Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer

What is Cloud Computing “ A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” 5 essential characteristics 3 cloud service models 4 cloud deployment models

Essential Characteristics On-demand service – Computing capabilities as needed, often from a user portal allowing self-provisioning Broad Network Access – Services available over the net using desktop, laptop, PDA, mobile phone Resource pooling – Provider resources pooled to server multiple clients, Users are often sharing the same physical machines Rapid Elasticity – Ability to quickly scale in/out service levels to meet demand Measured service – Services based on metering, usually measured in service/timeframe

Service Models Software as a Service (SaaS) – Users access application, Provider manages the network, servers, OS, storage, application, & infrastructure Platform as a Service (PaaS) – User deploys their application, Provider supports servers, network, storage, & infrastructure Infrastructure as a Service (IaaS) – User controls application, OS, storage, apps, selected network components, Provider Controls the infrastructure

Deployment Models Public – Cloud infrastructure is available to the general public, owned by provider selling cloud services Private – Cloud infrastructure for single customer only, may be managed by the customer or a 3 rd party, on or off premise Community – Cloud infrastructure shared by several customers that have shared concerns, managed by customers or 3 rd party Hybrid – Combination of clouds bound by standard or proprietary technology

A Practical Example

Before Moving to the Cloud Identify the asset, application, or information for deployment – Data type and sensitivity level – Application/Function/Process Evaluate the asset – How important is the data or the functionality to the organization. Identify the stakeholders

Asset Evaluation How would we be harmed if the asset became widely public & widely distributed An employee of our cloud provider accessed the asset The process of function were manipulated by an outsider The process or function failed to provide expected results The info/data was unexpectedly changed The asset were unavailable for a period of time Does the deployment type address required security

Understand the Flow of Data Understand the flow of data Can data be used in unintended ways How can data move in/out of the cloud What is your risk tolerance for loss of data

Cloud Computing Architecture

Cloud Computing Governance Cloud computing governance is not much different than a traditional governance program. – Need to establish processes and controls – Effective Information Security Program – Providers must provide documentation – Service Level Agreements

What Should Audit Consider Physical – Where are the server physically located – What are the governing laws of that area Compliance – Can the provider show a recent SAS 70 Type II, ISO 27001/2, SSAE 16 Type II audit statement? – Contractual “Right to Audit” clause

What Should Audit Consider Legal – E-Discovery – Ownership of data – Clearly defined roles and responsibilities – Rights during separation Auditability – What regulations impact cloud services – Regulatory impact on data security

What Should Audit Consider Data Life Cycle – Data storage requirements – Comingling of data Disaster Recovery – Disaster Recovery Plan – Recovery Time Objectives (RTOs)

What Should Audit Consider Information Security – Information security is not always a first priority – Is an “Incident” clearly defined – Does the provider meet regulatory requirements Application Security – Does the provider have a defined Software Development Life Cycle

What Should Audit Consider Encryption – Encrypt all data in transit, at rest, backup media – Encryption Standards Identity and Access Management – Provisioning, deprovisioning – User authentication

Final Thoughts Cloud computing should not be scary. Decide on Public or Private depending on risk. With the governance, risk management, information security policy and auditing, a cloud implementation can be as secure a traditional implementation.

References Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 – NIST Cloud Model – computing/index.html computing/index.html Pizza as a Service – Albert Barron, Sr. Software Client Architect at IBM – pizza-as-a-service pizza-as-a-service