Cloud Computing - Introduction & Governance


  • 8/12/2019 Cloud Computing - Introduction & Governance

    1/31

    Cloud Computing & IT Governance


    Agenda

    What is Cloud computing

    Cloud service delivery model

    Cloud deployment model

    Critical Security issues

    Frameworks: COSO ERM, ITIL, ISO 27001, ENISA governance

    Cloud risk case study


    What is Cloud Computing ?

    Simply put, cloud computing provides a variety of computing resources, from servers and storage to enterprise applications such as email, security, backup/DR and voice, all delivered over the Internet.

    The Cloud delivers a hosting environment that is immediate, flexible, scalable, available and (when implemented and managed with security in mind, as the security slides later in this deck stress) secure, while saving corporations money, time and resources.

    On demand solutions for your business

    Based on a pay-as-you-go model


    Traditional Software Model

    Large upfront licensing costs

    Annual support costs

    Depends on number of users

    Not based on usage

    Organization is responsible for hardware

    Security is a consideration

    Customized applications


    Cloud Service Delivery Models

    Service delivery in Cloud Computing comprises three different service models:

    -Infrastructure-as-a-Service (IaaS),

    -Platform-as-a-Service (PaaS), and

    -Software-as-a-Service (SaaS).

    The three service models, or layers, are completed by an end-user layer that encapsulates the end-user perspective on cloud services.


    Cloud Service Delivery Model

    Several technologies work together:

    Cloud access devices

    Browsers and thin clients

    High speed broadband access

    Data centers and server farms

    Storage devices

    Virtualization technologies

    APIs

    Key Drivers

    Small investment and low ongoing costs: pay-as-you-go basis

    Economies of scale

    Open standards

    Sustainability


    Cloud Services Delivery Model

    SaaS

    - Rents software on a subscription basis

    - Service includes software, hardware and support

    - Users access the service through an authorized device

    - Suitable for a company that wants to outsource hosting of apps

    PaaS

    - Vendor offers a development environment to application developers

    - Provides developer toolkits, building blocks, payment hooks

    IaaS

    - Processing power and storage service

    - The hypervisor sits at this level


    Cloud Service Delivery Models


    Division of Responsibility


    Deployment Models of Cloud

    Public: cloud infrastructure is available to the general public and is sold by an organization selling cloud services

    Private: cloud infrastructure operated solely for a single organization; managed by the organization or a 3rd party, on or off premises

    Community: cloud infrastructure shared by several organizations that have shared concerns; managed by the organizations or a 3rd party

    Hybrid: a combination of more than one cloud deployment model, bound together by standardized or proprietary technology


    Deployment Models of Cloud (Cont.)

    http://en.wikipedia.org/wiki/File:Cloud_computing_types.svg

    Deployment Models of Cloud (Cont.)


    Critical Security Issues of Cloud

    Private clouds are not secure by default: a cloud placed behind the enterprise firewall is not inherently secure; it needs to be implemented and managed with security in mind.

    Security is limited to the weakest link, be that users, departments with less security, or unprotected applications.

    Security visibility and risk awareness: monitoring not just resources, but the security state of a cloud, is of utmost importance.

    Do not just gather metrics: make them easily accessible and displayed in a meaningful way, and look at potential issues every day, not only during compliance-required monthly reviews.

    Safely storing sensitive information: sensitive data must be encrypted with a strong, industry-trusted encryption library. Do not roll your own.

    It is very difficult to guarantee that there is absolutely no eavesdropping in a cloud environment.

    Decide whether to encrypt data in the cloud, or before it gets to the cloud. The difference is who holds the keys: if the provider encrypts with keys it manages, the provider (and anyone who compromises or compels it) can still read the data; encrypting before upload with customer-held keys takes the provider out of the trust boundary, but makes key management, rotation and key loss the customer's problem.
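    The "encrypt before it gets to the cloud" option, as an added example that is not part of the original deck: a Go program (standard library only) that seals each record with AES-256-GCM under a customer-held key before it is handed to the storage service, binds the object name as associated data so a stored blob cannot be served back under another name, and rejects any blob whose nonce, ciphertext, tag or name was altered. The function names, the object name and the sample record are assumptions made up for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit data-encryption key. The whole point of
// encrypting before upload is that this key never leaves the customer's
// control (a KMS/HSM, or a key file the provider cannot read).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM before it is handed to the cloud.
// objectName is passed as associated data (authenticated but not encrypted),
// so a ciphertext stored under one name cannot be quietly served back under
// another by whoever controls the storage service.
// Blob layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func Encrypt(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to the nonce so the nonce travels with the ciphertext.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Decrypt opens a blob produced by Encrypt. Any modification of the nonce,
// ciphertext, tag or object name makes Open fail, and nothing is returned.
func Decrypt(key []byte, objectName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	plaintext, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed for %q: %w", objectName, err)
	}
	return plaintext, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record (assumed object name and contents); in
	// practice this is the file handed to the cloud storage API.
	name := "mortgage-insurance/application-0042.json"
	record := []byte(`{"applicant":"A. Example","ssn":"000-00-0000","premium":412.50}`)

	blob, err := Encrypt(key, name, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploading %d bytes of ciphertext for %s\n", len(blob), name)

	// The provider can store, copy and serve the blob but cannot read it.
	if _, err := Decrypt(key, name, blob); err != nil {
		panic(err)
	}
	// A flipped byte in storage (or a renamed object) is detected on read.
	blob[len(blob)-1] ^= 0x01
	_, err = Decrypt(key, name, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

    A real deployment keeps the key in a KMS or HSM the customer controls and wraps per-object keys with a key-encryption key rather than generating them in process; the storage provider only ever sees the output of Encrypt, and a lost key means lost data.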


    Critical Security Issues of Cloud (Cont.)

    Application Security

    The shared environment and the differences in security architecture of a cloud increase the importance of application security. Before migrating an application to the cloud, perform an architecture review and see where the cloud's security benefits can be leveraged.

    Migrating an application to the cloud is a unique chance to increase the security of the application through increased availability, the ability to scale, and the use of cloud APIs.

    Authentication and Authorization

    Should enterprise authentication be extended to the cloud? It depends on usage and on the security program.

    The authentication system should be flexible enough to support the different authentication mechanisms of different cloud services.

    A wide variety of commercial solutions is available.

    Authentication and authorization system logs can provide insight into reconnaissance activity: one source failing against many different accounts in a short time is enumeration or password spraying, not a user mistyping a password, and it is only visible if those logs are collected centrally and actually reviewed.
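    The reconnaissance signal in the last point, as an added example that is not the deck's own code: a Go detector that parses a constructed authentication log and flags any source whose failed logins hit several distinct accounts inside a sliding time window. The log format, the addresses and account names, and the window and threshold values are all assumptions made up for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one authentication attempt as recorded by the auth service.
type AuthEvent struct {
	Time   time.Time
	Source string // client address
	User   string // account name presented
	OK     bool   // true on successful login
}

// SampleLog is constructed test data in an assumed "<time> <src> <user> <result>" format.
const SampleLog = `
2019-08-12T09:00:01Z 198.51.100.7 alice FAIL
2019-08-12T09:00:09Z 198.51.100.7 alice OK
2019-08-12T09:05:00Z 203.0.113.5 alice FAIL
2019-08-12T09:05:03Z 203.0.113.5 bob FAIL
2019-08-12T09:05:06Z 203.0.113.5 carol FAIL
2019-08-12T09:05:09Z 203.0.113.5 admin FAIL
2019-08-12T09:05:12Z 203.0.113.5 alice FAIL
`

// ParseLine parses one line of the format above.
func ParseLine(line string) (AuthEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return AuthEvent{}, fmt.Errorf("expected 4 fields: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AuthEvent{}, err
	}
	return AuthEvent{Time: ts, Source: f[1], User: f[2], OK: f[3] == "OK"}, nil
}

// ParseLog parses every line of a log export (surrounding blank lines ignored).
func ParseLog(log string) ([]AuthEvent, error) {
	var events []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// Finding is one source whose failed logins touched many distinct accounts.
type Finding struct {
	Source        string
	DistinctUsers int
	Start, End    time.Time
}

// FindEnumeration flags sources whose failed logins hit at least minUsers
// distinct accounts inside any window of the given length: a user mistyping a
// password fails against one account, enumeration or spraying against many.
func FindEnumeration(events []AuthEvent, window time.Duration, minUsers int) []Finding {
	bySource := map[string][]AuthEvent{}
	for _, e := range events {
		if !e.OK {
			bySource[e.Source] = append(bySource[e.Source], e)
		}
	}
	var findings []Finding
	for src, evs := range bySource {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		inWindow := map[string]int{} // user -> failures inside evs[lo..hi]
		best, lo := Finding{Source: src}, 0
		for hi, e := range evs {
			inWindow[e.User]++
			for e.Time.Sub(evs[lo].Time) > window { // drop attempts older than the window
				if inWindow[evs[lo].User]--; inWindow[evs[lo].User] == 0 {
					delete(inWindow, evs[lo].User)
				}
				lo++
			}
			if len(inWindow) > best.DistinctUsers {
				best.DistinctUsers, best.Start, best.End = len(inWindow), evs[lo].Time, evs[hi].Time
			}
		}
		if best.DistinctUsers >= minUsers {
			findings = append(findings, best)
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Source < findings[j].Source })
	return findings
}

func main() {
	events, _ := ParseLog(SampleLog) // SampleLog is a known-good constant
	for _, f := range FindEnumeration(events, 5*time.Minute, 3) {
		fmt.Printf("%s failed against %d accounts between %s and %s\n", f.Source, f.DistinctUsers, f.Start.Format(time.RFC3339), f.End.Format(time.RFC3339))
	}
}
```

    With a 5-minute window and a threshold of 3 distinct accounts this reports 203.0.113.5 (4 accounts in 9 seconds) and stays quiet about 198.51.100.7, which failed once against its own account and then logged in. Thresholds need tuning per environment: shared NAT addresses and service accounts used by many people produce the same pattern legitimately, so the finding is a lead for an analyst, not a verdict.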


    COSO ERM Framework

    COSO:

    The frame

    pathway in which eac

    (starting with internain order to understan

    and disadvantages th

    candidate would brin

    In cases w

    already been implem

    framework can be use

    establish, refine, or p

    assurance check of thprogram by ensuring

    aspects of the progra

    assessment, and risk

    addressed with respe

    managements requir


    ITIL Framework

    Information Technology Infrastructure Library (ITIL)

    It is a set of practices for IT service management that focuses on aligning IT services with the needs of the business.

    ITIL describes processes, procedures, tasks and checklists. These are not organization-specific, but can be applied by an organization for establishing integration with the organization's strategy, delivering value, and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement and measure.

    It is used to demonstrate compliance and to measure improvement.

    It is through this framework that processes are continuously improved, to ensure that end users get excellence on every service experience delivered.


    ISO 27001 Framework

    ISO 27001:

    It is a structured set of guidelines for assisting organizations in developing their own information security framework. The standard relates to all information in an organization, regardless of the medium on which it is stored or where it is located.

    ISO 27001 suggests the development and implementation of a structured Information Security Management System (ISMS), which governs the security implementation and monitoring in the organization. It is designed to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used.


    ENISA Governance Framework

    ENISA:

    Based on COSO's Internal Control framework.

    In order to guarantee that all controls are implemented and maintained properly, organizations must move from ad-hoc activities to a planned control and monitoring system.

    The Internal Control System is a tool for attaining the objectives of an organization.

    An Internal Control System is defined (by COSO) as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

    Effectiveness and efficiency of operations

    Reliability of financial reporting

    Compliance with applicable laws and regulations


    Cloud control

    Accountability:

    Preventive Controls

    Detective Controls

    Procedural Measures

    Technical Measures

    Responsibility:

    Customer vs. Provider

    Compliance

    Data Management

    Forensics & Recovery


    Cloud Risk: Case Study

    Cloud risk assessment


    Cloud risk assessment

    In 2009, the European Network and Information Security Agency (ENISA) produced a document titled Cloud Computing: Benefits, Risks and Recommendations for Information Security. This document collates 35 types of risk identified by its contributors, and identifies eight top security risks based on ENISA's view of indicative likelihood and impact.

    In March 2010, the Cloud Security Alliance (CSA) published Top Threats to Cloud Computing V1.0, which includes the top seven threats as identified by its members.

    In April 2011, the Open Web Application Security Project (OWASP) released a pre-alpha list of its top 10 cloud security risks derived from a literature review of other publications and sources.

    The ISO/IEC 9126 standard (Information technology - Software product evaluation - Quality characteristics and guidelines for their use), when used in conjunction with a deep security assessment, is valuable for putting more structure and coherence around assessing the suitability of new vendors and new technologies, including cloud offerings. ISO/IEC 9126 has since been superseded by ISO/IEC 25010, which keeps the same kind of quality model and promotes security to a top-level quality characteristic.


    Case Study

    This case study considers moving a risk management business function (a home mortgage insurance calculation) to the cloud.

    The business benefit of placing this function in the cloud is that it will allow branches, centres, brokers and other channels to use the same code base and avoid replicating the calculation in multiple places. The use of the cloud will also reduce paper handling and host system access, and the associated security required. There is also a potential business driver for allowing customers access to their own data if it is placed on the public cloud.

    The first step in the framework is to formulate and communicate a vision for the cloud at an enterprise and business-unit level.

    Guiding principles


    Vision: What is the business vision and who will own the initiative?

    Visibility: What needs to be done and what are the risks?

    Accountability: Who is accountable and to whom?

    Sustainability: How will it be monitored and measured?

    Guiding principles

    10 principles


    VISION:

    1.Executives must have oversight over the cloud

    2.Management must own the risks in the cloud

    VISIBILITY:

    3. All necessary staff must have knowledge of the cloud

    4. Management must know who is using the cloud

    5. Management must authorise what is put in the cloud


    ACCOUNTABILITY

    6. Mature IT processes must be followed in the cloud

    7. Management must buy or build management and security in the cloud

    8. Management must ensure cloud use is compliant

    SUSTAINABILITY

    9. Management must monitor risk in the cloud

    10. Best practices must be followed in the cloud


    References

    An article at http://www.csoonline.com/article/717307 by John Kinsella, Protected Industries, http://www.protectedindustries.com

    An article at http://www.csoonline.com/article/647128/five-cloud-security-trends-experts-see-for-2011

    ITIL framework: http://sysonline.net/content.php?id=53

    ENISA framework: http://www.enisa.europa.eu/activities/risk-management/current-risk/business-process-integration/governance/ics

    ISO 27001: http://www.simosindia.in/services/plan/?id=iso