© Grant Thornton International, Ltd. All rights reserved.
Avoiding Stormy Skies With Cloud Computing
Todd Fitzgerald CISSP, CISA, CISM, CRISC, CGEIT, PMP, ISO27000, CIPP, CIPP/US, ITILV3f
Global Director Information Security
Grant Thornton International, Ltd.
2014 Mega Healthcare Conference
Jan 29-31, 2014
Wisconsin Dells, WI
Today’s Objective
• Define “The Cloud”
• Cloud Computing Architecture
• Cloud Deployment Models
• Cloud Use Cases
• Security Risks, Benefits, Vulnerabilities
• Current Cloud Market space
• Information Security Issues
Disclaimer
• Todd Fitzgerald is a Director of Information Security with Grant Thornton
International Ltd. The views expressed in this presentation are solely
Todd Fitzgerald's personal views and do not necessarily represent the
views of Grant Thornton or its clients or its related entities. The
information provided with respect to Todd Fitzgerald's affiliation with
Grant Thornton is solely for identification purposes and may not and
should not be construed to imply endorsement or support by Grant
Thornton of the views expressed herein.
About Grant Thornton
• 35,000 people in over 100 countries
• Total global revenues $4.2bn (2012)
• Global tax revenues $909m, 9% growth (2012)
• Mergers in 19 countries, Q1-Q3 2012, adding revenues of $250m
• Global advisory revenues $1.1bn, 18% growth (2012)
THE 'WHATS' AND 'WHYS' OF CLOUD
Section I
Current State of Cloud Computing
• Evolving Landscape
• New Business Opportunities
• Much Hype, Some Reality... In Its Infancy
• ... It Will Impact Future IT Delivery
Business Drivers
• Lower Costs
• Delivering IT according to Business Priorities
• Faster Delivery
• Reacting to changes
• Standards Migration
• Pricing to influence business behavior
• Lowering barrier to entry/exit
The Central Issue: What Are We Trying To Protect?
For each asset, ask these questions... How would we be harmed if...
...the asset became widely public and distributed?
...an employee of the cloud provider accessed the asset?
...the process or function was manipulated by an outsider?
...the process or function failed to provide expected results?
...the data was unexpectedly changed?
...the asset was unavailable for a period of time?
Source: Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V3.0
Working Definition of “The Cloud”
Source: Cloud Security Alliance / NIST
Cloud Computing Taxonomy
Source: Cloud Computing Use Cases White Paper, Version 4.0
Standards Will Be Determined By Interoperability,
Auditability, Security & Management
Source: Cloud Computing Use Cases White Paper
Platform Stacks – Who Is In Control?
Source: cloudblueprint.wordpress.com/cloud-taxonomy
Gartner Hype Cycle Predictions 2014 and Beyond
• Cloud computing interest has "peaked" and is now in the Trough of Disillusionment
• Mainstream cloud adoption 2014-2017: salesforce automation, SaaS, and virtualization
• Cloud email – 10% adoption rate by 2014
• Big Data – by 2015, competitors defeated by 20%
• PaaS – confusing to enterprises, varying experiences
• SaaS – 50% of organizations have a SaaS strategy by 2015
• Personal cloud replaces the PC by 2014
Source: www.rickscloud.com
Match Security Tool To Cloud Computing Problem
• Low-security environments: 20% of the market
• High-end: APIs for externalized security monitoring
• Middle: a compromise between public and private clouds
2012 data breach statistics
• Of 621 security breach incident investigations:
– 92% perpetrated by outsiders
– 52% utilized some form of hacking
– 40% incorporated malware
– 29% used social tactics
– 66% took months or more to discover (69% were discovered by a third party)
– 78% of initial intrusions rated as low difficulty; 71% targeted end-user devices
Source: Verizon RISK Team, 2013 Data Breach Investigations Report
Large Gap Between Time To Attack and Discovery
Top 2013 Cloud Threats (Notorious Nine)
1. Data Breaches
2. Data Loss
3. Account or Service Traffic Hijacking
4. Insecure Interfaces and APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared technology Vulnerabilities
Source: Cloud Security Alliance, Feb 2013
Top 5 HIPAA Breach Violations Reported to HHS (281 breaches affecting more than 500 individuals as of June 2011) – In the Cloud?

Provider                     Year  # Affected  How?
Health Net                   2011  1,900,000   Portable disk stolen from office
NYC Health & Hospitals Corp  2010  1,700,000   Hard drives stolen from van
AVMed                        2009  1,220,000   Laptops stolen from corporate office
BCBS Tennessee               2009  1,023,209   Hard drives stolen from IT closet
South Shore Hospital         2010    800,000   Drives lost while transported for destruction

None of the five involved a cloud provider; every one was lost or stolen physical media.
Source: Software Advice study, 6/11
2013 – Data on 3,000 Patients Posted on Google E-mail and Document Storage Services. HIPAA Violation?
RISK: Physical Cloud Components
– Data centers: self-hosted, third-party, or both?
– Network circuits and firewalls: who's managing, who's watching?
– Disaster preparedness and recoverability: is there a plan, is it tested?
– Who is aware of and managing vendor SLAs, and are they adequate?
Risk slides source: Orus Dearman, Grant Thornton, "Lost In Cyberspace" presentation
RISK: Data and Organizational
• Where is the data and how is it protected?
– In-flight, standing still / at-rest, etc.?
– Archives and back-up?
– Unintended uses?
– Data privacy and compliance?
• What is the tone at the top?
– Stakeholder knowledge of attributes and risks
– Have internal controls evolved effectively?
– Who is monitoring internal use of public cloud services?
RISK: Attention To Security
• The cloud provider's security policies are not as strong as the organization's data security requirements
• Cloud systems which store organization data are not updated or patched when necessary
• Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place
• The physical location of organization data is not properly secured
Source: 2013 Ponemon Institute Survey, Who's minding your cloud?
Security Vulnerabilities
• AAA vulnerabilities
• User provisioning/de-provisioning
• Remote access to management interface
• Hypervisor
• Lack of resource isolation
• Lack of reputational isolation
• Communication encryption
• Weak archive encryption
• Impossibility of processing in encrypted form
• Poor key management procedures
Source: Cloud Computing: Benefits, Risks and Recommendations for Information Security, ENISA
Security Vulnerabilities (Cont’d)
• Key generation / low entropy for random number generation
• Lack of standard technologies/solutions (lock-in)
• No source escrow agreement
• Inaccurate modelling of resource usage
• Conflicting SLAs/stakeholders
• Audit not available
• No control over vulnerability assessment process
• Internal network probing
• Co-residence checks
• Forensic readiness
• Sensitive media sanitization
• Synchronizing responsibilities
• Cross-cloud application dependency
Source: Cloud Computing: Benefits, Risks and Recommendations for Information Security, ENISA
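The two key-related ENISA items above ("poor key management procedures" and "key generation / low entropy for random number generation") are easy to state and easy to underestimate. The following is an added example, not code from the slides or from ENISA: a hypothetical flawed generator that seeds a non-cryptographic PRNG with a timestamp, next to the hardened form that draws from the OS CSPRNG, and an attacker routine that recovers the weak key by searching the seed window. The generator, the fingerprint scheme and the timestamp are all constructed for the illustration.

```python
"""Added example: why low-entropy key generation is a vulnerability.

weak_key_from_seed() is a hypothetical flawed generator (constructed for this
example, not from any real product): it seeds Python's Mersenne Twister, which
is not a cryptographic generator, with a small integer such as a Unix timestamp.
The key is 256 bits long, but its effective entropy is only the size of the
seed window an attacker has to search. strong_key() is the hardened form.
"""
import hashlib
import random
import secrets
from typing import Optional

KEY_LEN = 32  # 256-bit symmetric key


def weak_key_from_seed(seed: int) -> bytes:
    """Hypothetical flawed generator: the key is a pure function of a low-entropy seed."""
    rng = random.Random(seed)  # deterministic; anyone who knows the seed gets the key
    return rng.getrandbits(KEY_LEN * 8).to_bytes(KEY_LEN, "big")


def strong_key() -> bytes:
    """Hardened form: the key comes from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def key_fingerprint(key: bytes) -> bytes:
    """Public key identifier, as a key-management system might expose (assumed scheme).
    It reveals nothing about a high-entropy key, but it lets an attacker test guesses."""
    return hashlib.sha256(key).digest()


def recover_seed(fingerprint: bytes, seed_lo: int, seed_hi: int) -> Optional[int]:
    """Attacker: knows the generator and the fingerprint and guesses the key was made
    at a time in [seed_lo, seed_hi). Returns the seed (and therefore the key) if found."""
    for seed in range(seed_lo, seed_hi):
        if key_fingerprint(weak_key_from_seed(seed)) == fingerprint:
            return seed
    return None


def demo() -> dict:
    """Constructed scenario: a key generated at a roughly known time (a January 2014
    Unix timestamp); the attacker searches one hour either side of it."""
    seed = 1_390_000_000
    window = (seed - 3600, seed + 3600)
    weak = weak_key_from_seed(seed)
    strong = strong_key()
    return {
        "weak_recovered_seed": recover_seed(key_fingerprint(weak), *window),
        "strong_recovered_seed": recover_seed(key_fingerprint(strong), *window),
    }


if __name__ == "__main__":
    result = demo()
    print("weak key seed recovered:", result["weak_recovered_seed"])      # 1390000000
    print("strong key seed recovered:", result["strong_recovered_seed"])  # None
```

The 7,200-seed search finishes in well under a second; a real attacker would widen the window to the provider's whole deployment history and still be done quickly. The fix is not a longer key but a seed the attacker cannot enumerate, which is what `secrets` (and, on the server side, the platform's hardware or kernel entropy source) provides.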
Best Practices
• Implement IP restrictions
• Consider two-factor authentication
• Secure employee systems: use anti-malware/anti-spyware utilities
• Strengthen password policies
• Require secure sessions (https://)
• Decrease session timeout thresholds
• Identify a primary security contact
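Four of the practices above (IP restrictions, two-factor authentication, HTTPS-only sessions and a shorter session timeout) are checks a SaaS tenant can configure or, for an application it hosts itself, enforce at request time. The block below is an added example, not code from the slides or from any vendor: a request-time policy check plus the Set-Cookie attributes that make "secure session" concrete. The allowed networks (RFC 5737 documentation ranges), the 15-minute idle timeout and the Request shape are assumptions for the illustration.

```python
"""Added example: enforcing several of the best practices above on each request.

ALLOWED_NETWORKS, IDLE_TIMEOUT_SECONDS and the Request dataclass are assumed for
this illustration; a real deployment would read them from configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Assumed corporate egress ranges (RFC 5737 documentation addresses, not real ones).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/28")]
IDLE_TIMEOUT_SECONDS = 15 * 60  # the "decreased" threshold; vendor defaults are often hours


@dataclass
class Request:
    source_ip: str
    scheme: str          # "https" or "http"
    mfa_verified: bool   # second factor completed for this session
    last_activity: int   # Unix time of the previous request in this session
    now: int             # Unix time of this request


def check_request(req: Request) -> List[str]:
    """Return the list of policy violations; an empty list means the request is allowed.
    Every rule is evaluated so the audit log records all reasons, not only the first."""
    violations: List[str] = []
    try:
        ip = ip_address(req.source_ip)
        if not any(ip in net for net in ALLOWED_NETWORKS):
            violations.append("ip_not_in_allowlist")
    except ValueError:
        violations.append("ip_unparseable")  # a malformed address is a deny, never a pass
    if req.scheme.lower() != "https":
        violations.append("insecure_transport")
    if not req.mfa_verified:
        violations.append("mfa_not_verified")
    if req.now - req.last_activity > IDLE_TIMEOUT_SECONDS:
        violations.append("session_idle_timeout")
    return violations


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: sent only over TLS, unreadable by script,
    not attached to cross-site requests, and expiring at the idle timeout."""
    return (f"sid={session_id}; Secure; HttpOnly; SameSite=Strict; "
            f"Path=/; Max-Age={IDLE_TIMEOUT_SECONDS}")


if __name__ == "__main__":
    # Constructed requests for illustration.
    t = 1_390_000_000
    ok = Request("203.0.113.10", "https", True, t - 60, t)
    bad = Request("192.0.2.77", "http", False, t - 3600, t)
    print(check_request(ok))   # []
    print(check_request(bad))  # ['ip_not_in_allowlist', 'insecure_transport', 'mfa_not_verified', 'session_idle_timeout']
    print(session_cookie_header("abc123"))
```

Note the order of operations: the IP and transport checks run before anything session-specific, so a request from outside the allowlist is refused even if it carries a valid, MFA-backed session cookie stolen from an employee system, which is the case the "secure employee systems" item is worried about.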
Security Vulnerabilities (Not specific to the cloud)
• Lack of security awareness
• Lack of vetting process
• Unclear roles/responsibilities
• Poor enforcement of role definitions
• Need-to-know principles not applied
• Inadequate physical security
• Mis-configuration
• Unclear asset ownership
• Un-trusted software
• Incomplete asset inventory/classification/ownership
• Poor provider selection
• Liability from data loss
• Inadequate/mis-configured filtering resources
Source: Cloud Computing: Benefits, Risks and Recommendations for Information Security, ENISA
RISK: Multi-tenancy
• Organization data is not appropriately segregated on shared hardware, resulting in organization data being inappropriately accessed by third parties
• The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both at rest and in transit
• The cloud service provider cannot determine the specific location of the organization's data on its systems
• Organization data resides on shared server space, which might conflict with regulatory compliance requirements for the organization
RISK: Data Location
• The organization is not aware of all of the cloud service provider's physical location(s)
• The organization does not know where their data is physically or virtually stored
• The cloud service provider moves organization data to another location without informing the organization
• Organization data is stored in international locations and falls under foreign business or national laws/regulations
RISK: Reliability
• The cloud service provider has quality of service standards which conflict with operational requirements
• During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
― organization employees cannot access the organization's data when needed
― customers are unable to use the organization's systems (such as placing an order on the organization's web site) because of performance problems with the cloud provider
RISK: Sustainability
• In the event the cloud service provider goes out of business, the organization might not be able to retrieve the organization's data. In addition, another third party might gain access to or control of the organization's data
• The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
• The organization's business continuity plan does not address the cloud's service offering being unavailable
• Organization data is compromised as a result of a disaster
Scalability risks
• The cloud service provider's systems cannot scale to meet the organization's anticipated growth, both for a short-term spike and/or to meet a long-term strategy
• If the organization decides to migrate all or part of the organization's system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data
Source: Information Week, 2013 Cloud Security and Risk Survey, Sept 2013
Compliance Frameworks For Evaluating Cloud Security
• COBIT
• CSA Cloud Controls Matrix (CCM)
• Jericho Forum Self-Assessment Scheme
• AICPA Service Organization Control (SOC) 1 Report (note: a SOC 1 report covers controls relevant to financial reporting; security, availability, confidentiality and privacy are the subject of SOC 2)
• AICPA/CICA Trust Services (SysTrust/WebTrust)
• FedRAMP
• NIST SP 800-53
• HITRUST
• BITS
• ENISA Report
• RYO (Roll Your Own)
NIST Has Excellent Publications To Help With
Security and Privacy
Key Cloud Macro Issues
• Critical mass of separation between data owners and data processors
• Anonymity of geography of data centers & devices
• Anonymity of provider
• Transient provider relationships
• Physical controls must be replaced by virtual controls
• Identity management has a key role to play
• Cloud WILL drive change in the security status quo
• Reset button for the security ecosystem
Source: Achieving Security Assurance and Compliance in the Cloud, Cloud Security Alliance 2011
Key Trust Issues Are Emerging
– Will my cloud provider be transparent about governance and operational issues?
– Will I be considered compliant?
– Do I know where my data is?
– Will a lack of standards drive unexpected obsolescence?
– Is my provider really better at security than me?
– Are the hackers waiting for me in the cloud?
– Will I get fired?
Source: Achieving Security Assurance and Compliance in the Cloud, Cloud Security Alliance 2011
Potential Challenges For Tomorrow
• Keeping pace with cloud changes
• Globally incompatible legislation and policy
• Non-standard private & public clouds
• Lack of continuous risk management & compliance monitoring
• Incomplete identity management implementations
• Haphazard response to security incidents
Source: Achieving Security Assurance and Compliance in the Cloud, Cloud Security Alliance 2011
4 Stages to Cloud Maturity
Source: Assess Your Cloud Maturity, Forrester Research 5/29/12
10 Cloud Predictions for 2013... Which Ones Came True? Which Will Remain This Year (In 2014)?
• End of cloud "one-size-fits-all"
• Cloud and mobile will become one
• Stop stressing about cloud service-level agreements
• Get real about cost modelling
• Developers will be developing with support from infrastructure and operations professionals
• Get real about cloud for backup and disaster recovery
• Cloud ≠ commodity
• Cloud ≠ Amazon Web Services
• Virtualization is good, but not a cloud
• Development in the cloud not that much different
Source: Forrester Research, Predictions for 2013: Cloud Computing, Feb 22, 2013
Final Thoughts – Remember The Baby Toddler
• Cloud Computing Is now a Toddler
• …But as a Toddler, it is wise to plan for college early
• …because the Toddler does grow up
• Apply concepts from other prior kids to this one
• Learn from the Toddler
• Embrace and don't be afraid of the Toddler
• Know where the Toddler is coming from, and know they will always be your baby!
References
• Cloud Computing: Benefits, Risks and Recommendations for Information Security, ENISA, www.enisa.europa.eu
• Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Cloud Security Alliance, www.cloudsecurityalliance.org/
• Cloud Computing Use Cases White Paper, Version 4.0, http://cloudusecases.org
• Moving to the Cloud, V1.0, http://cloudusecases.org
• The NIST Definition of Cloud Computing (Draft), SP 800-145, Jan 2011, http://csrc.nist.gov/publications/drafts/800-145_cloud-definition.pdf
• Gartner Security & Risk Management Summit, 6/11, Washington, DC, various presentations
• IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, ISACA
• cloud.cio.gov/action/secure-your-cloud
• Information Security Governance Simplified: From the Boardroom to the Keyboard (Fitzgerald, 2012)
• CISO Leadership: Essential Principles for Success (Fitzgerald & Krause, 2008)
Todd Fitzgerald
Global Information Security Director
Grant Thornton International, Ltd.
Oak Brook Terrace, IL
linkedin.com/in/toddfitzgerald
Use Case #1: End User To Public Cloud
• End user accesses data and applications in the cloud
• Gmail, Facebook, LinkedIn
• No idea of architecture
• Any browser, any device
Source: Cloud Computing Use Cases White Paper
Use Case #1: End User To Public Cloud – Requirements
• Identity: cloud service must authenticate
• Open client
• SLAs for end users are simpler
• Cloud vendors must be clear on service level
Source: Cloud Computing Use Cases White Paper
Use Case #2: End User – Public Cloud – Enterprise
• End user interacts with enterprise
• Enterprise interacts with cloud
• End user is external or internal
• (Variation: use case without an end user, for internal processes)
Source: Cloud Computing Use Cases White Paper
Use Case #2: End User – Public Cloud – Enterprise – Requirements
• Identity: cloud service must authenticate
• Open client
• Federated identities, single ID for end user
• Location awareness
• Metering & monitoring
• Governance/management
Source: Cloud Computing Use Cases White Paper
Use Case #2: End User – Public Cloud – Enterprise – Requirements (Cont'd)
• VM common file format
• Common API for cloud storage/middleware
• Data/application federation
• SLAs and benchmarks
• Lifecycle management
Source: Cloud Computing Use Cases White Paper
Use Case #3: Enterprise to Cloud to Enterprise
• Two enterprises using the same cloud
• Hosted resources in cloud
• Applications interoperate
• Supply chain
Source: Cloud Computing Use Cases White Paper
Use Case #3: Enterprise to Cloud to Enterprise – Requirements
• Similar to the Enterprise-to-Cloud use case
• Plus:
– Transactions and concurrency
– Interoperability
Source: Cloud Computing Use Cases White Paper
Use Case #4: Private Cloud
• Cloud contained within the enterprise
• Computing power spread across the enterprise
• A department gets extra cycles when needed (e.g., Payroll, Finance)
Source: Cloud Computing Use Cases White Paper
Use Case #4: Private Cloud – Requirements
• Requirements same as public cloud, except:
– Identity/federation
– Location awareness
– Transactions
– Industry standards
– Common APIs for middleware
Source: Cloud Computing Use Cases White Paper
Use Case #5: Hybrid Cloud
• Multiple clouds working together
• Federated cloud provider: combines own resources with others
• Cloud broker: delivers clouds, no resources of their own
• No difference to the end user
Source: Cloud Computing Use Cases White Paper
Use Case #5: Hybrid Cloud – Requirements
• Same requirements as prior use cases
• SLAs: machine readable, to permit the cloud provider to select resources without human intervention
Source: Cloud Computing Use Cases White Paper
Use Case #5a: Community Cloud
• Subset of hybrid cloud
• Users access via intranet vs. Internet
• User has no knowledge of what the hybrid cloud provider does
5 Customer Scenarios
Source: Cloud Computing Use Cases White Paper