www.isaca.org
Cloud Computing Risk Assessments
Donald Gallien
March 31, 2011
Overview
• Cloud Computing Refresher
• Assessing Cloud Computing Universe Completeness
• Using a Cloud Computing Risk Ranking Model
• Risk Ranking Case Study
Quiz
• What do the following have in common?
– Paisley GRC
– Salesforce.com
– Amazon EC2
– Google Apps
– Microsoft Business Productivity Online Suite (BPOS)
– Rackspace
– WebEx
Cloud Computing Refresher
Cloud Computing Basics
• Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid (Source: Wikipedia)
• Based on virtualization and abstraction of the underlying infrastructure
• IT Audit Risk is largely driven by:
– Deployment Model
– Service Model
– Nature of Applications & Data in the Cloud
Deployment Models

Model      Definition                                                                                   Example
Public     Available to the general public or a large industry group                                   Google Apps (Free)
Community  Shared by several organizations and supports a specific community that has shared concerns  Google Apps for Government
Private    Operated solely for an organization                                                          Microsoft BPOS for a Business

Source: NIST
Service Models

Model                               Definition                                                                                  Example
Infrastructure as a Service (IaaS)  Fundamental computing resources on which to deploy software, including the OS and applications  Rackspace Cloud
Platform as a Service (PaaS)        Applications built with programming languages and tools supported by the cloud provider    Force.com
Software as a Service (SaaS)        Cloud provider applications running on a cloud infrastructure                               Salesforce.com (CRM)

Source: NIST
Another Way to Look at Service Models
(Figure: the three service models illustrated with WebEx, BPOS and Amazon EC2 as examples.)
Deployment Model Risk Profile
(Chart: likelihood of a data security, privacy and control breach by deployment model; highest for Public, lower for Community, lowest for Private.)
Service Model Risk Profile
(Chart: impact of loss of control and security breach by service model; highest for IaaS, lower for PaaS, lowest for SaaS.)
Cloud Refresher Summary
• Public clouds are inexpensive, but provide less security and service
• Private clouds are expensive, but align better with technology and security standards
• IaaS models are very broad in scope, but organizations maintain more control
• SaaS models are narrow in scope, but organizations relinquish almost all control
What is the impact of cloud computing on the IT audit function?
But one thing never changes
• All IT Audit and Governance groups must:
1. Identify a Universe
2. Risk Rank the Universe
3. Provide Appropriate Coverage based on Risk
Assessing Cloud Computing Universe Completeness
The Cloud Universe Challenge
Finding the Clouds
Technology Governance
• Oversight
• Technology Approvals
• Partner Approvals
How does your organization promote controlled cloud computing?
Firewalls and Encryption Certificates
• Firewall & VPN Rule Changes
• Firewall Logs
• Encryption Certificate Requests
Cloud computing environments are unlikely to stand alone; they connect to the corporate network, and those connections leave traces in rule changes, logs and certificate requests.
Invoices / T&E Reporting
• Vendor Master
• Invoice Lists
• T&E Reporting
How much does it cost to deploy cloud based e-mail service at Google?
Process Walkthroughs
• Business Process
• Data Flow
• Technology Overview
Has anyone discovered cloud based computing in a walkthrough meeting?
Summary – Universe Completeness
• Cloud computing can be difficult to identify
• Traditional technology governance, security, and procurement controls can be used to identify cloud computing
• Users and business analysts could be your best source of cloud computing information
What else can you do to identify cloud computing?
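The evidence sources named in the preceding slides (firewall logs, encryption certificate requests, the vendor master and invoice list) can be searched programmatically once you have a list of provider signatures. The Python below is an added example written for this page, not code from the ISACA deck or its author. Everything in it is constructed for illustration: the log and invoice record formats, the example-corp hostnames, and the provider-to-domain signature table, which in practice you would build and maintain from your own network and procurement data.

```python
"""Find cloud services in the evidence an auditor already has: firewall
logs, encryption certificate requests, and the vendor master / invoice list.
Added example, not the ISACA deck's own code."""
import re
from collections import defaultdict

# Assumed signatures for providers the deck names: domains that appear as
# firewall destinations or certificate names, and vendor strings that appear
# on invoices. Maintain this from your own network and procurement data.
PROVIDER_SIGNATURES = {
    "Salesforce.com": (("salesforce.com", "force.com"), ("salesforce",)),
    "Amazon EC2":     (("amazonaws.com",), ("amazon web services",)),
    "Google Apps":    (("google.com", "googleapis.com"), ("google",)),
    "WebEx":          (("webex.com",), ("webex",)),
    "Rackspace":      (("rackspacecloud.com", "rackspace.com"), ("rackspace",)),
}

# Constructed sample evidence (formats and hostnames are illustrative).
FIREWALL_LOG = """\
2011-03-30T10:22:01 ALLOW src=10.1.2.3 dst=na1.salesforce.com dport=443
2011-03-30T10:22:05 ALLOW src=10.1.2.3 dst=intranet.example-corp.com dport=80
2011-03-30T10:23:11 ALLOW src=10.1.7.9 dst=ec2-50-17-0-1.compute-1.amazonaws.com dport=22
2011-03-30T10:24:40 DENY  src=10.1.7.9 dst=mail.example-corp.com dport=25
2011-03-30T10:25:02 ALLOW src=10.1.4.4 dst=notsalesforce.com dport=443
"""
CERT_REQUESTS = [  # (common name, subject alt names, business justification)
    ("sso.example-corp.com", ["sso.example-corp.com"], "SAML federation to WebEx for conferencing"),
    ("www.example-corp.com", ["www.example-corp.com"], "Public web site renewal"),
]
INVOICES = [  # (vendor master name, description, amount in USD)
    ("Salesforce.com Inc", "Enterprise Edition CRM subscription, 250 users", 37500.00),
    ("Acme Office Supply", "Toner and paper", 412.18),
    ("Rackspace US, Inc.", "Cloud Servers, March 2011", 1840.55),
]

DST_RE = re.compile(r"\bdst=(\S+)")


def host_matches(host, domain):
    """True if host equals domain or is a subdomain of it. Matching on a
    label boundary keeps 'notsalesforce.com' from matching 'salesforce.com'."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def providers_for_host(host):
    return {p for p, (domains, _) in PROVIDER_SIGNATURES.items()
            if any(host_matches(host, d) for d in domains)}


def providers_for_text(text):
    """Substring match of vendor names; expect some noise for short names."""
    text = text.lower()
    return {p for p, (_, vendors) in PROVIDER_SIGNATURES.items()
            if any(v in text for v in vendors)}


def discover(firewall_log=FIREWALL_LOG, cert_requests=CERT_REQUESTS, invoices=INVOICES):
    """Return {provider: sorted evidence strings}, one entry per provider found."""
    findings = defaultdict(set)
    for line in firewall_log.splitlines():
        m = DST_RE.search(line)
        if m:
            for p in providers_for_host(m.group(1)):
                findings[p].add(f"firewall: {m.group(1)}")
    for cn, sans, justification in cert_requests:
        for name in [cn, *sans]:
            for p in providers_for_host(name):
                findings[p].add(f"cert: {name}")
        for p in providers_for_text(justification):
            findings[p].add(f"cert: {cn} ({justification})")
    for vendor, description, amount in invoices:
        for p in providers_for_text(f"{vendor} {description}"):
            findings[p].add(f"invoice: {vendor} ${amount:,.2f}")
    return {p: sorted(ev) for p, ev in sorted(findings.items())}


if __name__ == "__main__":
    for provider, evidence in discover().items():
        print(provider)
        for e in evidence:
            print("   ", e)
```

Each source catches something the others miss: the WebEx federation shows up only in a certificate request, the Rackspace servers only on an invoice, and the EC2 host only in the firewall log. That is the practical reason the deck lists several evidence sources rather than one.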
Using a Cloud Computing Risk Ranking Model
A few thoughts before we start
• Risk models include elements of judgment and must fit the organization
• Some model assumptions may be completely wrong for your organization
– We should have a lot of debate on this topic
• Risk ranking scores must drive governance requirements and audit activities
Cloud Risk Ranking Example

Attribute              High (5)          Med (3)           Low (1)
Deployment Model       Public            Community         Private
Service Model          IaaS              PaaS              SaaS
Data Security Level    Secret            Restricted        Unclassified
Physical Hosting Site  Undefined         Int'l Location    Domestic Location
SOX Critical           Yes               (none)            No
Dependent Apps         Greater than 10   4 to 10           0 to 3
Recovery Time          4 Hours           7 Days            31 Days
Region Supported       Europe or Global  US                All other
Potential Governance & Audit Requirements

Cloud Risk Category  Score   Governance Requirements  Audit Requirements / Frequency
High                 >25     SAS 70 Type II           Full Scope / Annual
Medium               11-24   SAS 70 Type I            Limited Scope / Bi-Annual
Low                  <10     None                     Risk Assess Only
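The eight attributes, their 5/3/1 point values and the category thresholds above are enough to implement the model as a small scoring program. The Python below is an added example written for this page, not code from the ISACA deck. The point values and bands are the deck's; everything else is an assumption made here: the three service records are constructed, the cut-offs between the deck's three RTO anchor points (4 hours, 7 days, 31 days) are chosen by this code, and because the deck's bands leave a total of exactly 10 or 25 unassigned (Low is <10, Medium 11-24, High >25) the code treats 10 as Low and 25 as High.

```python
"""Score and rank cloud services with the deck's eight-attribute model.
Added example, not the ISACA deck's own code. Point values and bands are
the deck's; the service records, the RTO cut-offs between the deck's anchor
points and the handling of totals of exactly 10 and 25 are assumptions."""
from dataclasses import dataclass

# Attribute -> {value: points}, copied from the deck's ranking table.
ATTRIBUTE_SCORES = {
    "deployment_model":      {"Public": 5, "Community": 3, "Private": 1},
    "service_model":         {"IaaS": 5, "PaaS": 3, "SaaS": 1},
    "data_security_level":   {"Secret": 5, "Restricted": 3, "Unclassified": 1},
    "physical_hosting_site": {"Undefined": 5, "International": 3, "Domestic": 1},
    "sox_critical":          {True: 5, False: 1},   # the deck has no Medium here
    "region_supported":      {"Europe or Global": 5, "US": 3, "Other": 1},
}

# Governance and audit requirements per category, from the deck's table.
REQUIREMENTS = {
    "High":   ("SAS 70 Type II", "Full scope / annual"),
    "Medium": ("SAS 70 Type I", "Limited scope / bi-annual"),
    "Low":    ("None", "Risk assessment only"),
}


@dataclass
class CloudService:
    name: str
    deployment_model: str
    service_model: str
    data_security_level: str
    physical_hosting_site: str
    sox_critical: bool
    dependent_apps: int
    rto_hours: float
    region_supported: str


def score_dependent_apps(n):
    """Deck bands: greater than 10 = 5, 4 to 10 = 3, 0 to 3 = 1."""
    if n < 0:
        raise ValueError("dependent app count cannot be negative")
    return 5 if n > 10 else 3 if n >= 4 else 1


def score_rto(hours):
    """Deck anchors: 4 hours = 5, 7 days = 3, 31 days = 1. Assumption: an
    RTO up to 4 h scores High, up to 7 days Medium, anything longer Low."""
    if hours <= 0:
        raise ValueError("RTO must be positive")
    return 5 if hours <= 4 else 3 if hours <= 7 * 24 else 1


def score(svc):
    """Return (total, {attribute: points}); reject values outside the model."""
    points = {}
    for attr, table in ATTRIBUTE_SCORES.items():
        value = getattr(svc, attr)
        if value not in table:
            raise ValueError(f"{svc.name}: {attr}={value!r} not one of {list(table)}")
        points[attr] = table[value]
    points["dependent_apps"] = score_dependent_apps(svc.dependent_apps)
    points["recovery_time"] = score_rto(svc.rto_hours)
    return sum(points.values()), points


def category(total):
    """Deck bands are High >25, Medium 11-24, Low <10, which leaves 25 and 10
    unassigned; this assumes 25 is High and 10 is Low."""
    return "High" if total >= 25 else "Medium" if total >= 11 else "Low"


def rank(services):
    """Highest risk first: (name, total, category, governance, audit)."""
    rows = []
    for svc in services:
        total, _ = score(svc)
        cat = category(total)
        rows.append((svc.name, total, cat, *REQUIREMENTS[cat]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed inventory, as an auditor might record it after discovery.
SAMPLE_SERVICES = [
    CloudService("Salesforce CRM", "Public", "SaaS", "Restricted", "Domestic",
                 True, 6, 24, "Europe or Global"),
    CloudService("EC2 dev/test", "Public", "IaaS", "Unclassified", "Undefined",
                 False, 2, 31 * 24, "US"),
    CloudService("Private wiki", "Private", "SaaS", "Unclassified", "Domestic",
                 False, 0, 31 * 24, "Other"),
]

if __name__ == "__main__":
    for name, total, cat, gov, audit in rank(SAMPLE_SERVICES):
        print(f"{name:16} {total:3}  {cat:6}  {gov:15}  {audit}")
```

With eight attributes the total can only range from 8 to 40, so a public SaaS CRM holding SOX-relevant data lands in High (26) while a public IaaS sandbox with no dependent applications still scores Medium (22). Whether that ordering is right for your organization is exactly the kind of weighting debate the deck asks for; the boundary values and the RTO cut-offs are the first things to settle before the scores are used to drive audit coverage.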
Deployment Model Considerations
(Figure: High / Medium / Low scale with Public = High, Community = Medium, Private = Low.)

Service Model Considerations
(Figure: High / Medium / Low scale with IaaS = High, PaaS = Medium, SaaS = Low.)

Data Security Considerations
(Figure: High / Medium / Low scale with Secret = High, Restricted = Medium, Unclassified = Low.)

Physical Hosting Site Considerations
(Figure: High / Medium / Low scale with Undefined = High, International Location = Medium, Domestic Location = Low.)

SOX Criticality Considerations
(Figure: High / Low scale with Yes = High, No = Low; the model has no Medium value for this attribute.)

Dependent Applications
(Figure: High / Medium / Low scale with greater than 10 = High, 4 to 10 = Medium, 0 to 3 = Low, matching the ranking table.)

Recovery Time Objectives (RTO) Considerations
(Figure: High / Medium / Low scale with 4 Hours = High, 7 Days = Medium, 31 Days = Low.)

Regions Supported Considerations
(Figure: High / Medium / Low scale with Europe or Global = High, United States = Medium, All Other = Low.)
Summary – Cloud Risk Ranking Models
• Cloud risk ranking attributes and scoring must vary based on environment and need
• Risk attributes and scoring require alignment with organizational standards
What other risk attributes might you use, and how would you rank them on a high, medium, low basis?
Risk Ranking Case Study
Conclusions
• Business and technology leaders are embracing cloud computing - it is here to stay and growing
• Cloud computing standards and risk ranked cloud universes are foundational requirements for governance
• We must adjust our approach to remain relevant