Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cloud Computing NSAA Tallahassee September 2010 Brian Rue

Similar presentations

Presentation on theme: "Cloud Computing NSAA Tallahassee September 2010 Brian Rue"— Presentation transcript:

1 Cloud Computing NSAA Tallahassee September 2010 Brian Rue

2 Agenda 1)Cloud Audit Drivers 2)Cloud Deployment (SaaS, PaaS, IaaS) 3)Cloud Delivery Methods (Private, Community, Public, Hybrid) 4)Cloud Communications 5)Data/Application Data Center Geography 6)Select Cloud Legal Issues 7)Select Data Security Issues 8)Cloud Contract Review 9)Cloud Audit Program Resources 10)Cloud Resources 2

3 * Back to the Future* - Centralized Computing Architecture, Application Service Providers, and Thin Client Computing Architectures 3

4 Why State Entities Cloud - Potential to Reduce Costs Cloud technology can result in cost savings over in-house solutions. Promotes Automation Can shift (variable by cloud type) backend hardware and software support to cloud vendor reducing required staff at the client site. On-Demand Scalable architecture allows client to dial-up and dial-down computing resources to match work flows. Mobility Web User Interface allows clients to connect from any computing device using a supported Web browser. Shift IT Security Controls Client can contractually shift IT security controls to the vendor depending on the type of cloud architecture. Frees IT to Innovate Clients have less support issues to worry about allowing IT to concentrate on innovation. 4

5 5 1. Cloud Audit Drivers

6 Audit Reports 6

7 Evolving Government Guidance Legislative Interest 7

8 Outsourcing Compliance Mandated Reviews Evolving Cloud Security Controls 8

9 State Cloud Issues State Cloud Migration 9

10 Getting Confortable in the Cloud Environment 10

11 2. Three Cloud Deployment Methods 11

12 1. Software as a Service (SaaS) Vendor runs/owns: – Application Software – Platform (Operating System/Web apps/middleware/database) – Supporting Infrastructure (data center) The applications are accessible from various client devices through a thin client interface such as a web browser. 12

13 SAS Video 13

14 14 Example SaaS Product --Google Apps

15 2. Platform as a Service (PaaS) Vendor runs/owns: – Platform (Operating System/Web apps/middleware/database) – Supporting Infrastructure (data center) Client does not manage underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. 15

16 PaaS Video 16

17 3. Infrastructure as a Service (IaaS) Vendor runs/owns: – Supporting Infrastructure (data center) The client does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). 17

18 IaaS Video 18

19 19 NIST Chart

20 20 Cloud Providers

21 3. Cloud Delivery Methods 21

22 1. Private Clouds The Private Cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. 22

23 1.1 Private Clouds 23

24 2. Community Clouds The Community cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. 24

25 2.1 Community Clouds Video 25

26 3. Public Clouds The Public Cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. 26

27 3.1 Public Clouds 27

28 4. Hybrid Clouds The Hybrid Cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). 28

29 4.1 Hybrid Cloud Video 29

30 30 NIST Cloud Delivery Chart

31 4. Cloud Communications Mapping the data flows between auditee, the cloud service, and any outside customers 31

32 Understanding the Pipes Internet Secure 100 Mbps or Gigabit private networks Virtual Private Networks (VPNs) Dedicated Lines SSL/SSH Wireless Carriers (Wi-Fi/WiMax/LTE/3G) Home Networks Public Access Points Multinational 32

33 Security of the Pipes-A Cloud Security Concern (Does a Plan B Exist?) Service Disruptions – From entity ISP Internet connectivity to Denial of service attacks against Internet/Vendor infrastructure 33

34 Encrypted Communications Encrypted Cloud Contacts – Strength – Key Management Vendor Retains Encryption Keys Entity Retains Keys 34

35 Data Packet 54 Where are You ? 5. Data Center Geography 35

36 Cloud Vendors Maintain Data Centers in Multiple Locations Across the Globe 36

37 Location, Location, Location 37 Cloud vendors can have the ability to port client data and application processing across borders absent contractual geographical restrictions.

38 One prominent SaaS provider has been identified as not being able to state, definitively, where one's data is hosted or that its location will be restricted to any given region. 38

39 39

40 More Secrecy from Vendors According to Network World, “Cloud service providers often cultivate an aura of secrecy about data centers and operations, claiming this stance improves their security even if it leaves everyone else in the dark”; these providers often believe that such secrecy is an integral part of the cloud-computing business model. 40

41 6. Select Legal Issues 41

42 IMPORTANT: Cloud Vendors do not always know if entity is using cloud resources to store and/or process data that is protected by State, Federal, or Contractual Obligations…. 42

43 HIPAA/HITECH – Note requirements concerning the terms between audited entity and the business associate contract (BAC) which HIPAA/HITECH requires these parties to have. HITECH does create security obligations for Business Associates (BAs) with responsibility for joint IT environments. Additional issues concern BAs ability to monitor entity’s environment to ensure any privacy/security issues are promptly communicated to contracted entity. PCI DSS – Cloud use for credit card processing must include cloud contract provisions concerning the cloud vendors duties as a Service Provider under PCI DSS including the vendors obligation to maintain a compliant cloud environment. State Privacy Laws – Contracted cloud provisions should match the appropriate state security or privacy laws. Business Associates – State Laws – Service Providers 43

44 e-Discovery in the Cloud cloud provider possession and custody but delegation of control to a customer Has the auditee developed e-discovery procedures including getting information off the cloud when a request is made? Has the auditee reviewed and validated controls used to of protect the cloud documents to counter potential legal challenges? – How does the entity ensure documents are not moved to geographical locations that may put e- document integrity at risk? 44

45 Subpoenas State or Federal Subpoenas could be issued against data/logs held by the cloud vendor – Subpoena procedures may result in customer data/logs being reviewed even if customer data is not part of subpoena due to multi-tenant cloud architecture if data is not encrypted and key held by client. There may be not judicial oversight requiring the cloud vendor to alert the client of the subpoena activity involving client data or network logs 45

46 7. Cloud Data Security Issues 46

47 Security Issues Vendor connections to entity data security systems – Vendor may have access to local authentication and authorization assets maintained by client (i.e. Active Directory) through hosted apps and databases Lack of client audit clauses Data encryption keys controlled by cloud vendor not entity Lack of vendor logs (Application/Database/Network) or limited access logs to vendor logs Slack vendor change management/patching procedures Unclear vendor incident response procedures (timely alerts?) Loss of physical control of data assets – Controlling movement of data assets geographically – Increased security issues in virtual environments 47

48 Top Cloud Client Security Fails 0.0% development of client risk assessment to understand and develop appropriate control and monitoring procedures to ensure CIA in the cloud and end-points Client gives up ownership or responsibility or governance of what's going on with their data to cloud service providers 48

49 Contracted Security Cloud vendors will construct security clauses in client contracts that best protect the legal interest of the vendor and not necessarily the client: – Vendor may not define security standards they will follow to protect client assets – Vendor may not define procedures for the timely application of security patches to purchased infrastructure – Most vendors contractually prohibit client vulnerability and PII scans of purchased cloud environment – Not specify what privacy or data security laws they must comply with. 49

50 SAS 70 - ISO/IEC 27002 – SSAE No. 16 The Vendor Entity Contracting Guidelines or Procedures 50 SSAE No. 16

51 8. Cloud Contract Review 51

52 It’s All About the Contracts The majority of your program audit hours will be allocated to cloud contract review 52

53 9. Developing a Cloud Audit Program 53

54 54 ISACA – Cloud Computing Management Audit/Assurance Program

55 55

56 56

57 10. Cloud Auditing Resources 57

58 58 GSA Cloud Guidance

59 59 Cloud Federal Privacy Recommendations

60 60 CSA Cloud Security Guidance

61 61 NIST Cloud Presentations

62 62 Questions

Download ppt "Cloud Computing NSAA Tallahassee September 2010 Brian Rue"

Similar presentations

Ads by Google