Cloud Security Issues 1.04.10

Cloud Security and Audit Issues 1 Rapp Consulting peet.rapp@yahoo.com

Agenda Cloud Computing 101 Reality Check Security Issues ISACA Member Responsibilities What’s Missing 2 Rapp Consulting peet.rapp@yahoo.com

Cloud Computing 101 Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. - NIST Definition of Cloud Computing 3 Rapp Consulting peet.rapp@yahoo.com

Cloud Computing 101 History - Definitions Distributed Centralized De-Centralized Re-Centralized Applications System Platform Hardware 1970 2010 Per Novell Cloud Presentation 09/09 4 Rapp Consulting peet.rapp@yahoo.com

Cloud Computing 101 History - Definitions 5 Rapp Consulting peet.rapp@yahoo.com

Basic Concepts – Cloud Enabling Technologies / Functions SOA - XML – API Hypervisor Dynamic Partitioning API - Application Programming Interface Server Optimization OS / Application / Data Server Migration Client CPU/Memory Utilization Monitoring 6 Rapp Consulting peet.rapp@yahoo.com

Basic Concepts – Enabling Technologies Dynamic Partitioning – the variable allocation of cpu processing and memory to multiple OS’s, applications, and data within one server Rapp Consulting peet.rapp@yahoo.com

Basic Concepts – Cloud Enabling Technologies / Functions SOA – XML -API Hypervisor Dynamic Partitioning Load Balancing / Server Optimization OS / Application / Data Server Migration Client CPU/Memory Utilization Monitoring 8 Rapp Consulting peet.rapp@yahoo.com

Cloud Computing 101ASPs vs SaaS ASPs are traditional, single-tenant applications, hosted by a third party. SaaS applications are multi-tenant, user facing, web-based applications hosted by a vendor 10 Rapp Consulting peet.rapp@yahoo.com

Cloud Computing 101PaaS A Development Environment (Platform) as a Service. Developer Tool Kits provided. “Pay as you develop/test” business model Rapid Propagation of Software Applications – Low Cost of Entry 12 Rapp Consulting peet.rapp@yahoo.com

Cloud Computing 101IaaS The “Bare Metal” Infrastructure as a Service ,[object Object],application software ,[object Object],13 Rapp Consulting peet.rapp@yahoo.com

Cloud Computing 101 - Service Delivery Models SaaS Software as a Service PaaS Platform as a Service IaaS Infrastructure as a Service 14 Rapp Consulting peet.rapp@yahoo.com

Cloud Deployment Models Public cloud Sold to the public, mega-scale infrastructures Private cloud Enterprise-owned or leased to a Single Client Community cloud Shared infrastructure for a Specific Community Hybrid cloud Composition of two or more Cloud Models 15 Rapp Consulting peet.rapp@yahoo.com

Cloud Computing 101 16 Rapp Consulting peet.rapp@yahoo.com

Cloud Computing 101 17 Rapp Consulting peet.rapp@yahoo.com

Reality Check The Cloud Is and Will Happen Current Major Players – IaaS, PaaS Amazon Web Services, ATT, IBM Rackspace, Terramark, Savvis Current Major Players - SaaS FaceBook, Salesforce.com, Google (Gmail), Netsuite 18 Rapp Consulting peet.rapp@yahoo.com

Reality Check 19 Rapp Consulting peet.rapp@yahoo.com

Reality Check 20 Rapp Consulting peet.rapp@yahoo.com

Reality Check Spending Forecasts 21 Rapp Consulting peet.rapp@yahoo.com

Claimed Cloud Computing Business Advantages Optimizes Server Utilization Cost Savings Dynamic Scalability Time Savings for New Programs Right-sizes your enterprise Outsources IT Transitions CAPEX to OPEX 22 Rapp Consulting peet.rapp@yahoo.com

Excellent Cloud Examples NASDAQ / NYT SalesForce.com Signiant ThinLaunch Software Intuit QuickBase Webroot 23 Rapp Consulting peet.rapp@yahoo.com

A Disruptive Technology The Cloud Reshuffles the IT deck Shrink Wrapped Application s and Enterprise-Sized will migrate to Online Apps, Possibly Open-Sourced OS will tend towards web-partial systems Desktops and Notebooks Lose Hard Drives Businesses’ IT Staffing Requirements Will Drop 24 Rapp Consulting peet.rapp@yahoo.com

Claimed Cloud Computing Business Advantages 25 Rapp Consulting peet.rapp@yahoo.com

Current Press Status The Majority of Press Coverage supports Service Providers attempting to gain mindshare. Most IT Analysis is very positive about (hyping) the merits of the cloud. Very little is written of Cloud Security or its Audit- ability 26 Rapp Consulting peet.rapp@yahoo.com

The Gartner Hype Curve 27 Rapp Consulting peet.rapp@yahoo.com

The Gartner Hype Curve 28 Rapp Consulting peet.rapp@yahoo.com

Company/Product Life Cycle: Key to Understanding Opportunities Phase II Rapid Market Growth Through Internal Expansion and Acquisition Phase IV Sustained Niche or “Last One Standing” Phase III Maturation & Consolidation Phase I Business Start-up & Product Rollout B Output A C D Time Start-up Capital > Labor/Facilities/Capital > Minimize Cost > Sustained Market Critical Decisions Made in Phase III A: Attempt to go back to Phase II (new market expansion/product improvements) B: Consolidate with competition to grow share in a shrinking market C: Go/stay private with niche operation and proceed to Phase IV D: Continue to enhance productivity to sustain margins (production improvements/cost takeouts) Moran, Stahl & Boyer 29 Rapp Consulting peet.rapp@yahoo.com

Current Press Status The Majority of Press Coverage supports Service Providers attempting to gain mindshare. Most IT Analysis is very positive about (hyping) the merits of the cloud. Very little is written of Cloud Security or its Audit- ability 30 Rapp Consulting peet.rapp@yahoo.com

Reality Check Greatest concerns surrounding cloud adoption at your company (per CIO) Security 45% 31 Rapp Consulting peet.rapp@yahoo.com

Security Issues “Cyber Crime in 2008 measured more to be a larger societal loss than illegal drugs. “The main objective of most attackers is to make money. The underground prices for stolen bank login accounts range from $10–$1000 (depending on the available amount of funds), $0.40–$20 for credit card numbers, $1–$8 for online auction site accounts and $4–$30 for email passwords.” Symantec Global Internet Security Threat Report – April 2009 32 Rapp Consulting peet.rapp@yahoo.com

Security Issues “Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century. The digital infrastructure’s architecture was driven more by considerations of interoperability and efficiency than of security.” White House Cyberspace Security Review May 2009 33 Rapp Consulting peet.rapp@yahoo.com

Security Issues 34 Rapp Consulting peet.rapp@yahoo.com

Reality Check Greatest concerns surrounding cloud adoption at your company (per CIO) Security 45% Integration with existing systems 26% Loss of control over data 26% Availability concerns 25% Performance issues 24% IT governance issues 19% Regulatory/compliance concerns 19% 35 Rapp Consulting peet.rapp@yahoo.com

Cloud Security & Control Groups ENISA Cloud Security Alliance – CSA ISACA DMTF NIST Jericho Forum Apps.gov OWASP Rapp Consulting peet.rapp@yahoo.com 36

Cloud Security Alliance Members Rapp Consulting peet.rapp@yahoo.com 37

Cloud Security Alliance Members Rapp Consulting peet.rapp@yahoo.com 38

Cloud Security Alliance 39 Rapp Consulting peet.rapp@yahoo.com

ISACA 40 Rapp Consulting peet.rapp@yahoo.com

ENISA 41 Rapp Consulting peet.rapp@yahoo.com

DMTF 42 Rapp Consulting peet.rapp@yahoo.com

DMTF 43 Rapp Consulting peet.rapp@yahoo.com

Security Issues Data Location SaaS Clients’ data co-mingled Forensics Possible? Penetration Detection & Multi-Client UA Public Cloud-Server Owner – Due Diligence? Data Erasure? 44 Rapp Consulting peet.rapp@yahoo.com

Current Regulations PCI Compliance States’ PII requirements Sarbanes Oxley HIPAA 45 Rapp Consulting peet.rapp@yahoo.com

Current Regulations & Standards 46 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Greatest concerns surrounding cloud adoption at your company (per CIO) Security 45% Integration with existing systems 26% Loss of control over data 26% Availability concerns 25% Performance issues 24% IT governance issues 19% Regulatory/compliance concerns 19% 47 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities 48 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Ensure Organization’s Key Players Aware of Cloud Security Issues Audit Data / Applications targeted for Cloud Computing Input / Review Cloud Provider’s SLA Agreement Strengthen internal IAM Program Rapp Consulting 49 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Ensure Organization’s Key Players Aware of Cloud Security Issue Target respected type “A”champions Business Application Owners Corporate Attorneys CxOs HR 50 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Audit Data/Applications targeted for Cloud Computing Data Mapping What is the application data’s internal security level? Who are the Data Owners? What Type of Cloud (public, private, etc) is targeted? 51 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Input / Review Cloud Provider’s SLA Open Sourced API’s, etc XACML-based IAM program Security Transparency Ownership of Data Audit at Will DR/BC policy and practice Return of application and data policy 52 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Ensure Organization’s Key Players Aware of Cloud Security Issues Audit Data / Applications targeted for Cloud Computing Input / Review Cloud Provider’s SLA Agreement Strengthen internal IAM Program 53 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Strengthen IAM Program 54 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Strengthen Identity – Access Management Program XACML Based IAM program Federated User Access – integrated across both cloud and internal enterprise Aligned with compliance requirements SSO – (Single Sign On) IAM Security Monitoring – Reporting Oppty to implement risk-based provisioning Rapp Consulting Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities KEY TAKE-AWAY #1 Cloud Computing should provide organizations sufficient- enough costs-savings to afford investments in required best – practice IS security measures. 56 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities KEY TAKE-AWAY #2 Employ the same best-practice audit and risk management principles for cloud computing as you have been trained for and have used (or should be using) your entire career. 57 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Key Take Away #3 Develop an Overarching Business Impact Analysis Moving an Application / Data to the cloud 58 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Cloud computing can be evaluated much in the same way as a new operating system. And yet, it's somethng more as well. It has the usual system services but also some fantastic ones -- unlimited memory, unlimited storage, unlimited network bandwidth, unlimited (and on-demand) scalability and parallelism http://www.ddj.com/web-development/220300736?pgno=4 59 Rapp Consulting peet.rapp@yahoo.com

Claimed Cloud Computing Business Advantages 60 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities This fundamental difference between probabilistic risk and risk introduced by an intelligent adversary (or adaptive threats) leads to the conclusion that more understanding of the cyber security issues and impacts that are possible on the electric grid is needed. Indeed, there really is no statistical norm for the behavior of cyber attackers and information systems and components failure, and their potential impacts to grid reliability. NERC - 2009 Long-Term Reliability Assessment 61 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities What are the pure goals of auditing? 62 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities What are the pure goals of auditing? Transparency and Accountability 63 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities CRM Cloud App Suppliers Internal Enterprise ERP Cloud App Distribution Resellers 64 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Stock Opt CRM Cloud App HR Suppliers Internal Enterprise ERP Cloud App Cust Service Distribution Resellers Advrtz 65 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities 66 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities There needs to be rock-solid security, and annual (or when changes occure) audit-to-certification standards developed for Cloud Service Providers (CSPs) 67 Rapp Consulting peet.rapp@yahoo.com

What’s Needed The current US military “jeep” 68 Rapp Consulting peet.rapp@yahoo.com

What’s Needed The HUMVEE’s Replacement: The M-ATV 69 Rapp Consulting peet.rapp@yahoo.com

ISACA Member Responsibilities – Opportunities Summary – ,[object Object]

Is CSP promoting best security practices?

Upgrade Current Internal IAM program

Insist on “SAS70” type audit from partners and outsource providers of their cloud enterprises70 Rapp Consulting peet.rapp@yahoo.com

What’s Still Needed Commercial Cloud Applications Security Standards. Training & Certification requirements for Individual Cloud Developers Cloud Service Providers Cloud Security Tool Providers 71 Rapp Consulting peet.rapp@yahoo.com

What’s Still Needed Best Practice Standards for Internal Audits of Enterprises Employing Cloud Applications. Combination of the ENISA cloud risk assessment with the financial Shared Assessment program Implement an annual Know Your Client (KYC) type audit/certification for all clients and cloud services providers. 72 Rapp Consulting peet.rapp@yahoo.com

Cloud Security Issues 1.04.10

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (19)

Ähnlich wie Cloud Security Issues 1.04.10

Ähnlich wie Cloud Security Issues 1.04.10 (20)

Cloud Security Issues 1.04.10

Hinweis der Redaktion