Francis Kabaso
Thursday, 27 August 2015
Zambezi Sun International Hotel
Livingstone, Zambia
2nd IIA / ISACA Zambia 2015 Governance, Risk
and Control (GRC) Conference
Cloud Computing: Governance, Risk and Control
Agenda
Cloud Computing: What is it?
Cloud Computing Service Models
Cloud Computing Deployment Models
Cloud Computing Feasibility
Cloud Computing Benefits
Cloud Computing Challenges
Cloud Computing Risks in Business Terms
Cloud Outsourcing Lifecycle
Company XYZ SaaS Cloud Strategy Adoption: Risk-Based Audit Assurance using Risk IT and COBIT
Conclusions and Recommendations
Q&A
Cloud Computing: What is it?
Gartner defines cloud computing as a style of computing in
which scalable and elastic IT-enabled capabilities are delivered
as a service to external customers using Internet technologies.
Utility Computing refers to the ability to meter the offered
services and charge customers for exact usage.
The five attributes of cloud computing (Gartner, 2016) are:
Service-based
Elastic and Scalable
Shared
Metered by Use (Fixed, Subscription, Pay-As-You-Go and
Fee Plans).
Used Internet Technologies / Self-Service
Cloud Computing Service Models
Infrastructure-as-a-Service (IaaS) is a standardized, highly
automated offering, where compute resources, complemented by storage and
networking capabilities are owned and hosted by a service provider and offered
to customers on-demand (Gartner, 2015).
A Platform-as-a-Service (PaaS) offering, usually depicted in all-cloud
diagrams between the SaaS layer above it and the IaaS layer below, is a
broad collection of application infrastructure (middleware) services (including
application platform, integration, business process management and database
services) (Gartner, 2015).
Software-as-a-Service (SaaS) is software that is owned, delivered
and managed remotely by one or more providers. The provider delivers software
based on one set of common code and data definitions that is consumed in a
one-to-many model by all contracted customers at anytime on a pay-for-use
basis or as a subscription based on use metrics (Gartner, 2015).
Data-as-a-Service (DaaS) for Business empowers businesses to use
data as a standalone asset and connect with partner data to make smarter
decisions. DaaS offers the variety, scale, and connectivity in the industry
including cross-channel, cross-device, and known and anonymous data (Oracle,
2015).
Cloud Computing Deployment Models
Private Cloud is a form of cloud computing that is used by only one organization, or that
ensures that an organization is completely isolated from others. On-premise cloud is an
example of private cloud; not all private clouds are on-premise (Gartner, 2015).
Self-service agility, Standardization, IT as a Business, Chargeback
(Usage Metering)
Public Cloud computing uses internet technologies to support customers that are
external to the provider’s organization (Gartner, 2015).
Increased flexibility (elastic and scalable), Economies of Scale /
Reduced Unit Cost
Hybrid Cloud refers to policy-based and coordinated service provisioning, use and
management across a mixture of internally and externally controlled cloud services (Gartner,
2015).
Cost for Peak Loads, Flexibility for Peak Loads
Community Cloud is a shared (multi-tenancy) cloud computing service environment
that is targeted at a community with similar computing concerns (Gartner, 2015).
Mission, Policy, Security, Privacy, Performance and Compliance
requirements.
Feasibility
“Cloud computing has reached an inflection
point for enterprises — a comprehensive
strategy for broad adoption and use is now
required. Until now, most companies had
adopted public cloud services in an ad hoc
fashion, driven mostly by business leaders
and developers creating new customer-facing
systems that corporate IT could not
deliver quickly enough” (Forrester Research,
2015).
Feasibility …. Cont’d
An ever more complex, global and connected world (truly CNN’s Becky
Anderson’s Connect the World)
Fast Paced Technological Era of The Big Five Trends: Cloud,
Social, Mobile, Commoditization and Big Data
Nexus of Forces (Internet of Things (IoT), Information Society,
Social Media, Big Data, Cloud and Enterprise Mobility)
From technology-centric to business-centric organizations. From
BYOD to BYOx. It’s all about CHOICE!!!
Virtualization / Compartmentalization and Consolidation
Era of customer choice; failure to give customers choice can mean
doom to your business
Feasibility …. Cont’d
Industries and companies of all sizes can connect to customers
directly using the latest innovations in mobile, social, and cloud
technology
Cloud Computing is not just a good idea but THEE Good Idea
Cloud Applications, Platforms and Business Services are now
used as strategic resources in the business technology
portfolio.
Cloud-based services being offered as Utility or Commoditized
Service
Caveat: Business must strike right balance between Agility,
Efficiency, Security, Compliance and Integration for a
successful cloud strategy
Cloud Computing has moved beyond the pure hype stage and
into the beginning of mainstream adoption
Feasibility …. Cont’d
The technology of Cloud-based Services offered as a Utility is becoming
mature
Mature B2B, B2P, B2C, C2C and P2P Cloud platforms and solution offerings
available:
Examples of Cloud-Service Providers:
salesforce.com. Leading provider of CRM in the enterprise cloud
ecosystem
Oracle Fusion Applications. Oracle ERP in the Cloud (Financials, GRC,
HCM, SCM, Procurement, CRM, PPM). Runs on On-Premise, in hosted
environment or through mix of each option. Oracle’s claim of the New
Standard for Business
Microsoft Online Services (Data and Insights, Cloud Platform,
Enterprise Social & Productivity, Mobility, Cybersecurity and Piracy,
Email, Collaboration and Conferencing). Office 365, Exchange,
SharePoint, Skype for Business, Project, Visio, Yammer, Power BI,
Dynamics CRM
Feasibility …. Cont’d
Examples of Cloud-Service Providers:
Amazon Elastic Compute Cloud (EC2). A web service that provides
resizable compute capacity in the cloud. EC2 changes the economics
of computing by allowing you to pay only for capacity that you
actually use.
PayPal is a cloud payment service providing person-to-person (P2P)
card-based payment services
Google Cloud Platform Services - SQL and NoSQL, IaaS (Virtual
Machines), PaaS, Application Services, Big Data Solutions and
Object Storage
KYC Managed Services: Managed Service Model and Shared Utility
Service Model such as SWIFT’s KYC Registry used for KYC
compliance due diligence management in the financial sector
Feasibility …. Cont’d
Examples of Cloud-Service Providers:
SWIFT Alliance Lite2 provides a cloud-based connection to the SWIFT
network and related applications and services
Alliance Lite2 meets the needs of lower volume SWIFT customers,
including banks, corporates, investment and funds managers, and
brokers/dealers. Alliance Lite 2 brings the following benefits:
Little upfront investment
Minimized operational costs and overheads
Connect directly to SWIFT without a third party
No SWIFT infrastructure maintained at your site
N.B. Lower volume SWIFT customers are those that send and receive
up to 10,000 messages per day with standard throughput
expectations.
Benefits
Organizations move from traditional IT infrastructure models to
Cloud Computing for many reasons:
Economics of the Cloud
Four distinct mechanisms through which these cost savings are
generated:
Lower opportunity cost of running technology
Cloud Computing provides a shift from the CapEx to OpEx
model. Cloud Computing typically provides outsourcing leasing
options.
Lowering total cost of ownership (TCO) of technology (Full Life
Cycle Costs of IT investment over a predefined period)
Focus on core business and competencies. Strong Business and
Customer Focus overcomes the inherent organizational inability
to quickly respond to changing business circumstances
Probably one of the only strategies able to keep up with the pace of
rapid technological change
Real Benefit is Agility (adjusting quickly) and speed (of deployment)
Challenges
The adoption of the Cloud Computing model creates an
enormous threat landscape that poses all sorts of strategic,
financial, regulatory and operational challenges.
Strategic: The Cloud Service Provider has little
understanding of the organization’s business
Financial: Hidden costs arising from unexpectedly high
‘extras’ to the contract
Regulatory: Comply with diverse regulations across different
jurisdictions
Operational: The service levels are not as good as anticipated
Challenges
Efficiency, effectiveness, confidentiality, integrity, availability, reliability and
compliance
Loss of Operational and Security Control
Reliance on Third-Party Cloud Service Providers
Switchover Costs / Cost of Transition
Uncertainty of Long Term Benefits
Privileged User Access
Regulatory Compliance
Privacy Issues / Personal Identifiable Information (PII) Protection
Data Location
Data Segregation because of co-location/multi-tenancy
Business Continuity and Recovery
Investigative Support
Long-term viability of the Cloud Service Providers
Data Security: Data-at-rest, Data-in-Process and Data-in-Transit
In this part of the world, bandwidth, performance and reliability considerations are
real
IT Audit Universe has just grown a whole lot bigger. Audit coverage includes
aspects that may not be directly under the control of the organization
Cloud Computing Risks in Business Terms
IT-related events and conditions could potentially impact the business. IT risk is
pervasive and a component of the overall risk universe of the enterprise.
Enterprise Risk: Strategic Risk, Environmental Risk (Internal and External), Market
Risk, Credit Risk, Operational Risk, Compliance Risk
In many enterprises (and dangerously so), IT-related risks are considered as part
of operational risks, e.g. in the financial industry in the Basel II framework.
Prolonged downtime of the core business cloud system can inflict huge and
irreparable reputational damage on an organization.
Figure 1. Examples of IT-related risks expressed in Business Terms:
Cloud Outsourcing Lifecycle
Phase 1: Business Case
Phase 2: Due Diligence
Phase 3: Establishing vendor engagement
Phase 4: Ongoing monitoring and review
Phase 5: Evaluate the relationship
Map Risk IT Framework IT risk scenarios and COBIT Processes to
establish end-to-end comprehensive view of risk types (Figure 2).
Prepare risk-based audit programme (Tables 1 to 8) for high-risk areas in
Figure 2
Analyse and Evaluate All Mapped Risks
Risk Consequence:
Negligible, Minor, Major, Significant, Catastrophic
Risk Likelihood:
Rare, Unlikely, Probable, Likely, Very Likely
Risk Rating = Consequence/Impact x Likelihood/Frequency
Very Low, Low, Medium, High and Very High
Prepare Risk Heat Map (Figure 3)
Prioritise high risks (Figure 4) and recommend appropriate risk treatment
Residual Risk = Inherent Risk (Risk IT) – Controls (COBIT)
Risk treatment actions by Company XYZ: Additional mitigating controls,
Transfer, Avoidance and Acceptance of risks.
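The rating, heat-map and prioritisation steps above, worked through in Python as an added example (not part of the deck): the consequence and likelihood scales and the Figure 2 scenario-to-COBIT mapping are the deck's; the numeric cut-offs for the five rating bands, the sample assessment values for Company XYZ and the `open_controls` rendering of "inherent risk minus controls" are assumptions.

```python
"""Risk rating, heat map and prioritisation for the Risk IT / COBIT mapping."""
from __future__ import annotations
from itertools import product

# Ordinal scales from the deck (1 = lowest).
CONSEQUENCE = {"Negligible": 1, "Minor": 2, "Major": 3, "Significant": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Probable": 3, "Likely": 4, "Very Likely": 5}
BANDS = ["Very Low", "Low", "Medium", "High", "Very High"]

# Figure 2 of the deck: Risk IT scenario no. -> (name, COBIT control objectives).
COBIT_MAPPING = {
    3: ("Technology selection", ["PO3.2", "AI1.2", "AI5.2"]),
    16: ("Selection/performance of third-party suppliers", ["PO5.2", "DS2.4", "ME3.4"]),
    27: ("Logical attacks", ["AI2.4", "DS5.3", "DS5.10"]),
    28: ("Information media", ["DS5.11"]),
    31: ("Database security", ["DS11.6"]),
    32: ("Logical trespassing", ["DS5.4", "DS5.5"]),
    34: ("Contractual compliance", ["ME3.4"]),
}


def rating_band(score: int) -> str:
    """Map a consequence x likelihood score (1..25) onto the deck's five bands.
    The cut-offs are an assumption; the deck names the bands but gives no thresholds."""
    if score <= 2:
        return "Very Low"
    if score <= 5:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Very High"


def risk_rating(consequence: str, likelihood: str) -> tuple[int, str]:
    """Risk Rating = Consequence/Impact x Likelihood/Frequency, as a score and a band."""
    score = CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]
    return score, rating_band(score)


def heat_map() -> dict[tuple[str, str], str]:
    """Every consequence/likelihood cell with its band (Figure 3 in tabular form)."""
    return {(c, l): rating_band(CONSEQUENCE[c] * LIKELIHOOD[l])
            for c, l in product(CONSEQUENCE, LIKELIHOOD)}


def prioritise(assessments: dict[int, tuple[str, str]], threshold: str = "High") -> list[dict]:
    """Rate each assessed scenario and return those at or above `threshold`,
    highest score first, with the mapped COBIT control objectives to audit.
    `assessments` maps Risk IT reference no. -> (consequence, likelihood)."""
    rows = []
    for ref, (c, l) in assessments.items():
        score, band = risk_rating(c, l)
        if BANDS.index(band) >= BANDS.index(threshold):
            name, controls = COBIT_MAPPING[ref]
            rows.append({"ref": ref, "scenario": name, "score": score,
                         "band": band, "controls": controls})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def open_controls(ref: int, effective: set[str]) -> list[str]:
    """Qualitative reading of Residual Risk = Inherent Risk - Controls (an assumption):
    the mapped COBIT objectives not yet confirmed effective are the residual-risk gaps."""
    return [ctl for ctl in COBIT_MAPPING[ref][1] if ctl not in effective]


# Constructed sample assessment for the seven mapped scenarios (illustrative, not from the deck).
SAMPLE_ASSESSMENT = {
    3: ("Major", "Probable"), 16: ("Significant", "Likely"), 27: ("Catastrophic", "Probable"),
    28: ("Major", "Likely"), 31: ("Significant", "Probable"), 32: ("Minor", "Unlikely"),
    34: ("Major", "Unlikely"),
}

if __name__ == "__main__":
    for row in prioritise(SAMPLE_ASSESSMENT):
        print(row["ref"], row["scenario"], row["score"], row["band"], row["controls"])
    print("Residual gaps for scenario 27:", open_controls(27, {"DS5.3"}))
```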
Company XYZ SaaS Cloud Adoption Strategy: Risk-Based Audit Assurance using Risk IT and COBIT
Generic risk frameworks such as ISO 31000:2009 ERM (adopted
from AS/NZS 4360:2006 ERM) and COSO ERM – Integrated
Framework
IT domain-specific risk frameworks, practices and process models
such as ISO 27001:2013 for Information Security Management
Systems (ISMS) and IT Infrastructure Library (ITIL) for IT Security
Delivery and Support
The Risk IT framework fills the gap between generic risk management
frameworks and domain-specific frameworks, based on the premise that
IT risk is both a business and a technical issue.
Risk IT is about IT risk – business risk related to the use of IT.
Risk IT provides a list of 36 organizationally adaptable generic high-level
risk scenarios
Risk IT provides a toolkit for IS auditors to come up with a
comprehensive and end-to-end enterprise view of IT risk
Risk IT is used in conjunction with COBIT, the comprehensive
business framework for the governance and management of
enterprise IT, to efficiently identify, analyze and evaluate risks
(Risk Assessment).
Risk IT and CoBIT mapping provides alignment for the
management of IT-related business risk within the overall
enterprise risk management structure
Figure 2 – Mapping Between High-Level Risk Scenarios and Corresponding COBIT Control Objectives
COBIT Processes and Corresponding Control Objectives: Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME)

Risk IT Ref. No.  High-level Risk Scenario                          PO      AI            DS             ME
3                 Technology selection                              PO3.2   AI1.2, AI5.2
16                Selection/performance of third-party suppliers    PO5.2                 DS2.4          ME3.4
27                Logical attacks                                           AI2.4         DS5.3, DS5.10
28                Information media                                                       DS5.11
31                Database security                                                       DS11.6
32                Logical trespassing                                                     DS5.4, DS5.5
34                Contractual compliance                                                                 ME3.4

Source: ISACA, ISACA Journal Volume 4, 2011; The Risk IT Practitioner Guide, USA, 2015, http://www.isaca.org/knowledge-center/research/documents/risk-it-framework-excerpt_fmk_eng_0109.pdf
Table 1. Audit Programme: Technology Selection (AI5.2)
Relevant COBIT Control Objective
AI5.2 Supplier contract management—Set up a procedure for
establishing, modifying and terminating contracts for all suppliers.
The procedure should cover, at a minimum, legal, financial,
organizational, documentary, performance, security, intellectual
property, and termination responsibilities and liabilities (including
penalty clauses). All contracts and contract changes should be
reviewed by legal advisors.
Audit Procedure
Confirm, through interviews with key staff members, that the policies
and standards are in place for establishing contracts with suppliers.
Contracts should also include legal, financial, organizational,
documentary, performance, security, auditability, intellectual
property, responsibility and liability aspects.
Findings
The cloud provider contract does not include certain critical
elements to help protect security and privacy requirements. The
contract does not include a nondisclosure agreement or a right-to-audit
clause. There is no process for the monitoring of potential
vendor failure.
An independent auditor’s report (e.g., ISAE 3402/SOC 1/SSAE16/SAS
70 report, WebTrust report, SysTrust report) was not reviewed. A
review of the report would allow the user organization to understand
the controls at the service provider and the nature and extent of
controls required to implement.

Table 2. Audit Programme: Selection/Performance of Third-party Suppliers (ME3.4)
Relevant COBIT Control Objective
ME3.4 Positive assurance of compliance—Obtain and report assurance of
compliance and adherence to all internal policies derived from internal
directives or external legal, regulatory or contractual requirements,
confirming that any corrective actions to address any compliance gaps
have been taken by the responsible process owner in a timely manner.
Audit Procedure
Inquire whether procedures are in place to regularly assess levels of
compliance with legal and regulatory requirements by independent parties.
Review policies and procedures to ensure that contracts with third party
service providers require regular confirmation of compliance (e.g., receipt
of assertions) with applicable laws, regulations and contractual
commitments.
Findings
Monitoring of the quality of service (QoS) provided by the CSP needs to
be strengthened. Degradation in the QoS may have a significant impact on
Company XYZ’s ability to meet its obligations to its customers.
In future years, an independent auditor’s report (e.g., ISAE
3402/SOC1/SSAE16/SAS70 report, WebTrust report, SysTrust report)
would need to be reviewed. A review of the report would help the user
organization understand the state of controls at the CSP and whether the
user organization needs to add compensating controls.
Source: ISACA, ISACA Journal Volume 4, 2011
Table 3. Audit Programme: Logical Attacks (DS5.3)
Relevant COBIT Control Objective
DS5.3 Identity management—Ensure that all users (internal, external
and temporary) and their activity on IT systems (business
application, IT environment, system operations, development and
maintenance) are uniquely identifiable. Enable user identities via
authentication mechanisms. Confirm that user access rights to
systems and data are in line with defined and documented business
needs and that job requirements are attached to user identities.
Ensure that user access rights are requested by user management,
approved by system owners and implemented by the security-responsible
person. Maintain user identities and access rights in a
central repository. Deploy cost effective
technical and procedural measures, and keep them current
to establish user identification, implement authentication and
enforce access rights.
Audit Procedure
Determine whether access provisioning and authentication control
mechanisms are utilized for controlling logical access across all
users, system processes and IT resources for in-house and remotely
managed users, processes and systems
Findings
Generic user identifications (IDs) are used to access the virtual
servers in the cloud. Multifactor authentication is not utilized for the
cloud management console.

Table 4. Audit Programme: Logical Attacks (DS5.10)
Relevant COBIT Control Objective
DS5.10 Network security—Use security techniques and related management
procedures (e.g., firewalls, security appliances, network segmentation,
intrusion detection) to authorize access and control information flows from
and to networks.
Audit Procedure
Inquire whether and confirm that a network security policy (e.g., provided
services, allowed traffic, types of connections permitted) has been
established and is maintained.
Inquire whether and confirm that procedures and guidelines for administering
all critical networking components (e.g., core routers, DMZ, virtual private
network [VPN] switches) are established and updated regularly by the key
administration personnel and that changes to the documentation are tracked
in the document history.
Findings
Application teams currently manage the configuration of the cloud firewall
instead of relying on the network engineering team.
Source: ISACA, ISACA Journal Volume 4, 2011
Table 5. Audit Programme: Information Media (DS5.11)
Relevant COBIT Control Objective
DS5.11 Exchange of sensitive data—Exchange sensitive transaction
data only over a trusted path or medium with controls to provide
authenticity of content, proof of submission, proof of receipt and
nonrepudiation of origin.
Audit Procedure
Inquire whether and confirm that data transmissions outside the
organization require an encrypted format prior to transmission.
Inquire whether and confirm that sensitive data processing is
controlled through application controls that validate the transaction
prior to transmission.
Findings
Exchange of sensitive data and administration of cloud instances are
done via a regular Internet connection instead of a secure channel
such as Secure Sockets Layer (SSL) or Secure Shell (SSH).
The organization utilizes an outdated version of Internet Explorer
browser software to access and administer the cloud.
According to the US Sarbanes-Oxley Act, there need to be proper
controls over the initiation, authorization and recording of
transactions relevant for financial reporting.

Table 6. Audit Programme: Data(base) Integrity (DS11.6)
Relevant COBIT Control Objective
DS11.6 Security requirements for data management—Define and
implement policies and procedures to identify and apply security
requirements applicable to the receipt, processing, storage and output of
data to meet business objectives, the organization’s security policy and
regulatory requirements.
Audit Procedure
Determine whether a policy has been defined and implemented to protect
sensitive data and messages from unauthorized access and incorrect
transmission and transport, including, but not limited to, encryption,
message authentication codes, hash totals, bonded couriers and tamper-resistant
packaging for physical transport.
Findings
Personally identifiable information (PII) is stored in clear text at the CSP.
Source: ISACA, ISACA Journal Volume 4, 2011
Table 7. Audit Programme: Logical Trespassing (DS5.5)
Relevant COBIT Control Objective
DS5.5 Security testing, surveillance and monitoring—Test
and monitor the IT security implementation in a proactive
way. IT security should be reaccredited in a timely manner to
ensure that the approved enterprise’s information security
baseline is maintained. A logging and monitoring function
will enable the early prevention and/or detection and
subsequent timely reporting of unusual and/or abnormal
activities that may need to be addressed.
Audit Procedure
Determine whether the IT security management function has
been integrated within the organization’s project
management initiatives to ensure that security is considered
in development, design and testing requirements to
minimize the risk of new or existing systems introducing
security vulnerabilities.
Findings
Network diagrams have not been updated to reflect
connectivity with the CSP. As a result, the last network
penetration testing did not include this as part of the scope.

Table 8. Audit Programme: Contractual Compliance (ME3.4)
Relevant COBIT Control Objective
ME3.4 Positive assurance of compliance—Obtain and report
assurance of compliance and adherence to all internal policies
derived from internal directives or external legal, regulatory or
contractual requirements, confirming that any corrective actions
to address any compliance gaps have been taken by the
responsible process owner in a timely manner.
Audit Procedure
Inquire whether procedures are in place to regularly assess
levels of compliance with legal and regulatory requirements by
independent parties.
Review policies and procedures to ensure that contracts with
third-party service providers require regular confirmation of
compliance (e.g., receipt of assertions) with applicable laws,
regulations and contractual commitments.
Findings
The cloud computing vendor does not have an independent
auditor’s report (e.g., ISAE3402/SOC1/SSAE 16 report).
Source: ISACA, ISACA Journal Volume 4, 2011
Figure 3. Risk Assessment Heat Map
Source: ISACA, ISACA Journal Volume 4, 2011
Figure 4. Summary of Risks and Gaps

Risk IT Ref. No.  High-level Risk Scenario                          Specific Risks and Gaps
3                 Technology selection                              The cloud provider contract does not include certain critical elements to
                                                                    help protect security and privacy requirements and lacks a technology
                                                                    infrastructure plan and a cost/benefit analysis (CBA). An independent
                                                                    auditor’s report was not reviewed.
16                Selection/performance of third-party suppliers    Monitoring of the QoS, including availability, needs to be improved.
                                                                    Service level agreements (SLAs) are vague.
27                Logical attacks                                   The business owner of the IaaS arrangement has not been defined yet.
                                                                    IaaS firewalls are managed by the application team instead of the
                                                                    network administrators. Multifactor authentication is not utilized to
                                                                    administer the cloud.
28                Information media                                 TLS and SSL are not used to exchange sensitive information with the
                                                                    CSP.
31                Data(base) integrity                              PII is stored in clear text at the cloud provider.
32                Logical trespassing                               Company XYZ’s network diagrams have not been updated to reflect the
                                                                    IaaS arrangement.
34                Contractual compliance                            The CSP does not go through an independent service auditor’s
                                                                    examination.
Source: ISACA, ISACA Journal Volume 4, 2011
Conclusions and Recommendations
Cloud Computing is mature and commoditized
Cloud Computing brings agility and speed to business
Leveraging Risk IT and a well known business governance and
management framework for enterprise IT such as COBIT makes
risk identification robust and the risk assessment process
efficient and effective.
The Risk IT and COBIT risk mapping process creates a model
that is extensible and reusable and that can be scaled up right
across the enterprise to assess IT-related business risks.
Cloud Computing Strategy is not a quick-fix solution: a cloud
computing strategy must be implemented within the wider context
of a well-orchestrated IT strategy with clearly defined benefits
and managed pitfalls (risks).
The Cloud Computing adoption strategy must be informed by a
comprehensive due diligence and risk assessment process.
Q&A
Thank You!!!!!