Cloud Governance : Cloud and GRC ( Audit)

1
Bangkok Thailand
Cloud Governance Cloud and GRC ( Audit)
Moderator Mr. Jirapon Tubtimhin Panelist
Mr. Metha Suvanasarn Slide attached
Mr. Wee Tan Yeong
Mr. Russell Pipe
7 February 2013
2
Abstract
Cloud computing is a flexible, cost-effective,
and proven delivery platform for providing
business or consumer IT services over the
Internet. Cloud resources can be rapidly deployed
and easily scaled, with all processes,
applications, and services provisioned "on
demand", regardless of user location or device.
As a result, cloud computing gives organizations
the opportunity to increase their service
delivery efficiencies, streamline IT management,
and better align IT services with dynamic
business requirements. In many ways, cloud
computing offers the "best of both worlds",
providing solid support for core business
functions along with the capacity to develop new
and innovative services. In addition to
the usual challenges of developing secure IT
systems, cloud computing presents an added level
of risk, because essential services are often
outsourced to a third party. The "externalized"
aspect of outsourcing makes it harder to maintain
data integrity and privacy, support data and
service availability, and demonstrate compliance.
The security measures discussed in this
IBM Redpapers publication represent best
practice implementations for cloud security.
2
3
Cloud Governance
Cloud and GRC ( Audit)
Cloud and Risk Management Process-gtDecision Making
4
Cloud and Integrated GRC and Risk Appetite
How many color in the Cloud -gt White / Black /
White and Black
4
5
Cloud and GRC (Audit) Criterion and Success
Factors for Management and Audit
1. Objectivelt-gtRisklt-gtControlslt-gtAuditlt-gtReportslt-
gt Monitor 2. Incorporate conditions and right to
audit in contract vs. events. 3. Set Gap analysis
with AS-IS and Standards To-Be to identify
potential solutions and proper actions 4. look
for ways to integrate framework and approaches
to/for Cloud 5. Match evidence via Audit and
document review of service provide Process,
People and Technology with required Enterprise
and IT- Related goals and levels to be
concerned. 6. Manage expectations and follow
Vision-Mission-Policy-Strategy Actions and
Metrics.-gtBreak down the overall project into
achievable projects. 7.Focus on implementations
that enable business value. And ensure adequate
insight into the business environment. 8.Focus on
change enablement planning and Enterprise
goals.Cont.
5
6
Cloud and GRC (Audit) Challenges for Management
and Auditors and how do we get there.?
How to making final decisions?

• 9. Cleary explain and sell business/Stakeholder
  s benefits.
• 10. Raise issues with the Audit Committee.
• 11. Consider how the culture might need to be
  changed.
• 12. Raise the issue with the CEO and Board.
• 13. Ensure that Risk management is and impact
  applied across the enterprise.
• 14. Apply management and governance principles.
• 15. Ensure adequate insight into the business
  environment.
• 16. Be careful on overly optimistic goals, and
  underestimation to effort required.
• 17. Be careful IT in fire-fighting mode and
  focused on Operational issues.
• 18. Lack of dedicated resources or capacity.
• 19.Insufficient insight into the business
  environment and Business overall objectives.
• 20.Set clear, measurable and realistic goals.
• 21.Make sure roles and responsibilities are clear
  and accepted, changing roles, and jobs
  descriptions if required.
• 22.
• 23. Do we get there? Or, Solutions too complex or
  impractical. Then, What to do?

6
7
Cloud and Integrated GRC and Risk Appetite
Evaluate different models of cloud computing
Different models of cloud computing have various
ways of exposing their underlying infrastructure
to the user. This influences the degree of direct
control over the management of the computing
infrastructure and the distribution of
responsibilities for managing its security.
With the Software as a Service (SaaS) model, most
of the responsibility for security management
lies with the cloud provider. SaaS provides a
number of ways to control access to the Web
portal, such as the management of user
identities, application level configuration,and
the ability to restrict access to specific IP
address ranges or geographies.
8
Cloud and Integrated GRC and Risk Appetite
Cloud models like Platform as a Service
allow clients to assume more responsibilities for
managing the configuration and security for the
middleware, database software, and application
runtime environments. The Infrastructure as a
Service (IaaS) model transfers even more control,
and responsibility for security, from the cloud
provider to the client. In this model, access is
available to the operating system that supports
virtual images, networking, and storage.
Organizations are intrigued with these cloud
computing models because of their flexibility and
cost-effectiveness, but they are also concerned
about security. Recent cloud adoption studies by
industry analysts and articles in the press have
confirmed these concerns, citing the lack of
visibility and control, concerns about the
protection of sensitive information, and storage
of regulated information in a shared, externally
managed environment.
9
Cloud and Integrated GRC and Risk Appetite
In the near term, most organizations are
looking at ways to leverage the services of
external cloud providers. These clouds would be
used primarily for workloads with a low-risk
profile, where a one-size-fits-all approach to
security with few assurances is acceptable, and
where price is the main differentiator. For
workloads with a medium-to-high-risk profile
involving highly regulated or proprietary
information, organizations are choosing private
and hybridclouds that provide a significant level
of control and assurance. These workloads will be
shifting into external clouds as they start
offering tighter and more flexible security.
10
Cloud and Integrated GRC and Risk Appetite
Take a closer look at thisframework to better
understand the different aspects of a holistic
security architecture.
Security GRC Governance, Risk management, and
Compliance Organizations require visibility into
the security posture of their cloud. This
includes broad-based visibility into change,
image, and incident management, as well as
incident reporting for tenants and
tenant-specific log and audit data.
The above Security Framework was developed to
describe security in terms of the
business resources that need to be protected, and
it looks at the different resource domains from a
business point of view.
11
Security GRC Governance, Risk management, and
Compliance
Organizations require visibility into the
security posture of their cloud.
Visibility can be especially critical for
compliance. The Sarbanes-Oxley Act, the Health
Insurance Portability and Accountability Act
(HIPAA), European privacy laws, and many other
regulations require comprehensive auditing
capabilities. Since public clouds are by
definition a black box to the subscriber,
potential cloud subscribers may not be able to
demonstrate compliance. (A private or hybrid
cloud, on the other hand, can be configured to
meet those requirements.) In addition, providers
sometimes are required to support third-party
audits, and their clients can be directed to
support e-Discovery and forensic investigations
when a breach is suspected. This adds even more
importance to maintaining proper visibility into
the cloud. In general, organizations often cite
the need for flexible Service Level Agreements
(SLAs) that can be adapted to their specific
situation, building on their experiences with
strategic outsourcing and traditional, managed
services.
12
Guide To Implementing A Secure Cloud
The following security measures represent general
best practice implementations for cloud security.
At the same time, they are not intended to be
interpreted as a guarantee of success. Guidance
for your specific implementation requirements.
-Implement and maintain a security program.
-Build and maintain a secure cloud
infrastructure. -Ensure confidential data
protection. Implement strong access and identity
management. -Establish application and
environment provisioning. -Implement a
governance and audit management program.
-Implement a vulnerability and intrusion
management program. -Maintain environment
testing and validation.
13
A secure application development and testing
program should be implemented
Develop software applications based on best
practices, with security being a conscious
component of the initiative. - a. Validation of
all security patches prior to production
deployment. b. Ensure that test and production
environments are separate. c. Ensure separation
of duties between test, development, and
administration personnel. d. Do not use
production data that contains confidential or PII
information in a test environment. e. Ensure
removal of all test data and administrative
information from the test environment prior to
conversion to production. f. Ensure that all test
accounts and custom accounts have been removed
prior to production activation. g. Perform
security code reviews on all code prior to
release into production.
14
CSA Cloud Controls Matrix
The Cloud Security Alliance Cloud Controls Matrix
(CCM) is specifically designed to provide
fundamental security principles to guide cloud
vendors and to assist prospective cloud customers
in assessing the overall security risk of a cloud
provider. The CSA CCM provides a controls
framework that gives detailed understanding of
security concepts and principles that are aligned
to the Cloud Security Alliance guidance in 13
domains. The foundations of the Cloud Security
Alliance Controls Matrix rest on its customized
relationship to other industry-accepted security
standards, regulations, and controls frameworks
such as the ISO 27001/27002, ISACA COBIT, PCI,
NIST, Jericho Forum and NERC CIP and will augment
or provide internal control direction for SAS 70
attestations provided by cloud providers. As a
framework, the CSA CCM provides organizations
with the needed structure, detail and clarity
relating to information security tailored to the
cloud industry. The CSA CCM strengthens existing
information security control environments by
emphasizing business information security control
requirements, reduces and identifies consistent
security threats and vulnerabilities in the
cloud, provides standardize security and
operational risk management, and seeks to
normalize security expectations, cloud taxonomy
and terminology, and security measures
implemented in the cloud. The Cloud Controls
Matrix is part of the CSA GRC Stack.
15
GRC Stack Cloud Security Alliance
Achieving Governance, Risk Management and
Compliance (GRC) goals requires appropriate
assessment criteria, relevant control objectives
and timely access to necessary supporting data.
Whether implementing private, public or hybrid
clouds, the shift to compute as a service
presents new challenges across the spectrum of
GRC requirements. The Cloud Security Alliance
GRC Stack provides a toolkit for enterprises,
cloud providers, security solution providers, IT
auditors and other key stakeholders to instrument
and assess both private and public clouds against
industry established best practices, standards
and critical compliance requirements.
16
Value driver Risk driver Controls
17
IT Risk Management Audit / Assurance Program
IT Governance, Risk and Control IT governance,
risk and control are critical in the performance
of any assurance management process.
Governance of the process under review will be
evaluated as part of the policies and management
oversight controls. Risk plays an important
role in evaluating what to audit and how
management approaches and manages risk. Both
issues will be evaluated as steps in the
audit/assurance program. Controls are the
primary evaluation point in the process. The
audit/assurance program will identify the control
objectives and the steps to determine control
design and effectiveness.
18
IT Risk Management Audit / Assurance Program
Responsibilities of IT Audit and Assurance
Professionals IT audit and assurance
professionals are expected to customize this
document to the environment in which they are
performing an assurance process. This
presentation is to be used as a review tool and
starting point for Cloud-gt GRC-gtAudit. It may be
modified by the IT audit and assurance
professional, assumed that the IT audit and
assurance professional has the necessary subject
matter expertise required to conduct the work and
is supervised by a professional with the CISA
designation and/or necessary subject matter
expertise to adequately review the work performed.
19
IT Risk Management Audit / Assurance Program
The primary view of IT is that of an operations
or service delivery organization. In this
capacity, IT risk addresses the ability to
deliver the IT services that enable the
enterprise to perform day-to-day operational
processes. However, IT risk also addresses
system development, acquisition and maintenance
processes. This relates to ensuring the
selection, development and maintenance of
business processes that operate the revenue
generation and fulfillment of the organization,
and address business needs in a cost-effective
manner. Finally, IT risk addresses the ability
for IT to provide value and/or benefit to the
enterprise through automation.
20
IT Risk Management Audit / Assurance Program
21
Maturity Assessment vs. Target Assessment
This spider graph is an example of the assessment
results and maturity target for an IT risk
management assessment.
Cloud Perspectives
22
Cloud and Integrated GRC and Audit
Only with such unified platform can enterprise IT
Leaders ensure that they have a highly consumable
cloud that will not breakdown as workloads and
complexity grow. Otherwise, enterprise will not
gain the agility and efficiency that they seek
from the cloud.
23
GRC Stack Initiatives
The goal of Cloud Audit is to provide a common
interface and namespace that allows cloud
computing providers to automate the Audit,
Assertion, Assessment, and Assurance (A6) of
their infrastructure (IaaS), platform (PaaS), and
application (SaaS) environments and allow
authorized consumers of their services to do
likewise via an open, extensible and secure
interface and methodology. Cloud Audit provides
the technical foundation to enable transparency
and trust in private and public cloud systems.
24
GRC Stack Initiatives
The Cloud Security Alliance Cloud Controls Matrix
(CCM) is specifically designed to provide
fundamental security principles to guide cloud
vendors and to assist prospective cloud customers
in assessing the overall security risk of a cloud
provider. The Cloud Controls Matrix provides a
controls framework that gives detailed
understanding of security concepts and principles
that are aligned to the Cloud Security Alliance
guidance in 13 domains. The foundations of the
Cloud Security Alliance Cloud Controls Matrix
rest on its customized relationship to other
industry-accepted security standards,
regulations, and controls frameworks such as the
HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI,
HIPAA and NIST, and will augment or provide
internal control direction for SAS 70
attestations provided by cloud providers. As a
framework, the CSA CCM provides organizations
with the needed structure, detail and clarity
relating to information security tailored to the
cloud industry. The CSA CCM strengthens existing
information security control environments by
emphasizing business information security control
requirements, reduces and identifies consistent
security threats and vulnerabilities in the
cloud, provides standardize security and
operational risk management, and seeks to
normalize security expectations, cloud taxonomy
and terminology, and security measures
implemented in the cloud.
25
GRC Stack Initiatives
The Cloud Security Alliance Consensus Assessments
Initiative (CAI) was launched to perform
research, create tools and create industry
partnerships to enable cloud computing
assessments. We are focused on providing
industry-accepted ways to document what security
controls exist in IaaS, PaaS, and SaaS offerings,
providing security control transparency. This
effort by design is integrated with and will
support other projects from our research
partners. The initial deliverable of this project
is the Consensus Assessments Initiative
Questionnaire (CAIQ). This questionnaire is
available in spreadsheet format, and provides a
set of questions a cloud consumer and cloud
auditor may wish to ask of a cloud provider. It
provides a series of yes or no control
assertion questions which can then be tailored to
suit each unique cloud customers evidentiary
requirements.
26
GRC Stack Initiatives
The Cloud Trust Protocol (CTP) is the mechanism
by which cloud service consumers (also known as
cloud users or cloud service owners) ask for
and receive information about the elements of
transparency as applied to cloud service
providers. The primary purpose of the CTP and the
elements of transparency is to generate
evidence-based confidence that everything that is
claimed to be happening in the cloud is indeed
happening as described, , and nothing else. This
is a classic application of the definition of
digital trust.4 And, assured of such evidence,
cloud consumers become liberated to bring more
sensitive and valuable business functions to the
cloud, and reap even larger payoffs. With the CTP
cloud consumers are provided a way to find out
important pieces of information concerning the
compliance, security, privacy, integrity, and
operational security history of service elements
being performed in the cloud.
27
Cloud Security Threats and How Government
Agencies are Coping
Cloud computing services exemplify a significant
change in the way companies and organizations
perceive IT infrastructure in terms of cost and
productivity.  Many of the functions and
capabilities provided by cloud environments are
typically very costly and labor-intensive to
implement in traditional data centers.  For this
reason many companies, organizations, and
government agencies are rethinking IT
infrastructure and opting for virtualization to
reduce costs while maintaining productivity in a
difficult economy. Although cloud computing
represents many new opportunities to access
state-of-the-art technology at a much lower cost,
many are concerned about the risks associated
with cloud computing systems and the loss of
control over IT infrastructure which you
otherwise have with a traditional IT
infrastructure. This is especially true with
government agencies that have countless security
and compliance requirements to follow, most of
which cannot be accessed on a cloud services
platform.  These are guidelines enforced by
International Traffic in Arms Regulations and
security controls and certifications such as ISO
27001, ISO 27002, SAS-70, SAS-70 Type 2, and
regulations set forth by the Health Insurance
Portability and Accountability Act. According to
the Cloud Security Alliance cyber criminals
continue to take advantage of new technologies to
extend the reach of criminal activities and avoid
detection.  Cloud computing systems have been
highly targeted due to the fact it is a
relatively new technology without the security
controls typically included in a traditional IT
infrastructure.  However, this is rapidly
changing but in the meantime, the Cloud Security
Alliance has highlighted some of the top cloud
computing threats which CSPs face when providing
cloud services to organizations.
28
Common Cloud Security Threats
Criminals find ways to release new threats on a
frequent basis just as viruses and malware are
released on the Internet every day.  Cloud
computing is not immune to this fact which can
make risk management an ongoing task for
maintaining secure cloud computing systems.
Iaas and Paas Attacks  Cloud computing systems
which are offered as IaaS (Infrastructure as a
Service) and PaaS (Platform as a Service) have
been subject to password and key cracking in
which criminals use sophisticated software to
obtain passwords and key codes for unauthorized
access.  A more common form of Iaas and Paas
attacks are botnets which take command of the
cloud server environment for malicious purposes
and Denial of Service attacks which breach server
security before sending massive amounts of
information packets in an effort to bring down a
cloud server and gain unauthorized access to
sensitive data. Inside Threats  Cloud service
providers employ a staff of people to help
monitor and maintain the infrastructure however,
when you use some of the services the provider
may not reveal who has access to the servers and
vaults which are used with cloud computing
infrastructure.  In this case, there is a chance
that a threat to sensitive data could come from
the inside if the cloud service provider does not
have policies in place for monitoring employees
and policy compliance.  Depending upon the
process the cloud service provider (CSP) uses for
hiring, confidential data could be subject to
espionage, hacking, or someone working within
organized crime. Hijacking  Phishing and
software exploitation has been around for some
time now however, cloud computing adds a new
dimension to this crime.  If a criminal obtains
unauthorized access to your credentials through a
phishing scheme or software vulnerability it is
then possible for them to eavesdrop on cloud
computing activities, redirect your clients to
sites that look legitimate but are laced with
criminal intentions, or alter the data and
information which is stored in an account on the
cloud server.
29
Common Cloud Security Threats (cont.)
Issues with Shared Technology  In a cloud
environment which offers multi-tenancy the
services are typically provided with scalability
which is accomplished using a shared
infrastructure.  Sometimes the proper isolation
and security properties are not in place which
can create a gap between the virtualized server
and the host operating system.  This can cause
problems with data breaches, network traffic,
disk partitions, CPU caches, and other shared
elements.  Once the shared technology is accessed
it can impact the security of others who are
using the cloud services.
These are a few of the general cloud security
threats which can occur in a cloud computing
environment.  Government agencies are able to
cope with these threats by using cloud service
providers (CSPs) which have been certified by the
FedRAMP assessment process which is a
standardized approach set forth by the federal
government to ensure security and compliance is
being followed when using cloud computing
systems. Government agencies are also choosing to
use services such as GovCloud provided by Amazon
Web Services which has been designed to meet
government data security compliance and
guidelines for different types of data
classification.  GovCloud also ensures access to
data stays within the borders of the United
States in accordance with the International
Traffic in Arms Regulations.
30
Cloud Computing Service Audit
Data Classification  
31
Cloud Audit
CloudAudit is a specification for the
presentation of information about how a cloud
computing service provider addresses control
frameworks. The goal of CloudAudit is to provide
cloud service providers with a way to make their
performance and security data readily available
for potential customers. The specification
provides a standard way to present and share
detailed, automated statistics about performance
and security. Standardized information makes
comparisons among providers easier, reducing the
resources required to assemble documentation and
analyze the data. CloudAudit is intended to
benefit cloud computing providers as well. For
example, the cost of responding to a potential
customer's compliance controls may be minuscule
for a large vendor. However, a small vendor may
find it burdensome to provide that information to
multiple prospective customers. With CloudAudit,
vendors can provide information once and only
update when there are changes. CloudAudits
development codename was A6 (Automated Audit,
Assertion, Assessment, and Assurance API).
According to the Internet Engineering Task Force
(IETF) draft document, CloudAudit provides a
common interface, naming convention, set of
processes and technologies utilizing the HTTP
protocol to enable cloud service providers to
automate the collection and assertion of
operational, security, audit, assessment, and
assurance information. CSA released CloudAudit
as part of a free tool suite for cloud-based
Governance, Risk and Compliance (GRC) in November
2010.  The tool consists of a directory or common
namespace that serves as an organized repository.
Cloud computing providers can put whatever they
want within the directories (PDF files, text
documents, links to websites, etc.) to indicate
how they are addressing requirements within
various control frameworks.  The first set of
namespaces is compliance-driven with a focus on
PCI-DSS, HIPAA, COBIT, ISO 27002 and NIST 800-53.
32
IT Assurance Framework
ISACAs IT Assurance Framework (ITAF) includes
a section (3630.6) on outsourcing and third-party
activities (see figure 1). Cross-references are
includedCOBIT PO4, PO7, PO8, PO9, AI2 and AI5,
and ISACA IT Audit and Assurance Guidelines
(formerly IS Audit Guidelines) G4, G18, G32 and
G37. These referenced documents provide useful
technical assistance in conducting an IT audit
for cloud computing.
33
IT Assurance Framework (cont.)
Obviously, the fact that a third party is
involved means direct auditing of the service
entity may not be practical or even possible.
ITAF also supplies a list of potential documents
that could provide service audit information that
should be relevant (see figure 2).
34
(No Transcript)
35
Developing the IT Audit Plan Related Monitoring
by management
Understanding the Business IT Risk
Understanding the IT environment in a business
context
35
36
36
37
Metha Suvanasarn CGEITCRISCCRMA CIACPA

www.itgthailand.com
37