EMERGING ISSUES IN

IT SECURITY: CLOUD
COMPUTING
GROUP 4
What is cloud
computing?
Cloud Computing
•a style of computing that provides scalable and elastic, IT-enabled
capabilities ‘as a service’ to external customers via Internet
technologies(Gartner,n.d.).
•a model for enabling convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or service
provider interaction(National Institute of Standards and Technology,
n.d.).
Cloud Computing
•cloud computing provides IT services over the Internet in such a way
that the end user doesn’t have to worry about where the data is
being stored
• For example, our google classroom and google drive
•Cloud computing at the corporate level expands on this concept,
resulting in enterprise business applications, client (PC) applications,
and other aspects of the IT environment being provided over the
Internet using a shared infrastructure.
Five Characteristics of
Cloud Computing (NIST)
Five Characteristics of Cloud
Computing (NIST)
1. On-Demand Self-Service. This means that you can
provision computing capabilities, such as storage, as
needed automatically without requiring human
interaction with each service’s provider.
2. Broad Network Access. This means that capabilities
should be accessible from anywhere and from any device
(such as laptops and mobile devices) as long as Internet
connectivity is available.
Five Characteristics of Cloud
Computing (NIST)
3. Resource Pooling. This means that the provider’s
computing resources are pooled to serve multiple
consumers using a multi-tenant model, with different
physical and virtual resources dynamically assigned and
reassigned according to consumer demand.
4. Rapid Elasticity. This means that capabilities can be
rapidly and elastically provisioned (often automatically)
to scale out quickly, and rapidly released to scale in
quickly.
Five Characteristics of Cloud
Computing (NIST)
5. Measured Service. This means that cloud systems
automatically control and optimize resource usage by
leveraging metering capabilities appropriate to the type
of service (such as storage, processing, bandwidth, and
active user accounts).
 Test Steps for Auditing Cloud Computing
and Outsourced Operations

Preliminary and Overview

1. Review the audit steps in the other chapters in this part of the book and determine which risks and audit
steps are applicable to the audit being performed over outsourced operations. Perform those audit steps
that are applicable. - The risks present for an insourced function are also present for an outsourced function.
Remember that the components and functions of what you’ve outsourced are similar in many cases to what you
would have internally

2. Request your service provider to produce independent assurance from reputable third parties regarding
the effectiveness of their internal controls and compliance with applicable regulations. Review the
documentation for issues that have been noted. Also, determine how closely these certifications match your
own company’s control objectives and identify gaps. - These assessments can be used to reduce your need to
audit the service provider’s functions, thereby reducing the scope of your audit. In fact, many service providers,
especially the larger ones, will insist that you use these assessments in lieu of performing your own audit.

Vendor Selection and Contracts

3.Review applicable contracts to ensure that they adequately identify all deliverables, requirements, and
responsibilities pertinent to your company’s engagement. - The contract is your only true fallback mechanism
should you have issues with the vendor.
4. Review and evaluate the process used for selecting the outsourcing vendor. - If the process for selecting the
vendor is inadequate, it can lead to the purchase of services that do not meet the requirements of the business
and/or poor financial decisions. This step is applicable to all forms of outsourcing.

Data Security

5. 5. Determine how your data is segregated from the data of other customers - a form of outsourcing in which
your data is being stored on the vendors’ systems at their site (such as in cloud computing and dedicated hosting),
you no longer have full control over your data.

6. Review and evaluate the usage of encryption to protect company data stored at and transmitted to the
vendor’s site. - it is critical that the data be encrypted to protect against possible compromise. This reduces the
risk of a breach impacting the confidentiality or integrity of your data.

7. Determine how vendor employees access your systems and how data is controlled and limited. - If your
data is being stored or processed by employees outside of your company and you do not maintain ownership
regarding who has access to that data, you’re putting its confidentiality, integrity, and availability at risk.

8. Review and evaluate processes for controlling non-employee logical access to your internal network and
internal systems. - If you’re using service outsourcing and/or supplemental (contract) labor, you are likely allowing
a third-party vendor’s personnel to have a degree of logical access to your network and systems.

9. Ensure that data stored at vendor locations is being protected in accordance with your internal policies. - No matter
where you store your data, it is still subject to your internal policies. Outsourcing storage to a third party does not absolve
your company of responsibility to comply with policies and ensure proper security of the data.

10. Review and evaluate controls to prevent, detect, and react to attacks. - Without appropriate intrusion detection and
prevention techniques, your systems and data are at an increased risk of compromise. This risk is increased in an outsourced
model, specifically when outsourcing systems and infrastructure, because of the shared infrastructure,—an attack and
compromise on one customer could result in compromise of your systems.

Intrusion Detection - Look for the usage and monitoring of Intrusion Detection Systems (IDSs) to detect potential attacks on
your systems and integrity checking tools to detect potential unauthorized changes to system baselines.

Intrusion Prevention - Look for the usage and monitoring of Intrusion Prevention Systems (IPSs) to proactively detect and
cut off potential attacks on your systems.

Incident Response - Look for clearly defined processes for responding to potential security incidents, including notification
and escalation procedures.

Discovering and Remediating Vulnerabilities - Look for the usage and monitoring of vulnerability scanning tools to detect
and mitigate potential vulnerabilities that might allow an intruder to access and/or disrupt your systems.
Logging - Look for the logging of significant activities (successes and failures) on your systems, for the monitoring of these
logs, and for the storage of these logs in a secure location for an adequate period of time.

Patching - Look for procedures to receive and apply the latest security patches so that known security holes are closed.

Protection from Viruses and Other Malware - Look for the usage of antivirus software and the application of new
signature files as they are released.

11. Determine how identity management is performed for cloud-based and hosted systems. - Proper identity
management practices are critical for controlling access to your systems and data

12. Ensure that data retention and destruction practices for data stored offsite comply with internal policy. - If the
lifecycle of data is not defined, data might be retained longer than necessary (resulting in additional storage costs and
possible legal liabilities) or may be destroyed prematurely (leading to potential operational, legal, or tax issues).

13. Review and evaluate the vendor’s physical security - Physical security impacts logical security, because physical
access can override some logical access controls.

Operations

14. Review and evaluate your company’s processes for monitoring the quality of outsourced operations. Determine
how compliance with SLAs and other contractual requirements are monitored. - dictated expectations in your
contract, unless you monitor for compliance with those expectations, you will have no way of knowing whether they’re being
met.
15. Ensure that adequate disaster recovery processes are in place to provide for business continuity in the event
of a disaster at your service provider. - Just as with internally-hosted systems, you must to prepare for recovery from a
disaster when outsourcing operations. Failure to do so will likely result in extended outages and business disruptions if a
disaster occurs with your vendor

16. Determine whether appropriate governance processes are in place over the engagement of new cloud
services by your company’s employees. - Cloud computing makes it easy for business unit personnel to meet their
needs without ever engaging corporate IT. This has the potential to bypass all of the governance processes normally in
place to ensure proper security of company data, interoperability of systems, appropriate support capabilities, and so on.

17. Review and evaluate your company’s plans in the event of expected or unexpected termination of the
outsourcing relationship. - The provider could go out of business or discontinue the service you’re using. You could be
unhappy with the provider’s cost or performance. You might engage in a new competitive bid at the end of your contract
and another vendor may win the business.

18. If IT services have been outsourced, review the service provider’s processes for ensuring quality of staff and
minimizing the impact of turnover. If those services are being performed offshore, look for additional controls to
ensure employee attendance and effective communication and hand-offs with the home office. - If service
provider employees aren’t qualified to perform their jobs or the provider experiences high levels of turnover, the quality
of IT services will obviously be poor. This risk generally increases with outsourced operations, where turnover tends to be
higher.
Legal Concerns and Regulatory Compliance

19. Review and evaluate your company’s right and ability to obtain information from the vendor that may be
necessary to support investigations. - Inability to produce applicable data may result in legal ramifications, as your
company will be held legally responsible for your information, even if it’s being stored and processed by a third-party
provider.

20. Review requirements for security breach notification. Ensure that requirements are clearly defined
regarding when and how the vendor should notify your company in the event of a security breach and that your
company has clearly defined response procedures when they receive such notification. - A security breach at your
service provider not only puts your data and operations in jeopardy but may also have legal implications.

21. Determine how compliance with applicable privacy laws and other regulations is ensured. - Regardless of
where your data is stored and who manages it, you are still responsible for making sure that your company is
complying with all applicable laws and regulations. If your company is found to be in violation of applicable laws and
regulations, it can lead to stiff penalties and fines, a damaged reputation, lawsuits, and possibly the cessation of the
company.

22. Review and evaluate processes for ensuring that the company is in compliance with applicable software
licenses for any software hosted offsite or used by non-employees. - Using software illegally can lead to penalties,
fines, and lawsuits. If companies do not develop processes for tracking the legal usage of software and licenses, they
may be subject to software vendor audits and will not be able to account properly for the company’s use of the vendor’s
software.
 Advantages of
Cloud Computing
 From a strategic
planning basis cloud
computing may be
seen to have several
advantages.
PROMISE!
Capacity Planning

Variable Load Planning

Pay as you go
Response time

Time to market

Quick Deployment
Automatic Software
Updates and Integration

Cost Reduction

Data Security
Thank you!
 Scalability
Different companies have different IT needs — a large enterprise of 1000+ employees
won’t have the same IT requirements as a start-up.

Cloud-based solutions are ideal for businesses with growing or fluctuating bandwidth
demands. If your business demands increase, you can easily increase your cloud capacity
without having to invest in physical infrastructure.

This scalability minimizes the risks associated with in-house operational issues and
maintenance. You have high-performance resources at your disposal with professional
solutions and zero up-front investment.
ADVANTAGES OF CLOUD COMPUTING

 Collaboration
Cloud environments enables better collaboration across teams: developers, QA,
operations, security and product architects are all exposed to the same infrastructure
and can operate simultaniously without stepping on each other toes.

Different cloud environments can be built for specific purposes like staging, QA, demo or
pre-production. It’s much easier to collaborate in a transparent manner and the cloud
encourages it.

ADVANTAGES OF CLOUD COMPUTING

 Unlimited Storage Capacity

Related to the scalability benefit above, the cloud has essencially unlimited capacity to
store any type of data in various cloud data storage types, depending on the
availability, performance and frequency the data has to be accessed.

Creating and optimizing the cloud cost stucture policy can reduce the cost of cloud
storage significantly while maintaining the company’s business goals related to data
storage in the cloud.

ADVANTAGES OF CLOUD COMPUTING

 Back-up and Restore Data

As end-users data changes over time and needs to be tracked for regulations or
compliance reasons, older software versions can be stored for later stages, in cases they
would be needed for recovery or rollback.

ADVANTAGES OF CLOUD COMPUTING

 Disaster Recovery
Having previous versions of software stored in the cloud, and having production instances
running on multiple cloud availability zones or regions allow for faster recovery from
disasters: if your application is deployed on multiple locations and for some reason one
region goes down – the traffic can automatically failover to the working regions without any
interruptions to the end-users.

ADVANTAGES OF CLOUD COMPUTING

 Mobility
Cloud computing allows mobile access to corporate data via smartphones
and devices, which is a great way to ensure that no one is ever left out of
the loop. Staff with busy schedules, or who live a long way away from the
corporate office, can use this feature to keep instantly up-to-date with
clients and coworkers.

Resources in the cloud can be easily stored, retrieved, recovered, or

processed with just a couple of clicks.

ADVANTAGES OF CLOUD COMPUTING

 Data Loss Prevention

Data loss is a major concern for all organizations, along with data security. Storing your
data in the cloud guarantees that data is always available, even if your equipment like
laptops or PCs, is damaged. Cloud-based services provide quick data recovery for all kinds
of emergency scenarios – from natural disasters to power outages.

Cloud infrastructure can also help you with loss prevention. If you rely on a traditional on-
premises approach, all your data will be stored locally, on office computers.

ADVANTAGES OF CLOUD COMPUTING

 Control
Having control over sensitive data is vital to any company. You never know what can
happen if a document gets into the wrong hands, even if it’s just the hands of an untrained
employee.

Cloud enables you complete visibility and control over your data. You can easily decide
which users have what level of access to what data.

ADVANTAGES OF CLOUD COMPUTING

 Competitive Edge
Cloud adoption increases every year, since companies realize that it offers them
access to world-class enterprise technology. And, if you implement a cloud
solution now, you’ll be ahead of your competitors.

ADVANTAGES OF CLOUD COMPUTING

Cloud Computing
Risks
 Data Privacy
Access Control
Internal Segmentation Availability
Sub-contractors Service Degradation
Data Ownership Service Outage
E-Discovery
Data Censorship
Encryption

Service
Provisioning
Service Changes Malicious Attack
Cost Changes Likelihood of Attack

Audit Records
Regulatory Storage Location
Compliance Lack of Breach Notice
Compliance
 Data Privacy Risks
ACCESS CONTROL
Individuals within the service provider organization may have access to the
data submitted to the cloud environment

To mitigate this risk, the organization can require that the service provider
● limit access to the data/files to essential personnel only;
● conduct background checks
● maintain proper records of approval, removal, and review of internal
access to the data
● monitor access to the data
● train internal staff on requirements; and
● provide reports to the organization regarding access to the data records
by support staff.

Internally, the organization can

● Contractually obligate the service provider to these requirements; and
● Monitor vendor compliance with the requirements.
 Data Privacy Risks
SUB-CONTRACTORS
INTERNAL SEGMENTATION
Many cloud service providers
Data architecture underlying the themselves are composed of multiple
service could put the layers of cloud services, with the
organization’s data at risk of originally contracted provider using
disclosure to other organization other cloud providers to support their
own services.
To mitigate this risk
● implement internal To mitigate this risk
barriers/segmentation; and
● discuss regulatory requirements with the
● conduct audits of data storage
cloud vendor, and require that the service
provider provide the identities of all;
● if this level of compliance monitoring is
not required, request that the service
provider agree contractually;
● require that the service provider
implement a vendor management
program
● monitor the service provider’s compliance
with this requirement.
 Data Privacy Risks
DATA OWNERSHIP E-DISCOVERY
Not unusual for cloud service Data is now subject to
providers to claim ownership of discovery not only by legal
all data/files submitted to their actions targeting the
care, and to publicly state the organization, but may also be at
right to redistribute. risk of discovery and disclosure
by legal actions targeting the
To mitigate this risk service provider or any one of
● ensure that the service its other customers or service
provider acknowledges the providers.
primacy of the organization’s To mitigate this risk
rights to the data submitted; ● ensure that the service
● contractually obligate the provider is bound
service provider to limit use of contractually to notify the
the data to that approved by organization of any required
the organization; and legal disclosure; and
● contractually require that the ● make internal plans to
organization’s data be address e-disclosure
returned and deleted upon
severing the relationship
 Data Privacy Risks
DATA CENSORSHIP
Cloud providers retain to
themselves the right to audit
and censor any data submitted
to the service.
To mitigate this risk
● contractually define any such
activities on the part of the
service provider, and the
process through which it is
supported; and
● require the service provider to
report any such activities to
the organization
ENCRYPTION
Implementation of encryption
for data “at rest” within the
cloud remains relatively rare, or
is expensive when available.
To mitigate this risk
● use cloud services only for those data services
that do not require data encryption for data
privacy purposes; or
● select a cloud service provider that can provide
encryption if required;
● confirm that the service provider has
implemented appropriate encryption controls;
● use cloud services only for those data services
that do not require data encryption for data
privacy purposes;
● select a cloud service provider that can provide
encryption if required;
● confirm that the service provider has
implemented appropriate encryption controls;
 Availability Risks
SERVICE DEGRADATION
The service may be degraded by a malicious attack, either
due to the diversion of resources caused by an attack on
the service provider, by the diversion of resources due to
an attack upstream from the service provider (an attack
on one of their service providers) and resulting congestion
on the telecommunication lines, or by diversion of
resources caused by a successful penetration and use of
the service itself as the base for further attacks on other
sites.
To mitigate this risk
● use cloud services only for those applications for which
degradation of service is not a significant issue; or
● obtain redundant lines to the service provider through
alternate carriers that can provide alternate connecting
line; and
● implement appropriate and feasible alternatives.
Availability Risks
SERVICE OUTAGE
All service providers will, for one reason or another, incur
service outages and performance issues on a periodic basis.

To mitigate this risk

● confirm that the service provider has designed the service
with adequate capacity and multiple service sources;
● require a service level agreement with the provider with
contractual penalties for less than acceptable availability
performance levels;
● ensure that the defined level of availability is acceptable;
● confirm that the service provider has an active backup
program and recovery plan,
● confirm that the service provider recovery plan is tested
regularly;
● determine if alternate service options are available; and
● implement appropriate and feasible alternatives.
Cloud Computing
Risks
 Data Privacy
Access Control
Internal Segmentation Availability
Sub-contractors Service Degradation
Data Ownership Service Outage
E-Discovery
Data Censorship
Encryption

Service
Provisioning
Service Changes Malicious Attack
Cost Changes Likelihood of Attack

Audit Records
Regulatory Storage Location
Compliance Lack of Breach Notice
Compliance
 Risks of Cloud Computing

Service Provisioning

A manner of providing
customers access to
resources to complete the
desired tasks required by
the customer.
Malicious Attack

Is software designed to
cause harm or damage to a
computer, server, client or
computer network and/or
infrastructure without
end-user knowledge
Service Provisioning
Service Changes

As all IT professionals know, technology firms come and

go. Cloud service providers may fail, be acquired, or
change their business models and discontinue a service at
any time. As a result, the organization may lose access to
its data or to the service upon short notice.

To mitigate this risk, the organization can

● contractually require a specified minimum period of

notice for service changes
● identify alternate service options that can be
activated upon need; and
● maintain an updated internal copy of the data for
emergency use.
 Service Provisioning
Cost Changes
As with any outside service, costs for cloud services will
change over time. Such changes can make this type of
service less cost effective, jeopardizing the purpose
behind using the service in the first place.

To mitigate this, the organization can

● ensure that service costs and changes are

defined in the service contract; and
● evaluate the cost/benefit/risk trade-offs of the
relationship during each contract renewal.
 Malicious Attack
Because cloud service providers support multiple businesses and must have their
services available on the open Internet, they are at increased risk of being attacked
through their website portals.

After all, attackers tend to prefer target-rich environments, and cloud service providers
concentrate multiple targets within their service areas. This situation is made worse by
the fact that they must make web support and administration tools available to their
customers as a part of the normal business model through the web portal, thereby
leaving these tools accessible to attackers as well.

To mitigate this risk, the organization can

● confirm that the service provider follows recommended security best practices
in the development and coding of its web application, including code reviews
and appropriate application security steps within each level of its infrastructure;
● confirm that the service provider performs vulnerability and penetration tests on
a periodic basis and remediates any issues identified; and
● confirm that these practices have been audited and shown to be in place and
operationally effective.
Cloud Computing
Risks
 Regulatory compliance risks

Audit Record Lack of breach Notice

Storage Location Compliance

 Audit Record Verifying the
functionality and
Negotiate controls of all supporting
negotiate with service
systems may be required
provider a mechanism through for compliance with
which supporting systems can be
audited and verified, either through
regulatory requirements,
an audit performed by the becoming a significant
organization’s audit team or
through a third party verification
risk.
using SSAE 16 SOC 1 and SOC 3
reports, and include this in the Mandated
contract; Contractually
obtain copies ensure that
obtain copies of appropriate audit reports
previous relevant service are mandated
provider SAS 70/SSAE contractually to meet the
16 reports or conduct needs of the
regular audits of the organization.
provider
 Storage location
a situation may or may
To Mitigate not be permissible,
based upon regulations
the risk under which the
organization operates.
 Storage location
1. assess the organization’s 3. if possible, agree
legal and regulatory contractually to storage
requirements, and determine location restrictions that
if restrictions exist on
will keep the organization
whether it can permit its data
to be stored outside of a
compliant with its
specific legal jurisdiction regulatory needs

4. if this is not
2. if the organization possible, exclude the
faces this type of service provider from
restriction, include a those to be considered
discussion of this issue for the service.
with any service providers
considered as service
providers
 Lack of breach notice

00 01
The organization may
use cloud
not even know that a
resources for only
breach has occurred
those data applications
until it appears in the
that do not have
evening news.
regulatory compliance

00
requirements

To Mitigate the 04
risk contract with a cloud service
provider that is willing to
assert contractually that they
will notify the organization at
once in the event of a
possible breach.
 Compliance

To mitigate this Risk

use cloud resources for only those

data applications that do not have
regulatory compliance requirements

contract with a cloud service provider

that is willing to assert contractually
that they will maintain compliance
with the regulation in question

maintain a compliance verification

program that validates the service
provider’s compliance with the
requirements.
 Mitigation summary

Evaluate the risks

01 involved 01

Assess the available cloud

02 computing service providers 02

Perform appropriate
Mitigating 03 due diligence 03
the
Risk
Obtain copies of the service
04 provider SAS 70 04
 Mitigation Summary

05 . Ensure that

all other appropriate

internal mitigating
strategies and 06. Implement a
options are vendor management
implemented. program to ensure
ongoing compliance
of the service

07 . Ensure that the

provider with all
necessary controls
service provider contract and service levels.
includes language
specifying all required
mitigating controls and
reporting.