Cloud Computing NSAA Tallahassee September 2010 Brian Rue brue@fsu.edu


Page 1:

Cloud Computing

NSAA Tallahassee

September 2010

Brian Rue brue@fsu.edu

Page 2:

Agenda

1) Cloud Audit Drivers
2) Cloud Deployment (SaaS, PaaS, IaaS)
3) Cloud Delivery Methods (Private, Community, Public, Hybrid)
4) Cloud Communications
5) Data/Application Data Center Geography
6) Select Cloud Legal Issues
7) Select Data Security Issues
8) Cloud Contract Review
9) Cloud Audit Program Resources
10) Cloud Resources

Page 3:

Back to the Future: Centralized Computing Architecture, Application Service Providers, and Thin Client Computing Architectures

Page 4:

Why State Entities Go to the Cloud

• Potential to Reduce Costs: Cloud technology can result in cost savings over in-house solutions.

• Promotes Automation: Can shift (varies by cloud type) backend hardware and software support to the cloud vendor, reducing the staff required at the client site.

• On-Demand: Scalable architecture allows the client to dial up and dial down computing resources to match workflows.

• Mobility: A web user interface allows clients to connect from any computing device using a supported web browser.

• Shift IT Security Controls: The client can contractually shift the operation of IT security controls to the vendor, depending on the type of cloud architecture; accountability for the data stays with the client.

• Frees IT to Innovate: Clients have fewer support issues to worry about, allowing IT to concentrate on innovation.

Page 5:

1. Cloud Audit Drivers

Page 6:

Audit Reports

Page 7:

Evolving Government Guidance

Legislative Interest

Page 8:

Outsourcing Compliance Mandated Reviews

Evolving Cloud Security Controls

Page 9:

State Cloud Issues

State Cloud Migration

Page 10:

Getting Comfortable in the Cloud Environment

Page 11:

2. Three Cloud Deployment Methods

Page 12:

1. Software as a Service (SaaS)

• Vendor runs/owns:
– Application Software
– Platform (Operating System/Web apps/middleware/database)
– Supporting Infrastructure (data center)

• The applications are accessible from various client devices through a thin client interface such as a web browser.

Page 13:

SaaS Video

Page 14:

Example SaaS Product: Google Apps

Page 15:

2. Platform as a Service (PaaS)

• Vendor runs/owns:
– Platform (Operating System/Web apps/middleware/database)
– Supporting Infrastructure (data center)

• The client does not manage the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly over application hosting environment configurations.

Page 16:

PaaS Video

Page 17:

3. Infrastructure as a Service (IaaS)

• Vendor runs/owns:
– Supporting Infrastructure (data center)

• The client does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Page 18:

IaaS Video

Page 19:

NIST Chart

Page 20:

Cloud Providers

Page 21:

3. Cloud Delivery Methods

Page 22:

1. Private Clouds

• The Private Cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Page 23:

1.1 Private Clouds

Page 24:

2. Community Clouds

• The Community Cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Page 25:

2.1 Community Clouds Video

Page 26:

3. Public Clouds

• The Public Cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Page 27:

3.1 Public Clouds

Page 28:

4. Hybrid Clouds

• The Hybrid Cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Page 29:

4.1 Hybrid Cloud Video

Page 30:

NIST Cloud Delivery Chart

Page 31:

4. Cloud Communications

Mapping the data flows between the auditee, the cloud service, and any outside customers

Page 32:

Understanding the Pipes

• Internet
• Secure 100 Mbps or Gigabit private networks
• Virtual Private Networks (VPNs)
• Dedicated Lines
• SSL/SSH
• Wireless Carriers (Wi-Fi/WiMax/LTE/3G)
• Home Networks
• Public Access Points
• Multinational

Page 33:

Security of the Pipes: A Cloud Security Concern (Does a Plan B Exist?)

Service Disruptions: from the entity's own ISP Internet connectivity to denial-of-service attacks against Internet/vendor infrastructure

Page 34:

Encrypted Communications

• Encrypted Cloud Connections
– Strength
– Key Management
• Vendor Retains Encryption Keys
• Entity Retains Keys

Page 35:

5. Data Center Geography

Data Packet, Where Are You?

Page 36:

Cloud Vendors Maintain Data Centers in Multiple Locations Across the Globe

Page 37:

Location, Location, Location

Cloud vendors can have the ability to port client data and application processing across borders absent contractual geographical restrictions.

Page 38:

• One prominent SaaS provider has been identified as not being able to state, definitively, where one's data is hosted or that its location will be restricted to any given region.

http://www.cio.com/article/612063/Data_Compliance_and_Cloud_Computing_Collide_Key_Questions

Page 39:

Page 40:

More Secrecy from Vendors

• According to Network World, "Cloud service providers often cultivate an aura of secrecy about data centers and operations, claiming this stance improves their security even if it leaves everyone else in the dark"; these providers often believe that such secrecy is an integral part of the cloud-computing business model.

Page 41:

6. Select Legal Issues

Page 42:

IMPORTANT: Cloud vendors do not always know whether the entity is using cloud resources to store and/or process data that is protected by state, federal, or contractual obligations.

Page 43:

HIPAA/HITECH: Note the requirements concerning the terms of the business associate contract (BAC) that HIPAA/HITECH requires between the audited entity and the business associate. HITECH does create security obligations for Business Associates (BAs) with responsibility for joint IT environments. Additional issues concern the BA's ability to monitor the entity's environment so that any privacy/security issues are promptly communicated to the contracting entity.

PCI DSS: Cloud use for credit card processing must include cloud contract provisions concerning the cloud vendor's duties as a Service Provider under PCI DSS, including the vendor's obligation to maintain a compliant cloud environment.

State Privacy Laws: Contracted cloud provisions should match the applicable state security or privacy laws.

Business Associates – State Laws – Service Providers

Page 44:

e-Discovery in the Cloud: the cloud provider has possession and custody of the documents but delegates control to the customer

• Has the auditee developed e-discovery procedures, including how to get information off the cloud when a request is made?

• Has the auditee reviewed and validated the controls used to protect the cloud documents, to counter potential legal challenges?

– How does the entity ensure documents are not moved to geographical locations that may put e-document integrity at risk?

Page 45:

Subpoenas

• State or federal subpoenas could be issued against data/logs held by the cloud vendor.
– Because of the multi-tenant cloud architecture, subpoena procedures may result in a customer's data/logs being reviewed even if that customer's data is not part of the subpoena, unless the data is encrypted and the key is held by the client.

• There may be no judicial oversight requiring the cloud vendor to alert the client to subpoena activity involving client data or network logs.
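Page 34 (Encrypted Communications: whether the vendor or the entity retains the encryption keys) and the subpoena point above (vendor-held data in a multi-tenant cloud can be read by a third party unless it is encrypted with a key held by the client) describe the same control. The following Go program is an added example written for this transcript; it is not code from the presentation or from any cloud vendor. It assumes nothing about a particular cloud API and models the vendor simply as a party that stores the record and holds whatever keys it holds. The entity encrypts each record with AES-256-GCM under a key that never leaves its premises, binds the record identifier as associated data, and hands the vendor only nonce and ciphertext. The record content, record identifiers and the vendor's key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is all the vendor ever stores when the entity retains the key:
// nonce plus AES-GCM output (ciphertext followed by the 16-byte auth tag).
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewEntityKey generates a 256-bit AES key that stays on entity premises.
func NewEntityKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("entity key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record before it leaves the entity. The record ID is bound
// as associated data, so a stored ciphertext cannot be moved under another
// record (or another tenant's record) without the decryption failing.
func Seal(key []byte, recordID string, plaintext []byte) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return Record{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record fetched back from the vendor. It returns an error
// if the key is wrong, the record ID does not match, or any byte was altered.
func Open(key []byte, recordID string, rec Record) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
}

// VendorCanRead models the vendor, or a subpoena served on the vendor, that
// has only the stored record and the vendor's own key material (hypothetical):
// it reports whether the plaintext is recoverable from what the vendor holds.
func VendorCanRead(vendorKey []byte, recordID string, rec Record) bool {
	_, err := Open(vendorKey, recordID, rec)
	return err == nil
}

func main() {
	entityKey, _ := NewEntityKey()
	vendorKey, _ := NewEntityKey() // constructed stand-in for whatever keys the vendor holds
	rec, _ := Seal(entityKey, "case-0042", []byte("constructed sample PII"))
	fmt.Println("vendor can read:", VendorCanRead(vendorKey, "case-0042", rec))
	pt, _ := Open(entityKey, "case-0042", rec)
	fmt.Println("entity reads back:", string(pt))
}
```

The contract-review consequence is the audit point: if the vendor holds the key (the first option on Page 34), none of this protects the entity, and anything the vendor can decrypt for itself it can also be compelled to decrypt for a subpoena.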

Page 46:

7. Cloud Data Security Issues

Page 47:

Security Issues

• Vendor connections to entity data security systems
– Vendor may have access to local authentication and authorization assets maintained by the client (e.g., Active Directory) through hosted apps and databases
• Lack of client audit clauses
• Data encryption keys controlled by the cloud vendor, not the entity
• Lack of vendor logs (Application/Database/Network), or limited client access to vendor logs
• Slack vendor change management/patching procedures
• Unclear vendor incident response procedures (timely alerts?)
• Loss of physical control of data assets
– Controlling movement of data assets geographically
– Increased security issues in virtual environments

Page 48:

Top Cloud Client Security Fails

• No client risk assessment (0.0%) developed to understand and build appropriate control and monitoring procedures that ensure CIA (confidentiality, integrity, availability) in the cloud and at the end-points

• Client gives up ownership, responsibility, or governance of what is going on with its data to the cloud service provider

Page 49:

Contracted Security

• Cloud vendors will construct security clauses in client contracts that best protect the legal interest of the vendor and not necessarily the client:
– Vendor may not define the security standards they will follow to protect client assets
– Vendor may not define procedures for the timely application of security patches to the purchased infrastructure
– Most vendors contractually prohibit client vulnerability and PII scans of the purchased cloud environment
– Vendor may not specify what privacy or data security laws they must comply with

Page 50:

SAS 70 / ISO/IEC 27002 / SSAE No. 16

The Vendor Entity Contracting Guidelines or Procedures

SSAE No. 16 (issued April 2010) supersedes SAS 70 for service organization control reports covering periods ending on or after June 15, 2011. Either report covers only the controls the vendor chose to include in its system description, so check that the report's scope actually covers the services and data centers the entity buys.

Page 51:

8. Cloud Contract Review

Page 52:

It's All About the Contracts

• The majority of your program audit hours will be allocated to cloud contract review

Page 53:

9. Developing a Cloud Audit Program

Page 54:

ISACA: Cloud Computing Management Audit/Assurance Program

http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Pages/ICQs-and-Audit-Programs.aspx

Page 55:

Page 56:

Page 57:

10. Cloud Auditing Resources

Page 58:

GAO Cloud Guidance

http://www.gao.gov/new.items/d10855t.pdf

Page 59:

Cloud Federal Privacy Recommendations

http://www.privacylives.com/wp-content/uploads/2010/08/Privacy-Recommendations-Cloud-Computing-8-19-2010.pdf

Page 60:

CSA Cloud Security Guidance

http://www.cloudsecurityalliance.org/csaguide.pdf

Page 61:

NIST Cloud Presentations

http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

Page 62:

Questions