Cloud Computing NSAA Tallahassee September 2010 Brian Rue


Agenda
1) Cloud Audit Drivers
2) Cloud Deployment (SaaS, PaaS, IaaS)
3) Cloud Delivery Methods (Private, Community, Public, Hybrid)
4) Cloud Communications
5) Data/Application Data Center Geography
6) Select Cloud Legal Issues
7) Select Data Security Issues
8) Cloud Contract Review
9) Cloud Audit Program Resources
10) Cloud Resources

Back to the Future: Centralized Computing Architecture, Application Service Providers, and Thin Client Computing Architectures

Why State Entities Cloud
- Potential to Reduce Costs: Cloud technology can result in cost savings over in-house solutions.
- Promotes Automation: Can shift (varies by cloud type) backend hardware and software support to the cloud vendor, reducing required staff at the client site.
- On-Demand: Scalable architecture allows the client to dial up and dial down computing resources to match workflows.
- Mobility: A web user interface allows clients to connect from any computing device using a supported web browser.
- Shift IT Security Controls: The client can contractually shift IT security controls to the vendor, depending on the type of cloud architecture.
- Frees IT to Innovate: Clients have fewer support issues to worry about, allowing IT to concentrate on innovation.

1. Cloud Audit Drivers

Audit Reports

Evolving Government Guidance; Legislative Interest

Outsourcing Compliance; Mandated Reviews; Evolving Cloud Security Controls

State Cloud Issues; State Cloud Migration

Getting Comfortable in the Cloud Environment

2. Three Cloud Deployment Methods

1. Software as a Service (SaaS)
Vendor runs/owns:
- Application Software
- Platform (Operating System/Web apps/middleware/database)
- Supporting Infrastructure (data center)
The applications are accessible from various client devices through a thin client interface such as a web browser.

SaaS Video

Example SaaS Product: Google Apps

2. Platform as a Service (PaaS)
Vendor runs/owns:
- Platform (Operating System/Web apps/middleware/database)
- Supporting Infrastructure (data center)
The client does not manage the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

PaaS Video

3. Infrastructure as a Service (IaaS)
Vendor runs/owns:
- Supporting Infrastructure (data center)
The client does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

IaaS Video

NIST Chart

Cloud Providers

3. Cloud Delivery Methods

1. Private Clouds
The private cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

1.1 Private Clouds

2. Community Clouds
The community cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

2.1 Community Clouds Video

3. Public Clouds
The public cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

3.1 Public Clouds

4. Hybrid Clouds
The hybrid cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

4.1 Hybrid Cloud Video

NIST Cloud Delivery Chart

4. Cloud Communications
Mapping the data flows between the auditee, the cloud service, and any outside customers

Understanding the Pipes
- Internet
- Secure 100 Mbps or Gigabit private networks
- Virtual Private Networks (VPNs)
- Dedicated Lines
- SSL/SSH
- Wireless Carriers (Wi-Fi/WiMax/LTE/3G)
- Home Networks
- Public Access Points
- Multinational

Security of the Pipes: A Cloud Security Concern (Does a Plan B Exist?)
Service Disruptions – ranging from the entity's own ISP Internet connectivity to denial-of-service attacks against Internet/vendor infrastructure

Encrypted Communications
Encrypted Cloud Contacts
- Strength
- Key Management
  – Vendor Retains Encryption Keys
  – Entity Retains Keys

5. Data Center Geography: Data Packet 54, Where Are You?

Cloud Vendors Maintain Data Centers in Multiple Locations Across the Globe

Location, Location, Location
Cloud vendors can have the ability to port client data and application processing across borders absent contractual geographical restrictions.

One prominent SaaS provider has been identified as not being able to state, definitively, where one's data is hosted or that its location will be restricted to any given region.


More Secrecy from Vendors
According to Network World, “Cloud service providers often cultivate an aura of secrecy about data centers and operations, claiming this stance improves their security even if it leaves everyone else in the dark”; these providers often believe that such secrecy is an integral part of the cloud-computing business model.

6. Select Legal Issues

IMPORTANT: Cloud vendors do not always know if the entity is using cloud resources to store and/or process data that is protected by state, federal, or contractual obligations.

- HIPAA/HITECH – Note the requirements concerning the terms between the audited entity and the business associate contract (BAC) which HIPAA/HITECH requires these parties to have. HITECH does create security obligations for Business Associates (BAs) with responsibility for joint IT environments. Additional issues concern the BA's ability to monitor the entity's environment to ensure any privacy/security issues are promptly communicated to the contracted entity.
- PCI DSS – Cloud use for credit card processing must include cloud contract provisions concerning the cloud vendor's duties as a Service Provider under PCI DSS, including the vendor's obligation to maintain a compliant cloud environment.
- State Privacy Laws – Contracted cloud provisions should match the appropriate state security or privacy laws.
Business Associates – State Laws – Service Providers

e-Discovery in the Cloud
Cloud provider possession and custody, but delegation of control to a customer
- Has the auditee developed e-discovery procedures, including getting information off the cloud when a request is made?
- Has the auditee reviewed and validated the controls used to protect the cloud documents to counter potential legal challenges?
  – How does the entity ensure documents are not moved to geographical locations that may put e-document integrity at risk?

Subpoenas
State or federal subpoenas could be issued against data/logs held by the cloud vendor.
- Because of the multi-tenant cloud architecture, subpoena procedures may result in customer data/logs being reviewed even if that customer's data is not part of the subpoena, unless the data is encrypted and the key is held by the client.
- There may be no judicial oversight requiring the cloud vendor to alert the client of subpoena activity involving client data or network logs.
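The "Entity Retains Keys" option from the Encrypted Communications slide is also what the subpoena slide relies on when it says tenant data stays opaque only if it is encrypted with a client-held key. The Go program below is an added illustration, not code from the presentation: the entity envelope-encrypts each object before upload, so the vendor stores only ciphertext plus a data key wrapped under a key-encryption key (KEK) that never leaves the entity. Type and function names (EnvelopeRecord, Seal, Open) are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// EnvelopeRecord is everything the cloud vendor stores: the object encrypted under
// a per-object data key (DEK) plus that DEK wrapped under the entity-held KEK.
type EnvelopeRecord struct {
	Nonce, Ciphertext    []byte // AES-256-GCM over the object, keyed by the DEK
	DEKNonce, WrappedDEK []byte // AES-256-GCM over the DEK, keyed by the entity KEK
}

// gcm builds AES-256-GCM; the fixed 32-byte key type makes both error paths unreachable.
func gcm(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to encrypt rather than risk a nonce reuse
	}
	return b
}

// Seal runs on the entity side before upload; only the returned record goes to the vendor.
func Seal(kek [32]byte, plaintext []byte) *EnvelopeRecord {
	var dek [32]byte
	copy(dek[:], randBytes(32))
	dataAEAD, kekAEAD := gcm(dek), gcm(kek)
	rec := &EnvelopeRecord{Nonce: randBytes(dataAEAD.NonceSize()), DEKNonce: randBytes(kekAEAD.NonceSize())}
	rec.Ciphertext = dataAEAD.Seal(nil, rec.Nonce, plaintext, nil)
	rec.WrappedDEK = kekAEAD.Seal(nil, rec.DEKNonce, dek[:], nil)
	return rec
}

// Open needs the KEK; the vendor, or anyone served the record alone, cannot unwrap the DEK.
func Open(kek [32]byte, rec *EnvelopeRecord) ([]byte, error) {
	dekBytes, err := gcm(kek).Open(nil, rec.DEKNonce, rec.WrappedDEK, nil)
	if err != nil {
		return nil, err // wrong KEK: the GCM tag check fails and nothing about the DEK leaks
	}
	var dek [32]byte
	copy(dek[:], dekBytes) // an authenticated unwrap guarantees exactly 32 bytes
	return gcm(dek).Open(nil, rec.Nonce, rec.Ciphertext, nil)
}
```

For an audit this is the control to look for in the contract and the architecture: the vendor's copy of the KEK should not exist, and key rotation should re-wrap DEKs rather than re-encrypt every object.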

7. Cloud Data Security Issues

Security Issues
- Vendor connections to entity data security systems
  – Vendor may have access to local authentication and authorization assets maintained by the client (i.e. Active Directory) through hosted apps and databases
- Lack of client audit clauses
- Data encryption keys controlled by the cloud vendor, not the entity
- Lack of vendor logs (Application/Database/Network), or limited access to vendor logs
- Slack vendor change management/patching procedures
- Unclear vendor incident response procedures (timely alerts?)
- Loss of physical control of data assets
  – Controlling movement of data assets geographically
  – Increased security issues in virtual environments

Top Cloud Client Security Fails
- 0.0% development of a client risk assessment to understand and develop appropriate control and monitoring procedures to ensure CIA in the cloud and at end-points
- Client gives up ownership, responsibility, or governance of what's going on with their data to cloud service providers

Contracted Security
Cloud vendors will construct security clauses in client contracts that best protect the legal interest of the vendor and not necessarily the client:
- Vendor may not define the security standards they will follow to protect client assets
- Vendor may not define procedures for the timely application of security patches to purchased infrastructure
- Most vendors contractually prohibit client vulnerability and PII scans of the purchased cloud environment
- Vendor may not specify what privacy or data security laws they must comply with

SAS 70 / ISO/IEC / SSAE No. 16 (the vendor) and Entity Contracting Guidelines or Procedures

8. Cloud Contract Review

It’s All About the Contracts
The majority of your program audit hours will be allocated to cloud contract review.

9. Developing a Cloud Audit Program

ISACA – Cloud Computing Management Audit/Assurance Program


10. Cloud Auditing Resources

GSA Cloud Guidance

Cloud Federal Privacy Recommendations

CSA Cloud Security Guidance

NIST Cloud Presentations

Questions