Uploaded by basheddock (Software Development), 21 Feb 2014

Cloud Computing Security and Governance
What Auditors Need to Know?


AICPA Upcoming Webcasts

May 25, 2011 (Wednesday) 2:00 to 3:30 EST
CITP Career Path
Jim Boomer, Jim Bourke, Ron Box, Chandni Sarawagi

2011 Top Technology Initiatives Webcast Series: Coming Soon!

www.aicpa.org/itinfocasts

Introductions

Sarah Adams
Sarah is a Director at Deloitte & Touche LLP with more than 20 years of audit, risk, and controls experience in both operations and technology, with extensive experience in risk assessments, quality assurance reviews and strategic assurance reviews. She has a strong background in IT and serves as the National Leader of Deloitte’s IT Internal Audit practice. She supports the Internal Audit function of multiple large, global retail, publishing, and technology companies.

Rob Zanella
Rob Zanella is Vice President of IT Compliance & Security for CA and is responsible for all compliance and security activities within Information Technology. Rob joined CA in 2005 as Director of Internal Audit to develop the company’s first IT Audit practice. Rob has over 25 years of IT experience in operations, software development, project management, auditing, compliance and security.

Agenda

- Introductions
- What is Cloud computing
- Key attributes
- Key drivers
- Cloud Risk Intelligence Map
- Role of Internal Audit
- Q & A

Poll Question # 1

What kind of entity do you work for?

A. Consulting Firm
B. Accounting Firm
C. Business and Industry
D. Government
E. Nonprofit


Cloud computing

Cloud computing represents a major shift in information technology architecture, sourcing, and services delivery.

Cloud computing has emerged based on the convergence of Internet technologies, virtualization, and IT standardization. Network-based applications and data services, decoupled from enterprise data centers, have evolved into a growing "cloud" of software services and methods of computing.

Industry analysts have defined capabilities and services offered by Cloud computing to include three major qualities:

- Abstracted hardware resources
- Consumed as variable expense
- Increased elastic capacity and capability

[Figure: “X-as-a-Service” Cloud ($15B, 2012), listing Software, Platform, Process, Testing, Infrastructure, Database, Management/Governance, Security, Storage, Information, Integration]

Cloud computing architectures

Cloud computing technology is deployed in three general types, based on the level of internal or external ownership and technical architectures.

Vendor Cloud (External)
Cloud computing services from vendors that can be accessed across the Internet or a private network, using systems in one or more data centers, shared among multiple customers, with varying degrees of data privacy control. Sometimes called “public” Cloud computing.

Private Cloud (Internal)
Computing architectures modeled after vendor Clouds, yet built, managed, and used internally by an enterprise; uses a shared services model with variable usage of a common pool of virtualized computing resources. Data is controlled within the enterprise.

Hybrid Cloud (Mixed)
A mix of vendor Cloud services, internal Cloud computing architectures, and classic IT infrastructure, forming a hybrid model that uses the best-of-breed technologies to meet specific needs.

Poll Question # 2

How would you describe your level of understanding of the cloud?

A. None - want to understand Cloud
B. Toe in the water
C. All in
D. I had nothing else to do today

Cloud computing services: X as a Service

Different types of Cloud computing services are grouped into specific categories: Infrastructure, Platform and Software services.

Infrastructure as a Service (IaaS)
- Definition: Delivers computer infrastructure, typically a platform virtualization environment, as a service. Service is typically billed on a utility computing basis and the amount of resources consumed.
- Customization: Customization where the technology being deployed requires minimal configuration.
- Operational Notes: Easier to migrate applications. The user of the Cloud maintains a large portion of the technical staff (Developer, System Administrator, and DBA).

Platform as a Service (PaaS)
- Definition: Delivers a computing platform as a service. It facilitates deployment of applications while limiting or reducing the cost and complexity of buying and managing the underlying hardware and software layers.
- Customization: Moderate customization; build applications within the constraints of the platform.
- Operational Notes: Applications may need to be rewritten to meet the specifications of the vendor. The user of the Cloud maintains a development staff.

Software as a Service (SaaS)
- Definition: Delivers software as a service over the Internet, avoiding the need to install and run the application on the customer's own computers and simplifying maintenance and support.
- Customization: Limited customization; existing applications will not be able to migrate.
- Operational Notes: Applications may need to be rewritten to meet the specifications of the vendor. The user utilizes the vendor's IT staff and has limited to no technical staff.

Sample services within the 3 categories of Cloud computing

There is an evolving “ecosystem” of service providers.

Software-as-a-Service:
- Customer Relationship Management: salesforce.com, myERP.com, Oracle OnDemand, RightNow
- Business Intelligence: SAS Suite of On-Demand Applications, Vitria M3O
- Human Resources: Oracle PeopleSoft, NetSuite ePayroll, Workday
- Productivity and Collaboration: Gmail, Google Apps, Zoho.com

Infrastructure-as-a-Service:
- Amazon Web Services: provides on-demand Cloud computing services using a variable cost model
- Amazon Virtual Private Cloud: provides a fully private Cloud services model using the Amazon cloud infrastructure
- Mozy.com: provides backup services over the Internet

Platform-as-a-Service:
- Google App Engine: allows Web applications to be deployed on Google’s architecture
- Microsoft Windows Azure: Cloud computing architecture that is offered to host .NET applications

Key attributes of Cloud computing

- Offsite: IT resources are accessed from an offsite data center that is not owned by you, thus yielding savings in cost of ownership, licenses etc.
- Virtual: Software stacks of databases, web servers, operating systems, storage, and networking are assembled virtually and accessed via the web.
- On-demand: Use as needed; resources can be turned on or off quickly and as needed, including storage capacity, databases, web servers and operating systems.
- Pay-per-use: Pay for what you need, not for unneeded capacity.
- Simple: Resources can be configured quickly and easily, e.g. leading Cloud computing platforms have open APIs.
- Massive scale: Access to extremely large infrastructure that would be challenging to build as a single entity.
- Storage capacity: The use of Cloud computing for storage capacity can be ideal, especially for spikes in usage. Because the use of the cloud entails low or no upfront capital cost and low ongoing operational costs, the ability to take advantage of pools of resources on demand in real-time can yield business advantage.
- Elasticity and resizability: Ability to respond highly flexibly, nearly instantaneously, to changes in load. With Cloud computing, an infrastructure supporting an application, business, or business process can be easily resized and right-sized, depending upon conditions.
- Collaboration: Shared environment; IT resources can be consolidated and many users share a common network, allowing costs to be managed.

Poll Question # 3

What is the general status of your Cloud computing environment?

A. No Cloud at this time
B. Cloud computing is in design/concept at this time
C. Cloud is being developed / pilot phase
D. Cloud computing environment is established
E. We use/have multiple cloud environments
F. Don’t know/unsure

Cloud computing drivers

Cloud computing is being driven by many urgent IT priorities:

Reduce amounts of IT capital equipment spending
- Lower implementation costs compared to on-premise solutions
- Less hardware to purchase and support; fewer assets on the balance sheet
- Fewer IT resources required in-house
- Costs are treated as operating expenses, not capital expenses

Gain flexibility and speed in implementations
- Allows greater flexibility and shorter time to implementation
- Shift IT from supporting the infrastructure to innovating
- Software maintenance and upgrades may be handled by Cloud providers
- Greater ability to flexibly respond to the business as needs change

Leverage IT technology evolution
- Rapidly changing technology standards and practices are driving enterprises to consider Cloud computing as a viable alternative

Top Cloud considerations & risks

Security tops Cloud concerns. A recent survey was conducted of 244 IT executives/CIOs about their companies’ use of, and views about, IT Cloud services. The biggest Cloud challenge reported was security.

Considerations around moving IT components into the Cloud:
- What corporate security policies are in place?
- What type of configuration management is used to protect against accidental changes that could negatively affect security?
- How is data backed up?
- How will availability objectives, recovery time objectives, and recovery point objectives be met?
- How will disaster recovery testing occur, and will clients have access to truthful results?
- Who will have access to the data?
- Where will the data be housed?
- Will you have accessibility to the data for audits, etc.?

Concerns by stakeholder:
- Consumer users: privacy, data usage
- Enterprise users: encryption, data integrity
- Service providers: cross-border issues, regulations

[Chart: How concerned are you with the following issues as they relate to cloud computing? Categories: Security, Control, Performance, Support, Vendor lock-in, Speed to activate new services/expand capacity, Configurability]
Data: InformationWeek Analytics Cloud computing Survey of 453 business technology professionals

Risks, Threats, Vulnerabilities (1/6)

Security Category: Availability

Risks, Threats & Vulnerabilities:
- Service Availability and Recoverability: The cloud provider may not be able to match in-house IT service availability, recovery time objectives (RTO), and recovery point objectives (RPO). Cloud providers may drastically change their business model or discontinue cloud services.
- Complexity: Complexity introduced by the cloud computing environment results in more pieces that can go wrong, and more complex recovery procedures.
- Single-Points-of-Failure: Even if the cloud environment is architecturally designed for high availability, single points of failure may exist in the access path to the cloud.
- Data Replication: Due to technical architecture complexity and potential restrictions by the cloud provider, replicating data back to the enterprise or to another provider may be difficult.
- Testing Constraints: Due to concerns about confidentiality and impact to other customers, cloud providers may place heavy constraints on disaster recovery testing activities.
- Over-Subscription Risk: In the event of a disaster, other customers may receive higher priority in recovery activities. As cloud providers shift from investment mode (to capture market share) to cost-cutting mode (to reach profitability), capacity may become constrained.

Risks, Threats, Vulnerabilities (2/6)

Security Category: Access

Risks, Threats & Vulnerabilities:
- Multi-Tenancy: Data is possibly exposed to 3rd parties due to lack of access controls on the cloud, allowing unauthenticated parties access to confidential data.
- Data Access: The cloud stores data without proper customer segregation, allowing possible disclosure to 3rd parties.
- Secure Data Deletion: Company data that was deleted may still be retained on servers or storage located in the cloud without the company knowing.

Risks, Threats, Vulnerabilities (3/6)

Security Category: Authentication

Risks, Threats & Vulnerabilities:
- External Authentication: Ownership and maintenance of credential repositories is the responsibility of an external party. Security leading practices cannot be guaranteed.
- Federated Authentication: Organizations implement single sign-on applications used by multiple business partners, but the SSO also grants access to sensitive internal information due to authentication mashups.
- Key Management: Any activity related to key generation, exchange, storage, safeguarding, use, vetting, and replacement that results in disclosure will provide access to infrastructure and data.
- Cloud to Cloud Authentication: One cloud provider will rely on a second cloud provider to authenticate a user’s identity, based on the first cloud passing a SAML assertion to the second cloud at the request of a user. Based strictly on the assertion, the second cloud provider will grant the user access to cloud resources. SAML assertions are susceptible to the following attacks: DoS, Man-in-the-Middle, Replay, and Session Hijacking.
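The cloud-to-cloud scenario above is only as strong as the checks the second cloud applies before trusting the assertion. The following is an added example, not code from the webcast or from any SAML library: a consumer-side validator that rejects tampered, mis-addressed, expired, unsolicited and replayed assertions. HMAC-SHA256 over a canonical JSON form stands in for XML-Signature so it runs offline, and the issuer, audience, key and assertion fields are all constructed for illustration.

```python
# Added example: HMAC stands in for the IdP's XML-Signature; all values are constructed.
import hashlib
import hmac
import json

IDP_KEY = b"constructed-idp-signing-key"       # hypothetical key shared with the IdP
EXPECTED_ISSUER = "https://idp.example.test"   # hypothetical first cloud (IdP)
EXPECTED_AUDIENCE = "https://sp.example.test"  # hypothetical second cloud (SP)
CLOCK_SKEW = 60                                # seconds of tolerated clock drift


def sign_assertion(assertion, key=IDP_KEY):
    """Stand-in for the IdP's signature: a MAC over the canonical assertion."""
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AssertionConsumer:
    """Second-cloud logic: grant access only if every check passes."""

    def __init__(self, key=IDP_KEY, skew=CLOCK_SKEW):
        self.key = key
        self.skew = skew
        self.pending = set()  # AuthnRequest IDs this SP issued and still awaits
        self.seen = {}        # assertion ID -> expiry: the replay cache

    def validate(self, assertion, signature, now):
        # 1. Integrity and origin: an in-transit edit (MITM) breaks the MAC.
        if not hmac.compare_digest(sign_assertion(assertion, self.key), signature):
            return (False, "bad signature")
        # 2. Issuer and audience: an assertion minted for another SP is not ours.
        if assertion.get("Issuer") != EXPECTED_ISSUER:
            return (False, "unexpected issuer")
        if assertion.get("Audience") != EXPECTED_AUDIENCE:
            return (False, "wrong audience")
        # 3. Validity window, with bounded clock skew in both directions.
        if now + self.skew < assertion["NotBefore"]:
            return (False, "not yet valid")
        if now - self.skew >= assertion["NotOnOrAfter"]:
            return (False, "expired")
        # 4. Replay: an assertion ID may be consumed exactly once.
        self._purge(now)
        if assertion["ID"] in self.seen:
            return (False, "replay")
        # 5. Unsolicited response: it must answer a request this SP actually sent.
        if assertion.get("InResponseTo") not in self.pending:
            return (False, "unsolicited")
        self.pending.discard(assertion["InResponseTo"])
        self.seen[assertion["ID"]] = assertion["NotOnOrAfter"] + self.skew
        return (True, assertion["Subject"])

    def _purge(self, now):
        # Drop replay-cache entries for assertions that could no longer validate.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}


def demo():
    """Constructed exchange: one valid login, then a replay and a tampered copy."""
    sp = AssertionConsumer()
    sp.pending.add("req-1")  # the SP sent AuthnRequest req-1 to the IdP
    assertion = {"ID": "a-1", "Issuer": EXPECTED_ISSUER, "Audience": EXPECTED_AUDIENCE,
                 "Subject": "alice@example.test", "InResponseTo": "req-1",
                 "NotBefore": 1000, "NotOnOrAfter": 1300}
    sig = sign_assertion(assertion)
    first = sp.validate(assertion, sig, now=1010)   # accepted
    replay = sp.validate(assertion, sig, now=1020)  # same ID again: rejected
    forged = dict(assertion, Subject="admin@example.test")
    tamper = sp.validate(forged, sig, now=1020)     # MAC no longer matches
    return first, replay, tamper
```

Audit point: each rejection reason is something the SP should log, since a burst of "replay" or "bad signature" results is the detectable footprint of the attacks the slide lists.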

Poll Question # 4

What is the primary driver of your use/planned use of cloud?

A. Cost savings
B. Increased capacity/availability
C. Flexibility to increase/decrease usage easily
D. Minimal capital investment
E. We don’t use the Cloud / Don’t plan to use the Cloud

Risks, Threats, Vulnerabilities (4/6)

Security Category: Regulatory

Risks, Threats & Vulnerabilities:
- Audit Rights: Organizational rights to perform audits, and to review performance against contracts or SLAs.
- Compliance: Migration to the cloud includes a more complex regulatory environment for some corporations.

Security Category: Integrity

Risks, Threats & Vulnerabilities:
- Shared Environments: Data in the cloud is in a shared environment alongside data from other customers.
- Data Monitoring: Changes made to data without knowledge of the data owners, or accidental overwrites due to collisions with the data storage techniques of the cloud provider.
- Data Encryption: Data at rest is not encrypted and is accessed by 3rd parties unknowingly due to faulty access controls.

Risks, Threats, Vulnerabilities (5/6)

Security Category: Privacy

Risks, Threats & Vulnerabilities:
- Legal Uncertainties:
  - Multiple jurisdictions increase regulatory complexity
  - Conflicting legal provisions create significant uncertainty in assessing compliance and risk
  - The Privacy and Data Protection legal landscape continues to evolve at a rapid pace
  - Data sharing agreements may be required before moving data to the cloud: Business associate agreements (HIPAA); Data controllers and third parties (EU DPD)
- Individual Rights/Confidentiality:
  - Strict terms of service are particularly important in the cloud to preserve individual privacy/confidentiality and to meet regulatory requirements to which the user is subject
  - The cloud facilitates the ability to use/share data across organizations and therefore increase secondary uses of data that may require additional consent/authorization
  - Data is easily accessible by a larger group of users and must be strictly controlled (protect data at rest)
- Breach/Disclosure:
  - Centralized data stores are especially prone to security breaches
  - Timely discovery and reporting of the breach by the cloud provider may be challenging

Risks, Threats, Vulnerabilities (6/6)

Security Category: Operational Security

Risks, Threats & Vulnerabilities:
- Vulnerability Management: One vulnerability has the potential to expose a large number of corporations' critical assets.
- Asset Management: Assets in the cloud are not properly managed and could leak critical company information or cause data exposures.
- Incident Response: Ownership, responsibilities, and actions during incident response are not defined.

Cloud Computing Risk Intelligence Map

Poll Question # 5

Which statement do you most agree with?

A. There are no new risks with Cloud computing; this is just a new version of what we've always dealt with
B. Although there are new risks with Cloud computing, we have reasonable mitigation strategies that can be implemented
C. There are significant new risks with Cloud computing

Role of Internal Audit (1/3)

Internal Audit can play the role of strategic advisor and assist the business to understand and manage the risks associated with Cloud computing.

Phases: Requirements; Vendor Selection; Implementation; Pilot / Test; Migration; Validate and Monitor

Implementation Phases:
- Understanding the business case
- Vendor evaluation and selection
- Update business case
- Prioritization of migration
- Vendor contract
- Network considerations
- Select area to pilot
- Migrate processes to test cloud
- Build infrastructure
- Migrate data and processes
- Decommission legacy systems

Risks Involved:
- Incomplete requirements
- Poorly designed business case
- Requirements are not aligned with corporate policies and requirements
- Incomplete selection criteria
- Controls not considered
- Insecure design, not fault tolerant
- Nonexistent/ineffective controls
- Inadequate testing
- Inadvertent exposure of data
- Business processes don’t work as expected
- Loss of financial records
- Loss due to inadequate monitoring
- Lack of understanding of vendor internal controls
- Excessive costs

Also noted on the slide: SAS70, ISO reviews / Right to Audit; Develop Requirements Specifications

Role of Internal Audit (2/3)

Sample support activities

Identify control requirements (requirements, vendor selection, implementation phases)
- Scope: identify controls to be implemented
- Value: IA can help understand and manage the risks and therefore support the business case

Vendor selection support (requirements, vendor selection phases)
- Scope: support the evaluation of vendors and ensure a balanced assessment
- Value: manages the significant risk that the selected vendor will not be around tomorrow, that internal technology won’t integrate, and the need for evidence of reliability

Vendor management review (vendor selection, implementation, validate and monitor phases)
- Scope: evaluate controls for managing vendor relationships (SLAs/OLAs), invoice review, escalation etc.
- Value: ensures that appropriate processes are in place to manage the significant new vendor relationship and maximize the value the company gets from it

Role of Internal Audit (3/3)

Sample support activities

Data migration assessment (implementation, pilot, migration phases)
- Scope: assess planned data migration scope and method as well as future state data interface design
- Value: helps the business and finance gain comfort around the plans for cut-over from old to new systems and for the completeness and accuracy of data transferred

PMO / Project management assessment (implementation, pilot, migration phases)
- Scope: review project management / PMO capabilities
- Value: ensures processes are in place that can support managing this complex and high-risk project to the greatest benefit in the shortest time

Controls review / assessment / test (all phases)
- Scope: perform review of controls to be put in place, test controls and provide advice on improvement
- Value: ensures IT and the business have taken appropriate steps to mitigate the implementation and business process risk that will arise as part of the implementation

Poll Question # 6

Do we need to have data classification policies prior to moving to the Cloud?

A. Why worry, the Cloud provider will take care of my data
B. Yes, we should, but need to move to the Cloud asap to save costs
C. Yes, however, we need to implement data classification policies
D. Don’t care

Service Organization Controls (SOC) Reports (formerly SAS70s)

The AICPA has outlined 3 types of SOC reports designed to help service organizations meet User Entity objectives:

- SOC 1 Report: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ISAE 3402/SSAE 16)
- SOC 2 Report: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (AT101 Attest Engagements)
- SOC 3 Report: Trust Services Report for Service Organizations (SysTrust/WebTrust)


AICPA Products Related to Service Organization Controls

The AICPA recently developed resources for CPAs, service organizations and user entities who need to build trust and confidence in outsourced services. The resources include:

- Online resource center: www.aicpa.org/SOC and www.aicpa.org/infotech
- Online brochure to provide an introduction to the concept of Service Organization Control (SOC) reports
- AICPA Alert: Service Organizations: New Reporting Options 2010/11 (NEW; IT Section members receive 10% off the purchase starting 01/11/11!)
- SSAE 16 Publication: http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/Standards/SSAEs/PRDOVR~PC-023035/PC-023035.jsp
- Two Service Organization Control (SOC) guides are under development

Q&A

More information is available at: aicpa.org/soc or aicpa.org/infotech

Also, for an overview of how guidance and reports have been developed in response to the explosive growth in cloud computing and outsourcing, watch the video with AICPA President & CEO Barry Melancon, CPA:
http://www.aicpa.org/NEWS/AICPATV/ACCOUNTINGAUDITING/Pages/ServiceOrganizationControlReports.aspx

Poll Question # 7

If you had to determine what to accept from a Cloud provider, what would you require?

A. A SAS70 or SysTrust independent attestation
B. An attestation against a new Standard, which should be developed
C. A review of the Provider’s controls by the User’s Internal Audit function
D. A self-assessment provided by the Provider
E. Don’t know

Q&A

Questions, References and Contact Info

Rob Zanella
VP, IT Service Management
Robert.Zanella@ca.com

IT Community Benefits at a Glance

IT Section Members Receive:

- Discounts on educational programs, such as AICPA Tech+ Conference, National Advanced Accounting and Auditing Technical Symposium (NAAATS), Controller’s Conference and IT Audit School Program.
- Discounts on valuable software and tools, including IDEA products.
- Free monthly web seminars on topics critical to CPAs (plus an opportunity for CPE discounts!)
- Valuable technology content, including discussion papers, studies, and practice aids.
- Communications, including electronic newsletter, podcasts, featured articles, profiles, and news about the profession and the IT Community.
- Networking groups and IT Community events at Tech+ Conference

CITP Credential holders automatically receive IT Section Membership, plus:

- Differentiation from CPAs and other technology and financial management professionals.
- Customizable marketing materials, including targeted brochures that highlight your ability to leverage technology for real business results.
- CITP Networking Groups
- Additional discounts, including a $125 discount on conference registration to Tech+, National Advanced Accounting and Auditing Technical Symposium (NAAATS) and Controller’s conferences.

To find out more about the IT Section membership or the Certified Information Technology Professional (CITP) Credential, please go to www.aicpa.org/infotech for more details.