Mark E.S. Bernard: Cloud Computing and Associated Risks Based on ISO 27001 ISMS
DESCRIPTION
In early 2010 I facilitated a Cloud Computing Risk Assessment for presentation at the ISACA Victoria Chapter, based on my own 22 years of experience as both a customer and a service provider. Over the course of the last 7 years I have been working almost exclusively with Cloud Computing vendors, suppliers and Cloud Computing service providers to adopt ISO 27001 – Information Security Management System (ISMS). The adoption of ISO 27001 ISMS has been very badly communicated because it is so new and so many consultants are jumping on the bandwagon, so I felt that this would be useful. In 2010 I had no idea that ISO 27001 would become the de facto security standard for Cloud Computing that it has. Since that time I have added additional SlideShare presentations to review what a typical statement of work and the Human Resource allocation might look like, in an attempt to raise awareness and knowledge of this rapidly growing profession. If you have any questions or require some of my expertise please contact me at [email protected] or 250-812-7060. These days I have been traveling around the globe helping corporations and I know that I can help you too.
TRANSCRIPT
Compiled by Mark E.S. Bernard, CRISC, CGEIT, CISM, CISA, CISSP, PM, PA, CNA, ITIL, ISO27k Lead Auditor, SABSA F2,Information Security, Privacy & Governance Consultant,Mobile: 250-812-7060 or email: [email protected]
•Cloud Predictions
•eCommerce Evolution
•Cloud Analysis
•Risk Management
•Terms
CPA/PA, PM, ISO27k Lead Auditor, CISSP, CISA, CISM, CGEIT, Mark E.S. Bernard
Contact phone: 250-812-7060 ; e-Mail: [email protected]
EXPERIENCE: Mark has twenty years of proven experience within the domain of Information Security, Privacy
& Compliance within a broad range of industries including: Government, Financial Services, Credit Unions, Charter Banking, Insurance,
Pharmaceutical, Telecommunications, Technology, Manufacturing and Academia.
•In 2009 Mark led Canadian Financial Services ISO/IEC 27001 Registration/Certification of 1st Public Sector organization for the Ministry of
Labour, Citizen Service, Common Business Service and more specifically - Corporate Accounting Services.
•In 2009 Mark led the Transition-In Project of new Core Services Contractor to Corporate Accounting Services on behalf of the Province.
•In 2009 Mark led the Technology and Operations workstream during Negotiated Request for Proposal for Corporate Accounting Services on
behalf of the Province.
•In 2008 Mark led Canadian Financial Services ISO/IEC 27001 Registration/Certification of 1st online banking system for Credit Union Central
of British Columbia, now Central1.
• Mark led Canadian Financial Services Privacy, Security, and Compliance Office work-stream during outsourcing of Ministry of Small
Business and Revenue and contract refresh on behalf of EDS Advanced Solutions.
• Mark led International Food Manufacturer Information Security Program development and implementation of the Information Security
Management System on behalf of McCain Foods Limited, a 6.7 billion-dollar global business.
• Mark led International Technology Services - Independent System Assurance Review against international financial systems located in
Trinidad, Barbados, Nassau, Jamaica and Antigua and financial systems managed in Canada, on behalf of IBM Global Services.
• Mark led Canadian Insurance HRIS Business Unit for Zurich Insurance for 7 years as Manager of HRIS, including in-house payroll systems.
• Mark led Canadian Financial Systems Project to upgrade IBM iSeries servers supporting the Toronto Stock Exchange and TD Bank Wealth
Management Services.
• Mark led International Pharmaceutical Manufacturer Project to centralize Enterprise Resource Planning systems and ISO 9001 and 9002
re-certification of lab systems in compliance with FDA and Health Canada regulations for Taro Pharmaceuticals.
VOLUNTEER: Mark has volunteered his time to participate and actively contribute to the local Information Systems Audit and Control Association
chapter and the High Technology Crime Investigation Association chapter. Mark was the founder of New Brunswick’s HTCIA chapter.
MEDIA: Mark has published articles in magazines and contributed to the CISM Common body of knowledge in
addition to appearing as an expert source on Information Security and Privacy topics in local Conferences and
Newspapers, on CBC Radio and Rogers Cable Television.
•Order Series (ORD)
•Materials Handling Series (MAT)
•Tax Services Series (TAX)
•Warehousing Series (WAR)
•Financial Series (FIN)
•Government Series (GOV)
•Manufacturing Series (MAN)
•Delivery Series (DEL)
•Engineering Management & Contract
Series (ENG)
•Insurance/Health Series (INS)
•Miscellaneous ANSI X12 Transactions
Series (MIS)
•Mortgage Series (MOR)
•Product Services Series (PSS)
•Quality and Safety Series (QSS)
•Student Information Series (STU)
•Transportation:
-Air and Motor Series (TAM)
-Ocean Series (TOS)
-Rail Series (TRS)
-Automotive Series (TAS)
CICA is a new approach to message design aimed at resolving the costly
proliferation of differing (and often incompatible) XML messages used for
business-to-business data exchange. CICA gives developers access to reusable
components that can be used to construct interface standards to satisfy common
business requirements as well as industry-specific needs.
CICA is a syntax-neutral architecture that supports both business content and
implementation information. CICA messages ("documents") can currently be
expressed as XML schemata.
[Diagram: a Value Added Network linking Government Ministries and Suppliers over an Intranet Cloud, with Citizens reaching the ministries over the Internet Cloud]
•Quality of Service standards?
•Service Level Agreement?
•Eliminating capital expenditures on hardware and software.
•Transferring Service Management to the Service Provider.
•Access to broader ranges of applications at lower costs?
•More functionality through their service offerings?
•More flexibility with capital budget vs operating budget?
•Improve the efficiency of their data center by transferring inefficient processes.
•Who will champion the adoption of Cloud Computing?
•Open standards that fuelled the rapid growth of Cloud Computing?
• Clouds are complex comprising highly specialized applications made up of even more granular, yet simple application procedures replicated thousands of times
• Clouds can generate both security benefits and risks
• How can we establish and maintain trust?
• How can the virtualization of servers, and systems maintain acceptable levels of security?
• How can encryption be successfully deployed and managed across extremely complex environments with millions, and maybe billions, of unique data streams and business channels?
• How can we even hope to achieve mandatory compliance with statutes, regulations and contractual obligations?
•Tactically, “Virtualization” is about saving money
•Strategically, “Virtualization” leads to flexible resourcing
1). Enables economies of scale: Cloud providers maximize the usage of their resources to make money.
2). Decouples users from implementation: Virtualization forces the relationship to change from
implementation, to service level agreements.
3). Speed, flexibility, agility: Early adopters of cloud computing talk about how quickly they can get new
servers online. Compared to the 4-6 weeks it takes an average IT shop to deploy a server, just about
anything is faster. However, virtual machines can be deployed roughly 30 times faster.
4). Breaks software pricing and licensing: Software Manufacturers can’t charge users for physical
capacity when only a small portion of it is used. It’s also impossible to charge for every potential server
the software might be running on.
5). Enables, motivates chargeback: When servers can be delivered in minutes rather than weeks, IT users
ask for more – roughly two times as much. IT needs to focus more on usage accounting, and chargeback.
The term "Web 2.0" (2004–present) is commonly associated with web applications
that facilitate interactive information sharing, interoperability, user-centered design
and collaboration on the World Wide Web. Examples of Web 2.0 include web-
based communities, hosted services, web applications, social-networking sites,
video-sharing sites, wikis, blogs, mashups and folksonomies.
A Web 2.0 site allows its users to interact with other users or to change website
content, in contrast to non-interactive websites where users are limited to the
passive viewing of information that is provided to them.
•Authority Attack (with or without artefact): using fake identification or badge, utility service, or law enforcement
uniform, to gain access or identify a key individual by name/title as supposed friend or acquaintance or claiming
authority such as a lawyer or auditor and demanding information (impersonation).
•Zero-Sum Knowledge Attack: Baiting someone to add, deny or clarify pieces of information or incorrect
information, claiming to know more than they actually do, to solicit more information.
•Persistent Attack: Continuous harassment using guilt, intimidation and other negative ways to reveal information.
This could take place over days, weeks, months.
•Stake-Out Attack: Analyze operational activity over a period of time including people, regular mail, or special
courier, and/or supply deliveries, the patrol patterns of guards, location of CCTV, off hours activity.
•“The boy who cried wolf” Attack: Setting off a series of false alarms, either physical or digital, until someone gets
tired of responding and disables the alarm system.
•Help Desk Attack: Impersonating a current or new end-user needing help with access to a network or server.
•Fake Survey/Questionnaire Attack: Win a free trip to Hawaii, or somewhere special, in exchange
for completing a survey and answering questions about your work or your network.
•Quality of Service Standards
•Open Standards
•Ajax (asynchronous JavaScript and
XML)
•Java
•Delphi
•Product Realization
•Software Development Life Cycle
•Acceptance Criteria
•Quality Management – ISO 9001:2008
•7 Product realization
•7.1 Planning of product realization
•7.2 Customer-related processes
•7.3 Design and development
•7.4 Purchasing
•7.5 Production and service provision
•7.6 Control of monitoring and
measuring equipment
•Distributed background worker pool
•Load-balanced, edge-service processes
handling user requests (often virtualized)
•Distributed caches (like memcached)
•CDN (content delivery network like Akamai)
•Distributed blob storage (aka S3)
•Asynchronous, durable message
queues (aka SQS)
•Non-Relational-/non-transactional
databases (like SimpleDB, Google
BigTable, Azure SQL Services)
•Kiosk Mode
•Unauthenticated Access
•(Un)Hidden Hotkeys
•Restricted Desktop Access
•Attack Microsoft Office
SCOPE: Review and assess proposed Cloud services for Software as a Service, Platform as a
Service and Infrastructure as a Service.
RATIONALE: Consideration was given to the fact that Cloud services are a new service
delivery approach that has not been fully implemented. More emphasis is placed on partnering with service
providers, and on managing necessary controls through collaborative partnerships
and/or transferring risk completely to the service providers. Transparency of processes,
consistency of outcomes, and quality of service and deliverables will become more and more
important, and thus an understanding of the potential issues is important to its success.
The threat-risk assessment was facilitated against existing best practices for information security
management systems, ISO/IEC 27001:2005. These controls are based on industry best practice
for information handling, drawn from known vulnerabilities and risks associated with most
businesses; however, this standard was initially developed by and for government in the UK.
http://gizmodo.com/5449037/google-hacked-the-chinese-hackers-right-back;
•Unauthorized and/or uncoordinated and unplanned changes
•Ineffective acceptance criteria
•Ineffective application tests for malicious code
•Broken or ineffective cryptographic controls
•Unchecked technical vulnerabilities
•Missing security requirements
•Noncompliance with legal obligations
•Missing audit requirements
•Ineffective security in development and support processes
•Missing confidentiality agreements
•Ineffective or broken network access control
•Unknown users accessing the network
•Ineffective privilege management
•Incomplete removal of access rights upon exits
•Ineffective or missing fault logging
•Weak external party service delivery management
•Missing or weak governance of external party services
•Missing capacity management
•Lack of information handling procedures
•Missing or weak information exchange policies and procedures
•No exchange agreements
•Below standard network controls
•Weak security of network services
•No independent reviews of information security
•Unchecked risks related to external parties
•No flow down security and privacy obligations in external party agreements
•Weak application and information access controls
•No corrective and/or preventive actions for errors in processing of applications
•Broken or weak electronic commerce services
•Ineffective Audit logging
•No security of log information
•Inability to collect evidence
•Ineffective Business Continuity planning
•Weak or ineffective control of secure areas
•Weak or missing operating system access control
•Unprotected system files
•No reporting of information security incidents
•No reporting of security weaknesses
•Ineffective compliance with security policies and standards
•Missing authorization process for information processing facilities
•No communication concerning acceptable use of assets
•Noncompliance with classification guidelines
•Missing information labelling and handling
•Ineffective employee/contractor security screening
•Missing or ineffective information security awareness, education and training
•No disciplinary process for employees or contractors
• Reduce risk by transferring it to Cloud Service Provider
• Security auditing and testing could be simplified
• Streamline the automation of security management
• Built-in redundancy will improve disaster recovery and business continuity
• Lower Total Cost of Ownership
• Lower costs of services
• Reduce the need for capital by as much as 40%
• Provide a broader range of services
• Provide an agile response to increases and decreases in service demands
• Establishing Trust?
• Suppliers response to audit findings
• Support for investigations and evidence gathering
• System administrator accountability
• Drawing the line between proprietary and nonproprietary for examination.
• Virtualized servers and applications
• Physical control of that data
• Mandatory compliance with statutes, regulations and contractual obligations
Security Posture:
•Equilibrium State (EQ): In this state the threats are identified and the appropriate safeguards are deemed to be in place.
•Vulnerable State (VU): In this state the threats far outweigh the safeguards.
•Excessive State (EX): In this state the safeguards far outweigh the threats. This can result in an overspending in the area of security
measures.
Information Classification:
•Low Sensitivity (L): a). limited financial losses, b). limited impact on service level or performance, or, c). embarrassment and
inconvenience.
•Medium Sensitivity (M): a). loss of competitive advantage, b). loss of confidence in the government program, c). significant financial
loss, d). legal action, or, e). damage to partnerships, relationships and reputations.
•High Sensitivity (H): a). extremely significant financial loss, b). loss of life or public safety, c). loss of confidence in the government, d).
social hardship, or, e). major political or economic impact.
•Unclassified (U): a) information of public knowledge that can be found on most government web sites and would include such
information as the government telephone books, advertisements for job opportunities in the various ministries, government-wide
initiatives such as Government-On-Line, public health information, job classification level and range of pay scale.