Black Hat Sessions VIII: Hacking the Cloud – Ede, April 2010
It’s the security, stupid! How IT audits cope with cloud computing
drs. Mike Chung RE
May 17, 2015
© 2010 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. 2
Cloud computing
Cloud computing is putting your data on someone else’s hard disk and accessing it via a network...
Public cloud: ...with a lot of other people too
Private/dedicated cloud: ...alone
Infrastructure-as-a-Service: you have to install OS and software on that hard disk yourself
Platform-as-a-Service: you have to install software only
Software-as-a-Service: everything’s been installed
Main questions
What is the (ir)relevance of audits in the cloud?
What are the specific factors concerning the cloud?
How (ir)relevant are audit standards?
How (in)competent are IT auditors?
The relevance of IT audits
Compliance with legislation, regulations and standards: SOx, HIPAA, PCI DSS...
Non-compliance means significant loss of business or even going out of business
Due to / thanks to the credit crunch, regulations have been tightened
IT audits as part of the annual statement of accounts
Cloud computing is a matter of trust – current trust models are weak
You don’t trust what you don’t understand – perceptions, fairy tales and FUD
Why should decision-makers trust IT vendors and advisors?
Security is the biggest concern for decision-makers: according to KPMG’s 2010 cloud computing survey, security issues are the main concern of CIOs and managers (75%), followed by privacy, compliance and legal matters
Security issues of cloud computing are real
Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)
Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)
Security flaws in GoogleDocs gave erroneous permissions to its users (2009)
Thousands of hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)
Botnets are increasingly threatening access to internet services
Spam and the excessive traffic of multimedia sites and P2P networks are clogging the internet’s arteries
Security risks: specific factors concerning the cloud
External data storage
Multi-tenancy
Use of the (public) internet
Integration with the internal IT environment
Specific factor concerning the cloud: external data storage
Weak control of data (failing backup, recovery, destruction)
Legal complications (privacy violation, conflicting/contradicting and often unworkable/archaic legislation)
Uncertain viability (insufficient guarantees regarding continuity and availability of services)
Single point of failure (failure of one cloud vendor/provider means disaster for many customers)
Vendor lock-in (difficulty in getting back the data in open formats and switching to other vendors)
Specific factor concerning the cloud: multi-tenancy
Inadequate segregation of data between different customers (data contamination)
Inadequate Identity & Access Management (erroneous authentication, access and authorization to IT resources and data)
Insufficient logging & monitoring
The weakest link is decisive (virtualization, shared databases)
Specific factor concerning the cloud: use of the (public) internet
Unclear and unaddressed accountability and ownership
Unclear demarcation of responsibilities and control
Limited regulation
A lot of clandestine traffic (spam) and networks (botnets)
Exceptionally poorly protected for such an important infrastructure – the internet is commercially the most valuable infrastructure
Extremely dependent on a couple of optic fibres and electricity
Threats are virtually unknown to most politicians and decision-makers
Specific factor concerning the cloud: integration with the internal IT environment
Unclear (network) perimeters
Difficulties/discrepancies in matching the cloud computing vendor’s security measures with internal security measures, requirements and baselines
Complexity of integration between the cloud and the internal IT
Security benefits
Centralized security
Concentration of security expertise
Economy of scale
High accessibility
‘Nakedness leads to fitness’
Audit standards
Localized IT as starting point (ITIL)
Strong focus on client-server/on-premise IT (ISO 27001/2)
Static (COBIT)
Strong focus on processes (SOx)
Audit standards versus external data storage
Based on access from external/third parties, not on access to cloud services
Based on management of internally stored data (eventually managed by externals)
From the viewpoint of the customer: irrelevant
From the viewpoint of the cloud computing vendor: insufficient
New principles and practices:
11 commandments of the Jericho Forum
Cloud security initiatives from ISF
Audit standards versus multi-tenancy
Marginal attention on (technical) architecture
Multi-tenancy virtually unobserved/unexposed
Mere focus on segregation of duties, facilities and networks
New principles and practices:
Cloud Security Alliance – Security guidance
Liberty Alliance’s IAM ‘baselines’ for Federated IAM
ENISA – Cloud computing security framework
Audit standards versus use of the (public) internet
Primarily financial-legal issues (accountability, ownership) outside the domain of IT audits
Exceptionally difficult to audit – there is no usable and accepted ‘atlas of the internet’
Existing principles and practices for e-mail usage and internet security partly applicable, but an audit framework for the internet is yet to be released
Audit standards versus integration with the internal IT environment
‘Open standards’ – which one(s) to choose?
‘Open’ audit standards versus the reality of ‘proprietary’ cloud technologies
New principles and practices:
ISF – The Standard of Good Practice for Information Security
OWASP frameworks
Compliance
Responsibility and risks are with the customer, not the cloud vendor
Legislation versus the current state of (technical) affairs
Compliance with different legislation from different countries (SOx, HIPAA, PCI DSS, WBP...)
SAS70 as a way out?
SAS70: objections
Type I or Type II?
Free to choose the controls
Fully dependent on the expertise and viewpoint of the auditor
Many variations in audit approach, set-out and level of (technical) detail
Wide intervals between audits
SAS70 in practice
Same standards used as for client-server/on-premise IT environments
Hardly any attention on multi-tenancy, service integration and external data storage
Superficially reviewed by (potential) customers and auditors
Lacunae rarely raised
IT auditors
Competent researchers and analysts
High-level knowledge of architecture and technology
Mostly educated in economics, accounting, business management
Existing audit standards and baselines as starting points
IT audits in practice
Use of partly irrelevant and insufficient controls for cloud computing
Approach tailored for client-server/on-premise IT
Emphasis on (service management) processes with paper evidence
Recommendations only partly aimed at mitigating cloud-specific risks
Steps forward
Actualize existing standards and frameworks with relevant controls for the cloud
Control (read: reduce) the many good initiatives of setting up new standards and frameworks – consolidate expertise
More emphasis on architecture and technology with technical evidence
Increase the share of technically educated auditors
Conclusion
IT audits are an essential part of compliance and assurance
Cloud computing harbours specific security risks
Audit standards and baselines are partly irrelevant and insufficient, but there are (too) many initiatives to actualize these
While IT auditors are competent researchers, their (technical) knowledge on cloud computing needs to be updated
Contact
Drs. Mike Chung RE
Manager
KPMG Advisory N.V.
E-mail: [email protected]
+31 (0)6 1455 9916
About the spider
The spider as depicted in this presentation is the European Garden Spider, also known as the Cross Spider (Araneus diadematus)
The Garden Spider makes large webs
Like most spiders, it possesses venom glands
However, this spider is docile and its venom is harmless to humans