Cloud Computing
Audit Report # 16-09
February 28, 2017
The University of Texas at El Paso Institutional Audit Office
"Committed to Service, Independence and Quality"
February 28, 2017
Dr. Diana Natalicio
President, The University of Texas at El Paso
Administration Building, Suite 500
El Paso, Texas 79968
Dear Dr. Natalicio:
UTEP Institutional Audit Office
500 West University Ave
El Paso, Texas 79968
915-747-5191
The Office of Auditing and Consulting Services has completed a limited scope audit of cloud computing services. During the audit, we identified opportunities for improvement and offered the corresponding recommendations in the audit report. The recommendations are intended to assist the department in strengthening controls and help ensure that the University's mission, goals and objectives are achieved.
We appreciate the cooperation and assistance provided by the Information Security Office staff and the survey respondents during our audit.
Sincerely,
Lori Wertz
Chief Audit Executive
The University of Texas at Arlington · The University of Texas at Austin · The University of Texas at Dallas · The University of Texas at El Paso · The University of Texas of the Permian Basin · The University of Texas Rio Grande Valley · The University of Texas at San Antonio · The University of Texas at Tyler · The University of Texas Southwestern Medical Center · The University of Texas Medical Branch at Galveston · The University of Texas Health Science Center at Houston · The University of Texas Health Science Center at San Antonio · The University of Texas MD Anderson Cancer Center · The University of Texas Health Science Center at Tyler
Report Distribution:
The University of Texas at El Paso:
Mr. Richard Adauto III, Executive Vice President
Dr. Stephen Riter, Vice President for Information Resources and Planning
Ms. Sandy Vasquez, Assistant Vice President for Compliance Services
Mr. Gerard Cochrane Jr., Chief Information Security Officer
The University of Texas System (UT System):
UT System Audit Office
External:
Governor's Office of Budget, Planning and Policy
Legislative Budget Board
Internal Audit Coordinator, State Auditor's Office
Sunset Advisory Commission
Audit Committee Members:
Mr. David Lindau
Mr. Steele Jones
Mr. Fernando Ortega
Dr. Howard Daudistel
Mr. Benjamin Gonzalez
Dr. Gary Edens
Dr. Roberto Osegueda
Auditors Assigned to the Audit:
Ms. Cecilia Estrada, Auditor I
Ms. Victoria Morrison, IT Auditor
TABLE OF CONTENTS
EXECUTIVE SUMMARY ..... 4
BACKGROUND ..... 5
AUDIT OBJECTIVES ..... 6
SCOPE AND METHODOLOGY ..... 7
RANKING CRITERIA ..... 8
AUDIT RESULTS ..... 9
1. Awareness / Training Of Cloud Computing Services Selection And Risk ..... 9
2. Cloud Computing Policies, Procedures And Standards ..... 10
3. Type Of Cloud Computing Services Throughout The University ..... 10
4. The University Cloud Computing Services: Risks, Data Classification, Safeguarding Of The Data ..... 10
5. CISO Access And Awareness Of Cloud Computing Services Throughout The University ..... 11
CONCLUSION ..... 12
Appendix A: Cloud Computing Companies ..... 13
Appendix B: Cloud Computing Services ..... 14
Appendix C: Extended List of Category I Data ..... 15
Appendix D: Phase 1 Summary Results ..... 16
Appendix E: Criteria ..... 18
Appendix F: Glossary ..... 20
Office of Auditing and Consulting Services Audit #16-09 Cloud Computing
EXECUTIVE SUMMARY
The Office of Auditing and Consulting Services (OACS) has completed an audit of cloud computing services throughout the University. The audit scope was limited to understanding the types of services already purchased by faculty and staff as well as assessing the types of data stored outside the University network.
The source of the audit criteria is The Texas Department of Information Resources (DIR) and the Cloud Security Alliance. During the audit we tested the following:
• Awareness/training of cloud computing services
• Cloud computing policies, procedures, and standards
• Type of cloud computing services in use at the University, and
• Chief Information Security Officer (CISO) access and awareness of cloud computing services throughout the University.
The results of our audit indicated that users of cloud computing services at The University of Texas at El Paso (UTEP) are not aware of the current guidelines developed by the CISO. Nonetheless, there were no instances in which Category I data was stored in unsecured cloud applications. In addition, assessments of research data did not reveal any high risks for the University.
BACKGROUND
Cloud computing was rated as high in the University-wide risk assessment for the last two years.
According to the Cloud Security Alliance, "Cloud solutions continue to be adopted at a rapid rate as Cloud Service Providers offer flexible computing and storage needs, easier collaboration with internal users and customers, added security features, and more; allowing organizations to focus on their core business functions." (For a visual example of cloud computing companies, go to Appendix A: Cloud Computing Companies.)
Cloud computing has been described as "the ultimate form of outsourcing." This refers to the fact that moving into the cloud allows the enterprise to outsource or rent infrastructure, IT services, application software, business systems, computer processing time, storage or any combination of these (See Appendix B: Cloud Computing Services).
It has become crucial that the University, when using cloud computing services, be protected from risks such as data loss, loss of reputation, investment loss, and legal action.
The Chief Information Security Officer (CISO) has a general idea of the cloud computing services being used and the type of data being stored by the UTEP community. With this audit, we hope to close the gap even further by identifying the kind of cloud computing services used, service providers, and the type of data being stored in the cloud.
AUDIT OBJECTIVES
The objectives of this audit were to:
• Assure that the University has policies and procedures, directed and approved by management, when acquiring and using cloud services to remediate risks and comply with laws and regulations.
• Identify the type of cloud computing services used throughout the University, and the type of data being stored in the cloud.
• Conclude whether the sampled cloud computing users are addressing the risks of acquiring services on the cloud, have classified their data, and are safeguarding that data.
• Ensure there is an awareness program for selecting or using cloud computing services in order to reduce the University's risk of loss of data, revenue, and/or reputation.
• Determine whether the CISO has access to and awareness of cloud computing services in order to assure security controls, and whether he is able to investigate incidents and perform forensic analysis.
SCOPE AND METHODOLOGY
The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors (IIA).
The audit addresses the high risk areas identified in the University-wide risk assessments for Fiscal Years 2016 and 2017.
The audit criteria are:
• Cloud Security Alliance (CSA) - Cloud Controls Matrix
• Texas Department of Information Resources - Security Control Standards Catalog (TAC 202-76)
• UTS165 Information Resources Use and Security Policy
The audit scope is limited to purchases of cloud software/services within the period beginning 09/01/2015 and ending 08/31/2016.
Audit procedures included:
• interviewing key personnel,
• reviewing applicable laws, regulations, policies and procedures,
• verifying the existence of appropriate institutional policies and procedures,
• requesting information from key personnel,
• analyzing purchasing reports,
• surveying the University community, and
• limited in-depth testing of cloud controls.
RANKING CRITERIA
All findings in this report are ranked based on an assessment of applicable qualitative, operational control and quantitative risk factors, as well as the probability of a negative outcome occurring if the risk is not adequately mitigated. The criteria for the rankings are as follows:
Priority - an issue identified by an internal audit that, if not addressed timely, could directly impact achievement of a strategic or important operational objective of a UT institution or the UT System as a whole.
High - A finding identified by internal audit that is considered to have a medium to high probability of adverse effects to the UT institution either as a whole or to a significant college/school/unit level.
Medium - A finding identified by internal audit that is considered to have a low to medium probability of adverse effects to the UT institution either as a whole or to a college/ school/unit level.
Low - A finding identified by internal audit that is considered to have minimal probability of adverse effects to the UT institution either as a whole or to a college/ school/unit level.
AUDIT RESULTS
1. Awareness / Training Of Cloud Computing Services Selection And Risk
The CISO has developed cloud computing policies and procedures which are posted on the Information Security UTEP Web site. After the survey and interviews were conducted during the course of this audit, users reached out to the Information Security Office for guidance on addressing the risks of cloud computing. There is currently no awareness program or training provided to users.
Based on the assessment results, there is a lack of user awareness in the following areas:
• Procurement/acquisition guidelines for cloud computing services, and
• Policies and procedures for cloud services usage
The lack of awareness increases the risk of loss of data, revenue, and reputation.
Recommendation:
We recommend the ISO develop an awareness program based on the System-wide Information Security Office training materials.
Level: This finding is considered Medium as the lack of awareness of cloud computing guidelines could result in users selecting a non-reliable service provider. This may lead to data loss and possible financial or legal issues.
Management Response:
Training material will be created and incorporated into UTEP's annual compliance training for 2017.
Responsible Party:
Gerard Cochrane Jr., Chief Information Security Officer
Implementation Date:
November 1, 2017
2. Cloud Computing Policies, Procedures And Standards
The ISO has posted the "Information Security Policies and Procedures" on the UTEP Web site which includes cloud computing services guidelines. Attention has been placed on guidelines that focus on Category I and II data (See Appendix C: Extended List of Category - I Data).
3. Type Of Cloud Computing Services Throughout The University
We were able to determine the type of cloud computing services used throughout the University, the type of data being stored in the cloud, the names of providers, and what method was used to purchase the services. We provided the CISO with the full report of results. For a summary of the results go to the Appendix D: Phase 1 Summary Results.
The "Phase I" of our assessment did not indicate any high risks to UTEP.
4. The University Cloud Computing Services: Risks, Data Classification, Safeguarding Of The Data
To determine whether current cloud computing users are adequately protecting data and addressing the risks of this type of service, auditors judgmentally selected a sample of 11 out of the 213 users who responded to the survey to conduct formal interviews. Questions were related to what type of data was being stored in the cloud and whether they were conscious of the risks associated with selecting a non-reliable vendor and storing confidential information. These subsequent interviews constitute "Phase II" of our assessment.
After analyzing the results from "Phase I" and "Phase II", we concluded that faculty and staff across the University are using a variety of cloud computing services. Some risks of cloud computing were addressed by establishing a formal contract with the vendor or by using a purchase order.
There were no instances in which Category I data was stored in unsecured cloud applications. Additionally, the assessment on research data did not indicate high risks to the University. The CISO was provided the detailed results of each user interview.
5. CISO Access And Awareness Of Cloud Computing Services Throughout The University
The Chief Information Security Officer requires notification when Category I and II type data is stored in the cloud. The "UTEP Information Security Office Cloud Services Guidelines" specifies that for non-approved cloud services, an exception form must be submitted:
"The University of Texas at El Paso Information Security Office (ISO) specifies that neither Category I nor Category II University Data may be stored on non-approved cloud services. An ISO Exception Form must be submitted for approval by the UTEP Chief Information Security Officer (CISO) if Category I or Category II data must be stored on a non-approved cloud service. Please review the UTEP Information Security Exception Reporting Process referenced below."
In "Phase I" of our assessment, 42 percent of the users surveyed answered yes when asked if they were aware of cloud computing services guidelines.
CONCLUSION
Based on the work performed, OACS did not find any instances in which confidential student or research data was stored in unprotected cloud services. However, the University needs improvement in the areas of training and user awareness on cloud computing policies.
We wish to thank the management and staff of the Information Security Office and all of our survey respondents for the assistance and cooperation provided throughout the audit.
Appendix A: Cloud Computing Companies
A visual: Companies with cloud computing services grouped by IaaS, PaaS, SaaS
[Figure: "Cloud Companies" logo chart. Recoverable category labels: Business Management, Tools, Security, CRM, General, Networking, Content Delivery Networks. Created by CloudTimes.]
Source: CloudTimes.org. Return to BACKGROUND
Appendix B: Cloud Computing Services
A visual of possible cloud computing services grouped by IaaS, PaaS, SaaS
Source: EMC Corporation. Return to BACKGROUND
Appendix C: Extended List of Category I Data
From the document "Data Classification Appendix A" in the ISO policies and procedures UTEP Website
Patient Medical/Health Information (HIPAA)
The following information is confidential:
• Social security number
• Patient names, street address, city, county, zip code, telephone / fax numbers
• Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
• Personal vehicle information
• Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
• Access device numbers (ISO number, building access code, etc.)
• Biometric identifiers and full face images
• Any other unique identifying number, characteristic, or code
• Payment Guarantor's information
Student Records (FERPA)
The following information is confidential. This applies to both enrolled and prospective student data.
• Social security number
• Grades (including test scores, assignments, GPA, and class grades)
• Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, scholarships, student bills
• Ethnicity
• Access device numbers (UTEP 80/88 number, building access code, etc.)
• Biometric identifiers (fingerprint, voice print, retina or iris image, etc.)
Note that for enrolled students, the following data may ordinarily be revealed by the university without student consent unless the student designates otherwise:
• Name, directory address and phone number, mailing address, secondary mailing or permanent address, residence assignment and room or apartment number, campus office address (for graduate students)
• Electronic mail address
• Specific semesters of registration at UTEP; UTEP degree(s) awarded and date(s); major(s), minor(s), and field(s); the university degree honors
• Institution attended immediately prior to UTEP
• ID card photographs for the university classroom use
Donor/Alumni Information (UTS-165, Texas Identity Theft Enforcement and Protection Act, HIPAA)
The following information is confidential:
• Social security number
• Name
• Personal financial information
• Family information
• Medical information
Return to 1. Cloud computing policies, procedures and standards
Appendix D: Phase 1 Summary Results
Percent of survey respondents using cloud computing services
Does your dept. use external services not provided by UTEP?
Yes: 30%
No: 70%

Type of cloud computing services being used throughout the University, ranked by usage
Rank | Cloud computing services | Comments
1 | Application Services | Software as a Service (SaaS)
2 | Data Storage, Collection, Database | Infrastructure as a Service (IaaS)
3 | Data Sharing | e.g. Dropbox
4 | Use of external database to query information |
5 | Data Backup/Recovery |
6 | Other |

Cloud computing Guidelines Awareness
Response | Percentage | Comments
Aware | 42% |
Not aware | 58% | Lack of response was interpreted as lack of awareness.
Data Type in the Cloud (there could be multiple entries for a reply)
Entries | Data Type | Comments
0 | Bank routing information |
2 | Biometric identifiers and full face images |
5 | Social security numbers |
6 | Credit card numbers |
9 | UTEP ID numbers (80/88 or 600) | Used by Enterprise Computing, College of Education, Enrollment Services, Registrar, Veteran Affairs (Queries)
10 | FERPA protected student information | Used by Enterprise Computing, Enrollment Services, Registrar, Student Support Services, College of Liberal Arts, VP Student Affairs
11 | Research data (e.g. intellectual property, medical research data, etc.) |
14 | Date of birth |
20 | Student Information |
30 | No Response |
32 | OTHER |

Will consider using cloud computing services in the future
Response | Percentage
Yes | 30%
No | 30%
No response | 40%

Return to 2. Type of cloud computing services throughout the University
Appendix E: Criteria
Cloud Security Alliance (CSA) - Cloud Controls Matrix V3.0.1, 06/06/2016
CSA: Provide in-depth training specific to the content handled by the facility
CSA: Develop and regularly update a security awareness program and train company personnel and third party workers upon hire and annually thereafter on the security policies and procedures, addressing the following areas at a minimum:
• IT security policies and procedures
• Content/asset security and handling
• Security incident reporting and escalation
• Disciplinary measures
CSA: Establish policies and procedures regarding asset and content security; policies should address the following topics, at a minimum:
• Human resources policies
• Acceptable use (e.g., social networking, Internet, phone, etc.)
• Asset classification
• Asset handling policies
• Digital recording devices (e.g., smart phones, digital cameras, camcorders)
• Exception policy (e.g., process to document policy deviations)
• Password controls (e.g., password minimum length, screensavers)
• Prohibition of client asset removal from the facility
Texas Department of Information Resource-Security Control Standards Catalog (TAC 202-76)
Awareness and Training Controls
• AT-1 Security Awareness and Training Policy and Procedures
• AT-2 Security Awareness Training
• AT-3 Role-Based Security Training
• AT-4 Security Training Records
Planning Controls
• PL-1 Security Planning Policy and Procedures
Personnel Security Controls
• PS-7 Third-Party Personnel Security Policies and Procedures
UTS165 Information Resources Use and Security Policy
• UTS165 Sec. 26 Security Training
• UTS165 Standard 2. Acceptable Use of Information Resources
• UTS165 Standard 11. Safeguarding Data
• UTS165 Standard 13. Use and Protection of Social Security Numbers
• UTS165 Standard 14. Information Services (IS) Privacy
UTEP Information Security Policies and Procedures
• Acceptable Use of Information Resources-Jun2014.pdf
• Data Classification Appendix A
• Data Classification Standards
• UTEP Security Exception Reporting Process
• Social Security Number Use Solicitation Policy
• FERPA 101
Appendix F: Glossary
Term: CSA
Definition: The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. http://www.cloudsecurityalliance.org

Term: Software as a Service (SaaS)
Definition: There are various ways to break down SaaS, but here is one framework:
• Business process modeling
• Evaluation and analysis
• Process execution
When opting for SaaS, cloud users not only hire infrastructure and platforms from the CSP, but also run CSP-provided applications on them. Examples are: Computer Services Inc., Salesforce, New Relic®, Logicworks, Apptix®, Google App Engine, Microsoft Windows Azure, Amazon Web Services LLC, etc. (from ISACA)

Term: Infrastructure as a Service (IaaS)
Definition: There are various ways to break down IaaS, but here is one way:
• Connectivity
• Network services and management
• Compute services and management
• Data storage
• Security
In an IaaS solution, the CSP provides cloud users with processing, storage, networks and other fundamental computing resources. Operating systems and applications, however, are the responsibility of the user and are not included in the service offering of the CSP. Examples are: Rackspace®, Equinix®, SoftLayer®, iomart Group plc, Amazon Web Services LLC, etc. (from ISACA)

Term: Platforms as a Service (PaaS)
Definition: PaaS entails the CSP making available infrastructures and platforms on which cloud users deploy their own applications. This requires the CSP to support programming languages, libraries, services and tools. Examples are: Google App Engine™, Microsoft® Windows Azure™. (from ISACA)

Term: CSP
Definition: Cloud service provider
Term: Cloud computing
Definition: Cloud computing is defined by the US National Institute of Standards and Technology (NIST) as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Term: Cloud computing risks
Definition: Common risk events affecting assets:
• Unavailability - The asset is unavailable and cannot be used or accessed by the enterprise. The cause can be accidental (failure of the infrastructure), intentional (distributed denial-of-service [DDoS] attacks) or legal (subpoena of a database holding all data, in the case of a multitenancy architecture where one client's data are subject to legal investigation).
• Loss - The asset is lost or destroyed. The cause can be accidental (natural disaster, wrong manipulation, etc.) or intentional (deliberate destruction of data).
• Theft - The asset has been intentionally stolen and is now in the possession of another individual/enterprise. Theft is a deliberate action that can involve data loss.
• Disclosure - The asset has been released to unauthorized staff/enterprises/organizations or to the public. Disclosure can be accidental or deliberate. This also includes the undesired, but legal, access to data due to different regulations across international borders.
Source: ISACA, DOD, NIST, Cloud Security Alliance