Page 1: Cloud Computing & Control Auditing ~ Navin Malhotra

Page 2

Cloud Computing Basics

(Diagram: Internet; your company doesn't pay for h/w and maintenance; the service provider pays for equipment and maintenance)

• Cloud computing is a construct that allows you to access applications that actually reside at a location other than your computer or other internet-connected device; most often this will be a distant datacenter. Cloud computing can be defined as a benefit-driven operations solution that delivers scalable IT resources via the web, as opposed to hosting and operating these services locally.

• These resources include tools, applications and services, in addition to the infrastructure in which these services operate. By deploying these tools and services over the web, companies and organizations can access resources on demand and significantly reduce (or possibly even eliminate) software and hardware costs. Additionally, a business' IT capacity can quickly and easily adjust to changes in demand, making the flexible nature of cloud computing immensely appealing.

• One of the most valuable benefits of the cloud is the ability for employees to access, update and share files, documents and data, and use software applications from anywhere there is internet connectivity.

Page 3

Cloud Topology

(Diagram: Internet; client computers; distributed servers; datacenter)

Clients in a cloud computing architecture are exactly the same things that they are in a plain old, everyday LAN. They may be your desktops, laptops, tablet PCs, mobile phones or PDAs.

Datacenter: servers located at a remote location but all placed in one region. Distributed servers: servers spread across several remote locations.

Advantages of a "thin" client:
• Lower h/w & IT cost
• Data and information security
• Less power consumption
• Ease of repair

Page 4

Cloud Service Models

(Diagram: Service Models – SaaS, PaaS, IaaS)

Moving apps to the cloud can be a double-edged sword on cost. Proper ROI and needs must be measured before moving apps to the cloud. There are also interoperability and lock-in concerns.

SaaS is a model in which an application is hosted as a service to customers who access it via the Internet. The customer doesn't have to maintain it or support it. On the other hand, it is out of the customer's hands when the hosting service decides to change it. The provider does all the maintenance and upgrades as well as keeping the infrastructure up and running.

PaaS is another application delivery platform. PaaS supplies all the resources required to build applications and services completely from the Internet, without having to download or install software. PaaS services include application design, development, testing, deployment and hosting. Other services include database integration, security, scalability and storage, to name a few.

A drawback of PaaS is a lack of interoperability and portability among providers. Also, if the provider goes out of business, your applications and data will be lost, as it is all stored there.

Benefits of PaaS:
• The ability of geographically isolated development teams to work together.
• The ability to merge web services from multiple sources.
• The ability to realize cost savings from using built-in infrastructure services for security, scalability and failover, rather than obtaining and testing them separately.

Rather than purchasing servers, s/w and racks and having to pay for the datacenter space for them, you rent those resources from the service provider. Additionally, the infrastructure can be dynamically scaled up and down, based on the application's resource needs.

IaaS offers the hardware so that your organization can put whatever it wants onto it. It is sometimes also called Hardware as a Service (HaaS). Whereas SaaS and PaaS provide applications to customers, IaaS doesn't. We only talk about hardware in the cloud here.

Page 5

Cloud Deployment Models

(Diagram: Deployment Models – Private, Public, Hybrid, Community)

Private: The cloud infrastructure is available only for an organization – if you do not want your data to be shared with other tenants (parties).

Public: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Community: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns.

Hybrid: The cloud infrastructure is a composition of two or more clouds (private, community, or public).

Page 6

System Architecture

(Diagram of the stack: H/W – CPU cycles, processor speed; O/S; Web Server, App Server, DB; Application. "Cloud is everywhere")

Page 7

First movers in the cloud

Amazon is one of the first companies to offer cloud services to the public. They offer a number of cloud services:
• Elastic Compute Cloud (EC2): Offers virtual machines and extra CPU cycles.
• Simple Storage Service (S3): Allows you to store items up to 5GB in size in Amazon's virtual storage service.
• Simple Queue Service (SQS): Allows machines to talk to each other using this message passing API.
• SimpleDB: A web service for running queries on structured data in real time. This service works in close conjunction with S3 and EC2, collectively providing the ability to store, process and query datasets in the cloud.

These services are driven from the command line, so you may find them difficult to use if you are not used to working in a command line environment. Amazon's virtual machines are versions of Linux distributions, so those who are experienced with Linux will find no difficulty in using the Amazon cloud platform. Applications can be written on your own machine and then uploaded to the cloud.

You can see more about Amazon's cloud services at http://aws.amazon.com

Google offers online documents and spreadsheets and encourages developers to build features for those and other online s/w using its Google App Engine. To store data you need to use Google's database. Groups and individuals will likely get the most out of App Engine by writing a layer of Python that sits between the user and the database. You can also have a look at App Engine at http://code.google.com/appengine/

Page 8

First movers in the cloud

Microsoft's cloud computing solution is called Windows Azure, an OS that allows organizations to run Windows applications and store files and data using Microsoft's datacenters. Key components of the Azure service platform include:

• Windows Azure: Provides service hosting and management and low-level scalable storage, computation and networking.
• MS SQL Service: Provides database services and reporting.
• MS .NET Service: Provides a service-based implementation of the .NET framework.
• Live Services: Used to share, store and synchronize documents, photos and files across PCs, phones, PC apps and websites.
• MS SharePoint services and Dynamics CRM services: Used for business content, collaboration and solution development in the cloud.

MS plans the next version of Office to offer a browser-based option so that users can read and edit documents online, as well as the ability for users to collaborate using web, mobile and client versions of Office.

MS cloud offerings can be found at http://www.microsoft.com/azure/default.mspx

Page 9

Cloud Computing - Objective

Increased focus on business: Facilitates a superior user experience through agile and robust cloud services.

Faster time-to-market: The cloud uses enterprise frameworks such as authentication, authorization, user interface and workflow, which reduces overall time-to-market.

Increased business agility: Empowers business users to make effective functional changes through configuration.

Reduced operational costs: Pay-as-you-use model; low maintenance and support; reduces hardware, software, licensing and development costs.

Page 10

Cloud Computing - Benefits

Scalability – If you are anticipating a huge upswing in computing needs, cloud computing can help you manage. Rather than having to buy, install and configure new equipment, you can buy additional CPU cycles or storage from a third party at the click of a button and let them handle the installation and configuration for you. Since you pay per use, your actual costs will be lower than if you had bought the equipment outright.

Simplicity – The cloud solution makes it possible to get your application started immediately, and it costs a fraction of what it would cost to implement an on-site solution.

Knowledgeable Vendors – The first comers to cloud computing are very reputable companies: Amazon, Google, Microsoft, IBM, Yahoo and lately Apple. They have offered reliable services and plenty of capacity, and we get some brand familiarity with these well-known names.

More internal resources – By shifting your non-mission-critical data needs to a cloud, resources are freed up to work on important, business-related tasks. Network outages are a nightmare for IT staff; this burden is offloaded onto the cloud service provider.

Security – There are security risks when using a cloud, but the reputable companies strive to keep you safe and secure. Vendors have strict privacy policies and are auditable by external auditors. They have in place proven cryptographic methods to authenticate users.

Page 11

When No to Cloud Computing

• Regulated environments
• Geopolitical concerns
• Hardware dependencies
• Server control
• Cost
• Lack of need
• Integration
• Latency concerns
• Throughput demands

Page 12

Cloud Security – Concerns & Assurance

Security is one of the topmost concerns in the cloud environment. Though reliable and reputable cloud service providers can be trusted to provide us a safe and secure service, concerns are still growing and we need to look at them seriously before putting our data into the cloud. Note, though, that data on our own servers is also not secure if those servers can be reached via the internet or a VPN.

The provider must ensure that their infrastructure is secure and that their clients' data and applications are protected, while the customer must ensure that the provider has taken the proper security measures to protect their information.

(Diagram of concerns: DoS attack; unauthorized access; technologies; audit trails; policies; privacy issues)

Cloud security architecture is effective only if the correct defensive implementations are in place. An efficient cloud security architecture should recognize the issues that will arise with security management. The security management addresses these issues with security controls. These controls are put in place to safeguard any weaknesses in the system and reduce the effect of an attack.

(Diagram: Cloud Computing Security – preventative controls; detective controls; corrective controls; compliance issues)

Correct security controls should be implemented according to asset, threat and vulnerability risk assessment matrices. While cloud security concerns can be grouped into any number of dimensions (Gartner names seven¹), these dimensions have been aggregated into three general areas: Security and Privacy, Compliance, and Legal or Contractual Issues.

¹ Gartner: Seven cloud-computing security risks

(Diagram: application security; IDM policy; legal issues; HIPAA / PCI-DSS / SOX)

Page 13

Cloud Security - Benefits

• Centralized data
• Monitoring
• Reduced data loss
• Security testing
• Instant swap over

Page 14

Cloud Computing - Trends

Page 15

Cloud Computing - Gartner Predictions for 2014 and Beyond

Industry predictions:
• By 2016, poor return on equity will drive more than 60% of banks worldwide to process the majority of their transactions in the Cloud.
• By 2017, 40% of utilities with smart metering solutions will use cloud-based big data analytics to address asset-, commodity-, customer- or revenue-related needs.

Gartner recently shared the Top 10 strategic technology trends for 2014:

Mobile device diversity and management - BYOD

Mobile apps and applications

Hybrid Cloud and IT as service broker

Cloud/Client architecture

The era of personal Cloud

Web-scale IT

As mobile users continue to demand more complex uses of their mobile technologies, it will drive a need for higher levels of server-side computing and storage capacity.

The push for more personal cloud technologies will lead to a shift toward services and away from devices. The type of device one has will be less important, as the personal cloud takes over some of the role that the device has traditionally had, with multiple devices accessing the personal cloud.

Large cloud services providers such as Amazon, Google, Salesforce.com, and the like are re-inventing the way in which IT services can be delivered. The suggestion is that IT organizations should align with and emulate the processes, architectures, and practices of these leading Cloud providers. The combination of the aforementioned three among others is how Gartner defines “Web-scale IT.”

Gartner suggests that bringing together personal Clouds and external private Cloud services is essential. Enterprises should design private Cloud services with a hybrid future in mind and make sure future integration/interoperability is possible.

Page 16

Cloud Attributes

• Scalability
• Availability
• Reliability
• Adaptability
• Security
• Accountability

Page 17

Cloud Controls

Controls to be put in place for Cloud environments:

• Architecture & Design Security
• Environmental Controls
• SLA
• Service Availability
• Logical Security – Access Control
• Governance
• Regulatory Controls
• BC & DR
• Background Checks
• Physical Security
• Risk Management

Page 18

Quality / Compliance in Cloud

Before defining the approach for cloud audits / assessments, we need to have the requirements below in place:

• Expertise in terms of resources who have an understanding of the cloud services / environments.
• We should have a complete understanding of the business and IT risks. Those risks should include risks associated with data privacy, information security, and statutory and regulatory requirements.
• Define the controls (detective, corrective & preventative) to effectively mitigate those risks.
• Control testing to be performed on a frequent basis, depending upon the risk associated with the controls.
• Control testing should be defined in a way that measures the control's effectiveness.
• A governance model to be defined, which should be owned by the organization's steering committee.

(Process diagram: Business & IT Risks → Control Objectives → Control Definitions → Control Testing (on defined frequency) → Documentation of test results → Report release → Business & IT Risk review; governed by the Steering Committee / Business & IT Leadership)
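The control lifecycle described on Page 12 (preventative, detective and corrective controls) and Page 18 (controls defined per risk, tested at a risk-driven frequency, measured for effectiveness and reported to the steering committee) can be modelled as a small control register. The following Python is an added example, not part of the slides: the risk-to-interval mapping, the 80% effectiveness threshold and all sample controls and test results are constructed for illustration.

```python
"""Risk-based control register with scheduled testing and effectiveness measurement.

Added illustration (not from the slides). Assumptions: test interval is
derived from the control's risk rating, a control is 'effective' when at
least 80% of its documented tests passed, and sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class ControlType(Enum):
    PREVENTATIVE = "preventative"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"


# Assumption: higher-risk controls are tested more often (interval in days).
TEST_INTERVAL_DAYS = {"high": 30, "medium": 90, "low": 365}
# Assumption: rating threshold for "effective".
EFFECTIVE_THRESHOLD = 0.8


@dataclass
class Control:
    control_id: str
    objective: str             # the control objective this control supports
    control_type: ControlType
    risk: str                  # "high", "medium" or "low"
    results: list = field(default_factory=list)  # (test_date, passed, evidence)

    def record_test(self, test_date: date, passed: bool, evidence: str) -> None:
        """Document one control test together with the evidence relied on."""
        self.results.append((test_date, passed, evidence))

    def next_due(self):
        """Next test date: last test plus the risk-based interval (None if untested)."""
        if not self.results:
            return None
        last = max(r[0] for r in self.results)
        return last + timedelta(days=TEST_INTERVAL_DAYS[self.risk])

    def is_overdue(self, today: date) -> bool:
        due = self.next_due()
        return due is None or due < today   # a never-tested control counts as overdue

    def effectiveness(self) -> float:
        """Share of documented tests that passed; 0.0 when nothing was tested."""
        if not self.results:
            return 0.0
        return sum(1 for _, passed, _ in self.results if passed) / len(self.results)


def status_report(controls, today: date) -> dict:
    """Per-control view: type, next due date, overdue flag, effectiveness and rating."""
    report = {}
    for c in controls:
        eff = c.effectiveness()
        report[c.control_id] = {
            "type": c.control_type.value,
            "next_due": c.next_due(),
            "overdue": c.is_overdue(today),
            "effectiveness": eff,
            "rating": "effective" if eff >= EFFECTIVE_THRESHOLD else "ineffective",
        }
    return report


def steering_summary(report: dict) -> dict:
    """Counts the steering committee acts on at report release."""
    return {
        "controls": len(report),
        "overdue": sum(1 for r in report.values() if r["overdue"]),
        "ineffective": sum(1 for r in report.values() if r["rating"] == "ineffective"),
    }


def build_sample_register():
    """Constructed sample controls and test history (not real audit data)."""
    c1 = Control("C-01", "Only authorised staff reach the provider admin console",
                 ControlType.PREVENTATIVE, "high")
    c1.record_test(date(2014, 3, 1), True, "MFA enforced for all admin accounts")
    c1.record_test(date(2014, 4, 1), True, "MFA enforced for all admin accounts")
    c1.record_test(date(2014, 5, 20), False, "two admin accounts found without MFA")
    c2 = Control("C-02", "Unauthorised access attempts are reviewed",
                 ControlType.DETECTIVE, "medium")
    c2.record_test(date(2014, 1, 15), True, "monthly audit-trail review signed off")
    c2.record_test(date(2014, 4, 10), True, "monthly audit-trail review signed off")
    c3 = Control("C-03", "Data can be restored after loss at the provider",
                 ControlType.CORRECTIVE, "low")
    c3.record_test(date(2013, 2, 1), True, "annual restore test completed")
    c4 = Control("C-04", "Data residency matches regulatory requirements",
                 ControlType.PREVENTATIVE, "high")   # defined but never tested
    return [c1, c2, c3, c4]


if __name__ == "__main__":
    rep = status_report(build_sample_register(), date(2014, 6, 1))  # constructed date
    for cid, row in rep.items():
        print(cid, row)
    print(steering_summary(rep))
```

Running it with the constructed data flags C-03 and C-04 as overdue (the low-risk restore test has lapsed past its 365-day interval and C-04 was never tested) and rates C-01 ineffective because only two of its three tests passed, which is exactly the kind of exception list the Page 18 governance loop is meant to surface to the steering committee.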

Page 19

Case Study - Salesforce.com

Salesforce.com is a global cloud computing company started in 1999 and best known for its Customer Relationship Management product.

Salesforce.com disrupted the CRM industry in two different ways. First, it changed the earnings logic by applying the "rental" model (monthly payment billed based on the number of users) to an industry hitherto characterized by lump-sum licensing fees (charged for a company as a whole). The company understood that not all small businesses could afford software costing many thousands of dollars. By offering an affordable solution (a monthly fee per user) to small and medium firms, Salesforce.com cashed in on a significant blue ocean market, at the time deemed unattractive by large players as it could not be served with their current business models.

Second, Salesforce.com understood that prospective clients wanted to experiment with the product before committing to it. As a result, while other service providers were promising their clients a customized solution in exchange for commitment, the goal of Salesforce.com was to get prospective customers (specifically end-users) to try its product for free.

In 2007, Salesforce.com extended its services by launching Force.com – a customization platform for corporations. The company knew it could not provide a complete back-end customized solution. Thus, Salesforce.com opened its infrastructure to external developers by allowing them to supplement its own inputs. By making Force.com compatible with all major development environments and tools (i.e. .NET, Java, PHP, Ruby on Rails, among others), independent developers (i.e. those outside Salesforce.com) were able to integrate services ranging from simple email to Facebook and Twitter within the platform. Competitors became partners, allowing Salesforce.com to better serve existing clients and acquire new ones. In 2011, more than 340,000 developers were contributing to the Salesforce.com platform.

Page 20

Case Study - GSK: GlaxoSmithKline

GSK, the second largest pharmaceutical company in the world, chose to migrate to the cloud offering of Microsoft Business Productivity Online Suite. Everything was hosted by Microsoft in its data centers across the globe. GSK was looking for a productivity and collaboration increase from the switch.

The global implementation of Microsoft online services gave GSK numerous benefits:

a. Reduced operational cost: The migration to the cloud resulted in 30% savings in their IT operational costs.

b. Drive innovation: The subscription service can be tailored to fit growing and changing needs, so that when GlaxoSmithKline adapts to a changing market, its software adapts too.

c. Expand external collaboration: GlaxoSmithKline is aggressively driving a more externally collaborative business through all practices: research and development, manufacturing, and sales. This supports collaboration between partners and GlaxoSmithKline, allowing for a more innovative and competitive business.

d. Simplification of user experience: Moving away from the customized solutions environment, GlaxoSmithKline was looking for a simple solution that would effectively extend to the many branches, regions, and employee types internally.

Page 21

References

• www.northbridge.com
• www.wikipedia.org
• Cloud Computing – A Practical Approach by Anthony T. Velte, Toby J. Velte and Robert Elsenpeter
• www.gartner.com