Cloud Computing - Security audits versus cloud computing


Description: Security audits versus cloud computing (English version). A presentation by Mike Chung, manager at KPMG Netherlands.

Transcript of Cloud Computing - Security audits versus cloud computing

Page 1: Cloud Computing - Security audits versus cloud computing

Audit in the cloud: Security audits versus cloud computing

drs. Mike Chung RE

KPMG Risk & Compliance

ADVISORY

Page 2

© 2010 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

Cloud computing as phenomenon

• The IT service model of choice for 2010 and beyond

− The total revenue of cloud services is approaching 25 billion USD worldwide in 2010

− Cloud computing is growing by over 30% per year

− More than 50% of all Fortune 500 enterprises are already using some form of cloud computing

• Massive investments by leading software vendors and IT integrators

• Growing demand despite/thanks to the low economic tide and the perceived ‘reliability’ of the internet

Page 3

Main questions

• How (un)secure is the cloud compared with on-premise IT?

− Integrity

− Confidentiality

− Availability

• How (ir)relevant are audit standards?

• How (in)competent are IT auditors?

Page 4

Definition of cloud computing

• Hosted services from the (inter)net, metaphorically depicted as a cloud

• Utilization of Web 2.0

• ‘ASP 2.0’

• Examples:

− Software-as-a-Service (Salesforce.com, Gmail, Microsoft Online)

− Platform-as-a-Service (GoogleApps, Force.com, 3tera AppLogic)

− Infrastructure-as-a-Service (Amazon EC2, Citrix Cloud Centre)

Page 5

Characteristics of cloud computing

• Multi-tenant

• External data storage

• Use of the (public) internet

• On-demand

• Subscription-based model

• Elastic

• Web based

Page 6

Security issues of cloud computing are real

• Google Web Service vulnerability leaked database usernames and passwords (2007)

• Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)

• Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)

• Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)

• Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)

Page 7

Security risks: specific factors concerning the cloud

• External data storage

• Multi-tenancy

• Use of the (public) internet

• Integration with the internal IT environment

Page 8

Security risks: external data storage

• Weak control of data (failing backup & recovery)

• Legal complications (privacy violation, conflicting/contradicting legislation)

• Uncertain viability (insufficient guarantees regarding continuity and availability of services)

• Single point of failure (failure of one cloud vendor/provider means disaster for many customers)

Page 9

Security risks: multi-tenancy

• Inadequate segregation of data between different customers

• Inadequate Identity & Access Management

• Insufficient logging & monitoring

• The weakest link is decisive (virtualization, shared databases)
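The three multi-tenancy risks on this slide (data segregation, Identity & Access Management, logging & monitoring) in one constructed Python example. This is added illustration code, not material from the presentation or from KPMG; the shared store, the tenants, the users and the record contents are all invented for the example. It places a record lookup keyed only on record id (the segregation flaw) next to a tenant-scoped lookup, adds a role check on deletion, and writes every decision to an audit log that an auditor could review.

```python
"""Tenant-scoped data access with an audit trail (constructed example).

Assumed model (not from the presentation): every record carries the
tenant_id that owns it; every request carries the caller's tenant_id and
role; all access decisions are logged so an auditor can reconstruct who
touched which tenant's data.
"""
from dataclasses import dataclass, field
from typing import Optional
import json
import time


@dataclass(frozen=True)
class Principal:
    user: str
    tenant_id: str
    role: str  # "admin" or "user", valid only within the principal's own tenant


@dataclass
class Record:
    record_id: int
    tenant_id: str
    payload: str


@dataclass
class SharedStore:
    """One shared table for all tenants, as in a multi-tenant SaaS database."""
    rows: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def log(self, principal: Principal, action: str, record_id: int, outcome: str):
        self.audit_log.append({
            "ts": round(time.time(), 3),
            "user": principal.user,
            "tenant": principal.tenant_id,
            "action": action,
            "record_id": record_id,
            "outcome": outcome,
        })

    # Weak design: the lookup is keyed only on record_id, so any caller who
    # guesses or enumerates an id reads another tenant's row, and the log
    # records the access as a normal success. This is the "inadequate
    # segregation of data" risk.
    def read_unscoped(self, principal: Principal, record_id: int) -> Optional[str]:
        row = self.rows.get(record_id)
        self.log(principal, "read_unscoped", record_id, "ok" if row else "missing")
        return row.payload if row else None

    # Hardened design: the tenant id is part of the access predicate, not just
    # a column. A row owned by another tenant is indistinguishable from a
    # missing one to the caller, and every denial is written to the audit log.
    def read_scoped(self, principal: Principal, record_id: int) -> Optional[str]:
        row = self.rows.get(record_id)
        if row is None:
            self.log(principal, "read", record_id, "missing")
            return None
        if row.tenant_id != principal.tenant_id:
            self.log(principal, "read", record_id, "denied_cross_tenant")
            return None
        self.log(principal, "read", record_id, "ok")
        return row.payload

    # Destructive operations need both the tenant predicate and a role check.
    def delete_scoped(self, principal: Principal, record_id: int) -> bool:
        row = self.rows.get(record_id)
        if row is None or row.tenant_id != principal.tenant_id:
            self.log(principal, "delete", record_id, "denied_cross_tenant")
            return False
        if principal.role != "admin":
            self.log(principal, "delete", record_id, "denied_role")
            return False
        del self.rows[record_id]
        self.log(principal, "delete", record_id, "ok")
        return True


def cross_tenant_denials(store: SharedStore) -> list:
    """Monitoring view: the audit entries an IT auditor would want to review."""
    return [e for e in store.audit_log if e["outcome"].startswith("denied")]


def build_demo_store() -> SharedStore:
    """Constructed sample data: two tenants sharing one table."""
    store = SharedStore()
    store.rows[1] = Record(1, "tenant-a", "A's customer list")
    store.rows[2] = Record(2, "tenant-b", "B's payroll")
    return store


def demo() -> dict:
    store = build_demo_store()
    alice = Principal("alice", "tenant-a", "user")
    bob_admin = Principal("bob", "tenant-b", "admin")
    return {
        "unscoped_leak": store.read_unscoped(alice, 2),    # leaks tenant B's row
        "scoped_own": store.read_scoped(alice, 1),         # own row, allowed
        "scoped_cross": store.read_scoped(alice, 2),       # None, logged as denied
        "delete_cross": store.delete_scoped(bob_admin, 1), # False, wrong tenant
        "delete_own": store.delete_scoped(bob_admin, 2),   # True, admin in own tenant
        "denials": len(cross_tenant_denials(store)),
        "log": store.audit_log,
    }


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(json.dumps(entry))
```

The point for the auditor is the last line of the log view: the unscoped read of another tenant's row appears as an ordinary "ok" entry, so monitoring cannot catch a segregation failure the data layer never detects; only the scoped variant produces denial events worth alerting on.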

Page 10

Security risks: use of the (public) internet

• Unclear and unaddressed accountability, ownership

• Loss, misuse and theft of data

• No access to data and/or services

• Non-repudiation issues

Page 11

Security risks: integration with the internal IT environment

• Unclear (network) perimeters

• No match with internal security measures, requirements and baselines

• Complexity of integration between the cloud and the internal IT

Page 12

Residual risks

• High, unforeseen, initial investments

− Legal costs

− Costs to perform risk analyses

− Costs of escrow arrangement

• Poor performance

• Additional IT management

− Identity & Access Management

− Key management

Page 13

Security benefits

• Centralized security

− Concentration of security expertise

− Economy of scale

• High accessibility

• ‘Nakedness leads to fitness’

Page 14

Audit standards

• Localized IT as starting point (ITIL)

• Strong focus on client-server/on-premise IT (ISO 27001/2)

• Static (COBIT)

• Strong focus on processes (SOx)

Page 15

Audit standards versus external data storage

• Based on access from external/third parties, not on access to cloud services

• Based on management of internally stored data (possibly managed by external parties)

• From the viewpoint of the customer: irrelevant

• From the viewpoint of the cloud computing vendor: insufficient

• New principles and practices

− 11 commandments of the Jericho Forum

− Cloud security initiatives from ISF

Page 16

Audit standards versus multi-tenancy

• Marginal attention to (technical) architecture

• Multi-tenancy virtually unobserved/unexposed

• Focus merely on segregation of duties, facilities and networks

• New principles and practices

− Cloud Security Alliance – Security guidance

− Liberty Alliance’s IAM ‘baselines’

Page 17

Audit standards versus use of the (public) internet

• Primarily financial-legal issues (accountability, ownership) outside the domain of IT audits

• Exceptionally difficult to audit

• Existing principles and practices for e-mail usage and internet security are applicable

Page 18

Audit standards versus integration with the internal IT environment

• ‘Open standards’ – which one(s) to choose?

• ‘Open’ audit standards versus the reality of ‘proprietary’ cloud technologies

• New principles and practices

− ISF – The Standard of Good Practice for Information Security

Page 19

Compliance

• Responsibility and risks are with the customer, not the cloud vendor

• Legislation versus the current state of (technical) affairs

• Compliance with different legislation from different countries (SOx, HIPAA, PCI DSS, WBP, …)

• SAS70 as a way out?

Page 20

SAS70: objections

• Free to choose the controls

• Fully dependent on the expertise and viewpoint of the auditor

• Many variations in audit approach, set-up and level of (technical) detail

• Wide intervals between audits

Page 21

SAS70 in practice

• Same standards used as for client-server/on-premise IT environments

• Hardly any attention to multi-tenancy, service integration and external data storage

• Superficially reviewed by (potential) customers and auditors

• Lacunae rarely raised

Page 22

IT auditors

• Competent researchers and analysts

• High-level knowledge of architecture and technology

• Mostly educated in economics, accounting, business management

• Existing audit standards and baselines as starting points

Page 23

IT audits in practice

• Use of partly irrelevant and insufficient controls for cloud computing

• Approach tailored to client-server/on-premise IT

• Emphasis on (service management) processes with paper evidence

• Recommendations only partly aimed at mitigating cloud-specific risks

Page 24

Conclusion

• Cloud computing harbours specific security risks

• Audit standards and baselines are partly irrelevant and insufficient, but there are initiatives to update them

• While IT auditors are competent researchers, their (technical) knowledge of cloud computing needs to be updated

Page 25

Contact

Drs. Mike Chung RE

Manager

KPMG Advisory N.V.

E-mail: [email protected]

Mobile: +31 (0)6 1455 9916

Page 26

About the painter & painting

• J.H. Weissenbruch was a 19th century Dutch painter famed for his depiction of clouds

• His style of painting is typical of the so-called Hague School (Haagse School)

• The title of the painting is Beach at Scheveningen (Strand bij Scheveningen)

• The picture as used for this presentation has been slightly modified