Professional Documents
Culture Documents
IT SECURITY: CLOUD
COMPUTING
GROUP 4
What is cloud
computing?
Cloud Computing
•a style of computing that provides scalable and elastic, IT-enabled
capabilities ‘as a service’ to external customers via Internet
technologies(Gartner,n.d.).
•a model for enabling convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or service
provider interaction(National Institute of Standards and Technology,
n.d.).
Cloud Computing
•cloud computing provides IT services over the Internet in such a way
that the end user doesn’t have to worry about where the data is
being stored
• For example, our google classroom and google drive
•Cloud computing at the corporate level expands on this concept,
resulting in enterprise business applications, client (PC) applications,
and other aspects of the IT environment being provided over the
Internet using a shared infrastructure.
Five Characteristics of
Cloud Computing (NIST)
Five Characteristics of Cloud
Computing (NIST)
1. On-Demand Self-Service. This means that you can
provision computing capabilities, such as storage, as
needed automatically without requiring human
interaction with each service’s provider.
2. Broad Network Access. This means that capabilities
should be accessible from anywhere and from any device
(such as laptops and mobile devices) as long as Internet
connectivity is available.
Five Characteristics of Cloud
Computing (NIST)
3. Resource Pooling. This means that the provider’s
computing resources are pooled to serve multiple
consumers using a multi-tenant model, with different
physical and virtual resources dynamically assigned and
reassigned according to consumer demand.
4. Rapid Elasticity. This means that capabilities can be
rapidly and elastically provisioned (often automatically)
to scale out quickly, and rapidly released to scale in
quickly.
Five Characteristics of Cloud
Computing (NIST)
5. Measured Service. This means that cloud systems
automatically control and optimize resource usage by
leveraging metering capabilities appropriate to the type
of service (such as storage, processing, bandwidth, and
active user accounts).
Test Steps for Auditing Cloud Computing
and Outsourced Operations
1. Review the audit steps in the other chapters in this part of the book and determine which risks and audit
steps are applicable to the audit being performed over outsourced operations. Perform those audit steps
that are applicable. - The risks present for an insourced function are also present for an outsourced function.
Remember that the components and functions of what you’ve outsourced are similar in many cases to what you
would have internally
2. Request your service provider to produce independent assurance from reputable third parties regarding
the effectiveness of their internal controls and compliance with applicable regulations. Review the
documentation for issues that have been noted. Also, determine how closely these certifications match your
own company’s control objectives and identify gaps. - These assessments can be used to reduce your need to
audit the service provider’s functions, thereby reducing the scope of your audit. In fact, many service providers,
especially the larger ones, will insist that you use these assessments in lieu of performing your own audit.
3.Review applicable contracts to ensure that they adequately identify all deliverables, requirements, and
responsibilities pertinent to your company’s engagement. - The contract is your only true fallback mechanism
should you have issues with the vendor.
4. Review and evaluate the process used for selecting the outsourcing vendor. - If the process for selecting the
vendor is inadequate, it can lead to the purchase of services that do not meet the requirements of the business
and/or poor financial decisions. This step is applicable to all forms of outsourcing.
Data Security
5. 5. Determine how your data is segregated from the data of other customers - a form of outsourcing in which
your data is being stored on the vendors’ systems at their site (such as in cloud computing and dedicated hosting),
you no longer have full control over your data.
6. Review and evaluate the usage of encryption to protect company data stored at and transmitted to the
vendor’s site. - it is critical that the data be encrypted to protect against possible compromise. This reduces the
risk of a breach impacting the confidentiality or integrity of your data.
7. Determine how vendor employees access your systems and how data is controlled and limited. - If your
data is being stored or processed by employees outside of your company and you do not maintain ownership
regarding who has access to that data, you’re putting its confidentiality, integrity, and availability at risk.
8. Review and evaluate processes for controlling non-employee logical access to your internal network and
internal systems. - If you’re using service outsourcing and/or supplemental (contract) labor, you are likely allowing
a third-party vendor’s personnel to have a degree of logical access to your network and systems.
9. Ensure that data stored at vendor locations is being protected in accordance with your internal policies. - No matter
where you store your data, it is still subject to your internal policies. Outsourcing storage to a third party does not absolve
your company of responsibility to comply with policies and ensure proper security of the data.
10. Review and evaluate controls to prevent, detect, and react to attacks. - Without appropriate intrusion detection and
prevention techniques, your systems and data are at an increased risk of compromise. This risk is increased in an outsourced
model, specifically when outsourcing systems and infrastructure, because of the shared infrastructure,—an attack and
compromise on one customer could result in compromise of your systems.
Intrusion Detection - Look for the usage and monitoring of Intrusion Detection Systems (IDSs) to detect potential attacks on
your systems and integrity checking tools to detect potential unauthorized changes to system baselines.
Intrusion Prevention - Look for the usage and monitoring of Intrusion Prevention Systems (IPSs) to proactively detect and
cut off potential attacks on your systems.
Incident Response - Look for clearly defined processes for responding to potential security incidents, including notification
and escalation procedures.
Discovering and Remediating Vulnerabilities - Look for the usage and monitoring of vulnerability scanning tools to detect
and mitigate potential vulnerabilities that might allow an intruder to access and/or disrupt your systems.
Logging - Look for the logging of significant activities (successes and failures) on your systems, for the monitoring of these
logs, and for the storage of these logs in a secure location for an adequate period of time.
Patching - Look for procedures to receive and apply the latest security patches so that known security holes are closed.
Protection from Viruses and Other Malware - Look for the usage of antivirus software and the application of new
signature files as they are released.
11. Determine how identity management is performed for cloud-based and hosted systems. - Proper identity
management practices are critical for controlling access to your systems and data
12. Ensure that data retention and destruction practices for data stored offsite comply with internal policy. - If the
lifecycle of data is not defined, data might be retained longer than necessary (resulting in additional storage costs and
possible legal liabilities) or may be destroyed prematurely (leading to potential operational, legal, or tax issues).
13. Review and evaluate the vendor’s physical security - Physical security impacts logical security, because physical
access can override some logical access controls.
Operations
14. Review and evaluate your company’s processes for monitoring the quality of outsourced operations. Determine
how compliance with SLAs and other contractual requirements are monitored. - dictated expectations in your
contract, unless you monitor for compliance with those expectations, you will have no way of knowing whether they’re being
met.
15. Ensure that adequate disaster recovery processes are in place to provide for business continuity in the event
of a disaster at your service provider. - Just as with internally-hosted systems, you must to prepare for recovery from a
disaster when outsourcing operations. Failure to do so will likely result in extended outages and business disruptions if a
disaster occurs with your vendor
16. Determine whether appropriate governance processes are in place over the engagement of new cloud
services by your company’s employees. - Cloud computing makes it easy for business unit personnel to meet their
needs without ever engaging corporate IT. This has the potential to bypass all of the governance processes normally in
place to ensure proper security of company data, interoperability of systems, appropriate support capabilities, and so on.
17. Review and evaluate your company’s plans in the event of expected or unexpected termination of the
outsourcing relationship. - The provider could go out of business or discontinue the service you’re using. You could be
unhappy with the provider’s cost or performance. You might engage in a new competitive bid at the end of your contract
and another vendor may win the business.
18. If IT services have been outsourced, review the service provider’s processes for ensuring quality of staff and
minimizing the impact of turnover. If those services are being performed offshore, look for additional controls to
ensure employee attendance and effective communication and hand-offs with the home office. - If service
provider employees aren’t qualified to perform their jobs or the provider experiences high levels of turnover, the quality
of IT services will obviously be poor. This risk generally increases with outsourced operations, where turnover tends to be
higher.
Legal Concerns and Regulatory Compliance
19. Review and evaluate your company’s right and ability to obtain information from the vendor that may be
necessary to support investigations. - Inability to produce applicable data may result in legal ramifications, as your
company will be held legally responsible for your information, even if it’s being stored and processed by a third-party
provider.
20. Review requirements for security breach notification. Ensure that requirements are clearly defined
regarding when and how the vendor should notify your company in the event of a security breach and that your
company has clearly defined response procedures when they receive such notification. - A security breach at your
service provider not only puts your data and operations in jeopardy but may also have legal implications.
21. Determine how compliance with applicable privacy laws and other regulations is ensured. - Regardless of
where your data is stored and who manages it, you are still responsible for making sure that your company is
complying with all applicable laws and regulations. If your company is found to be in violation of applicable laws and
regulations, it can lead to stiff penalties and fines, a damaged reputation, lawsuits, and possibly the cessation of the
company.
22. Review and evaluate processes for ensuring that the company is in compliance with applicable software
licenses for any software hosted offsite or used by non-employees. - Using software illegally can lead to penalties,
fines, and lawsuits. If companies do not develop processes for tracking the legal usage of software and licenses, they
may be subject to software vendor audits and will not be able to account properly for the company’s use of the vendor’s
software.
Advantages of
Cloud Computing
From a strategic
planning basis cloud
computing may be
seen to have several
advantages.
PROMISE!
Capacity Planning
Pay as you go
Response time
Time to market
Quick Deployment
Automatic Software
Updates and Integration
Cost Reduction
Data Security
Thank you!
Scalability
Different companies have different IT needs — a large enterprise of 1000+ employees
won’t have the same IT requirements as a start-up.
Cloud-based solutions are ideal for businesses with growing or fluctuating bandwidth
demands. If your business demands increase, you can easily increase your cloud capacity
without having to invest in physical infrastructure.
This scalability minimizes the risks associated with in-house operational issues and
maintenance. You have high-performance resources at your disposal with professional
solutions and zero up-front investment.
ADVANTAGES OF CLOUD COMPUTING
Collaboration
Cloud environments enables better collaboration across teams: developers, QA,
operations, security and product architects are all exposed to the same infrastructure
and can operate simultaniously without stepping on each other toes.
Different cloud environments can be built for specific purposes like staging, QA, demo or
pre-production. It’s much easier to collaborate in a transparent manner and the cloud
encourages it.
Creating and optimizing the cloud cost stucture policy can reduce the cost of cloud
storage significantly while maintaining the company’s business goals related to data
storage in the cloud.
Disaster Recovery
Having previous versions of software stored in the cloud, and having production instances
running on multiple cloud availability zones or regions allow for faster recovery from
disasters: if your application is deployed on multiple locations and for some reason one
region goes down – the traffic can automatically failover to the working regions without any
interruptions to the end-users.
Mobility
Cloud computing allows mobile access to corporate data via smartphones
and devices, which is a great way to ensure that no one is ever left out of
the loop. Staff with busy schedules, or who live a long way away from the
corporate office, can use this feature to keep instantly up-to-date with
clients and coworkers.
Cloud infrastructure can also help you with loss prevention. If you rely on a traditional on-
premises approach, all your data will be stored locally, on office computers.
Control
Having control over sensitive data is vital to any company. You never know what can
happen if a document gets into the wrong hands, even if it’s just the hands of an untrained
employee.
Cloud enables you complete visibility and control over your data. You can easily decide
which users have what level of access to what data.
Competitive Edge
Cloud adoption increases every year, since companies realize that it offers them
access to world-class enterprise technology. And, if you implement a cloud
solution now, you’ll be ahead of your competitors.
Cloud Computing
Risks
Data Privacy
Access Control
Internal Segmentation Availability
Sub-contractors Service Degradation
Data Ownership Service Outage
E-Discovery
Data Censorship
Encryption
Service
Provisioning
Service Changes Malicious Attack
Cost Changes Likelihood of Attack
Audit Records
Regulatory Storage Location
Compliance Lack of Breach Notice
Compliance
Data Privacy Risks
ACCESS CONTROL
Individuals within the service provider organization may have access to the
data submitted to the cloud environment
To mitigate this risk, the organization can require that the service provider
● limit access to the data/files to essential personnel only;
● conduct background checks
● maintain proper records of approval, removal, and review of internal
access to the data
● monitor access to the data
● train internal staff on requirements; and
● provide reports to the organization regarding access to the data records
by support staff.
Service
Provisioning
Service Changes Malicious Attack
Cost Changes Likelihood of Attack
Audit Records
Regulatory Storage Location
Compliance Lack of Breach Notice
Compliance
Risks of Cloud Computing
Service Provisioning
A manner of providing
customers access to
resources to complete the
desired tasks required by
the customer.
Malicious Attack
Is software designed to
cause harm or damage to a
computer, server, client or
computer network and/or
infrastructure without
end-user knowledge
Service Provisioning
Service Changes
After all, attackers tend to prefer target-rich environments, and cloud service providers
concentrate multiple targets within their service areas. This situation is made worse by
the fact that they must make web support and administration tools available to their
customers as a part of the normal business model through the web portal, thereby
leaving these tools accessible to attackers as well.
● confirm that the service provider follows recommended security best practices
in the development and coding of its web application, including code reviews
and appropriate application security steps within each level of its infrastructure;
● confirm that the service provider performs vulnerability and penetration tests on
a periodic basis and remediates any issues identified; and
● confirm that these practices have been audited and shown to be in place and
operationally effective.
Cloud Computing
Risks
Regulatory compliance risks
4. if this is not
2. if the organization possible, exclude the
faces this type of service provider from
restriction, include a those to be considered
discussion of this issue for the service.
with any service providers
considered as service
providers
Lack of breach notice
00 01
The organization may
use cloud
not even know that a
resources for only
breach has occurred
those data applications
until it appears in the
that do not have
evening news.
regulatory compliance
00
requirements
To Mitigate the 04
risk contract with a cloud service
provider that is willing to
assert contractually that they
will notify the organization at
once in the event of a
possible breach.
Compliance
Perform appropriate
Mitigating 03 due diligence 03
the
Risk
Obtain copies of the service
04 provider SAS 70 04
Mitigation Summary
05 . Ensure that