Securing and Auditing Cloud Computing
  Jason Alexander, Chief Information Security Officer
What is Cloud Computing
  “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
  5 essential characteristics
  3 cloud service models
  4 cloud deployment models
Essential Characteristics
  On-demand service – Computing capabilities as needed, often from a user portal allowing self-provisioning
  Broad Network Access – Services available over the net using desktop, laptop, PDA, mobile phone
  Resource pooling – Provider resources pooled to serve multiple clients; users are often sharing the same physical machines
  Rapid Elasticity – Ability to quickly scale in/out service levels to meet demand
  Measured service – Services based on metering, usually measured in service/timeframe
Service Models
  Software as a Service (SaaS) – Users access application; provider manages the network, servers, OS, storage, application, & infrastructure
  Platform as a Service (PaaS) – User deploys their application; provider supports servers, network, storage, & infrastructure
  Infrastructure as a Service (IaaS) – User controls application, OS, storage, apps, selected network components; provider controls the infrastructure
Deployment Models
  Public – Cloud infrastructure is available to the general public, owned by provider selling cloud services
  Private – Cloud infrastructure for single customer only, may be managed by the customer or a 3rd party, on or off premise
  Community – Cloud infrastructure shared by several customers that have shared concerns, managed by customers or 3rd party
  Hybrid – Combination of clouds bound by standard or proprietary technology
A Practical Example
Before Moving to the Cloud
  Identify the asset, application, or information for deployment
    – Data type and sensitivity level
    – Application/Function/Process
  Evaluate the asset
    – How important is the data or the functionality to the organization?
  Identify the stakeholders
Asset Evaluation
  How would we be harmed if
    – The asset became widely public & widely distributed
    – An employee of our cloud provider accessed the asset
    – The process or function were manipulated by an outsider
    – The process or function failed to provide expected results
    – The info/data was unexpectedly changed
    – The asset were unavailable for a period of time
  Does the deployment type address required security?
Understand the Flow of Data
  Understand the flow of data
  Can data be used in unintended ways?
  How can data move in/out of the cloud?
  What is your risk tolerance for loss of data?
Cloud Computing Architecture
Cloud Computing Governance
  Cloud computing governance is not much different than a traditional governance program.
    – Need to establish processes and controls
    – Effective Information Security Program
    – Providers must provide documentation
    – Service Level Agreements
What Should Audit Consider
  Physical
    – Where are the servers physically located?
    – What are the governing laws of that area?
  Compliance
    – Can the provider show a recent SAS 70 Type II, ISO 27001/2, SSAE 16 Type II audit statement?
    – Contractual “Right to Audit” clause
What Should Audit Consider
  Legal
    – E-Discovery
    – Ownership of data
    – Clearly defined roles and responsibilities
    – Rights during separation
  Auditability
    – What regulations impact cloud services?
    – Regulatory impact on data security
What Should Audit Consider
  Data Life Cycle
    – Data storage requirements
    – Comingling of data
  Disaster Recovery
    – Disaster Recovery Plan
    – Recovery Time Objectives (RTOs)
What Should Audit Consider
  Information Security
    – Information security is not always a first priority
    – Is an “Incident” clearly defined?
    – Does the provider meet regulatory requirements?
  Application Security
    – Does the provider have a defined Software Development Life Cycle?
What Should Audit Consider
  Encryption
    – Encrypt all data in transit, at rest, backup media
    – Encryption Standards
  Identity and Access Management
    – Provisioning, deprovisioning
    – User authentication
Final Thoughts
  Cloud computing should not be scary.
  Decide on Public or Private depending on risk.
  With the governance, risk management, information security policy and auditing, a cloud implementation can be as secure as a traditional implementation.
References
  Security Guidance for Critical Areas of Focus in Cloud Computing V2.1
  NIST Cloud Model – computing/index.html
  Pizza as a Service – Albert Barron, Sr. Software Client Architect at IBM – pizza-as-a-service