www.isaca.org: Cloud Computing Risk Assessments, Donald Gallien, March 31, 2011.


Cloud Computing Risk Assessments Donald Gallien March 31, 2011

2 Overview
– Cloud Computing Refresher
– Assessing Cloud Computing Universe Completeness
– Using a Cloud Computing Risk Ranking Model
– Risk Ranking Case Study

3 Quiz
What do the following have in common?
– Paisley GRC
– Salesforce.com
– Amazon EC2
– Google Apps
– Microsoft Business Productivity Online Suite (BPOS)
– Rackspace
– WebEx

Cloud Computing Refresher

5 Cloud Computing Basics
– Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid (Source: Wikipedia)
– Based on virtualization and abstraction of the underlying infrastructure
– IT Audit Risk is largely driven by:
  – Deployment Model
  – Service Model
  – Nature of Applications & Data in Cloud

6 Deployment Models (Source: NIST)
Model | Definition | Example
Public | Available to the general public or a large industry group | Google Apps (Free)
Community | Shared by several organizations and supports a specific community that has shared concerns | Google Apps for Government
Private | Operated solely for an organization | Microsoft BPOS for a Business

7 Service Models (Source: NIST)
Model | Definition | Example
Infrastructure as a Service (IaaS) | Fundamental computing resources to deploy software, including OS and applications | Rackspace Cloud
Platform as a Service (PaaS) | Applications based on programming languages and tools supported by the cloud provider | Force.com
Software as a Service (SaaS) | Cloud provider applications running on a cloud infrastructure | Salesforce.com (CRM)

8 Another Way to Look at Service Models
(Diagram: SaaS, PaaS and IaaS arranged along a "Provider Control" axis, with WebEx, BPOS and Amazon EC2 given as examples.)

9 Deployment Model Risk Profile
(Diagram: "Likelihood of Data Security, Privacy, and Control Breach" on an axis from Higher to Lower, with the Public, Private and Community deployment models placed along it.)

10 Service Model Risk Profile
(Diagram: "Impact of Loss of Control & Security Breach" on an axis from Higher to Lower, with the IaaS, SaaS and PaaS service models placed along it.)

11 Cloud Refresher Summary
– Public clouds are inexpensive, but provide less security and service
– Private clouds are expensive, but align better with technology and security standards
– IaaS models are very broad in scope, but organizations maintain more control
– SaaS models are narrow in scope, but organizations relinquish almost all control
What is the impact of cloud computing on the IT audit function?

12 But one thing never changes
All IT Audit and Governance groups must:
1. Identify a Universe
2. Risk Rank the Universe
3. Provide Appropriate Coverage based on Risk

Assessing Cloud Computing Universe Completeness

14 The Cloud Universe Challenge
The cloud is: Dynamic, Flexible, Transient, Abstract, Rapidly Deployed

15 Finding the Clouds
Control points for identifying cloud computing:
– Technology Governance
– Firewalls & Encryption Certificates
– Invoices / Time & Expense Reporting
– Process Walkthroughs

16 Technology Governance
– Oversight
– Technology Approvals
– Partner Approvals
How does your organization promote controlled cloud computing?

17 Firewalls and Encryption Certificates
– Firewall & VPN Rule Changes
– Firewall Logs
– Encryption Certificate Requests
Cloud computing environments are unlikely to stand alone.

18 Invoices / T&E Reporting
– Vendor Master
– Invoice Lists
– T&E Reporting
How much does it cost to deploy a cloud based service at Google?

19 Process Walkthroughs
– Business Process
– Data Flow
– Technology Overview
Has anyone discovered cloud based computing in a walkthrough meeting?

20 Summary – Universe Completeness
– Cloud computing can be difficult to identify
– Traditional technology governance, security, and procurement controls can be used to identify cloud computing
– Users and business analysts could be your best source of cloud computing information
What else can you do to identify cloud computing?
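The universe-completeness idea on slides 15 to 20, worked as an added example (not part of the presentation): the control points the slides name (firewall logs, certificate requests, the vendor master) are swept for the providers quizzed on slide 3, and anything found that is missing from the technology/partner approvals register is reported as a gap in the cloud universe. The provider hostname fragments, the log format and all records are constructed assumptions.

```python
# Assumed provider indicators: provider name -> substrings that may appear in
# firewall destination hostnames, certificate subjects or vendor master names.
# The provider names come from slide 3; the fragments are assumptions.
PROVIDER_INDICATORS = {
    "Salesforce.com": ["salesforce.com", "force.com", "salesforce"],
    "Amazon EC2": ["amazonaws.com", "amazon web services"],
    "Google Apps": ["google.com", "google"],
    "Rackspace": ["rackspace.com", "rackspace"],
    "WebEx": ["webex.com", "webex"],
    "Microsoft BPOS": ["microsoftonline.com", "bpos"],
}

# Constructed control-point records (not real data; format is assumed).
FIREWALL_LOG = [
    "2011-03-14 09:12:01 ALLOW src=10.20.1.15 dst=na1.salesforce.com:443",
    "2011-03-14 09:12:07 ALLOW src=10.20.1.16 dst=ec2-54-12-8-9.compute-1.amazonaws.com:22",
    "2011-03-14 09:15:44 ALLOW src=10.20.1.15 dst=intranet.example.local:80",
]
VENDOR_MASTER = ["Rackspace US Inc", "Acme Office Supplies", "WebEx Communications"]
CERT_REQUESTS = ["sso.example.com", "mail.microsoftonline.com"]
APPROVED = {"Salesforce.com", "WebEx"}  # technology / partner approvals register

def identify(record):
    """Return the provider a record points at, or None if it looks internal."""
    lower = record.lower()
    for provider, fragments in PROVIDER_INDICATORS.items():
        if any(f in lower for f in fragments):
            return provider
    return None

def cloud_universe(firewall, vendors, certs):
    """Map each provider observed to the set of control points that revealed it."""
    found = {}
    sources = (("firewall", firewall), ("vendor master", vendors), ("cert request", certs))
    for source, records in sources:
        for record in records:
            provider = identify(record)
            if provider:
                found.setdefault(provider, set()).add(source)
    return found

def universe_gaps(found, approved):
    """Providers in use that governance never approved: the incomplete part of the universe."""
    return sorted(p for p in found if p not in approved)

if __name__ == "__main__":
    observed = cloud_universe(FIREWALL_LOG, VENDOR_MASTER, CERT_REQUESTS)
    for provider, via in sorted(observed.items()):
        print(f"{provider}: seen via {', '.join(sorted(via))}")
    print("Not in approvals register:", universe_gaps(observed, APPROVED))
```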

Using a Cloud Computing Risk Ranking Model

22 A few thoughts before we start
– Risk models include elements of judgment and must fit the organization
– Some model assumptions may be completely wrong for your organization; we should have a lot of debate on this topic
– Risk ranking scores must drive governance requirements and audit activities

23 Cloud Risk Ranking Example

24 Potential Governance & Audit Requirements

25 Deployment Model Considerations
Rating | High | Medium | Low
Deployment Model | Public | Community | Private
High (Public):
– Security and privacy are not a priority
– Service level agreements may not exist
Low (Private):
– Private environments provide adequate security and privacy
– Service level agreements should exist

26 Service Model Considerations
Rating | High | Medium | Low
Service Model | IaaS | PaaS | SaaS
High (IaaS):
– Issues may impact all hosted applications and data
– No control over foundational general controls
Medium / Low:
– PaaS: Impact limited to outsourced platform
– SaaS: Impact limited to applications and data

27 Data Security Considerations
Rating | High | Medium | Low
Security Level | Secret | Restricted | Unclassified
High (Secret):
– Difficult to enforce security standards when outsourcing
– Difficult to demonstrate compliance with regulations like GLBA
Low (Unclassified):
– Security and privacy are not a concern (good candidate for cloud computing)

28 Physical Hosting Site Considerations
Rating | High | Medium | Low
Hosting Site | Undefined | International Location | Domestic Location
High (Undefined):
– May result in cross border data protection regulatory issues
– Difficult to demonstrate compliance with regulations like GLBA
Low (Domestic Location):
– Minimizes concerns about cross border data protection regulations

29 SOX Criticality Considerations
Rating | High | Medium | Low
SOX Critical | Yes | | No
High (Yes):
– SAS 70 reports may not cover SOX critical application controls
– Business units may not have visibility or access to test SOX controls
Low (No):
– Non SOX critical applications may be good candidates for cloud computing

30 Dependent Applications
Rating | High | Medium | Low
Number of Apps | Greater than 10 | 4 to 9 | Less than 3
High (> 10):
– Implies complexity and greater organizational significance
Low (< 3):
– Implies simplicity and less organizational significance

31 Recovery Time Objectives (RTO) Considerations
Rating | High | Medium | Low
RTO | 4 Hours | 7 Days | 31 Days
High (4 Hours):
– Implies increased business importance
– Cloud provider may lack geographic diversity
– Single points of failure may exist in network
Low (31 Days):
– Implies lower business importance; good candidate for cloud computing

32 Regions Supported Considerations
Rating | High | Medium | Low
Region | Europe or Global | United States | All Other
High (Europe / Global):
– Strictest cross border data protection regulations, which can be at odds with abstract cloud computing
Low (All Other):
– "Other" countries may have less restrictive cross border data protection regulations

33 Summary – Cloud Risk Ranking Models
– Cloud risk ranking attributes and scoring must vary based on environment and need
– Risk attributes and scoring require alignment with organizational standards
What other risk attributes might you use, and how would you rank them on a high, medium, low basis?
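The eight attribute tables on slides 25 to 32 turned into a scorer, as an added example rather than the presenter's own model: each attribute is rated High, Medium or Low exactly as the slides define it, and the ratings are combined into an overall rank. The numeric weights, the equal weighting of attributes, the overall score bands, the rounding of the gaps the slides leave (exactly 3 or 10 dependent applications, RTOs between the anchors) and the two sample universe entries are all assumptions, which is the kind of organization-specific judgment slide 33 says the model must accommodate.

```python
from enum import IntEnum

class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Per-attribute ratings follow the High/Medium/Low tables on slides 25-32.
# Weights (Low=1, Medium=2, High=3), equal attribute weighting and the
# overall score bands are assumptions made for this example.
def rate_deployment(model):
    return {"Public": Rating.HIGH, "Community": Rating.MEDIUM, "Private": Rating.LOW}[model]

def rate_service(model):
    return {"IaaS": Rating.HIGH, "PaaS": Rating.MEDIUM, "SaaS": Rating.LOW}[model]

def rate_data(level):
    return {"Secret": Rating.HIGH, "Restricted": Rating.MEDIUM, "Unclassified": Rating.LOW}[level]

def rate_hosting(site):
    return {"Undefined": Rating.HIGH, "International": Rating.MEDIUM, "Domestic": Rating.LOW}[site]

def rate_sox(critical):
    return Rating.HIGH if critical else Rating.LOW

def rate_dependent_apps(n):
    # Slide 30: > 10 / 4 to 9 / < 3; exactly 3 and 10 fall in gaps and are rated up (assumption).
    return Rating.HIGH if n >= 10 else Rating.MEDIUM if n >= 3 else Rating.LOW

def rate_rto(hours):
    # Slide 31 anchors: 4 hours / 7 days / 31 days; values between anchors round up (assumption).
    return Rating.HIGH if hours <= 4 else Rating.MEDIUM if hours <= 7 * 24 else Rating.LOW

def rate_region(region):
    return {"Europe": Rating.HIGH, "Global": Rating.HIGH, "United States": Rating.MEDIUM}.get(region, Rating.LOW)

def risk_rank(svc):
    """Return (per-attribute ratings, total score, overall High/Medium/Low rank)."""
    ratings = {
        "deployment": rate_deployment(svc["deployment"]),
        "service": rate_service(svc["service"]),
        "data": rate_data(svc["data"]),
        "hosting": rate_hosting(svc["hosting"]),
        "sox": rate_sox(svc["sox_critical"]),
        "dependent_apps": rate_dependent_apps(svc["dependent_apps"]),
        "rto": rate_rto(svc["rto_hours"]),
        "region": rate_region(svc["region"]),
    }
    score = sum(ratings.values())  # ranges from 8 (all Low) to 24 (all High)
    overall = "High" if score >= 19 else "Medium" if score >= 13 else "Low"
    return ratings, score, overall

# Constructed sample universe entries (not real services).
SAMPLE_UNIVERSE = {
    "hr-iaas": dict(deployment="Public", service="IaaS", data="Secret", hosting="Undefined",
                    sox_critical=True, dependent_apps=12, rto_hours=4, region="Europe"),
    "team-wiki": dict(deployment="Private", service="SaaS", data="Unclassified", hosting="Domestic",
                      sox_critical=False, dependent_apps=2, rto_hours=31 * 24, region="Australia"),
}
```

Run `risk_rank(SAMPLE_UNIVERSE["hr-iaas"])` to see an entry that scores High on every attribute; the score bands are the knob to adjust when the ranking must feed organization-specific governance and audit coverage.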

Risk Ranking Case Study

35 Conclusions
– Business and technology leaders are embracing cloud computing; it is here to stay and growing
– Cloud computing standards and risk ranked cloud universes are foundational requirements for governance
– We must adjust our approach to remain relevant

36 Questions Contact Information: