Published by Imogene Bailey. Modified over 9 years ago.
Slide 1: Securing and Auditing Cloud Computing
Jason Alexander, Chief Information Security Officer
Slide 2: What is Cloud Computing
“A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
5 essential characteristics
3 cloud service models
4 cloud deployment models
Slide 3: Essential Characteristics
On-demand service – Computing capabilities as needed, often from a user portal allowing self-provisioning
Broad network access – Services available over the net using desktop, laptop, PDA, mobile phone
Resource pooling – Provider resources pooled to serve multiple clients; users are often sharing the same physical machines
Rapid elasticity – Ability to quickly scale in/out service levels to meet demand
Measured service – Services based on metering, usually measured in service/timeframe
Slide 4: Service Models
Software as a Service (SaaS) – Users access the application; provider manages the network, servers, OS, storage, application, and infrastructure
Platform as a Service (PaaS) – User deploys their application; provider supports servers, network, storage, and infrastructure
Infrastructure as a Service (IaaS) – User controls application, OS, storage, apps, selected network components; provider controls the infrastructure
Slide 5: Deployment Models
Public – Cloud infrastructure is available to the general public, owned by a provider selling cloud services
Private – Cloud infrastructure for a single customer only; may be managed by the customer or a 3rd party, on or off premise
Community – Cloud infrastructure shared by several customers that have shared concerns; managed by the customers or a 3rd party
Hybrid – Combination of clouds bound by standard or proprietary technology
Slide 6: A Practical Example
Slide 7: Before Moving to the Cloud
Identify the asset, application, or information for deployment
– Data type and sensitivity level
– Application/Function/Process
Evaluate the asset
– How important is the data or the functionality to the organization?
Identify the stakeholders
Slide 8: Asset Evaluation
How would we be harmed if:
– The asset became widely public and widely distributed
– An employee of our cloud provider accessed the asset
– The process or function were manipulated by an outsider
– The process or function failed to provide expected results
– The info/data was unexpectedly changed
– The asset were unavailable for a period of time
Does the deployment type address the required security?
Slide 9: Understand the Flow of Data
Can data be used in unintended ways?
How can data move in/out of the cloud?
What is your risk tolerance for loss of data?
Slide 10: Cloud Computing Architecture
Slide 11: Cloud Computing Governance
Cloud computing governance is not much different than a traditional governance program.
– Need to establish processes and controls
– Effective information security program
– Providers must provide documentation
– Service Level Agreements
Slide 12: What Should Audit Consider
Physical
– Where are the servers physically located?
– What are the governing laws of that area?
Compliance
– Can the provider show a recent SAS 70 Type II, ISO 27001/2, or SSAE 16 Type II audit statement?
– Contractual “Right to Audit” clause
Slide 13: What Should Audit Consider
Legal
– E-Discovery
– Ownership of data
– Clearly defined roles and responsibilities
– Rights during separation
Auditability
– What regulations impact cloud services
– Regulatory impact on data security
Slide 14: What Should Audit Consider
Data Life Cycle
– Data storage requirements
– Commingling of data
Disaster Recovery
– Disaster Recovery Plan
– Recovery Time Objectives (RTOs)
Slide 15: What Should Audit Consider
Information Security
– Information security is not always a first priority
– Is an “Incident” clearly defined?
– Does the provider meet regulatory requirements?
Application Security
– Does the provider have a defined Software Development Life Cycle?
Slide 16: What Should Audit Consider
Encryption
– Encrypt all data in transit, at rest, and on backup media
– Encryption standards
Identity and Access Management
– Provisioning, deprovisioning
– User authentication
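The two checklist items on this slide (encryption in transit, at rest and on backup media; provisioning, deprovisioning and authentication) are the kind an auditor can turn into repeatable checks over a provider's configuration export. The script below is an added illustration, not material from the presentation: it runs those checks over a constructed inventory of services and accounts, using hypothetical names and fields. It treats TLS 1.2 or newer as the accepted minimum and MFA as one assumed authentication criterion; both are assumptions, not something the slide states.

```python
"""Audit checks for the Encryption and IAM items of the slide's checklist.
Added example with a constructed inventory; the service names, account
names and field layout are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Service:
    name: str
    tls_min_version: Optional[str]   # None means the service accepts plaintext
    encrypted_at_rest: bool
    backups_encrypted: bool          # covers the "backup media" item


@dataclass
class Account:
    user: str
    active: bool
    termination_date: Optional[date]  # set by HR when the person leaves
    mfa_enabled: bool                 # assumed authentication criterion


# Assumption: TLS 1.2 and 1.3 are the accepted minimum for data in transit.
ACCEPTED_TLS = {"1.2", "1.3"}

# Constructed sample inventory (hypothetical services and users).
INVENTORY = [
    Service("web-portal", "1.2", True, True),
    Service("legacy-ftp", None, False, False),
    Service("reporting-db", "1.0", True, False),
]
ACCOUNTS = [
    Account("alice", True, None, True),
    Account("bob", True, date(2024, 5, 15), True),    # left, still active
    Account("carol", False, date(2024, 1, 1), True),  # correctly deprovisioned
    Account("dave", True, None, False),               # active without MFA
]
AS_OF = date(2024, 6, 1)  # constructed audit date

Finding = Tuple[str, str]


def audit_encryption(services: List[Service]) -> List[Finding]:
    """One finding per missing control: in transit, at rest, backup media."""
    findings: List[Finding] = []
    for s in services:
        if s.tls_min_version is None:
            findings.append((s.name, "data in transit is not encrypted"))
        elif s.tls_min_version not in ACCEPTED_TLS:
            findings.append((s.name, f"TLS {s.tls_min_version} is below the accepted minimum"))
        if not s.encrypted_at_rest:
            findings.append((s.name, "data at rest is not encrypted"))
        if not s.backups_encrypted:
            findings.append((s.name, "backup media are not encrypted"))
    return findings


def audit_access(accounts: List[Account], as_of: date) -> List[Finding]:
    """Deprovisioning gaps (terminated but active) and weak authentication."""
    findings: List[Finding] = []
    for a in accounts:
        if a.active and a.termination_date is not None and a.termination_date <= as_of:
            days = (as_of - a.termination_date).days
            findings.append((a.user, f"terminated {days} days ago but still active"))
        if a.active and not a.mfa_enabled:
            findings.append((a.user, "active account without MFA"))
    return findings


def run_audit() -> List[Finding]:
    """Combined report over the constructed inventory, in checklist order."""
    return audit_encryption(INVENTORY) + audit_access(ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for subject, issue in run_audit():
        print(f"{subject}: {issue}")
```

On the constructed data the report lists five encryption findings (three for legacy-ftp, two for reporting-db) and two access findings (bob's stale account, dave's missing MFA); the compliant web-portal service and the correctly deprovisioned carol account produce nothing, which is the behaviour an auditor wants before pointing the checks at a real export.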
Slide 17: Final Thoughts
Cloud computing should not be scary.
Decide on Public or Private depending on risk.
With governance, risk management, an information security policy and auditing, a cloud implementation can be as secure as a traditional implementation.
Slide 18: References
Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 – http://www.cloudsecurityalliance.org
NIST Cloud Model – www.csrc.nist.gov/groups/SNS/cloud-computing/index.html
Pizza as a Service – Albert Barron, Sr. Software Client Architect at IBM – https://www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service