La computación en nube Implicaciones para A dit í S id d Auditoría y

Anuncio
La computación en nube
Implicaciones para
A dit í y S
Auditoría
Seguridad
id d
Ing. Miguel Angel Aranguren Romero
CISA, CISM, CGEIT, CRISC, CISSP,
OSCP, Cobit FC, ITIL v3 FC
Introducción
A smarter planet creates new opportunities, but also new risks. The planet is becoming more instrumented, interconnected and intelligent.
New possibilities
“We have seen more change in the last 10 years than in the previous 90.”
New complexities
New risks
New risks
Critical
infrastructure protection
Ad J. Scheepbouwer,
CEO, KPN Telecom
Privacy and identity
New and emerging threats
Cloud security
“De las cinco tecnologías evaluadas, las redes sociales, las plataformas móviles y la
computación en nube presentan las mayores preocupaciones de riesgos”
64%
Herramientas de redes sociales
Plataformas móviles
21%
15%
54%
.
27%
19%
42%
Computación en nube
Fabricación, América del Norte
35%
24%
26%
31%
Virtualización
43%
Arquitectura orientada a servicios
a servicios
Extremadamente riesgoso / riesgoso
“Estamos preocupados por tener capacidad para controlar de manera segura el flujo de datos hacia y desde los dispositivos móviles de los empleados y de almacenarlos con seguridad”
almacenarlos con seguridad
25%
42%
34%
Algo riesgoso
Moderadamente riesgoso / sin ningún riesgo
Fuentes: The Economist Intelligence Unit and IBM Institute for Business Value (556 encuestados).
Q17 (¿Cuán grande es el riesgo de las siguientes tecnologías y herramientas para su empresa?)
“Ya estamos examinando la computación en nube y aún no se ha perfeccionado la seguridad en nuestras propias redes locales.”
Asistencia Medica, América del Norte
Regardless of the model ‐ public, private or hybrid –
security remains the top concern for cloud adoption.1
80 percent
p
of enterprises consider security the number one inhibitor to cloud adoptions
48 percent
of enterprises are concerned about the reliability of clouds
33 percent
of respondents are concerned with cloud interfering with their ability to comply
interfering with their ability to comply with regulations
1Driving Profitable
“How can we be assured that our data will not be leaked and that the vendors have the technology and the governance to control its employees from stealing data?”
“Security is the biggest concern. I don’t worry much about the other “‐ities” – reliability, availability, etc.”
“I prefer internal cloud to IaaS1. When the service is kept internally, I am more comfortable with the security that it offers ”
security that it offers.” Growth Through Cloud Computing, IBM Study (conducted by Oliver Wyman), March, 2010
Terminología
g
Cloud defined: a consumption and delivery model optimized
by workload.
• “Cloud” is an emerging style of computing that uses consumption
computing that uses consumption and delivery models to provide applications, data and IT resources as services to users over the network
the network
• Cloud allows: – Self‐service – Sourcing options – Flexible payment models
– Economies‐of‐scale
Cloud is:
An infrastructure and management methodology
A business model
A user A
user
experience • Cloud represents: – The industrialization of delivery for The industrialization of delivery for
IT‐supported services
Cloud lets you manage large numbers of highly virtualized resources that resemble a single large resource which can be used to deliver services.
Cloud computing delivery models include private, hybrid and public.
Private:
ƒ Access limited to enterprise and its partner network
ƒ Dedicated resources
ƒ Single tenant
Single tenant
ƒ Drives efficiency, standardization and best practices while retaining greater customization and t
t i ti
d
control
ƒ Might be managed or hosted by third party
Cloud services
i
Cloud computing model
d l
Hybrid:
ƒ Private infrastructure, integrated with public cloud
Public:
ƒ Open access, subject to subscription
ƒ Shared resources
ƒ Multiple tenants
ƒ Delivers select set of Delivers select set of
standardized business process, application or infrastructure services on a flexible price per use
a flexible price‐per‐use basis
ƒ Always managed and hosted by a third party
Standardization, capital preservation, flexibility and time to deploy …
Customization, efficiency, availability, resiliency, security and privacy …
Las bondades de la
computación en nube
Las bondades de la computación en nube
Enterprises are benefitting from cloud computing in tangible and
significant ways.
Results from cloud computing engagements
From:
To:
Test provisioning
Test provisioning
Weeks
Minutes
Change management
Months
Days or hours
Release management
Weeks
Minutes
Administered
Self service
Standardization
Complex
p
Reuse and share
Metering and billing
Fixed cost
Variable cost
Server and storage utilization
tili ti
10 to 20 percentt
70 to 90 percent
p
Years
Months
Increased speed Increased
speed
and flexibility1
Service access
Reduced costs1
Reduced costs
Payback period
1Based on IBM and client‐engagement experience
The View of Cloud Computing
““Cloud” is a
l d”
new consumption and delivery model
dd l
d l inspired by consumer db
Internet services.
Cloud is enabled by:
ƒ Pooling and virtualization of resources
ƒ Automation of service management
ƒ Standardization of workloads
Cloud enables: ƒ Self‐service ƒ Location independence
L ti i d
d
ƒ Flexible payment models
ƒ Economies‐of‐scale
Cloud represents: ƒ The industrialization of delivery for IT supported services
pp
Cloud Services
Software
Hardware
Storage
Networking
Las dificultades
de implementación
Las dificultades de implementación
Control
Many companies and governments Many
companies and governments
are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at
transparency to help put customers at ease.
Compliance
Complying with SOX1, HIPAA2 and other regulations may prohibit the use g
yp
of clouds for some applications. Comprehensive auditing capabilities are essential.
Reliability
Data
Migrating workloads to a shared
Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.
High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.
il bilit
t
Management
Providers must supply easy controls to manage firewall and security settings for applications and runtime environments in the cloud.
One‐size does not fit‐all: Different cloud workloads have unique
risk profiles.
High
Need for security aassurance
Mission‐critical workloads, personal information
Analysis and simulation with public data
Low
Mid‐risk
Business risk
Business risk
ƒ Quality of protection adapted to risk
ƒ Direct visibility and control
ƒ Significant level of assurance
Today’s clouds are primarily here:
ƒ Lower‐risk workloads
ƒ One‐size‐fits‐all approach to data protection
ƒ No significant assurance
ƒ Price is key
Training and testing with non‐sensitive data
Low‐risk
Tomorrow’s high‐value and high‐risk workloads need:
High‐risk
Perspectiva de auditoría y seguridad
I li
Implicaciones
i
y recomendaciones
d i
Preparing to Move to the Cloud
“Cloud
Computing” is complex where to begin: is complex where to begin:
Cloud Computing
Establish a set of objectives that clarify what a successful engagement in the cloud would look like. If externally hosting your cloud ensure that your vendor is reliable
Identify what workloads you are most comfortable Identify
what workloads you are most comfortable
with don’t just dive in.
Determine the appropriate security for your workload, and leverage managed services where
workload, and leverage managed services where possible
Multiple Delivery Models and Security Impacts
Delivery Models provide context into who is responsible for each clouds security Governance
Jurisdiction and regulatory requirements
• Can data be accessed and stored at rest within regulatory constraints?
• Are development test and operational clouds managing data within the required
• Are development, test and operational clouds managing data within the required jurisdictions including backups?
Complying with Export/Import controls
• Applying encryption software to data in the cloud, are these controls permitted in a particular country/jurisdiction?
l
/
• Can you legally operate with the security mechanisms being applied?
Compliance of the infrastructure
•• Are you buying into a cloud architecture/infrastructure/ service which is not Are you buying into a cloud architecture/infrastructure/ service which is not
compliant?
Audit and reporting
• Can you provide the required evidence and reports to show compliance to regulations such as PCI and SOX?
regulations such as PCI and SOX?
• Can you satisfy legal requirements for information when operating in the cloud?
Data
Data location and segregation
• Where does the data reside? How do you know?
h
d
h d
d ?
d
k
?
• What happens when investigations require access to servers and possibly other people’s data?
Data footprints
• How do you ensure that the data is where you need it when you need it, yet not left behind?
• How is it deleted?
• Can the application code be exposed in the cloud?
Backup and recovery
• How can you retrieve data when you need it?
• Can you ensure that the backup is maintained securely, in geographically separated locations?
Administration
• How can you control the increased access administrators have working in a virtualized model?
• Can privileged access be appropriately controlled in cloud environments?
p
g
pp p
y
Architecture
Protection
• How do you protect against attack when you have a standard infrastructure and the same vulnerability exists in many places across that infrastructure?
Hypervisor vulnerabilities
Hypervisor vulnerabilities
• How can you protect the hypervisor (a key component for cloud infrastructures) which interacts and manages multiple environments in the cloud? The hypervisor being a potential target to gain access to more systems, and hosted images.
M lti t
Multi‐tenant environments
t
i
t
• How do you ensure that systems and applications are appropriately and sufficiently isolated and protecting against malicious server to server communication?
Security policies
Security policies
• How do you ensure that security policies are accurately and fully implemented across the cloud architectures you are using and buying into?
Identity Management
y
g
• How do you control passwords and access tokens in the cloud?
• How do you federate identity in the cloud?
• How can you prevent user IDs/passwords being passed and exposed in the cloud unnecessarily increasing risk?
unnecessarily, increasing risk?
“67% of all web application
vulnerabilities had no patch in 2009.”
Source: IBM Security Solutions X‐Force
2009
Source: IBM Security Solutions X
Force 2009 Trend and Risk
Report, published Feb 2010.
Applications
Software Vulnerabilities
• How do you check and manage vulnerabilities in applications?
• How do you secure applications in the cloud that are increasing targets due to the large user y
pp
g g
g
population?
Patch management
• How do you secure applications where patches are not available?
y
pp
p
• How do you ensure images are patched and up to date when deployed in the cloud?
Application devices
• How do you manage the new access devices using their own new application software?
How do you manage the new access devices using their own new application software?
• How do you ensure they are not introducing a new set of vulnerabilities and ways to exploit your data?
Assurance
Operational oversight
•• When logs no longer just cover your own environment do you need to retrieve and analyse
When logs no longer just cover your own environment do you need to retrieve and analyse audit logs from audit logs from
diverse systems potentially containing information with multiple customers?
Audit and assurance
• What level of assurance and how many providers will you need to deal with?
What level of assurance and how many providers will you need to deal with?
• Do you need to have an audit of every cloud service provider?
Investigating an incident
• How much experience does your provider have of audit and investigation in a shared environment?
p
y
p
g
• How much experience do they have of conducting investigations without impacting service or data
confidentiality?
Experience of new cloud providers
• What will the security of data be if the cloud providers are no longer in business?
• Has business continuity been considered for this eventuality?
Mejores Prácticas
Propuesta
p
Metodológica
g
Iniciando
1. Define a cloud strategy with security in mind
gy
y
Identify the different workloads and how they need to interact. Which models are appropriate based on their security and trust requirements and the systems they need to interface to?
2. Identify the security measures needed
Using a framework Security, allows teams to capture the measures that are needed in areas such as governance, architecture, g
,
,
applications and assurance.
3. Enabling security for the cloud.
The upfront set of assurance measures you will want to take. Assessing The
upfront set of assurance measures you will want to take Assessing
that the applications, infrastructure and other elements meet your security requirements, as well as operational security measures.
Propuesta Metodológica
1. Implement and maintain a security program.
2. Build and maintain a secure cloud infrastructure.
3. Ensure confidential data protection.
4. Implement strong access and identity management.
5 Establish application and environment provisioning.
5.
Establish application and environment provisioning
6. Implement a governance and audit management program.
7. Implement a vulnerability and intrusion management program.
8. Maintain environment testing and validation.
Conclusiones y
Reflexiones finales
Conclusiones y reflexiones finales
Cloud computing offers new possibilities and new challenges.
Cl
d
ti
ff
ibiliti
d
h ll
These challenges range from governance, through to securing application and infrastructure. Fundamentally it is important to be able to assure the security of these new models in order to build trust and confidence.
The key to establishing trust in these new models is choosing the right cloud computing model for your organization. Place the right workloads in the right model
with the right security mechanisms.
•For those planning to consume cloud services looking for trust and assurance from the cloud provider; understanding the service level agreements and the approaches to security is key. Assessing that this can be delivered, including what assurances can be provided will be important.
• For those providing or building a cloud infrastructure, using a proven methodology and technologies that can deliver appropriate security is key.
This is not just a technical challenge but a challenge of governance and compliance; applications and infrastructure; and assurance. GRACIAS!!!
Ing. Miguel Angel Aranguren
Ing
Miguel Angel Aranguren Romero
CISA, CISM, CGEIT, CRISC Cobit Foundations Certificate
CISSP, OSCP ITIL v3 Foundations Certificate
marangur@co.ibm.com
Miguel aranguren@gmail com
Miguel.aranguren@gmail.com
Miguel.aranguren@isaca.org.co
Descargar