Cloud Computing

& IT Governance
Agenda


What is Cloud computing
Cloud service delivery model
Cloud deployment model
Critical Security issues
Frameworks : COSCO ERM,ITIL,ISO27001,ENISA governance
Cloud risk case study
What is Cloud Computing ?


Simply put, cloud computing provides a variety of computing resources ,
from servers and storage to enterprise applications such as email, security,
backup/DR, voice, all delivered over the Internet.
The Cloud delivers a hosting environment that is immediate, flexible,
scalable, secure, and available while saving corporations money, time and
resources.
On demand solutions for your business
Based on pay-as-you-go model
Traditional Software Model


Large upfront licensing costs
Annual support costs
Depends on number of users
Not based on usage
Organization is responsible for hardware
Security is a consideration
Customized applications
Cloud Service Delivery Models
Service delivery in Cloud Computing comprises three different service
models:
-Infrastructure-as-a-Service (IaaS),
-Platform-as-a-Service (PaaS), and
-Software-as-a-Service (SaaS).
The three service models or layer are completed by an end user layer that
encapsulates the end user perspective on cloud services.
Cloud Service Delivery Model
Several Technologies work together
Cloud access devices
Browsers and thin clients
High speed broad band access
Data centers and Server farms
Storage devices
Virtualization technologies
APIs
Key Drivers
Small investment and low ongoing costs : pay-as-you-go basis
Economies of scale
Open standards
Sustainability

Cloud Services Delivery Model

SaaS
- Rents software on a subscription basis
- Service includes software, hardware and support
- Users access the service through authorized device
- Suitable for a company to outsource hosting of apps
PaaS
- Vendor offers development environment to application developers
- Provide develops toolkits, building blocks, payment hooks
IaaS
- Processing power and storage service
- Hypervisor is at this level
Cloud Service Delivery Models
Division of Responsibility
Division of Responsibility
Deployment Models of Cloud
Cloud infrastructure is available to the general public, owned
by organization selling cloud services
Public
Cloud infrastructure for single organization only, may be
managed by the organization or a 3
rd
party, on or off premise
Private
Cloud infrastructure shared by several organizations that
have shared concerns, managed by organizations or 3
rd
party
Community
Combination of more than one cloud deployment models
bound by standard or proprietary technology
Hybrid
Deployment Models of Cloud (Contd.)

Deployment Models of Cloud (Contd.)
Critical Security Issues of Cloud
Private clouds are not secure
A cloud placed behind enterprise firewall is not inherently secure it needs to be implemented
and managed with security in mind
Security is limited to the weakest link be that users, departments with less security sense, or
unprotected applications
Security visibility and risk awareness
Monitoring not just resources, but the security state of a cloud is of utmost importance
Do not just gather metrics make them easily accessible, displayed in a meaningful way. Look for
potential issues every day, not only during compliancy-required monthly reviews
Safely storing sensitive information
Sensitive data must be encrypted with a strong industry-trusted encryption library. Do not roll
your own
Very difficult to guarantee absolutely no eavesdropping in a cloud environment
Decide to encrypt data in the cloud, or before It gets to the cloud


Critical Security Issues of Cloud (Contd.)
Application Security
The shared environment and difference in security architecture of a cloud increases the importance of
application security
Before migrating an application to the cloud, perform an architecture review and see where cloud
benefits can be leveraged
Migrating an application to the cloud is a unique chance to increase the security of the application
through increased availability, ability to scale, and use of cloud APIs
Authentication and Authorization
Should enterprise authentication be extended to the cloud? Depends on usage and sophistication
of security program
Authentication system should be flexible enough to support different authentication methods for
different cloud services
Wide variety of commercial solutions available
Authentication and authorization system logs can provide insight into reconnaissance or malicious
activity

COSO ERM Framework
COSO:
The framework is represented as a
pathway in which each ERM component
(starting with internal environment) is applied
in order to understand the specific advantages
and disadvantages that a given solution
candidate would bring to the organization.

In cases where a cloud solution has
already been implemented, the COSO ERM
framework can be used to
establish, refine, or perform a quality
assurance check of the cloud governance
program by ensuring that all major
aspects of the program (e.g., objectives, risk
assessment, and risk response) have been
addressed with respect to
managements requirements
ITIL Framework
Information Technology Infrastructure Library (ITIL) :

It is a set of practices for IT service management (ITSM) that focuses
on aligning IT services with the needs of business.
ITIL describes processes, procedures, tasks and checklists
These are not organization-specific,
ITIL is mainly used by an organization for establishing integration
with the organization's strategy, delivering value and maintaining a
minimum level of competency.
It allows the organization to establish a baseline from which it can
plan, implement and measure.
It is used to demonstrate compliance and to measure improvement.
It is by this framework , through which processes will be refined and
continuously improved to ensure that end users can expect
excellence on every service experience delivered.
ISO 27001 Framework
ISO 27001:
It is a structured set of guidelines and specifications
for assisting organizations in developing their own
information security framework
The standard relates to all information assets in an
organization regardless of the media on which it is
stored, or where it is located.
ISO 27001 suggests development and implementation
of a structured Information Security Management
System (ISMS), which governs the security
implementation and monitoring in an enterprise
It is designed to serve as a single 'reference point for
identifying the range of controls needed for most
situations where information systems are used
ENISA Governance Framework
ENISA:
Based on COSCOs Internal Control Integrated
framework
In order to guarantee that all controls will be deployed
and maintained properly, organization needs to move
from ad-hoc activities to a planned implementation
and monitoring system.
The Internal Control Systems is a tool that supports
attaining objectives of an organization.
An Internal Control System is defined by COSO as a
process, effected by an entity's board of directors,
management and other personnel, designed to
provide reasonable assurance regarding the
achievement of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations.
Cloud control
Accountability:
Preventive Controls
Detective Controls
Procedural Measures
Technical Measures

Responsibility:
Customer vs. Provider
Compliance
Data Management
Forensics & Recovery
CLOUD RISK
Case Study

Cloud risk assessment
In 2009, the European Network and Information Security Agency (ENISA) produced a
document titled Cloud Computing: Benefits, Risks and Recommendations for
Information Security. This document collates 35 types of risk identified by 19
contributors, and identifies eight top security risks based on ENISAs view of indicative
likelihood and impact

In March 2010, the Cloud Security Alliance (CSA) published Top Threats to Cloud
Computing V1.0, which includes the top seven threats as identified by its members

in April 2011, the Open Web Application Security Project (OWASP) released a pre-alpha
list of its top 10 cloud security risks derived from a literature review of other
publications and sources

The ISO/IEC 9126 standard (Information technologySoftware product evaluation
Quality characteristics and guidelines for their use), when used in conjunction with a
deep security assessment, is valuable for putting more structure and coherence around
assessing the suitability of new vendors and new technologies, including cloud offerings.
Case Study
This case study considers moving a risk management business function ( a home loan
mortgage insurance calculation) to the cloud.

The business benefit of placing this function in the cloud is that it will allow branches, call
centres, brokers and other channels to use the same code base and avoid replicating the
calculations in multiple places. The use of the cloud will also reduce paper handling and
host system access and the associated security required. There is also a potential business
driver for allowing customers access to their own data if placed on the public cloud.
The first step in the framework is to formulate and communicate a vision for the cloud at
an enterprise and business-unit level.
VisionWhat is the business vision and who will own the initiative?
VisibilityWhat needs to be done and what are the risks?
AccountabilityWho is accountable and to whom?
SustainabilityHow will it be monitored and measured?
Guiding principles
VISION:
1.Executives must have oversight over the cloud
2.Management must own the risks in the cloud

VISIBILITY:
3. All necessary staff must have knowledge of the cloud
4. Management must know who is using the cloud
5. Management must authorise what is put in the cloud
10 principles
ACCOUNTABILITY
6. Mature IT processes must be followed in the cloud
7. Management must buy or build management and security in the cloud
8. Management must ensure cloud use is compliant

SUSTAINABILITY
9. Management must monitor risk in the cloud
10. Best practices must be followed in the cloud
10 principles
References
An article at www.csoonline.com/article/717307
By John Kinsella, Protected Industries www.protectedindustries.com
An article at http://www.csoonline.com/article/647128/five-cloud-security-trends-experts-see-
for-2011
ITIL framework : http://sysonline.net/content.php?id=53
ENISA framework : http://www.enisa.europa.eu/activities/risk-management/current-
risk/business-process-integration/governance/ics
ISO 27001 : http://www.simosindia.in/services/plan/?id=iso