cloud_computing_risks - isaca

Nov 3, 2013


Cloud Computing Risk Assessments

Donald Gallien

March 31, 2011

www.isaca.org



Overview


Cloud Computing Refresher


Assessing Cloud Computing Universe Completeness


Using a Cloud Computing Risk Ranking Model


Risk Ranking Case Study


Quiz


What do the following have in common?


Paisley GRC


Salesforce.com


Amazon EC2


Google Apps


Microsoft Business Productivity Online Suite (BPOS)


Rackspace


WebEx


Cloud Computing Refresher




Cloud Computing Basics


Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid (Source: Wikipedia)


Based on virtualization and abstraction of the
underlying infrastructure


IT Audit Risk is largely driven by:


Deployment Model


Service Model


Nature of Applications & Data in Cloud




Deployment Models (Source: NIST)

Model | Definition | Example
Public | Available to the general public or a large industry group | Google Apps (Free)
Community | Shared by several organizations and supports a specific community that has shared concerns | Google Apps for Government
Private | Operated solely for an organization | Microsoft BPOS for a Business


Service Models (Source: NIST)

Model | Definition | Example
Infrastructure as a Service (IaaS) | Fundamental computing resources to deploy software, including OS and applications | Rackspace Cloud
Platform as a Service (PaaS) | Applications based on programming languages and tools supported by the cloud provider | Force.com
Software as a Service (SaaS) | Cloud provider applications running on a cloud infrastructure | Salesforce.com (CRM)


Another Way to Look at Service Models

Figure: the three service models ordered by how much control the provider keeps, from SaaS (most provider control) through PaaS to IaaS (least); examples shown on the figure: WebEx, BPOS, Amazon EC2.


Deployment Model Risk Profile

Figure: likelihood of data security, privacy, and control breach, from higher to lower: Public, Community, Private.

Service Model Risk Profile

Figure: impact of loss of control and security breach, from higher to lower: IaaS, PaaS, SaaS.


Cloud Refresher Summary


Public clouds are inexpensive, but provide less security and service


Private clouds are expensive, but align better with technology and security standards


IaaS models are very broad in scope, but organizations maintain more control


SaaS models are narrow in scope, but organizations relinquish almost all control

What is the impact of cloud computing on
the IT audit function?


But one thing never changes


All IT Audit and Governance groups must:

1.
Identify a Universe

2.
Risk Rank the Universe

3.
Provide Appropriate Coverage based on Risk


Assessing Cloud Computing
Universe Completeness




The Cloud Universe Challenge

Figure: properties of the cloud that make its audit universe hard to pin down: Dynamic, Flexible, Transient, Abstract, Rapidly Deployed.


Finding the Clouds

Figure: four control points for locating cloud usage: Technology Governance; Firewalls & Encryption Certificates; Invoices / Time & Expense Reporting; Process Walkthroughs.


Technology Governance




Oversight


Technology Approvals


Partner Approvals

How does your organization promote controlled cloud computing?


Firewalls and Encryption Certificates




Firewall & VPN Rule Changes


Firewall Logs


Encryption Certificate Requests

Cloud computing environments are unlikely to stand alone.


Invoices / T&E Reporting





Vendor Master


Invoice Lists


T&E Reporting

How much does it cost to deploy cloud based e-mail service at Google?


Process Walkthroughs


Business Process


Data Flow


Technology Overview

Has anyone discovered cloud based computing in a walkthrough meeting?


Summary


Universe Completeness


Cloud computing can be difficult to identify


Traditional technology governance, security, and procurement controls can be used to identify cloud computing


Users and business analysts could be your best source of cloud computing information

What else can you do to identify cloud computing?
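Putting the firewall-log and invoice control points above to work, as an added example (Python) that is not part of the original deck: it scans constructed firewall/proxy log lines for destinations belonging to the cloud providers named on the slides, aggregates traffic per provider, and reconciles the result against a constructed vendor master so that providers with traffic but no procurement record stand out. The log format, the domain-suffix list, the vendor master and the IP addresses are all assumptions made for the example.

```python
"""Cloud discovery from firewall/proxy logs cross-checked against the
vendor master. Added example, not from the original slides; the log
format, domain list and vendor records are all constructed here."""
from collections import defaultdict
import re

# Constructed firewall/proxy log lines: "<ts> <src_ip> <dst_host> <bytes>".
SAMPLE_LOG = """\
2011-03-01T08:01:12 10.1.4.22 login.salesforce.com 48211
2011-03-01T08:02:40 10.1.4.22 na1.salesforce.com 912778
2011-03-01T08:05:03 10.1.7.9 ec2-54-0-0-1.compute-1.amazonaws.com 12990
2011-03-01T08:06:55 10.1.7.9 s3.amazonaws.com 5522000
2011-03-01T08:09:17 10.2.1.30 mail.google.com 23801
2011-03-01T08:11:02 10.2.1.31 meetings.webex.com 88120
2011-03-01T08:12:48 10.3.0.5 intranet.example.internal 3310
2011-03-01T08:15:20 10.2.1.31 docs.google.com 77003
"""

# Constructed vendor master: providers that have an approved purchasing record.
VENDOR_MASTER = {"salesforce.com", "google.com", "webex.com"}

# Domain suffixes for the cloud providers named on the slides
# (assumption: the audit team maintains this list).
CLOUD_SUFFIXES = {
    "salesforce.com": "Salesforce.com (SaaS)",
    "amazonaws.com": "Amazon EC2/S3 (IaaS)",
    "google.com": "Google Apps (SaaS)",
    "webex.com": "WebEx (SaaS)",
    "rackspacecloud.com": "Rackspace Cloud (IaaS)",
    "microsoftonline.com": "Microsoft BPOS (SaaS)",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Return (src_ip, dst_host, bytes) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, host, nbytes = m.groups()
    return src, host.lower(), int(nbytes)


def match_provider(host):
    """Map a destination host to a provider by domain suffix. The match is on
    a label boundary, so 'notgoogle.com' is not treated as Google."""
    for suffix, label in CLOUD_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return suffix, label
    return None


def discover(log_text, vendor_master):
    """Aggregate traffic per cloud provider and record whether the provider
    appears in the vendor master. Traffic without a vendor record is cloud
    usage that procurement and governance never saw."""
    agg = defaultdict(lambda: {"label": "", "sources": set(), "bytes": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, host, nbytes = parsed
        hit = match_provider(host)
        if hit is None:
            continue
        suffix, label = hit
        entry = agg[suffix]
        entry["label"] = label
        entry["sources"].add(src)
        entry["bytes"] += nbytes
    return {
        suffix: {
            "label": e["label"],
            "sources": len(e["sources"]),
            "bytes": e["bytes"],
            "in_vendor_master": suffix in vendor_master,
        }
        for suffix, e in agg.items()
    }


def shadow_cloud(report):
    """Providers seen on the wire but absent from the vendor master."""
    return sorted(s for s, e in report.items() if not e["in_vendor_master"])


if __name__ == "__main__":
    rep = discover(SAMPLE_LOG, VENDOR_MASTER)
    for suffix, e in sorted(rep.items()):
        flag = "" if e["in_vendor_master"] else "  <-- no vendor record"
        print(f"{e['label']:<24} hosts={e['sources']} bytes={e['bytes']}{flag}")
    print("shadow cloud:", shadow_cloud(rep))
```

On the constructed log the Amazon traffic is the only provider with no vendor record, which is the case the slides are after: a team has stood up EC2/S3 on a credit card and nothing in technology governance or the vendor master shows it. The same reconciliation can be run the other way round, listing vendor master entries that generate no traffic at all, which usually means the cloud service is reached from somewhere the firewall does not see.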


Using a Cloud Computing Risk
Ranking Model




A few thoughts before we start


Risk models include elements of judgment and must fit the organization


Some model assumptions may be completely wrong for your organization


We should have a lot of debate on this topic


Risk ranking scores must drive governance requirements and audit activities



Cloud Risk Ranking Example


Potential Governance & Audit
Requirements


Deployment Model Considerations

Rank | Deployment Model | Rationale
High | Public | Security and privacy are not a priority; service level agreements may not exist
Medium | Community |
Low | Private | Private environments provide adequate security and privacy; service level agreements should exist


Service Model Considerations

Rank | Service Model | Rationale
High | IaaS | Issues may impact all hosted applications and data; no control over foundational general controls
Medium | PaaS | Impact limited to outsourced platform
Low | SaaS | Impact limited to applications and data


Data Security Considerations

Rank | Security Level | Rationale
High | Secret | Difficult to enforce security standards when outsourcing; difficult to demonstrate compliance with regulations like GLBA
Medium | Restricted |
Low | Unclassified | Security and privacy are not a concern (good candidate for cloud computing)


Physical Hosting Site Considerations

Rank | Hosting Site | Rationale
High | Undefined | May result in cross border data protection regulatory issues; difficult to demonstrate compliance with regulations like GLBA
Medium | International Location |
Low | Domestic Location | Minimizes concerns about cross border data protection regulations


SOX Criticality Considerations

Rank | SOX Critical | Rationale
High | Yes | SAS 70 reports (superseded by SSAE 16 / SOC 1 reports from June 2011) may not cover SOX critical application controls; business units may not have visibility or access to test SOX controls
Low | No | Non SOX critical applications may be good candidates for cloud computing


Dependent Applications

Rank | Number of Apps | Rationale
High | Greater than 10 | Implies complexity and greater organizational significance
Medium | 4 to 9 |
Low | Less than 3 | Implies simplicity and less organizational significance

(As written, the bands leave counts of exactly 3 and 10 unassigned; decide which band they fall in before scoring.)


Recovery Time Objectives (RTO) Considerations

Rank | RTO | Rationale
High | 4 Hours | Implies increased business importance; cloud provider may lack geographic diversity; single points of failure may exist in network
Medium | 7 Days |
Low | 31 Days | Implies lower business importance; good candidate for cloud computing


Regions Supported Considerations

Rank | Region | Rationale
High | Europe or Global | Strictest cross border data protection regulations; can be at odds with abstract cloud computing
Medium | United States |
Low | All Other | "Other" countries may have less restrictive cross border data protection regulations

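The attribute tables above, assembled into a runnable ranking model, as an added example (Python) rather than the presenter's own model: each attribute is ranked High/Medium/Low as the slides do, the ranks are scored 3/2/1 and summed, and the sum is mapped to a governance tier so the universe can be sorted highest risk first. The numeric scores, the equal weighting, the tier cut-offs, the way the gaps in the dependent-application and RTO bands are closed, and the three sample services are all assumptions made for the example.

```python
"""Cloud risk ranking model built from the attribute tables above.
Added example, not the presenter's own model: the numeric scores,
the tier cut-offs and the sample universe are assumptions."""
from dataclasses import dataclass

SCORE = {"High": 3, "Medium": 2, "Low": 1}
HOURS_PER_DAY = 24


@dataclass
class CloudService:
    name: str
    deployment: str      # public | community | private
    service_model: str   # iaas | paas | saas
    data_class: str      # secret | restricted | unclassified
    hosting: str         # undefined | international | domestic
    sox_critical: bool
    dependent_apps: int
    rto_hours: float
    region: str          # europe | global | us | other


def rank_deployment(d):
    return {"public": "High", "community": "Medium", "private": "Low"}[d]

def rank_service_model(m):
    # IaaS issues can hit every hosted app; SaaS impact stays with one app.
    return {"iaas": "High", "paas": "Medium", "saas": "Low"}[m]

def rank_data(c):
    return {"secret": "High", "restricted": "Medium", "unclassified": "Low"}[c]

def rank_hosting(h):
    return {"undefined": "High", "international": "Medium", "domestic": "Low"}[h]

def rank_sox(flag):
    # The slide gives SOX criticality only two values: Yes (High) or No (Low).
    return "High" if flag else "Low"

def rank_dependent_apps(n):
    # Slide bands are >10 / 4-9 / <3, which leave 3 and 10 unassigned;
    # assumption: close the gaps as >=10 / 4-9 / <=3.
    if n >= 10:
        return "High"
    return "Medium" if n >= 4 else "Low"

def rank_rto(hours):
    # Slide anchors: 4 hours (High), 7 days (Medium), 31 days (Low);
    # assumption: treat each anchor as the upper bound of its band.
    if hours <= 4:
        return "High"
    return "Medium" if hours <= 7 * HOURS_PER_DAY else "Low"

def rank_region(r):
    return {"europe": "High", "global": "High", "us": "Medium", "other": "Low"}[r]

def attribute_ranks(svc):
    """Per-attribute High/Medium/Low, following the slide tables."""
    return {
        "deployment": rank_deployment(svc.deployment),
        "service_model": rank_service_model(svc.service_model),
        "data": rank_data(svc.data_class),
        "hosting": rank_hosting(svc.hosting),
        "sox": rank_sox(svc.sox_critical),
        "dependent_apps": rank_dependent_apps(svc.dependent_apps),
        "rto": rank_rto(svc.rto_hours),
        "region": rank_region(svc.region),
    }

def composite_score(svc):
    """Unweighted sum: 8 (all Low) to 24 (all High). Equal weights are an
    assumption; most shops would weight data class and SOX more heavily."""
    return sum(SCORE[r] for r in attribute_ranks(svc).values())

def governance_tier(score):
    # Assumed cut-offs: these are exactly the knobs the deck says to debate.
    if score >= 18:
        return "High"
    return "Medium" if score >= 13 else "Low"

def rank_universe(universe):
    """Return (score, name, tier) tuples, highest risk first, so audit
    coverage can be allocated from the top of the list down."""
    scored = [(composite_score(s), s.name, governance_tier(composite_score(s)))
              for s in universe]
    return sorted(scored, key=lambda t: (-t[0], t[1]))


# Constructed sample universe; names and attribute values are illustrative.
UNIVERSE = [
    CloudService("CRM (SaaS)", "public", "saas", "restricted", "domestic",
                 True, 12, 4, "global"),
    CloudService("Dev sandbox (IaaS)", "public", "iaas", "unclassified",
                 "undefined", False, 1, 31 * HOURS_PER_DAY, "us"),
    CloudService("Gov records (community)", "community", "paas", "secret",
                 "international", False, 5, 24, "europe"),
]

if __name__ == "__main__":
    for score, name, tier in rank_universe(UNIVERSE):
        print(f"{score:2d}  {tier:<6} {name}")
```

Running it orders the three constructed services CRM (19, High), Gov records (17, Medium), Dev sandbox (15, Medium). Note what the equal weighting does: the sandbox with no regulated data still lands in the Medium tier purely because it is public IaaS with an undefined hosting site, which is the kind of outcome the deck expects you to argue about and then encode as weights or different cut-offs in SCORE and governance_tier.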

Summary


Cloud Risk Ranking Models


Cloud risk ranking attributes and scoring must vary based on environment and need


Risk attributes and scoring require alignment with organizational standards

What other risk attributes might you use, and how would you rank them on a high, medium, low basis?


Risk Ranking Case Study




Conclusions


Business and technology leaders are embracing cloud computing: it is here to stay and growing


Cloud computing standards and risk ranked cloud universes are foundational requirements for governance


We must adjust our approach to remain relevant


Questions

Contact Information:

donald.w.gallien@aexp.com