1. Implementing Cloud Computing with Proper Controls
ISACA Geek Week
August 12, 2014
Chuck Wysocki
Clay Douglas

2. Introduction Chuck Wysocki
Frame up the conversation. Why are we talking about this? Professional and experience backgrounds

3. Controlled Cloud Computing
What’s in the cloud?
What are the risks and why should I care?
Implementing a controlled cloud environment?
Now what should I audit?
How can I see through the cloud?
Here’s what we’ll talk about
What’s in the cloud? - Clay
What are the risks and why should I care? - Clay
Implementing a controlled cloud environment? - Chuck
Now what should I audit? - Clay
How can I see through the cloud? - Chuck

4. What’s in the Cloud?
Clay Douglas

5. Delivery of computing as a service Why is it called “Cloud?”
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal mgt. effort or service provider interaction.
Source NIST
Analogy: Similar to purchasing a cell phone (the product);
you are buying the product, but you are actually
purchasing the telecommunication service.

6. CPS-Cloud Service Provider
The Cloud Demystified
Characteristics:
On-demand self-service
Broad network access
Resource pooling
Rapid elasticity
Measured service
Service Models:
PAAS
IAAS
SAAS
Delivery Models:
Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud
CPS-Cloud Service Provider
Reference Source: NIST Definition of Cloud Computing

7. Operating System Layer
Who’s In Charge Here?
Cloud Consumer
SaaS*
Application Layer
Middleware Layer
Operating System Layer
PaaS
IasS
SaaS
PaaS
IaaS
Cloud Provider
Customer responsibilities:
SaaS – Data only
PaaS – Data and some middleware
IaaS - All layers (except for underlying infrastructure)
Source: SANS Institute Cloud Security Fundamentals Course

8. Source: 2012 Cloud Computing Market Maturity Study Results CSA & ISACA (ISACA Website)

9. What are the risks and why should I care?
Clay Douglas

10. The Cloud Risk Categories
Contract and SLAs
Data Management
CSP selection process
Lack of customer due diligence
Pre-implementation activities
Governance over cloud activities
Effective information security – post implementation
Regulatory compliance – post implementation
Operational performance - post implementation

11. Know your risks and prepare a good game plan
OR it may not go as well as you hoped!!!!
Lost of Data!
What
can go
Wrong?
No right
to audit
clause!
Note: Any references to persons or schools is strictly coincidental and does not necessarily represent the views of the presenters or any organization represented here.

12. The Cloud Risks Review Contracts and SLAs
Contracts & SLAs do not provide terms to mitigate risk:
No “right to audit” provisions
Performance is not measurable
Not reviewed by Legal
Not aligned with mgt’s goals
Inadequate physical security
Data breach clause
Inadequate portability terms
Inadequate info. security terms
No penalties for non-compliance
Gaps in CSP & customer roles
Regulatory non-compliance
No contract termination clause

13. Data Risks Data Conversion through Disposal
Who is responsible?
Data Conversion
Data Location
Data Transport
Data
Breech
Commingled Data
Data Encryption
Data Integrity
HIPAA, PCI
SOX?
Data Mgt.
&
Security
Who owns it?
Backed up retained?
Is Legal involved?
Data Disposal

14. Lifecycle Considerations Key Risk Areas
CSP Selection
Pre-implementation
Governance
Lack of viability
Data Conversion
Cost Overruns
Unethical behavior
Ineffective status reports
Risk Management
Poor control of API
Ineffective project mgt.
Monitoring & Audit
Backup & Recovery
Mgt. of customization
Third party mgt.
Are mgt.’s goals for the cloud being accomplished?
Does CSP security = Customer requirements?
Does CSP + Customer security ensure compliance?

15. AICPA’s Top 10 Technology US Initiatives How do they apply to Cloud computing?
1 Managing and retaining data
2 Securing the IT environment
3 Managing IT risks and compliance
4 Ensuring privacy
5 Managing system implementation
6 Preventing and responding to computer fraud
7 Enabling decision support and analytics
8 Governing and managing IT investment and spending
9 Leveraging emerging technologies
10 Managing vendors and service providers
Source: American Institute of CPAs Website

16. Implementing a controlled Cloud environment
Chuck Wysocki
Frame up the conversation. Why are we talking about this? Professional and experience backgrounds

17. Will it be a stormy cloud?
Cloud is a SERVICE
Green-field to production
Agility is ideal for development environments
Focus on IAAS
ITSM and Control processes
Provisioning
Support (Event, Incident, Problem Mgmt)
Vendor Mgmt
Service Level Mgmt
SACM
Change Mgmt
Information Security Mgmt
Service Brokering

18. Traditional IT Service Management
Reference Source: ITIL® Service Design

19. Cloud Service Management
IT as service broker/provider/manager
IT or vendor(s) provide abstracted Infrastructure

20. Top Cloud Use Cases Cloudbursting Intelligent Capacity Mgmt.
Onboarding to ESP
Consolidation/ Migration
Availability/DR
Reference Source: Gartner

21. Cloud provisioning agility
Standard
Configuration
Requirements
Select Solution
Creation
Approval
Notifications
Processing
Build to Spec
Activate Components
Fulfillment
Activate Service
Confirmation & Delivery
In Service
SLA measures
Post-Fulfillment
Accelerated provisioning
Accelerated provisioning can include automated entry or using Di’s mailbox
To better understand what could be included in a RC package, here are the different standard components and options.
Takeaways:
-This structure provides great flexibility to tailor your environment
-Can easily add or change components and options
Non-Standard (custom) configuration?
Legacy provisioning

22. Typical Cloud provisioning portal
Single Service request portal for all service requests
Delivered through Automation & Orchestration
Patching & Compliance
Performance
What do you want to do today?
Continue 
Production
Development
Test
Co-Location
New Virtual
New Physical
Select your requirements and click Continue
Modify
Cancel
Existing
Facility
Differences between traditional provisioning methods and new
Standard front-end, components and process can deliver a Tailored Solution

23. Healthy choices for the business?

24. Common Point of Reference
In the cloud, there are multiple potential providers, internal and external, each offering multiple service agreements, at a variety of inconsistent service levels and at multiple price points.
A common point of reference to allows “apples to apples” comparison between different service agreements
Azure
Plan / SLA / price
MyCloud
. . .
Equinix
Option a / SLA / cost
Option b / SLA / cost
Option c / SLA / cost
AWS
X, Y, Z
Choice 1 / SLA / price
Choice 2 / SLA / price
Choice 3 / SLA / price
Choice 4 / SLA / price
Translate
Uniform Service Level Profile

25. Uniform Service Level Profile
Work Load Profile
Matched to
Security Level
Compliance Level
Performance Level
Availability Level
Resiliency Level
Accountability Level
Service Agreement Profile
Results in
Service Agreements meeting workload profile

26. Security – How sensitive is the data?
Security Levels
Non-Sensitive
De-sensitized test data
General information (e.g. marketing materials)
Confidential
Company sensitive
Customer sensitive
Live test data
Restricted
Strategic planning
Financial forecasts
Mergers and acquisitions
Unauthorized access would not be damaging to the company, but corruption or destruction of data would
Unauthorized access would have a business impact on McKesson or one or more of our customers
Unauthorized access would have a severe business and/or legal impact on McKesson
Authentication
Role based access
Log mng’t.
Vulnerability Mng’t
Configuration mng’t.
Patching
Forensics & eDiscovery
Non-sensitive req’ts +
Encryption & key mng’t.
Intrusion prevention
Data isolation
Integrity monitoring
Data loss prevention
Root security
Endpoint encryption / wipe
Access logging / reporting
user water marking of documents
Downloads restricted
Other agreement profiles in Appendix

27. Compliance -- what external rules apply?
Compliance Levels
Personal Health Information (PHI)
Personal Credit Information
Sarbanes/Oxley (S-OX)
Facility controls
Access controls
Audit controls
Integrity controls
Transmission controls
Risk analysis
PCI DSS compliance
Network & systems security
Vulnerability management
Strong access control
Monitor all network access
Regular security testing
Internal system controls
Prevention of altering, destruction, or falsifying of protected records
Infrastructure quarterly freezes
Department of Defense (DOD)
Payor Contract Compliance
Non-USA Compliance
DoD 8500 and DIACAP
Authentication and encryption
Physical security
Boundary defense
Continuity
Vulnerability & incident mgmt
PHI compliance plus
Access strictly limited and logged
Data downloads restricted
In some contracts data must reside in company facilities
Canada and European Union have distinct and much tighter personal information regulations
Both require personal informal be stored locally within the region
Other agreement profiles in Appendix

28. Existing IT Service SegmentsA B C D E
Traditional Development Cloud Resources
New Private Cloud Resources
Traditional Production Cloud Resources
External Development Cloud Resources
Existing Computing Environments target different parts of the spectrum,
however there is significant overlap of workload use cases.

29. Multiple Cloud Solution ExampleB C D E
Cloud 1
Cloud 2
Cloud 3
Cloud 4
NO SERVICE
NO SERVICE
NO SERVICE
A customer can consume any capabilities across the spectrum offered by a particular cloud environment.
In this example, a customer could consume any capability from Levels A through C with Cloud 2.
However, to obtain Level D capabilities, the customer would have to switch to Cloud 1.
It doesn’t mean that Cloud 1 “can’t” support levels A & B. It simply means that Cloud 1 is not optimized to support levels A & B due to its support and cost profile that is optimized for high compliance, high risk, etc. environments.

30. Risk & Impact BenchmarksD E
< 10 employees affected
< 100 employees affected
< 1000 employees affected
Revenue affecting
Customer facing
Regulatory / PCI Compliance
“Non-Production”
“Production”
Dev Sandboxes
Software Pilots
Install Testing
Configuration Testing
Sandboxes
Dev Machines
QA Environments
Small team file servers
Non Critical Systems
SharePoint
Time Tracking
Project Tracking
Ticketing
Large File Servers
Internal Business Apps
HRIS
Financial
External SharePoint
Customer Facing Apps
Sensitive Internal Apps
Oracle
ERP
CRM / MRM
Cust Web/Ordering
Managed Services
Critical Customer Apps
Critical Internal Apps
Moderator Notes:
What’s the difference between the two?
5 minutes for slides 6 &7
Increasing Cost
Increasing Complexity
Typical enterprise workload alignments across the risk & impact spectrum
There are some common benchmarks that can help determine
levels of risk and impact along this spectrum

31. Results Summary A B C D E Thank you for your responses.
Based on your selections, your needs are most closely aligned with Level D-1. A2 B2
C1 C2 D1 E1 A B C D E
Weak Match
Weak Match
Weak Match
Strong Match
OK Match
Broker along the spectrum of IT resources and capabilities
Finding the optimal fit between IT capabilities and Business requirements
Position IT Capabilities against Business Risk & Business Impact to narrow options

32. IaaS Brokering Meets the service profile at the lowest cost
Capacity brokering involves comparing different service options to find the service agreement that meets the profile of a particular work load at the lowest cost (the most efficient option).
Svc Agreement
SLA: a, c, d
$0.50 per unit
Svc Agreement
SLA : b, c, e
$1.00 per unit
Workload
Profile: a, b, c
Svc Agreement
SLA: a, d, e
$1.50 per unit
Even in the DEV environment, compliance requirements may exist, particularly when live data is in use
Svc Agreement
SLA: a, b, c
$2.00 per unit
Svc Agreement
SLA: c, d, e
$2.50 per unit
Meets the service profile at the lowest cost

33. IAAS Features IaaS SaaS Consumption based On demand provisioning
Capacity managed
Commodity sharing/
multi-tenant
Location agnostic/
brokered
Always On
Physical Provider
IaaS
PaaS

34. Example IAAS Provider Comparison
Compliant
Managed plus isoloation and compliance.
HIGH
e.g. provider C
$1000 -$1500/mo
Fully Managed
Advanced plus full support, security and protection
MEDIUM
e.g. provider B, C
$600-$1100/mo
Monthly Cost
Advanced
Basic plus heartbeat, basic security and basic support
e.g. provider B
$300-$600/mo
LOW
The 4 classes offer scaling price and support beginning with bare technology within an external data center all the way up through full management of operations, security and compliance providing similar support levels to current McKesson IT offerings. Of course as we move along the Support axis, price also grows.
Takeaways:
- Mckesson IT will deliver at the Compliant level but will be priced at or below the Fully Managed level
Basic
IaaS plus OS stack, shared, multi-tenant
LOW
e.g. provider A
$100-$250/mo
IaaS Reference Architecture
NONE
BASIC
STANDARD
PREMIUM
Support

35. Typical IAAS Components
MyCloud
Service Bundle
MySupport
Premium
Standard
Basic
MyPlatform
Unix
X86
Shared
Dedicated
MyStorage
Tier 3 IP
Opt Tiers
MyRestore
Operational
To better understand what could be included in a RC package, here are the different standard components and options.
Takeaways:
-This structure provides great flexibility to tailor your environment
-Can easily add or change components and options
Default Options

36. Business Application/Service Topology
Business Application Profile
MyCloud Service
Legacy IT Services
Server A7 Infra Server
MyCloud
Server B8 Infra Server
MyCloud
Server C9
Infra Server MyCloud
Server D10 Legacy Server (Physical)
Server E11 Legacy Server (Physical)
Server F12 Legacy Server (other)

37. Launch workstreams Event monitoring and management
Onboarding and provisioning
Configuration Management
Operations Processes (Incident, Problem Change)
Vendor Management
Product Management
Service Level Management
Business application pilot
Network Management
Storage Management
Automation
Change Leadership

38. Now, what should I audit?
Clay Douglas

39. Approach for Auditing the Cloud Part 1
Determine management’s objectives for the cloud
Evaluate the cloud governance process
Identify the cloud environment implemented
Review contracts and SLAs
Review pre-implementation
(if applicable)

40. Approach for Auditing the Cloud Part 2
Review SSAE 16 and cloud performance metrics
Identify relevant risks based on cloud model
Map risks to controls & identify gaps
Determine the nature & extent of testing
Conduct audit, report results to mgt & follow up

41. What to Audit. Reference: ISACA Cloud Computing Mgt
What to Audit ? Reference: ISACA Cloud Computing Mgt. Audit & Assurance Pgm.
Pre-implementation
Post-implementation
Assess Maturity
CSP selection process
Incident response
Service Levels Mgt.
Contracts and SLAs
Monitoring and logging
Manage 3rd Parties
Due diligence activities
Application Security
Continuous service
Cloud Governance and Risk Management
Information Security:
Data Security and Integrity
Change & Configuration Management
Identity & Access Mgt.
Backup and Recovery
Network Security
System Security
Review CSP audit reports and certifications
Cloud Governance
Service Desk and Incident Mgt.
Project Management
Virtualization
Configuration Mgt.
Data Conversation
Cloud performance to objectives
Data Mgt.
Map Management’s Goals to project mgt.
Third Party Mgt.
Monitor & Evaluate Internal Control
Coordination with Information Security
Legal and Regulatory Compliance
Compliance with External Requirements
Right to audit clause
Portability, Interoperability & shared technology

42. How can I see through the clouds?
Chuck Wysocki
Pre- Implementation
Cloud Computing
Post Implementation
Cloud Computing
Pre-implementation – you’re auditing your ability to implement controls and audit
Post-implementation – you’re auditing actual business services and controls
Eg: comingled data
SLAs

43. Technology Is the Tip of the Iceberg
Cloud computing technologies 1 2
End-to-end processes, metrics, policies, automation
Processes
Business Management 3
Business model, sourcing, cost accounting, chargeback, demand mgmt.
People 4
New and changing roles, skills
Reference Source: Gartner

44. Information Security and Operational Risk Categories Post “Go Live”
CSP aligned security
Identity and access mgt.
Logging & audit trails
Application mgt. & sec.
Legal compliance
Incident Response
Denial of Service
Virtualization processes
Change management
Network sec. & monitoring
CSP backup & DR
Physical Security
Vulnerability mgt.
Logging

45. Service Management process considerations
Vendor Management
Service Level Management
Security Management
Configuration Management
Change Management
Request Fulfillment
Event Management
Incident Management
Problem Management

46. Going from “green field” to production
Many Cloud initiatives start as “shadow IT”
Small scale SAAS business applications
Application development environments
Differences in financial models (capital vs expense, purchase/lease vs usage)
This is more a change in IT’s business model than a technology change

47. Production application hosting
Business Application Profile
MyCloud SLA
Legacy SLAs
Server A7 Infra Server
MyCloud
Server B8 Infra Server
MyCloud
Server C9
Infra Server MyCloud
Server D10 Legacy Server (Physical)
Server E11 Legacy Server (Physical)
Server F12 Legacy Server (OSVH)
Storage OLA
Data Restore OLA
SAN Storage
Backup

48. QUESTIONS?
Inquiring minds want to know…

49. Appendix

50. Map the Risks to the Cloud Environment
Source: CSA Mapping the Cloud Model to Security Control & Compliance

51. Audit Program Sources 1 min
AUDITING GUIDANCE – ISACA
COBIT – Cloud Computing Management Audit/Assurance Program; COBIT 5
SECURITY GUIDANCE - CLOUD COMPUTING ALLIANCE (CSA)
Security Guidance for Critical Areas of focus in Cloud Computing V 3.0; Cloud Controls Matrix other; Consensus Assessment Questionnaire
OTHER SOURCES/REFERENCES:
SANS Institute
Art of Service
NIST
FedRAMP
European Network & Information Security Agency
Center for Internet Security
Defense Information Systems Agency
Why do I care about this?
Value of IT performance metrics to auditors
Standards for measuring IT performance
Why should IT organizations measure performance
What should be measured
Why metric accuracy is critical
high integrity metrics model
A process to ensure high integrity metrics
Challenges to capturing high integrity metrics
A model for incorporating IT metrics into IT Auditing
References to take a “deeper dive”

52. More Cloud Sources ISACA Website

53. FedRAMP

54. APPENDIX (Chuck)
9/17/2018

55. Performance – what is acceptable throughput?
Performance Levels
High Performance / Customer Proximity
High Performance
Average Performance
Throughput > xx.x
Proximity: xx% of customers within xxx miles of a data center
Transaction load > xx
Throughput > xx.x
Transaction load > xx
Throughput > xx.x
Transaction load > xx
Note:
Traditionally performance was defined in terms of the characteristics of the physical infrastructure – bandwidth, CPUs, processor speed, etc.
However, IaaS abstracts the service from the underlying infrastructure
In the Cloud performance is measured in terms of business impact – throughput
We need to develop means of measuring and holding providers accountable for end to end throughput
Low Performance
Best effort – no specific performance guarantees

56. Availability – what is acceptable uptime?
Availability Levels
High Availability
Average Availability
Low Availability
99.999%
99.99%
99.9%
Note:
Traditionally availability is measured as a generalized aggregate over time
However, an hour outage at 2 AM has a significantly different business impact than an outage at 2 PM
A customer receiving abnormally low availability doesn’t care what the generalized aggregate availability might be
We need to develop a means of measuring availability on a granular level related to both time of day and customer to develop meaningful business metrics

57. Resiliency – how fast must the system be recovered?
Resiliency Levels
High Resilience
Average Resilience
Best Effort
Recovery time < xx min.
Data replicated at multiple physical sites
Full disaster recovery
Recovery time < xx min.
Data replicated on multiple servers same site
No specific guarantee
Note:
Break fix, disaster recovery, and business continuity are all components of the resiliency of a business process
They all need to be accounted for in defining resiliency levels

58. Accountability – will the provider share risk?
Accountability Levels
High Accountability
Limited Accountability
No Accountability
Substantial cash penalty
Shared regulatory culpability
Regular compliance reporting
Cash or service credit
No shared regulatory culpability
Limited or no compliance reporting
No contractual penalties for non-performance
Note:
Providers accept risk usually at a higher cost
However, without well defined penalties SLAs are little more than a matter of trust and confidence

59. Reference The composition of a service and its constituent parts
Reference Source: ITIL® Service Design

60. Cloud Deployment Models
The 4 different ways to deploy cloud services and the layers that would need to be managed through each model

61. The Imperative: IT Must Do Things Differently
Server, months
OLD WAY OF IT
Multiple RFPs with overseas and 3rd-party competition
Locked down and reactive
Disconnected in silos
CapEx
OSI, days
NEW WAY OF IT
McKesson IT as the internal cloud provider
Borderless, proactive, dynamic
Real-time IT analytics tied to KPIs
OpEx and consumption-based
Ability of IT
Source of IT
Image of IT
Analytics of IT
Cost of IT