control and assurance issues in cloud adoption

CONTROL AND
ASSURANCE ISSUES IN
CLOUD ADOPTION
EVERY CLOUD
HAS A SILVER
LINING
INDRANIL MUKHERJEE
14th August 2012
ISACA SINGAPORE
Cloud Computing
- a genealogy perspective
-Born for CLOUD
Computing
“Indra” in Indian culture is the god of the clouds, which supply rain and thunder, and the weather is at his command. As controller of the megha (cloud), he is master of the clouds and is also known as Maghavan.
“Nil” means cloud or champion in Gaelic.
DISCLAIMER
Any views or opinions presented in this
Presentation are solely those of the author
and do not necessarily represent those of
his employers, past or present.
Any images used in this presentation are
either i)free of copyright or
ii) ISACA Copyright materials for free
distribution within the ISACA community.
Control & Assurance Issues
in Cloud Adoption I
4,000 business and IT managers across 7 countries
- Cloud Survey by the Ponemon Institute, commissioned by Thales
- July 2012 survey on perceptions and current practices relating to sensitive or confidential data in the cloud.
- Who is considered responsible for protecting this valuable and often regulated class of data – the cloud service provider or the cloud service consumer?
- The findings are also significant in explaining where data encryption is applied inside and outside the cloud and, most importantly, who manages the associated encryption keys.
# Specifically addresses questions about whether organizations apply encryption themselves before data leaves the organization’s environment, or whether encryption is expected to be a component of the cloud services they use.
Control & Assurance Issues
in Cloud Adoption II
What proportion of organizations are already transferring sensitive
data to the cloud?
- About 50% currently transfer sensitive or confidential data to the cloud
- Another 33% are very likely to transfer sensitive or confidential data to the cloud within the next 2 years.
Has the use of cloud computing for sensitive data increased or
decreased overall security?
39% believe cloud adoption has decreased their companies’ security
Who is responsible for data security in the cloud?
64% that currently transfer sensitive or confidential data to the cloud
believe the cloud provider has primary responsibility for protecting it
How much visibility do decision makers have regarding cloud
security?
Nearly two thirds of respondents say they do not know what cloud providers are actually doing to protect their sensitive or confidential data
Control & Assurance Issues
in Cloud Adoption III
Where is data encryption applied?
Almost half of the respondents say their organization applies persistent encryption to data before it is transferred to the cloud provider; the other half say they rely on encryption that is applied within the cloud environment.
Who manages the encryption keys when data is transferred to the
cloud?
- 36% say their organization has primary responsibility for managing the keys.
- 22% say the cloud provider has primary responsibility for encryption key management.
Even in cases where encryption is performed inside the enterprise, more than 50% hand over control of the keys to the cloud provider.
# Encryption is used for protecting stored data as well as in application-based encryption, which usually applies protection more selectively, potentially protecting individual data items
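The key-management finding above (encryption applied before upload, yet control of the keys often handed to the provider) is easier to reason about with a concrete client-side envelope-encryption flow. The Go program below is an added example written for this page; it is not code from the presentation, from ISACA or from any survey respondent. It assumes a customer-held key-encryption key (KEK), a constructed sample record, and uses only the Go standard library's AES-256-GCM. What reaches the provider is the envelope (ciphertext plus the data key wrapped under the KEK): without the KEK the provider cannot read the record, and, as the "loss of encryption keys" risk later in the deck implies, neither can the customer once the KEK is gone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing that leaves the customer's environment:
// the object ciphertext plus the data key wrapped under the customer's KEK.
type Envelope struct {
	WrappedDataKey []byte // data key encrypted under the customer-held KEK
	Ciphertext     []byte // object encrypted under the per-object data key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM and prefixes the random nonce so the
// ciphertext is self-describing. aad binds the ciphertext to an object name.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; it fails if the key is wrong or the data was tampered with.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptBeforeUpload runs inside the customer's environment. A fresh 256-bit
// data key protects the object; the KEK only ever wraps that data key.
func EncryptBeforeUpload(kek, plaintext []byte, objectName string) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, plaintext, []byte(objectName))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dataKey, []byte(objectName))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// DecryptAfterDownload needs the KEK: whoever holds it controls the data.
// A provider that stores only the envelope, or a customer who lost the KEK,
// gets an error here rather than the record.
func DecryptAfterDownload(kek []byte, env Envelope, objectName string) ([]byte, error) {
	dataKey, err := open(kek, env.WrappedDataKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, []byte(objectName))
}

func main() {
	// Constructed sample values; a real KEK would come from the customer's HSM or KMS.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("customer 4711: account balance 12,000 SGD") // constructed sample record
	env, err := EncryptBeforeUpload(kek, record, "records/4711.json")
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped key\n",
		len(env.Ciphertext), len(env.WrappedDataKey))

	// The provider (no KEK) cannot recover the record.
	providerKey := make([]byte, 32)
	if _, err := DecryptAfterDownload(providerKey, env, "records/4711.json"); err != nil {
		fmt.Println("provider without KEK:", err)
	}
	// The customer with the KEK can.
	pt, err := DecryptAfterDownload(kek, env, "records/4711.json")
	fmt.Printf("customer with KEK: %q (err=%v)\n", pt, err)
}
```

The object name is passed as GCM associated data so that an envelope copied over another object's slot in storage fails to decrypt instead of silently returning the wrong record. Rotating the KEK only requires re-wrapping the small data keys, not re-encrypting every object.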
CONTROLS, CLOUDS & CONTENT
1 • Cloud Computing - The Basics
2 • Practical Challenges in a Cloud Environment
3 • ISACA‘s Control Objectives for Cloud Computing
Cloud Computing –
the Basics
WHAT IS CLOUD
COMPUTING
Enormous computing resources, deployed among virtual data centres, dynamically allocated to specific users & tasks, and accessed as a service via a user interface, such as an Internet browser.
Cloud computing is nothing but saving your work data in the clouds (i.e. on a third-party server) rather than on a local hard disk.
WHAT IS CLOUD
COMPUTING - the Lighter Side
CLOUD
CATEGORIES
Software as a Service (SaaS) is software offered by a third-party provider, available on demand, usually via the Internet, and configurable remotely.
Examples: Salesforce CRM, Google Docs
Platform as a Service (PaaS) allows customers to develop new applications using APIs deployed and configurable remotely; includes development tools, configuration management & deployment platforms.
Examples: Microsoft Azure, Force, Google App Engine
Infrastructure as a Service (IaaS) provides virtual machines and other abstracted hardware and operating systems which may be controlled through a service API.
Examples: Amazon EC2/S3, Windows Live SkyDrive, Rackspace Cloud
Cloud Computing - Categories
Infrastructure as a service
Software as a service
Platform
as a service
CLOUD TYPES - the Lighter Side
CLOUD DEPLOYMENT
MODELS ( ISACA Definition)
• Private cloud:
– Operated solely for an organization
– May be managed by the organization or a third party
– May exist on or off premise
• Community cloud:
– Shared by several organizations
– Supports a specific community that has a shared mission / interest
– May be managed by the organizations or a third party
– May reside on or off premise
• Public cloud:
– Made available to the general public or a large industry group
– Owned by an organization that sells cloud services
• Hybrid cloud:
– Composed of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)
Source: ISACA: page 122 of IT Control Objectives for Cloud Computing, 2011
CLOUD QUIZ
Which Cloud Framework
is named after the
Creator’s son’s toy
elephant?
HADOOP after Doug Cutting
son’s Toy elephant
Control & Assurance Issues - A case of
How to lose your Cloud based data
Last week, on 7th August 2012, a large enterprise that is synonymous with smartphones suspended its password resets following the hack of journalist Mat Honan's cloud account
- Support staff instructed not to process password change requests that come in via the phone.
- A customer service representative confirmed that it was halting all password resets by phone.
The password freeze lasted at least 24 hours while the company performed system-wide "maintenance updates".
Related content - it is still possible to change passwords of this vendor ONLINE!
The company says that its "internal policies were not followed completely" in the case that enabled the hackers. (http://www.macworld.co.uk/macsoftware/news/?newsid=3374449)
According to Honan, the hackers called the company, gave his name, address and the last four digits of his credit card (which they got from the cloud provider).
The company’s technical support reset his cloud account & issued a temporary password.
The cloud provider has also made security changes following the hack.
Previously it was possible for a hacker to access an account with just the name, email address, and mailing address of a customer. The changes have closed this loophole.
PRACTICAL
CHALLENGES
IN A CLOUD
ENVIRONMENT
Cloud Computing
-an Auditor's View
• Increased demand for Cloud Audits
• Current third-party controls may not be effective for Cloud ownership, insurance, project management & reporting / incident handling
Best Practice: 1) COBIT 5 – ISACA (http://isaca.org/COBIT/)
2) Cloud Audit Working Groups and Forums - Cloud Security Alliance (http://cloudsecurityalliance.org/) & ITIL
Tip: Use ITAF Guidelines for preparing the Cloud Audit Report
CLOUD RISKS- I
Policy and Organizational Risks
- Lock-in with a single Provider
- Loss of Governance
- Compliance Challenges, e.g. MAS Circular dated 14th July 2011
  http://www.nortonrose.com/knowledge/publications/54960/monetary-authority-of-singapore-circular-regarding-its-outsourcing-and-cloud-computing
- Loss of Business Reputation due to co-tenant activities
- Cloud service termination or failure
- Cloud Provider acquisition
- Supply Chain Failure
Legal Risks
- Subpoena and e-discovery
- Risk from changes in jurisdiction
- Data Protection risks
- Licensing risks
CLOUD RISKS-II
Technical Risks
- Resource exhaustion (under- or over-provisioning)
- Isolation Failure – resulted in the first documented Cloud security hack
- Cloud provider malicious insider - abuse of high-privilege roles
- Management interface compromise (manipulation, availability of infrastructure)
- Intercepting data in transit
- Data leakage on upload / download, intra-cloud
- Insecure or ineffective deletion of data
- Distributed Denial of Service (DDoS)
- Economic Denial of Service (EDoS)
- Loss of Encryption keys
- Undertaking Malicious probes or scans
- Compromise of the service engine
- Conflicts between customer hardening procedures and the cloud environment
RISKS NOT CLOUD SPECIFIC (that affect it)
- Network breaks
- Network Management (i.e. network congestion / mis-connection / non-optimal use)
- Modifying network traffic
- Privilege escalation
- Social Engineering attacks (i.e. impersonation)
- Loss or compromise of operational logs
- Loss or compromise of security logs (manipulation of forensic investigation)
- Backups lost / stolen
- Unauthorised access to premises (including physical access to machines and other facilities)
- Theft of computer equipment
- Natural disasters
Reference Source: ENISA - Cloud Computing - Benefits, Risks and Recommendations for Information Security, November 2009
ISACA
CONTROL
OBJECTIVES
FOR
CLOUD COMPUTING
IT CONTROL OBJECTIVES
for the Cloud -Introduction
- Consists of 5 Sections
- Has 2 Appendices
- Only 193 pages!
- Glossary has been updated over conventional ENISA / CSA definitions to include the concept of “Community Cloud”
The 5 Sections are
Preface - which includes the Cloud Computing Service Models (IaaS / PaaS / SaaS) and the Cloud Deployment Models.
Key updates – include the Community Cloud model, which could be business-process specific or industry-specific
Cloud Computing Fundamentals discusses cloud evolution, provides technical building blocks, cloud characteristics, cloud drivers and cloud computing challenges
IT CONTROL OBJECTIVES
for Cloud Governance
The third Section covers
Governance - which has the Cloud Computing IT Benefits / Value Enablement Risk and how to leverage Risk IT / Val IT / COBIT for the Cloud.
Key updates – include the “Outcome of Good Governance” and the Mapping of ISACA’s COBIT, Risk IT and Val IT Frameworks to Cloud Governance
IT CONTROL OBJECTIVES for
Security & Assurance in Cloud Computing
Section 4 covers
Whether Businesses are ready for the Cloud,
Risk Considerations,
Graduated Risk Responsibilities,
IAM (Identity and Access management),
Physical security, Operational Risk,
Security concerns and Secure Code
Section 5 includes
1) Common Framework CSP Applicability for Third-party Certification/
Examination – page 62/63,
2) Key elements of a Unified IT Compliance program – page 65
3) Assurance through the Vendor management process- page 66-68
Appendix A on page 69 has the IT Control objectives for Cloud
Computing
Appendix B –8 useful Templates/Frameworks for Audit & Assurance
Cloud Controls
-Summary/Recommendations
• Requests for third-party Cloud Audits will become more common
Ø  IT Control Objectives for Cloud Computing from ISACA
serves as a useful reference guide
Ø  Risk assessment / Risk based IT Audit aligned to the
COBIT 5 should be a good starting point
Ø  Check Compliance with local standards and guidelines
(MAS)
Ø  Map Business Goals to IT Processes and the maturity of
each Cloud deployment model against these attributes using
the Templates in the Appendix (Figure 3.8 , page 37, Page
169, Page 176)
REFERENCES / ACKNOWLEDGEMENTS
Author – Source
Samuel Greengard – A Clear View of Cloud Security, August 2012
ISACA – IT Control Objectives for Cloud Computing, 2011, V 1.0 Controls and Assurance in the Cloud
ISACA – IT Audits for Clouds and SaaS, Information Systems Control Journal, Volume 3, 2010
ENISA (European Network and Information Agency) – Cloud Computing - Benefits, Risks and Recommendations for Information Security, November 2009
QUESTIONS?
THANK YOU
FOR FEEDBACK/ COMMENTS
EMAIL : im0512@gmail.com