ISACA CSX: Security Considerations for Cloud Computing
Andrej Orel, Marand d.o.o. & ISACA Slovenia Chapter
AOrel-ISACA Security v 1 - CSA CEE Summit · 2018. 2. 22.
www.marand.com

Page 1: Title slide (ISACA CSX: Security Considerations for Cloud Computing; Andrej Orel, Marand d.o.o. & ISACA Slovenia Chapter)

Page 2: Agenda (ISACA, CSX, COBIT5, CLOUD, SECURITY…)

1 About ISACA
2 About COBIT
3 COBIT 5 for Information Security
4 The Cloud
5 Security of Cloud
6 Deployment of Cloud
7 The End

Page 3: ABOUT ISACA (section divider)

Page 4: ISACA FACTS

• ISACA® is the voice of the information systems audit, IT governance, risk management and cybersecurity professions.

• ISACA® offers industry-leading knowledge, standards, credentialing and education, and thus enables professionals to apply technology in ways that instil confidence, address threats, drive innovation and create positive momentum.

• ISACA® is the creator of the COBIT® framework, which helps organizations effectively govern and manage their information and technology.

• ISACA® helps organizations develop skilled cyber workforces through its Cybersecurity Nexus (CSX®).

Page 5: ISACA MEMBERSHIP AND CHAPTERS

• Established in 1969.

• ISACA is a global nonprofit association of 140,000 professionals in 187 countries.

• Its members include internal and external auditors, CEOs, CFOs, CIOs, CTOs, CISOs, various educators, information security and control professionals, business managers, students, and IT consultants.

• ISACA has more than 215 chapters in more than 92 countries.

• In Slovenia there is a "Slovenia Chapter", founded more than 20 years ago and consisting of about 150 members.

Page 6: ISACA ACTIVITIES & CERTIFICATIONS

• Certified Information Systems Auditor (CISA), a designation for experienced IS audit, control and security professionals.

• Certified Information Security Manager (CISM), a designation for leading managers of information security.

• Certified in the Governance of Enterprise IT (CGEIT), for those who manage, provide advisory and/or assurance services, or otherwise support the governance of enterprise IT.

• Certified in Risk and Information Systems Control™ (CRISC™), for IT professionals who have experience with risk identification, assessment and evaluation; risk response…

Page 7: ISACA CORNERSTONES

• Cybersecurity Nexus (CSX) (https://cybersecurity.isaca.org) includes:
  • Fundamental and skills-based cybersecurity CSX certification and training on various levels
  • The Nexus, a free monthly newsletter
  • CSX conferences, expanding globally
  • Cybersecurity research, guidance, training, education and collaboration
  • Cybersecurity Career Road Map
  • Threats and Controls tool

• COBIT®5, a business framework to better manage and govern an organization's information and technology

Page 8: ABOUT COBIT®5 (section divider)

Page 9: COBIT – 20 YEARS ALREADY

"COBIT* was developed 20 years ago to help enterprises optimize the value of their critical information assets. Now in version 5, COBIT helps enterprise leaders, managers and IT professionals protect the integrity of their enterprise's information and 'get more' from their information systems, now and in the years to come."

(An ISACA professional, somebody from the ISACA community)

*COBIT: Control Objectives for Information and related Technology

Page 10: THE COBIT 5 FRAMEWORK

• Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.

• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.

• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

Page 11: COBIT 5 PRINCIPLES (figure)

Page 12: COBIT 5 ENABLERS (figure)

Page 13: GOVERNANCE AND MANAGEMENT

• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM: evaluate, direct, monitor).

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM: plan, build, run, monitor).

Page 14: BUSINESS FRAMEWORK FROM ISACA (figure: evolution of scope)

Evolution of scope, from audit to governance of enterprise IT:
• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management
• COBIT 4.0/4.1 (2005/7): IT Governance
• COBIT 5 (2012): Governance of Enterprise IT
• Alongside: Val IT 2.0* (2008) and Risk IT** (2009)

*Val IT is a governance framework; it can be used to create business value from IT investments (IT Governance Institute)
**Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT (ISACA)

www.isaca.org/cobit

Page 15: COBIT 5 FOR INFORMATION SECURITY (section divider)

Page 16: INFORMATION!

"Information is a key resource for all enterprises. Information is created, used, retained, disclosed and destroyed. Technology plays a key role in these actions. Technology is becoming pervasive in all aspects of business and personal life."

(A lot of unknown thinkers)

What benefits do information and technology bring to the organization?

Page 17: ISACA INFO SECURITY DEFINITION

"Information security is something that ensures that within the *enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability)."

(ISACA)

*ISACA refers to an organization by the term "enterprise".

Page 18: COBIT 5 FOR INFORMATION SECURITY

• Extended view of COBIT5
• Explains each component from the information security perspective

Page 19: WHAT DOES COBIT5 (FOR INFORMATION SECURITY) CONTAIN?

• Alignment with standards
• Enablers for support
• Principles from the infosec perspective
• Guidance on drivers and benefits

Page 20: DRIVERS & BENEFITS OF COBIT5

• Major drivers of COBIT5 for Information Security:
  • Need to describe information security in the enterprise context
  • Need for enterprises to keep risk at acceptable levels, maintain availability of systems, and comply with relevant regulation
  • Need to align and connect to major standards and frameworks
  • Need to link together relevant research and guidance

• Major benefits of COBIT5 for Information Security:
  • Reduced complexity and increased cost-effectiveness due to improved integration of information security standards
  • Increased user satisfaction with information security
  • Improved integration of information security in the enterprise
  • Informed risk decisions and risk awareness
  • Improved prevention, detection and recovery

Page 21: ENABLERS FOR IMPLEMENTATION

• COBIT 5 for Information Security provides specific guidance related to all enablers:
  • Information security policies, principles, and frameworks
  • Processes, including information security-specific details and activities
  • Information security-specific organizational structures
  • In terms of culture, ethics and behavior, the factors determining the success of information security governance and management
  • Information security-specific information types
  • Service capabilities required to provide information security functions to an enterprise
  • People, skills and competencies specific to information security

Page 22: PRINCIPLES, POLICIES & FRAMEWORKS

• The principles, policies and frameworks enabler refers to the communication mechanisms put in place to convey the direction and instructions of the governing bodies and management.

Page 23: PRINCIPLES & POLICIES + ATTRIBUTES

• Information security principles communicate the rules of the enterprise (organization).

• These principles need to be limited in number and expressed in simple language.

• Policies provide more detailed guidance on how to put principles into practice.

• Policies may include:
  • Information security policy
  • Access control policy
  • Personnel information security policy
  • Incident management policy
  • Asset management policy

Policy attributes:
• Scope
• Validity
• Goals

Page 24: PROCESSES - 1

• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes:
  • The Governance domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
  • The four Management domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).

• COBIT 5 for Information Security examines each of the processes from an information security perspective.

Page 25: PROCESSES - 2 (figure)

Page 26: THE CLOUD (section divider)

Page 27: DILBERT ON CLOUD COMPUTING (cartoon)

Page 28: THE FUTURE OF THE CLOUD

"The next stage of cloud computing is fog computing! When the cloud drops into our computing environment we have fog."

(A well known Slovenian professional who is working as the CTO in an advanced Slovenian company)

Page 29: CLOUD COMPUTING – NIST DEFINITION

Cloud computing is defined by the US National Institute of Standards and Technology (NIST) as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Page 30: SECURITY CONSIDERATIONS FOR CLOUD COMPUTING (section divider)

Page 31: ESSENTIAL CHARACTERISTICS

• The essential characteristics of cloud computing are:
  • On-demand self-service - Computing capabilities can be provisioned without human interaction from the service provider.
  • Broad network access - Computing capabilities are available over the network and can be accessed by diverse client platforms.
  • Resource pooling - Computing resources are pooled to support a multitenant model.
  • Rapid elasticity - Resources can scale up or down rapidly and in some cases automatically in response to business demands.
  • Measured service - Resource utilization can be optimized by leveraging charge-per-use capabilities.

Page 32: CLOUD SERVICE MODELS

• Infrastructure as a Service (IaaS) - In an IaaS solution, the CSP provides cloud users with processing, storage, networks and other fundamental computing resources. Operating systems and applications, however, are the responsibility of the user and are not included in the service offering of the CSP. Examples are: Rackspace®, Equinix®, Softlayer®, iomart Group plc, Amazon Web Services LLC, etc.

• Platform as a Service (PaaS) - PaaS entails the CSP making available infrastructures and platforms on which cloud users deploy their own applications. This requires the CSP to support programming languages, libraries, services and tools. Examples are: Google App Engine™, Microsoft® Windows Azure™, OpenShift, Amazon Web Services LLC, etc.

• Software as a Service (SaaS) - When opting for SaaS, cloud users not only hire infrastructure and platforms from the CSP, but also run CSP-provided applications on them. Examples are: Computer Services Inc., Salesforce, NewRelic®, Logicworks, Apptix®, Google App Engine, Microsoft Windows Azure, Amazon Web Services LLC, etc.

In all three models the cloud user keeps responsibility for its own data, for the identities it creates and for the access it grants; only the layers below the service boundary move to the CSP.

Page 33: CLOUD DEPLOYMENT MODELS

• Public cloud - The infrastructure is made available to the general public (e.g., Google Apps, Amazon Elastic Compute Cloud (EC2™), Apple® iCloud). It is deployed within the CSP infrastructure, offsite to the enterprise infrastructure.

• Community cloud - The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from enterprises or interest groups (e.g., vertical industries, schools, researchers, software developers) that have shared concerns. It can be deployed onsite (within the enterprise infrastructure) or offsite (within the CSP infrastructure, also called "outsourced").

• Private cloud - The infrastructure can be used only by one single enterprise. As for community clouds, it can be deployed onsite or offsite of the enterprise premises.

• Hybrid cloud - The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community or public) that remain unique entities.

Page 34: CLOUD SERVICE MODELS & RISK (figure)

Page 35: INFORMATION ASSETS AND RISK

• Unavailability - The asset is unavailable and cannot be used or accessed by the enterprise. The cause can be accidental (failure of the infrastructure), intentional (distributed denial-of-service [DDoS] attacks) or legal (subpoena of a database holding all data, in the case of a multitenancy architecture where one client's data are subject to legal investigation).

• Loss - The asset is lost or destroyed. The cause can be accidental (natural disaster, wrong manipulation, etc.) or intentional (deliberate destruction of data).

• Theft - The asset has been intentionally stolen and is now in the possession of another individual/enterprise. Theft is a deliberate action that can involve data loss.

• Disclosure - The asset has been released to unauthorized staff/enterprises/organizations or to the public. Disclosure can be accidental or deliberate. This also includes the undesired, but legal, access to data due to different regulations across international borders.

Page 36: IMPACT OF RISK EVENTS ON ASSETS (figure)

We must not forget the cost considerations and privacy considerations!

Page 37: RISK ASSESSMENT WITH MIGRATION

• The chief information security officer (CISO), the information security manager (ISM) or the chief technology officer (CTO) is responsible for being aware of the current risk affecting the assets of the enterprise and for understanding how the migration to the cloud will affect those assets and the current level of risk.

• The impact of a migration to the cloud depends on the cloud service model and deployment model being considered.

• The combination of service model and deployment model can help identify an appropriate balance for organizational assets (e.g., choosing a private cloud deployment model can help balance the risk related to multitenancy).

• The risk-decreasing and risk-increasing factors, which depend on the service model, are linked to actual threats and mitigating actions.

Page 38: RISK BY SERVICE MODEL – IAAS - 1

• With IaaS (Infrastructure as a Service), the CSP provides the enterprise with fundamental computing resources/equipment (storage, hardware, servers and network components) while the enterprise remains in control of the operating system (OS) and applications installed.

• Risk-decreasing factors:
  • Scalability and elasticity - Lack of physical resources is no longer an issue… (Risk affected - Unavailability)
  • DRP and backup - CSPs should already have in place, as common practice, disaster recovery and backup procedures… (Risk affected - Unavailability, loss)
  • Patch management - Cloud infrastructures are commonly based on hypervisors which allow the necessary patches to be applied… (Risk affected - Unavailability, loss, theft, disclosure)

Page 39: RISK BY SERVICE MODEL – IAAS - 2

• Risk-increasing factors:
  • Legal transborder requirements - CSPs are often transborder, in different countries... (Risk affected - Disclosure)
  • Multitenancy and isolation failure - The common approach is a multi-tenant environment… (Risk affected - Theft, disclosure)
  • Lack of visibility of technical security measures - An intrusion... (Risk affected - Unavailability, loss, theft, disclosure)
  • Absence of DRP and backup - The absence of proper DRP or backup procedures… (Risk affected - Unavailability, loss)
  • Physical security - In an IaaS model, physical computer resources are shared with… (Risk affected - Theft, disclosure)
  • Offshoring infrastructure - Offshoring of key infrastructure expands... (Risk affected - Unavailability, loss, theft, disclosure)
  • …

Page 40: RISK BY SERVICE MODEL – PAAS

• PaaS (Platform as a Service) adds a layer to IaaS by providing the capability to deploy applications in a cloud infrastructure. The applications are developed using the programming languages and tools supported by the CSP. This service model entails the same impacts on risk as IaaS, plus some of the following factors:

• Risk-decreasing factors:
  • Short development time - Using the service oriented architecture (SOA)… (Risk affected - Unavailability, loss)

• Risk-increasing factors:
  • Application mapping - If current applications are not perfectly aligned with the capabilities… (Risk affected - Theft, disclosure)
  • SOA-related vulnerabilities - Security for SOA presents new challenges… (Risk affected - Unavailability, loss, theft, disclosure)
  • Application disposal - (Risk affected - Theft, disclosure)

Page 41: RISK BY SERVICE MODEL – SAAS

• In a SaaS (Software as a Service) model, the CSP provides to the enterprise the capability to use applications running on the cloud infrastructure. The enterprise, in turn, provides to the CSP the data necessary to run the application. The whole infrastructure is the responsibility of the CSP. This service model entails the same impacts on risk as PaaS, plus some of the following factors:

• Risk-decreasing factors:
  • Improved security - CSPs depend on the good reputation of their software capabilities… (Risk affected - Unavailability, loss)

• Risk-increasing factors:
  • Data ownership - The CSP provides the applications and the customer provides the data. (Risk affected - Unavailability, loss, disclosure)
  • Data disposal - When a contract ends, the data in the CSP's application must be erased. (Risk affected - Theft, disclosure)
  • …

Page 42: RISK BY DEPLOYMENT – PUBLIC

• In a public cloud, the CSP shares infrastructure and resources among various unrelated enterprises and individuals.

• Risk-decreasing factors:
  • Public reputation - Providers of public cloud services are aware of being perceived as more "risky." It is critical for them to ensure… (Risk affected - Unavailability, loss, theft, disclosure)

• Risk-increasing factors:
  • Full sharing of the cloud - The cloud infrastructure is shared by multiple tenants of the CSP. These tenants have no relation to the enterprise. (Risk affected - Unavailability, loss, theft, disclosure)
  • Collateral damage - If one tenant of a public cloud is attacked, there could be an impact on the other tenants of the same CSP, even if they are not the intended target (e.g., DDoS). Another possibility is an attack exploiting vulnerabilities of software installed by other… (Risk affected - Unavailability, loss, theft, disclosure)

Page 43: RISK BY DEPLOYMENT – COMMUNITY

• In the community cloud, cloud services are deployed for the use of a group of entities who share an inherent level of "trust." In some cases, all the entities are subject to a common security policy.

• Risk-decreasing factors:
  • Same group of entities - The component of "trust" among the entities in a community cloud makes the level of risk lower than in a public... (Risk affected - Unavailability, loss, theft, disclosure)
  • Dedicated access for the community - Dedicated access can be configured for authorized community users only. (Risk affected - Theft, disclosure)

• Risk-increasing factors:
  • Sharing of the cloud - Different entities may have different security measures or security requirements in place, even if they belong to the same enterprise. It may put an entity at risk because of faulty... (Risk affected - Loss, theft, disclosure)

Page 44: RISK BY DEPLOYMENT – PRIVATE

• In a private cloud, cloud services are deployed for the exclusive use of one enterprise. No interaction with other entities is allowed within the cloud. There are on-site and off-site private clouds.

• Risk-decreasing factors:
  • Can be built on-premises - Physical or location considerations can be closely controlled by the enterprise as the cloud is located… (Risk affected - Unavailability, loss, theft, disclosure)
  • Performance - Applies to on-site private clouds. Because the private cloud is deployed inside the firewall on the enterprise's intranet, transfer rates are higher. (Risk affected - Unavailability, loss)

• Risk-increasing factors:
  • Application compatibility - Applications that have already been confirmed to be virtualization-friendly are likely to run well in a private cloud,… but… (Risk affected - Unavailability, loss)
  • …

Page 45: RISK BY DEPLOYMENT – HYBRID

• Hybrid cloud is a model that allows enterprises to create a mix of public, community and private clouds, depending on the level of "trust" required for their information assets. For example, an enterprise could decide that its web portals can be migrated to a public cloud while its main business application should be migrated to a private cloud; this combination creates a hybrid cloud model.

• Because hybrid clouds are a mix of the other three models, their risk-increasing and risk-decreasing factors are the same as those of the models they combine. There is, however, one additional risk-increasing factor:
  • Cloud interdependency - If the enterprise mixes two or more different types of clouds, strict identity controls and strong credentials will be needed to allow one cloud to have access to another. This is similar to a common network infrastructure problem: how to allow access from a low-level to a high-level security… (Risk affected - Unavailability, loss, theft, disclosure)
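The deck's composition rules, spread over the service-model and deployment-model slides, are simple enough to encode: PaaS carries every IaaS factor, SaaS carries every PaaS factor, and a hybrid carries the factors of each deployment model it mixes plus cloud interdependency. The Python below is an added example, not part of the original slides or of ISACA's material. It takes the factor names and the risks each affects exactly as the slides list them and composes them for a chosen service model and set of deployment models, so the output is the traceable factor list behind each of the four risk events. The +1/-1 net tally, the function names (`assess`, `service_factors`, `deployment_factors`) and the lowercase model keys are this example's own assumptions, not a scoring method the deck defines.

```python
"""Migration risk screen composed from the factor lists on the IaaS/PaaS/SaaS
and public/community/private/hybrid slides.

Added example, not from the original slides. Factor names and the risks each
one affects are copied from the slides; the IaaS < PaaS < SaaS inheritance and
the "hybrid = union of its parts + interdependency" rule are the slides' own
composition rules. The +1/-1 tally is an assumption used to rank, nothing more.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

RISKS = ("unavailability", "loss", "theft", "disclosure")


@dataclass(frozen=True)
class Factor:
    name: str
    direction: int              # -1 risk-decreasing, +1 risk-increasing
    affects: Tuple[str, ...]    # subset of RISKS, as stated on the slide


def inc(name: str, *affects: str) -> Factor:
    return Factor(name, +1, affects)


def dec(name: str, *affects: str) -> Factor:
    return Factor(name, -1, affects)


# Service models. PaaS adds to IaaS, SaaS adds to PaaS (slides 40 and 41).
SERVICE_FACTORS: Dict[str, List[Factor]] = {
    "iaas": [
        dec("Scalability and elasticity", "unavailability"),
        dec("DRP and backup", "unavailability", "loss"),
        dec("Patch management", *RISKS),
        inc("Legal transborder requirements", "disclosure"),
        inc("Multitenancy and isolation failure", "theft", "disclosure"),
        inc("Lack of visibility of technical security measures", *RISKS),
        inc("Absence of DRP and backup", "unavailability", "loss"),
        inc("Physical security", "theft", "disclosure"),
        inc("Offshoring infrastructure", *RISKS),
    ],
    "paas": [
        dec("Short development time", "unavailability", "loss"),
        inc("Application mapping", "theft", "disclosure"),
        inc("SOA-related vulnerabilities", *RISKS),
        inc("Application disposal", "theft", "disclosure"),
    ],
    "saas": [
        dec("Improved security", "unavailability", "loss"),
        inc("Data ownership", "unavailability", "loss", "disclosure"),
        inc("Data disposal", "theft", "disclosure"),
    ],
}
SERVICE_PARENT: Dict[str, Optional[str]] = {"iaas": None, "paas": "iaas", "saas": "paas"}

# Deployment models (slides 42 to 44); the hybrid extra comes from slide 45.
DEPLOYMENT_FACTORS: Dict[str, List[Factor]] = {
    "public": [
        dec("Public reputation", *RISKS),
        inc("Full sharing of the cloud", *RISKS),
        inc("Collateral damage", *RISKS),
    ],
    "community": [
        dec("Same group of entities", *RISKS),
        dec("Dedicated access for the community", "theft", "disclosure"),
        inc("Sharing of the cloud", "loss", "theft", "disclosure"),
    ],
    "private": [
        dec("Can be built on-premises", *RISKS),
        dec("Performance", "unavailability", "loss"),
        inc("Application compatibility", "unavailability", "loss"),
    ],
}
HYBRID_EXTRA = inc("Cloud interdependency", *RISKS)


def service_factors(model: str) -> List[Factor]:
    """Walk the IaaS -> PaaS -> SaaS chain so SaaS carries every lower-layer factor."""
    out: List[Factor] = []
    current: Optional[str] = model
    while current is not None:
        out = SERVICE_FACTORS[current] + out
        current = SERVICE_PARENT[current]
    return out


def deployment_factors(models: Iterable[str]) -> List[Factor]:
    """Two or more distinct deployment models form a hybrid: union of their factors plus interdependency."""
    distinct = list(dict.fromkeys(models))       # de-duplicate, keep order
    out = [f for m in distinct for f in DEPLOYMENT_FACTORS[m]]
    if len(distinct) > 1:
        out.append(HYBRID_EXTRA)
    return out


def assess(service: str, deployments: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Per risk event: net tally (+ means more increasing than decreasing factors) and the factors behind it."""
    report: Dict[str, Dict[str, object]] = {
        r: {"score": 0, "increasing": [], "decreasing": []} for r in RISKS
    }
    for f in service_factors(service) + deployment_factors(deployments):
        for r in f.affects:
            report[r]["score"] += f.direction
            bucket = "increasing" if f.direction > 0 else "decreasing"
            report[r][bucket].append(f.name)
    return report


if __name__ == "__main__":
    # Slide 45's own example: web portals in a public cloud, core application in a private one.
    for risk, row in assess("saas", ["private", "public"]).items():
        print(f"{risk:14} net={row['score']:+d}  +{row['increasing']}  -{row['decreasing']}")
```

The number is only a count of how many listed factors push each way; the useful output is the named list per risk, which is what a reviewer can check against the slides and against the asset impact table (page 36). Weighting by asset value, cost and privacy, which the deck flags but does not quantify, is left to the reader.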

Page 46: CLOUD SERVICE DECISION (section divider)

Page 47: CHOOSING A SERVICE MODEL (figure)

Page 48: CHOOSING A DEPLOYMENT MODEL (figure)

Page 49: THE END

Page 50: CONTACT

Andrej Orel, CISO & CQMO
[email protected]
www.marand.com