
 Want to retain command, control &
computing.
 Let others make the journey first.
Risk Management &
Cloud Security
February 19, 2014
21
CLOUD SERVICE RISKS
Risk Management &
Cloud Security
February 19, 2014
22
Cloud Service Risks
Number of Records Breached
Privacy Rights Clearing House--As of 12/31/2013
8,000,000
7,000,000
6,000,000
Non-Profit
Records
5,000,000
Health Care
4,000,000
Gov/Military
3,000,000
Education
2,000,000
1,000,000
0
2005
2006
2007
2008
2009
2010
Risk Management &
Cloud Security
February 19, 2014
23
2011
2012
2013
Cloud Service Risks
Security
 Physical access to infrastructure,
systems & data
 Physical location of systems, data
 Logical access to the network, OS,
applications & databases
 Network & data segregation
Risk Management &
Cloud Security
February 19, 2014
24
Cloud Service Risks
Availability
 Cloud provider service interruptions
 Data location/availability for restoration
 Network/connectivity interruptions
 Failure of the provider to adhere to SLAs
 Service provider disaster recovery
Risk Management &
Cloud Security
February 19, 2014
25
Cloud Service Risks
Processing Integrity
 Adherence to change management
procedures
 Incident management
 Failure of the provider to adhere to SLAs
•
•
•
•
Timeliness
Accuracy
Authorization
Completeness
Risk Management &
Cloud Security
February 19, 2014
26
Cloud Service Risks
Confidentiality
 Comingling of data & other assets
 Unauthorized access to sensitive or
trade secret information
Privacy
 International laws affecting service provider
location
 Regulatory compliance/legal liability
 Breach & incident management
Risk Management &
Cloud Security
February 19, 2014
27
GOVERNANCE OF THE CLOUD
Critical Policies, Procedures & Controls
Risk Management &
Cloud Security
February 19, 2014
28
Governance of the Cloud
 Governance
 Risk Management
 Tools
Risk Management &
Cloud Security
February 19, 2014
29
Governance of the Cloud
 Governance
 Risk Management
Information Security
 Tools
• Data life cycle
• Data classification
• Formal policies &
procedures
Risk Management &
Cloud Security
February 19, 2014
30
Governance of the Cloud
 Governance
 Risk Management
Metrics
 Tools
• Objectives
• Define metrics
• Periodic assessment &
Review
Risk Management &
Cloud Security
February 19, 2014
31
Governance of the Cloud
 Governance
 Risk Management
SLAs
• Access to data
• Appropriate Controls
• Management, counsel,
IT & business owners
involved
 Tools
Risk Management &
Cloud Security
February 19, 2014
32
Governance of the Cloud
 Governance
 Risk Management
Data Flow Analysis
• Understand life cycle
• Develop data-flow
schematics
• Policies to
review/update data
flow documentation
 Tools
Risk Management &
Cloud Security
February 19, 2014
33
Governance of the Cloud
 Governance
 Risk Management
Managing Computing
Risk
 Tools
• App & Tech Inventory
• In conjunction with data
flow analysis
• Address each layer of
cloud “stack” risk.
Risk Management &
Cloud Security
February 19, 2014
34
Governance of the Cloud
 Governance
 Risk Management
Audit & Compliance
• Regulatory implications
• Use risk assessment
tools and control
frameworks
• Assess control maturity
• Vendor management
 Tools
Risk Management &
Cloud Security
February 19, 2014
35
Governance of the Cloud
 Governance
 Risk Management
Control Frameworks
(NIST, COBIT, CSA)
CIS Security Metrics
v1.0.0
Cloud Security Alliance
NIST SP 800-146
NIST SP 500-293
 Tools
Risk Management &
Cloud Security
February 19, 2014
36
Governance of the Cloud
Procedures/Tools Links
NIST Guidance
•
http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
•
http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf
Cloud Security Alliance (CSA)
•
https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
•
https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/
Information System Audit and Control Association (ISACA)
•
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/CloudComputing-Management-Audit-Assurance-Program.aspx
The Center for Internet Security (CIS)
•
https://benchmarks.cisecurity.org/tools2/metrics/CIS_Security_Metrics_v1.1.0.pdf
Risk Management &
Cloud Security
February 19, 2014
37
THIRD-PARTY MANAGEMENT
CONSIDERATIONS FOR THE CLOUD
Risk Management &
Cloud Security
February 19, 2014
38
Third-Party Management
Use of the cloud
 Transfers risk
 Reduces control
Requires new control considerations
 Service-level management
 Third-party management
Risk Management &
Cloud Security
February 19, 2014
39
Third-Party Management
What Can You Do?
• Define service levels for financial report systems
• Create a framework to manage service level agreements KPIs
• A designated individual responsible monitoring & reporting
service level performance
• Organization vendor management policy for the selection of
outsources services
• Determines that, before selection, potential third parties are
qualified on 1) capability to deliver the service and 2) a
review of their financial viability
Risk Management &
Cloud Security
February 19, 2014
40
Third-Party Management
What Can You Do?
• Third-party service contracts address risks, security controls &
procedures for information systems &
• Procedures ensure that a formal contract is defined & agreed
upon for all third-party services before work is initiated,
including definition of internal control requirements &
acceptance of the organization’s policies & procedures
• A regular review of security, availability & processing integrity
is performed for service-level agreements & related contracts
with third-party service providers
Risk Management &
Cloud Security
February 19, 2014
41
Service Organization Control Reports
SOC 1
SOC 2
SOC 3
Purpose
Report on controls Report on controls
relevant to user
related to
compliance &
entities ICFR 1
operations
Report on controls
related to
compliance &
operations
Use of Report
Restricted 2
Restricted 3
General
Report Detail
Includes Testing
Detail
Includes Testing
Detail
No Testing Detail
AICPA
Interpretive
Guidance
SSAE 16
& AICPA Guide
AT 101,
Trust Services
Principles, &
AICPA Guide
AT 101 &
Trust Services
Principles
1Internal
Control Over Financial Reporting
Organization Management, Users, Users Auditor
3Service Organization Management, Users, Knowledgeable Parties
2Service
Risk Management &
Cloud Security
February 19, 2014
42
RISK MANAGEMENTAND CLOUD SECURITY
Thank
You
Rodney A. Walsh, CGEIT, CRISC
Director of IT Risk Services
Paco Diaz, CISA
Senior Consultant II
Risk Management &
Cloud Security
February 19, 2014
43
Related documents
Download