1
Implementing Cloud Computing with Proper Controls
ISACA Geek Week August 12, 2014 Chuck Wysocki Clay Douglas
2
Introduction Chuck Wysocki
Frame up the conversation. Why are we talking about this? Professional and experience backgrounds
3
Controlled Cloud Computing
Here’s what we’ll talk about:
- What’s in the cloud? - Clay
- What are the risks and why should I care? - Clay
- Implementing a controlled cloud environment - Chuck
- Now what should I audit? - Clay
- How can I see through the cloud? - Chuck
4
What’s in the Cloud? Clay Douglas
5
Delivery of computing as a service. Why is it called “Cloud”?
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Source: NIST
Analogy: similar to purchasing a cell phone (the product); you are buying the product, but what you are actually purchasing is the telecommunication service.
6
The Cloud Demystified
Characteristics: on-demand self-service; broad network access; resource pooling; rapid elasticity; measured service
Service Models: PaaS, IaaS, SaaS
Delivery Models: Public Cloud, Private Cloud, Community Cloud, Hybrid Cloud
CSP - Cloud Service Provider
Reference Source: NIST Definition of Cloud Computing
7
Who’s In Charge Here?
Layers: Application Layer, Middleware Layer, Operating System Layer; each is run by either the Cloud Consumer or the Cloud Provider depending on the service model (SaaS, PaaS, IaaS).
Customer responsibilities:
- SaaS – Data only
- PaaS – Data and some middleware
- IaaS – All layers (except for underlying infrastructure)
Source: SANS Institute Cloud Security Fundamentals Course
8
Source: 2012 Cloud Computing Market Maturity Study Results CSA & ISACA (ISACA Website)
9
What are the risks and why should I care?
Clay Douglas
10
The Cloud Risk Categories
- Contract and SLAs
- Data Management
- CSP selection process
- Lack of customer due diligence
- Pre-implementation activities
- Governance over cloud activities
- Effective information security – post implementation
- Regulatory compliance – post implementation
- Operational performance – post implementation
11
Know your risks and prepare a good game plan
OR it may not go as well as you hoped!!!!
What can go wrong? Loss of Data! No right to audit clause!
Note: Any references to persons or schools are strictly coincidental and do not necessarily represent the views of the presenters or any organization represented here.
12
The Cloud Risks Review Contracts and SLAs
Contracts & SLAs do not provide terms to mitigate risk:
- No “right to audit” provisions
- Performance is not measurable
- Not reviewed by Legal
- Not aligned with mgt’s goals
- Inadequate physical security
- Data breach clause
- Inadequate portability terms
- Inadequate info. security terms
- No penalties for non-compliance
- Gaps in CSP & customer roles
- Regulatory non-compliance
- No contract termination clause
13
Data Risks: Data Conversion through Disposal
Who is responsible? Who owns it? Is Legal involved?
- Data Conversion
- Data Location
- Data Transport
- Data Breach
- Commingled Data
- Data Encryption
- Data Integrity
- HIPAA, PCI, SOX?
- Data Mgt. & Security
- Backed up, retained?
- Data Disposal
14
Lifecycle Considerations Key Risk Areas
CSP Selection: Lack of viability; Unethical behavior; Poor control of API; Backup & Recovery
Pre-implementation: Data Conversion; Ineffective status reports; Ineffective project mgt.; Mgt. of customization
Governance: Cost Overruns; Risk Management; Monitoring & Audit; Third party mgt.
Are mgt.’s goals for the cloud being accomplished? Does CSP security = Customer requirements? Does CSP + Customer security ensure compliance?
15
AICPA’s Top 10 Technology US Initiatives How do they apply to Cloud computing?
1. Managing and retaining data
2. Securing the IT environment
3. Managing IT risks and compliance
4. Ensuring privacy
5. Managing system implementation
6. Preventing and responding to computer fraud
7. Enabling decision support and analytics
8. Governing and managing IT investment and spending
9. Leveraging emerging technologies
10. Managing vendors and service providers
Source: American Institute of CPAs Website
16
Implementing a controlled Cloud environment
Chuck Wysocki
17
Will it be a stormy cloud?
Cloud is a SERVICE. Green-field to production. Agility is ideal for development environments. Focus on IAAS.
ITSM and Control processes: Provisioning; Support (Event, Incident, Problem Mgmt); Vendor Mgmt; Service Level Mgmt; SACM; Change Mgmt; Information Security Mgmt; Service Brokering
18
Traditional IT Service Management
Reference Source: ITIL® Service Design
19
Cloud Service Management
- IT as service broker/provider/manager
- IT or vendor(s) provide abstracted infrastructure
20
Top Cloud Use Cases
- Cloudbursting
- Intelligent Capacity Mgmt.
- Onboarding to ESP
- Consolidation / Migration
- Availability / DR
Reference Source: Gartner
21
Cloud provisioning agility
Standard provisioning flow: Standard Configuration, Requirements, Select Solution, Creation, Approval, Notifications, Processing, Build to Spec, Activate Components, Fulfillment, Activate Service, Confirmation & Delivery, In Service, SLA measures, Post-Fulfillment.
Accelerated provisioning can include automated entry or using Di’s mailbox.
Non-Standard (custom) configuration? Legacy provisioning.
22
Typical Cloud provisioning portal
- Single service request portal for all service requests
- Delivered through Automation & Orchestration
- Patching & Compliance
- Performance
Portal mock-up: “What do you want to do today?” Production / Development / Test / Co-Location; New Virtual / New Physical / Modify / Cancel Existing / Facility; “Select your requirements and click Continue”.
Differences between traditional provisioning methods and new: a standard front-end, components and process can deliver a tailored solution.
23
Healthy choices for the business?
24
Common Point of Reference
In the cloud, there are multiple potential providers, internal and external, each offering multiple service agreements, at a variety of inconsistent service levels and at multiple price points. A common point of reference allows “apples to apples” comparison between different service agreements.
Illustration: Azure (Plan / SLA / price), MyCloud (Option a / SLA / cost, Option b / SLA / cost, Option c / SLA / cost), Equinix, AWS X, Y, Z (Choice 1 / SLA / price through Choice 4 / SLA / price) . . . all translated into a Uniform Service Level Profile.
25
Uniform Service Level Profile
Work Load Profile, matched to: Security Level; Compliance Level; Performance Level; Availability Level; Resiliency Level; Accountability Level.
Service Agreement Profile: results in service agreements meeting the workload profile.
26
Security – How sensitive is the data?
Security Levels
Non-Sensitive
- Examples: de-sensitized test data; general information (e.g. marketing materials)
- Impact: unauthorized access would not be damaging to the company, but corruption or destruction of data would
- Requirements: authentication; role based access; log management; vulnerability management; configuration management; patching; forensics & eDiscovery
Confidential
- Examples: company sensitive; customer sensitive; live test data
- Impact: unauthorized access would have a business impact on McKesson or one or more of our customers
- Requirements: non-sensitive requirements + encryption & key management; intrusion prevention; data isolation; integrity monitoring; data loss prevention; root security
Restricted
- Examples: strategic planning; financial forecasts; mergers and acquisitions
- Impact: unauthorized access would have a severe business and/or legal impact on McKesson
- Requirements: endpoint encryption / wipe; access logging / reporting; user watermarking of documents; downloads restricted
Other agreement profiles in Appendix
27
Compliance -- what external rules apply?
Compliance Levels
- Personal Health Information (PHI): facility controls; access controls; audit controls; integrity controls; transmission controls; risk analysis
- Personal Credit Information: PCI DSS compliance; network & systems security; vulnerability management; strong access control; monitor all network access; regular security testing
- Sarbanes/Oxley (S-OX): internal system controls; prevention of altering, destruction, or falsifying of protected records; infrastructure quarterly freezes
- Department of Defense (DOD): DoD 8500 and DIACAP; authentication and encryption; physical security; boundary defense; continuity; vulnerability & incident mgmt
- Payor Contract Compliance: PHI compliance plus access strictly limited and logged; data downloads restricted; in some contracts data must reside in company facilities
- Non-USA Compliance: Canada and the European Union have distinct and much tighter personal information regulations; both require personal information be stored locally within the region
Other agreement profiles in Appendix
28
Existing IT Service Segments
Spectrum A through E. Existing environments: Traditional Development Cloud Resources; New Private Cloud Resources; Traditional Production Cloud Resources; External Development Cloud Resources.
Existing computing environments target different parts of the spectrum; however, there is significant overlap of workload use cases.
29
Multiple Cloud Solution Example
B C D E Cloud 1 Cloud 2 Cloud 3 Cloud 4 NO SERVICE NO SERVICE NO SERVICE A customer can consume any capabilities across the spectrum offered by a particular cloud environment. In this example, a customer could consume any capability from Levels A through C with Cloud 2. However, to obtain Level D capabilities, the customer would have to switch to Cloud 1. It doesn’t mean that Cloud 1 “can’t” support levels A & B. It simply means that Cloud 1 is not optimized to support levels A & B due to its support and cost profile that is optimized for high compliance, high risk, etc. environments.
30
Risk & Impact Benchmarks
Benchmarks along the spectrum (A through E): < 10 employees affected; < 100 employees affected; < 1000 employees affected; Revenue affecting; Customer facing; Regulatory / PCI Compliance. Axes: Increasing Cost, Increasing Complexity.
“Non-Production”: Dev Sandboxes, Software Pilots, Install Testing, Configuration Testing; Sandboxes, Dev Machines, QA Environments, Small team file servers
“Production”: Non Critical Systems (SharePoint, Time Tracking, Project Tracking, Ticketing, Large File Servers); Internal Business Apps (HRIS, Financial, External SharePoint); Customer Facing Apps and Sensitive Internal Apps (Oracle ERP, CRM / MRM, Cust Web/Ordering, Managed Services); Critical Customer Apps; Critical Internal Apps
Typical enterprise workload alignments across the risk & impact spectrum. There are some common benchmarks that can help determine levels of risk and impact along this spectrum.
Moderator Notes: What’s the difference between the two? 5 minutes for slides 6 & 7.
31
Results Summary
Thank you for your responses. Based on your selections, your needs are most closely aligned with Level D-1.
Sub-levels A2, B2, C1, C2, D1, E1; match by level A B C D E: Weak Match, Weak Match, Weak Match, Strong Match, OK Match.
- Broker along the spectrum of IT resources and capabilities
- Finding the optimal fit between IT capabilities and Business requirements
- Position IT Capabilities against Business Risk & Business Impact to narrow options
32
IaaS Brokering Meets the service profile at the lowest cost
Capacity brokering involves comparing different service options to find the service agreement that meets the profile of a particular workload at the lowest cost (the most efficient option).
Workload Profile: a, b, c
- Svc Agreement SLA: a, c, d - $0.50 per unit
- Svc Agreement SLA: b, c, e - $1.00 per unit
- Svc Agreement SLA: a, d, e - $1.50 per unit
- Svc Agreement SLA: a, b, c - $2.00 per unit (meets the service profile at the lowest cost)
- Svc Agreement SLA: c, d, e - $2.50 per unit
Even in the DEV environment, compliance requirements may exist, particularly when live data is in use.
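The brokering rule above, implemented as an added example (this is not code from the presentation or from McKesson IT). The first function reproduces the slide's lettered SLA terms and prices exactly; the second generalises the same selection to the deck's Uniform Service Level Profile, where each dimension is an ordered level and an agreement qualifies only if it meets or exceeds every required level and covers every required compliance regime. The sample clouds, their prices, and the two workload profiles are constructed for illustration; the dimension and level names follow the appendix slides.

```python
"""Capacity brokering: pick the cheapest service agreement that satisfies a workload profile.

Added example, not code from the presentation. Slide 32 states the rule in words; this
implements it, first with the slide's lettered SLA terms and prices, then generalised
to the deck's Uniform Service Level Profile (slide 25). Level labels, the sample clouds
and the two sample workload profiles are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Agreement:
    name: str
    unit_cost: float
    sla_terms: FrozenSet[str] = frozenset()               # lettered terms, slide 32 style
    levels: Dict[str, str] = field(default_factory=dict)  # level label per profile dimension
    compliance: FrozenSet[str] = frozenset()              # regimes the provider attests to


def broker_by_terms(profile: Iterable[str], agreements: Iterable[Agreement]) -> Optional[Agreement]:
    """Cheapest agreement whose SLA terms cover every term in the workload profile."""
    required = frozenset(profile)
    eligible = [a for a in agreements if required <= a.sla_terms]
    return min(eligible, key=lambda a: a.unit_cost, default=None)


# The five agreements and the workload profile exactly as drawn on slide 32.
SLIDE_32_AGREEMENTS = [
    Agreement("Svc 1", 0.50, frozenset("acd")),
    Agreement("Svc 2", 1.00, frozenset("bce")),
    Agreement("Svc 3", 1.50, frozenset("ade")),
    Agreement("Svc 4", 2.00, frozenset("abc")),
    Agreement("Svc 5", 2.50, frozenset("cde")),
]
SLIDE_32_WORKLOAD = "abc"

# Ordered levels per dimension (list index = strictness). Names follow the deck's
# security slide and appendix; compliance is handled as a set of regimes, not a rank.
LEVELS = {
    "security": ["non-sensitive", "confidential", "restricted"],
    "performance": ["low", "average", "high", "high-proximity"],
    "availability": ["low", "average", "high"],
    "resiliency": ["best-effort", "average", "high"],
    "accountability": ["none", "limited", "high"],
}


def rank(dimension: str, label: str) -> int:
    return LEVELS[dimension].index(label)


def meets_profile(agreement: Agreement, profile: dict) -> bool:
    """True if every required level is met or exceeded and every required regime is covered."""
    for dimension, required in profile["levels"].items():
        offered = agreement.levels.get(dimension)
        if offered is None or rank(dimension, offered) < rank(dimension, required):
            return False
    return profile["compliance"] <= agreement.compliance


def broker_by_profile(profile: dict, agreements: Iterable[Agreement]) -> Optional[Agreement]:
    """Cheapest agreement that satisfies the whole Uniform Service Level Profile."""
    eligible = [a for a in agreements if meets_profile(a, profile)]
    return min(eligible, key=lambda a: a.unit_cost, default=None)


def _levels(security, performance, availability, resiliency, accountability):
    return dict(zip(LEVELS, (security, performance, availability, resiliency, accountability)))


# Constructed sample clouds; names and unit prices are illustrative, not real providers.
SAMPLE_CLOUDS = [
    Agreement("Cloud 1", 2.50, levels=_levels("restricted", "high", "high", "high", "high"),
              compliance=frozenset({"sox", "pci", "phi"})),
    Agreement("Cloud 2", 1.20, levels=_levels("confidential", "average", "average", "average", "limited"),
              compliance=frozenset({"sox"})),
    Agreement("Cloud 3", 0.40, levels=_levels("non-sensitive", "low", "low", "best-effort", "none")),
]

# Constructed workload profiles.
SANDBOX = {"levels": _levels("non-sensitive", "low", "low", "best-effort", "none"),
           "compliance": frozenset()}
# Slide 32's caveat: a DEV workload on live patient data still carries PHI compliance,
# so the cheaper Cloud 2 is excluded even though its levels would otherwise suffice.
DEV_WITH_LIVE_DATA = {"levels": _levels("confidential", "average", "average", "average", "limited"),
                      "compliance": frozenset({"phi"})}


if __name__ == "__main__":
    print(broker_by_terms(SLIDE_32_WORKLOAD, SLIDE_32_AGREEMENTS).name)   # Svc 4 ($2.00)
    print(broker_by_profile(SANDBOX, SAMPLE_CLOUDS).name)                  # Cloud 3
    print(broker_by_profile(DEV_WITH_LIVE_DATA, SAMPLE_CLOUDS).name)       # Cloud 1
```

The compliance check is deliberately a set containment rather than an ordered level, because regimes such as PHI, PCI and S-OX are not stricter or weaker versions of one another; a provider either attests to a regime or it does not. Returning None when nothing qualifies is the signal that the workload cannot be placed on any offered agreement without either relaxing the profile or changing the contract.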
33
IAAS Features
- Consumption based
- On demand provisioning
- Capacity managed
- Commodity sharing / multi-tenant
- Location agnostic / brokered
- Always On
Layers shown: Physical Provider, IaaS, PaaS, SaaS
34
Example IAAS Provider Comparison
IaaS Reference Architecture. Support axis: NONE, BASIC, STANDARD, PREMIUM; Monthly Cost axis: LOW to HIGH.
- Basic: IaaS plus OS stack, shared, multi-tenant; cost LOW; e.g. provider A, $100-$250/mo
- Advanced: Basic plus heartbeat, basic security and basic support; cost LOW; e.g. provider B, $300-$600/mo
- Fully Managed: Advanced plus full support, security and protection; cost MEDIUM; e.g. provider B, C, $600-$1100/mo
- Compliant: Managed plus isolation and compliance; cost HIGH; e.g. provider C, $1000-$1500/mo
The 4 classes offer scaling price and support, beginning with bare technology within an external data center all the way up through full management of operations, security and compliance, providing similar support levels to current McKesson IT offerings. Of course, as we move along the Support axis, price also grows.
Takeaways: McKesson IT will deliver at the Compliant level but will be priced at or below the Fully Managed level.
35
Typical IAAS Components
MyCloud Service Bundle: MySupport (Premium, Standard, Basic); MyPlatform (Unix, X86; Shared, Dedicated); MyStorage (Tier 3, IP Opt Tiers); MyRestore (Operational). Default options are marked.
To better understand what could be included in a RC package, here are the different standard components and options.
Takeaways:
- This structure provides great flexibility to tailor your environment
- Can easily add or change components and options
36
Business Application/Service Topology
Business Application Profile: MyCloud Service and Legacy IT Services
- Server A7 - Infra Server - MyCloud
- Server B8 - Infra Server - MyCloud
- Server C9 - Infra Server - MyCloud
- Server D10 - Legacy Server (Physical)
- Server E11 - Legacy Server (Physical)
- Server F12 - Legacy Server (other)
37
Launch workstreams
- Event monitoring and management
- Onboarding and provisioning
- Configuration Management
- Operations Processes (Incident, Problem, Change)
- Vendor Management
- Product Management
- Service Level Management
- Business application pilot
- Network Management
- Storage Management
- Automation
- Change Leadership
38
Now, what should I audit? Clay Douglas
39
Approach for Auditing the Cloud Part 1
1. Determine management’s objectives for the cloud
2. Evaluate the cloud governance process
3. Identify the cloud environment implemented
4. Review contracts and SLAs
5. Review pre-implementation (if applicable)
40
Approach for Auditing the Cloud Part 2
6. Review SSAE 16 and cloud performance metrics
7. Identify relevant risks based on cloud model
8. Map risks to controls & identify gaps
9. Determine the nature & extent of testing
10. Conduct audit, report results to mgt & follow up
41
What to Audit? Reference: ISACA Cloud Computing Mgt. Audit & Assurance Pgm.
Columns: Pre-implementation / Post-implementation / Assess Maturity
Audit areas: CSP selection process; Incident response; Service Levels Mgt.; Contracts and SLAs; Monitoring and logging; Manage 3rd Parties; Due diligence activities; Application Security; Continuous service; Cloud Governance and Risk Management; Information Security: Data Security and Integrity; Change & Configuration Management; Identity & Access Mgt.; Backup and Recovery; Network Security; System Security; Review CSP audit reports and certifications; Cloud Governance; Service Desk and Incident Mgt.; Project Management; Virtualization; Configuration Mgt.; Data Conversion; Cloud performance to objectives; Data Mgt.; Map Management’s Goals to project mgt.; Third Party Mgt.; Monitor & Evaluate Internal Control; Coordination with Information Security; Legal and Regulatory Compliance; Compliance with External Requirements; Right to audit clause; Portability, Interoperability & shared technology
42
How can I see through the clouds?
Chuck Wysocki
Pre-Implementation Cloud Computing vs. Post-Implementation Cloud Computing
- Pre-implementation – you’re auditing your ability to implement controls and audit
- Post-implementation – you’re auditing actual business services and controls (e.g. commingled data, SLAs)
43
Technology Is the Tip of the Iceberg
1. Technology: cloud computing technologies
2. Processes: end-to-end processes, metrics, policies, automation
3. Business Management: business model, sourcing, cost accounting, chargeback, demand mgmt.
4. People: new and changing roles, skills
Reference Source: Gartner
44
Information Security and Operational Risk Categories Post “Go Live”
- CSP aligned security
- Identity and access mgt.
- Logging & audit trails
- Application mgt. & sec.
- Legal compliance
- Incident Response
- Denial of Service
- Virtualization processes
- Change management
- Network sec. & monitoring
- CSP backup & DR
- Physical Security
- Vulnerability mgt.
- Logging
45
Service Management process considerations
- Vendor Management
- Service Level Management
- Security Management
- Configuration Management
- Change Management
- Request Fulfillment
- Event Management
- Incident Management
- Problem Management
46
Going from “green field” to production
- Many Cloud initiatives start as “shadow IT”: small scale SAAS business applications; application development environments
- Differences in financial models (capital vs expense, purchase/lease vs usage)
- This is more a change in IT’s business model than a technology change
47
Production application hosting
Business Application Profile: MyCloud SLA and Legacy SLAs
- Server A7 - Infra Server - MyCloud
- Server B8 - Infra Server - MyCloud
- Server C9 - Infra Server - MyCloud
- Server D10 - Legacy Server (Physical)
- Server E11 - Legacy Server (Physical)
- Server F12 - Legacy Server (OSVH)
Storage OLA: SAN Storage. Data Restore OLA: Backup.
48
QUESTIONS? Inquiring minds want to know…
49
Appendix
50
Map the Risks to the Cloud Environment
Source: CSA Mapping the Cloud Model to Security Control & Compliance
51
Audit Program Sources 1 min
AUDITING GUIDANCE – ISACA: COBIT – Cloud Computing Management Audit/Assurance Program; COBIT 5
SECURITY GUIDANCE – CLOUD COMPUTING ALLIANCE (CSA): Security Guidance for Critical Areas of Focus in Cloud Computing V 3.0; Cloud Controls Matrix; other; Consensus Assessment Questionnaire
OTHER SOURCES/REFERENCES: SANS Institute; Art of Service; NIST; FedRAMP; European Network & Information Security Agency; Center for Internet Security; Defense Information Systems Agency
Why do I care about this? Value of IT performance metrics to auditors. Standards for measuring IT performance. Why should IT organizations measure performance? What should be measured? Why metric accuracy is critical: a high integrity metrics model; a process to ensure high integrity metrics; challenges to capturing high integrity metrics; a model for incorporating IT metrics into IT auditing. References to take a “deeper dive”.
52
More Cloud Sources ISACA Website
53
FedRAMP
54
APPENDIX (Chuck) 9/17/2018
55
Performance – what is acceptable throughput?
Performance Levels
- High Performance / Customer Proximity: Throughput > xx.x; Proximity: xx% of customers within xxx miles of a data center; Transaction load > xx
- High Performance: Throughput > xx.x; Transaction load > xx
- Average Performance: Throughput > xx.x; Transaction load > xx
- Low Performance: Best effort – no specific performance guarantees
Note: Traditionally performance was defined in terms of the characteristics of the physical infrastructure – bandwidth, CPUs, processor speed, etc. However, IaaS abstracts the service from the underlying infrastructure. In the cloud, performance is measured in terms of business impact – throughput. We need to develop means of measuring and holding providers accountable for end-to-end throughput.
56
Availability – what is acceptable uptime?
Availability Levels
- High Availability: 99.999%
- Average Availability: 99.99%
- Low Availability: 99.9%
Note: Traditionally availability is measured as a generalized aggregate over time. However, an hour outage at 2 AM has a significantly different business impact than an outage at 2 PM. A customer receiving abnormally low availability doesn’t care what the generalized aggregate availability might be. We need to develop a means of measuring availability on a granular level, related to both time of day and customer, to develop meaningful business metrics.
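The granular measurement the note above calls for, as an added example (not code from the presentation). It takes one constructed outage log and computes three views of the same data: the traditional aggregate over all customers and all hours, the same figure restricted to business hours, and a per-customer figure. The tenant names, the 30-day measurement window, the business-hours definition and every outage record are constructed sample data; the point is that one 2 AM outage and two daytime outages hitting a single tenant produce a respectable headline number while that tenant's business-hours availability is far worse.

```python
"""Availability measured granularly instead of as one aggregate.

Added example, not code from the presentation. Slide 56 argues that a single aggregate
uptime figure hides both when an outage happened (2 AM vs 2 PM) and which customer it
hit. Customer names, the measurement window, the business-hours definition and every
outage record below are constructed sample data.
"""
from datetime import datetime, timedelta
from typing import Iterable, Optional, Tuple

# Constructed measurement window: 1 August 2014 00:00 to 31 August 2014 00:00 (30 days).
WINDOW_START = datetime(2014, 8, 1)
WINDOW_END = datetime(2014, 8, 31)
BUSINESS_HOURS = range(8, 18)              # 08:00-17:59 local time (constructed definition)
CUSTOMERS = ["acme", "globex", "initech"]  # constructed tenant names

# Constructed outage log: (affected customer or "all", start, duration in minutes).
Outage = Tuple[str, datetime, int]
OUTAGES: list = [
    ("all", datetime(2014, 8, 3, 2, 0), 60),      # 2 AM maintenance overrun, hits everyone
    ("acme", datetime(2014, 8, 12, 14, 0), 180),  # 2 PM, one tenant only
    ("acme", datetime(2014, 8, 20, 9, 30), 90),   # mid-morning, same tenant again
]


def minutes_in_hours(start: datetime, duration: int, hours: Optional[range]) -> int:
    """Minutes of [start, start+duration) whose clock hour is in `hours` (all, if None)."""
    if hours is None:
        return duration
    return sum(1 for m in range(duration) if (start + timedelta(minutes=m)).hour in hours)


def window_minutes(hours: Optional[range] = None) -> int:
    """Measurable minutes in the window, optionally only those inside the given hours."""
    total = int((WINDOW_END - WINDOW_START).total_seconds() // 60)
    return minutes_in_hours(WINDOW_START, total, hours)


def availability(customer: Optional[str] = None, hours: Optional[range] = None,
                 outages: Iterable[Outage] = OUTAGES) -> float:
    """Fraction of customer-minutes the service was up.

    customer=None aggregates over all customers (the traditional headline number);
    hours=BUSINESS_HOURS counts only minutes that fall inside business hours.
    """
    customers = CUSTOMERS if customer is None else [customer]
    total = window_minutes(hours) * len(customers)
    lost = sum(minutes_in_hours(start, duration, hours)
               for who, start, duration in outages
               for c in customers if who in ("all", c))
    return 1 - lost / total


def report() -> dict:
    """All three views side by side, as percentages rounded to two decimals."""
    def pct(x: float) -> float:
        return round(100 * x, 2)
    out = {"aggregate": pct(availability()),
           "aggregate_business_hours": pct(availability(hours=BUSINESS_HOURS))}
    for c in CUSTOMERS:
        out[c] = pct(availability(c))
        out[f"{c}_business_hours"] = pct(availability(c, BUSINESS_HOURS))
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:28s} {value:7.2f}%")
```

With this log the aggregate comes out at about 99.65% while acme's business-hours figure is 98.5%; the other two tenants saw nothing at all during business hours. The same function, fed a real outage log, is what a right-to-audit clause should let the customer run against the provider's own records.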
57
Resiliency – how fast must the system be recovered?
Resiliency Levels
- High Resilience: Recovery time < xx min.; Data replicated at multiple physical sites; Full disaster recovery
- Average Resilience: Recovery time < xx min.; Data replicated on multiple servers, same site
- Best Effort: No specific guarantee
Note: Break fix, disaster recovery, and business continuity are all components of the resiliency of a business process. They all need to be accounted for in defining resiliency levels.
58
Accountability – will the provider share risk?
Accountability Levels
- High Accountability: Substantial cash penalty; Shared regulatory culpability; Regular compliance reporting
- Limited Accountability: Cash or service credit; No shared regulatory culpability; Limited or no compliance reporting
- No Accountability: No contractual penalties for non-performance
Note: Providers accept risk, usually at a higher cost. However, without well-defined penalties, SLAs are little more than a matter of trust and confidence.
59
Reference The composition of a service and its constituent parts
Reference Source: ITIL® Service Design
60
Cloud Deployment Models
The 4 different ways to deploy cloud services and the layers that would need to be managed through each model
61
The Imperative: IT Must Do Things Differently
OLD WAY OF IT vs NEW WAY OF IT
- Ability of IT: Server, months -> OSI, days
- Source of IT: Multiple RFPs with overseas and 3rd-party competition -> McKesson IT as the internal cloud provider
- Image of IT: Locked down and reactive -> Borderless, proactive, dynamic
- Analytics of IT: Disconnected in silos -> Real-time IT analytics tied to KPIs
- Cost of IT: CapEx -> OpEx and consumption-based