How Credit Unions Are Taking Advantage of the Cloud

Similar documents
Cloud Computing Definitions and Audits

Privacy hacking & Data Theft

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Cloud Computing, SaaS and Outsourcing

Moving to computing are auditors ready for the security challenges? Albert Otete CPA CISA ISACA Uganda Workshop

Clouds in the Forecast. Factors to Consider for In-House vs. Cloud-Based Systems and Services

Copyright 2011 EMC Corporation. All rights reserved.

Auditing the Cloud. Paul Engle CISA, CIA

Data Security, Integrity and Accessibility in the Cloud

Introduction to Cloud Computing. [thoughtsoncloud.com] 1

SOARING THROUGH THE CLOUDS IT S A BREEZE

Cloud First Policy General Directorate of Governance and Operations Version April 2017

The Challenge of Cloud Security

Cloud Computing: The Next Wave. Matt Jonson Connected Architectures Lead Cisco Systems US and Canada Partner Organization

Security Models for Cloud

CLOUD COMPUTING. The Old Ways Are New Again. Jeff Rowland, Vice President, USAA IT/Security Audit Services. Public Information

CLOUD COMPUTING. Lecture 4: Introductory lecture for cloud computing. By: Latifa ALrashed. Networks and Communication Department

OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE HEALTH AFFAIRS SKYLINE FIVE, SUITE 810, 5111 LEESBURG PIKE FALLS CHURCH, VIRGINIA

Building a Secure and Compliant Cloud Infrastructure. Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc.

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

ISACA Cincinnati Chapter March Meeting

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC

Why the cloud matters?

Public vs private cloud for regulated entities

The Emerging Role of a CDN in Facilitating Secure Cloud Deployments

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

ALI-ABA Topical Courses ESI Retention vs. Preservation, Privacy and the Cloud May 2, 2012 Video Webcast

SOC Lessons Learned and Reporting Changes

Leveraging the Cloud for Law Enforcement. Richard A. Falkenrath, PhD Principal, The Chertoff Group

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Introduction to Cloud Computing

Large Scale Computing Infrastructures

Risks and Trends in IT (Security and Compliance)

Cloud Computing Overview. The Business and Technology Impact. October 2013

SEEM3450 Engineering Innovation and Entrepreneurship

Data Security: Public Contracts and the Cloud

Version 1/2018. GDPR Processor Security Controls

Securing the Cloud Today: How do we get there?

2013 CliftonLarsonAllen LLP Not All IT Audits Are the Same How to Choose One That Is Right For You CliftonLarsonAllen LLP. CLAconnect.

Microsoft Azure Course Content

DuncanPowell RESTRUCTURING TURNAROUND FORENSIC

THE DATA CENTER AS A COMPUTER

Fraud and Social Engineering in Community Banks

locuz.com SOC Services

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

SOC 3 for Security and Availability

CSA GUIDANCE VERSION 4 S TAT E O F T H E A R T CLOUD SECURITY AND GDPR NOTES. Hing-Yan Lee (Dr.) EVP, APAC, Cloud Security Alliance

ISACA Phoenix Chapter Meeting

Managing SaaS risks for cloud customers

Cloud-Security: Show-Stopper or Enabling Technology?

Mitigating Risks with Cloud Computing Dan Reis

Cloud Computing and Service-Oriented Architectures

Implementing Microsoft Azure Infrastructure Solutions

COMPLIANCE IN THE CLOUD

ASD CERTIFICATION REPORT

Business Technology Briefing: Fear of Flying, And How You Can Overcome It

10 Cloud Myths Demystified

Cloud Customer Architecture for Securing Workloads on Cloud Services

IT Attestation in the Cloud Era

INFS 214: Introduction to Computing

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions

CLOUD COMPUTING READINESS CHECKLIST

Chapter 4. Fundamental Concepts and Models

Distributed Systems. 31. The Cloud: Infrastructure as a Service Paul Krzyzanowski. Rutgers University. Fall 2013

COMPTIA CLO-001 EXAM QUESTIONS & ANSWERS

Ethical Hackers Perspective Things that Make a Hacker's Job Easy

Community Clouds And why you should care about them

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Cloud Security. Copyright Ramesh Nagappan. All rights reserved.

PCI DSS Compliance. White Paper Parallels Remote Application Server

Building Trust in the Era of Cloud Computing

Cloud Computing and Service-Oriented Architectures

Securing Data in the Cloud: Point of View

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

10 Considerations for a Cloud Procurement. March 2017

Best Practices in Securing a Multicloud World

Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

Module Day Topic. 1 Definition of Cloud Computing and its Basics

Credit Union Service Organization Compliance

Is Your Compliance Strategy Putting Your Business at Risk?

Cloud Computing introduction

1/10/2011. Topics. What is the Cloud? Cloud Computing

Agenda. Security essentials. Year in review. College/university challenges. Recommendations. Agenda RSM US LLP. All Rights Reserved.

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

CHEM-E Process Automation and Information Systems: Applications

Virtustream Cloud and Managed Services Solutions for US State & Local Governments and Education

Information Technology General Control Review

Cloud Computing: Is it safe for you and your customers? Alex Hernandez DefenseStorm

Microsoft Security Management

PCI DSS Compliance and the Cloud

Cloud Computing and Its Impact on Software Licensing

Course Overview This five-day course will provide participants with the key knowledge required to deploy and configure Microsoft Azure Stack.

Introduction to Cloud Computing

CLOUD COMPUTING WHAT HEALTH CARE INTERNAL AUDITORS NEED TO KNOW GABRIELA MERINO DIRECTOR BUSINESS ADVISORY SERVICES

SOC for cybersecurity

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

The SOC 2 Compliance Handbook:

Journey to the Cloud. Jeff Hoehing, Principal Consultant

Transcription:

2013 CliftonLarsonAllen LLP How Credit Unions Are Taking Advantage of the Cloud CUNA Technology Council Conference September 2013 CLAconnect.com Randy Romes, CISSP, CRISC, MCP, PCI-QSA Principal, Information Security and Financial Institutions CliftonLarsonAllen

Our perspective CliftonLarsonAllen Started in 1953 with a goal of total client service Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S. Largest Credit Union Service Practice* *Callahan and Associates 2012 Guide to Credit Union CPA Auditors. CliftonLarsonAllen s credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. www.larsonallen.com news release 2

Overview What is the cloud Terms and Definitions Standards, Service and Deployment Models Benefits Risks Things to think about Resources and References 3

Definition of a Secure System A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford People Rules Confidentiality Integrity Availability ` Tools 4

What is the Cloud? Is it a clever marketing term? Where is the cloud? 5

The Original Cloud Computing Model? Mainframes 6

Cloud Version 2.0? Thin Clients (Citrix, RDP, etc ) 7

Today's Forecast: Cloudy or Clear? Hosted service or process all the way to hosted infrastructure. 8

Cloud Standards National Institute of Standards and Technology (NIST) definition of cloud computing published October 7, 2009: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 9

Three Cloud Computing Service Models Software as a Service (SaaS) Capability to use the provider s applications that run on the cloud infrastructure. Platform as a Service (PaaS) Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider Infrastructure as a Service (IaaS) Capability to provision processing, storage, networks and other fundamental computing resources that offer the customer the ability to deploy and run arbitrary software, which can include operating systems and applications 10

Cloud Computing Service Models Cloud Computing is about Multi-Tenancy Multi-Tenancy implies the use of the same resources or application by multiple businesses/user communities/consumers that may belong to the same organization or different organizations. 11

Cloud Computing Service Models The KEY takeaway for cloud architecture is that: The lower down the stack the cloud service provider stops -- The more capabilities and management the users are responsible for implementing and managing themselves 12

What does that mean? Cloud computing means an increased need for: Good polices Clear communication between the provider and the consumer of the services Ownership and governance of the relationship with the provider 13

Cloud Computing Deployment Models Private cloud: Operated solely for an organization May be managed by the organization or a third party May exist on or off premise Community cloud: Shared by several organizations Supports a specific community that has a shared mission or interest May be managed by the organizations or a third party May reside on or off premise 14

Cloud Computing Deployment Models cont. Public cloud: Made available to the general public or a large industry group Owned by an organization that sells cloud services Hybrid cloud: Composed of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds) 15

Benefits Cost Administration DR/BCP Compliance 16

Risks Vendor Risks Governance Risks Data Risks Who has your data? Where is your data? Who has access to your data? 17

What Credit Unions Are Doing Mobile Banking Example Also need controls on the dedicated link This is essentially a web server for the mobile devices to connect to. Pros Cons Lessons Learned? 18

What Credit Unions Are Doing Enterprise Applications Key/Core Vendor Supplied Vendor supplied application system within organization for check imaging and processing VPN connection between FI and vendor Data (images) sent to datacenter Processing done at vendors data center 3 Primary categories of issues Architecture Authentication Weak/default vendor configurations 19

What Credit Unions Are Doing Enterprise Applications Key/Core Vendor Supplied Architecture - Wide open site-to-site VPN connection to the vendors datacenter No restrictions or filtering of traffic Default passwords and anonymous FTP Missing Microsoft updates (some more than 4 years old) Visibility through data center to other FIs 20

What Credit Unions Are Doing Enterprise Applications Online Accounting/Management System Example of attack into financial management software In the cloud application for staff Defaults? Logging? Lessons Learned 21

What Credit Unions Are Doing Online (Secure) Backups Backup Appliance Highly efficient/automated Local copies and in-the cloud Ability to restore w/in cloud (DRP/BCP bonus) Vendor managed Remote access 22

What Credit Unions Are Doing Online (Secure) Backups Recent conference Company X offers online, secure back up to the cloud Company X has grown over 300% in the last year Best of all, Company X now provides online, secure, cloud based back up for Company Y one of the larger Core hosting company providers Where does the outsourcing chain end? How many FI s using Company Y know where their data is 23

What Credit Unions Are Doing Enterprise Communication - Email Recent client experience 18 months ago we outsourced our email to a cloud based email solution with Company A 6 months ago Company A was purchased by Company B 2 months ago Company B was purchased by Company C I don t know where my data is I don t know who has access to my data I don t know where my data is backed up at any more I don t know 24

What Credit Unions Are Doing Bring Your Own Device (BYOD) Data classification Standards Hardware and Software Process and Storage Acceptable Use Controls to support the above Preventative controls Administrative controls Monitoring controls 25

Examples in the news Cloud Computing Service Outages in 2011 http://newtech.about.com/od/cloudcomputing/tp/cloud- Computing-Major-Service-Outages-In-2011.htm Playstation Network 4/21/11 25 days Amazon Web Services 4/21/11 4 days Twitter 2/25, 3/16, 3/25, 3/27 periodically Gmail and Google Apps 2/27/11 2 days Intuit Service &Quickbooks 3/28/11 2-5 days 26

Examples in the news Google: cloud service outage Microsoft Windows Azure Cloud Suffers Outage; Blame Leap Year... Feb 29, 2012 Microsoft Windows Azure, the software company's cloud computing service, has been suffering through a lengthy outage today, preventing... Amazon gets 'black eye' from cloud outage Computerworld Apr 21, 2011 Keith Shaw chats with Network World's Jon Brodkin about the Amazon EC2 cloud service outage that... 27

Cloud Computing Controls The overall control domain is the same as an inhouse IT environment, the challenge is to figure out who is doing what. Controls in the cloud computing environment may be provided by the consumer/company, the cloud service provider, or a separate 3 rd party. SSAE 16 SOC2 or SOC3 report from service providers Stick with someone familiar with FI s 28

Evaluate the Control Environment 29

Risk Assessment: What to Consider Due Diligence Review service providers SSAE16 SOC report which provided a third party opinion on the suitability of the design and operating effectiveness of the controls. Vendor Management CU has clear contractual relationship with the service provider which defines the responsibilities for both he vendor and CU. Internal management of the service provider is assigned and managed within the IT area to monitor services and compliance. 30

Risk Assessment: What to Consider Audit CU has defined internal controls for the IT area and has actively reviewed the impact of cloud computing against the defined controls, updating or creating new controls as needed. Information Security The cloud services SSAE16 SOC report defines the information security practices provided to CU. CU has documented the internal processes what data can be held in cloud environments, handling, backup, monitoring, and other data centric controls for this environment. 31

Risk Assessment: What to Consider Legal, Regulatory, and Reputation Considerations CU has clearly defined what information and services are provided within the cloud services environment. Contracts are in place which define the service providers obligations. Business Continuity Planning Reviewed the service providers SSAE16 SOC report which describes the cloud service providers BCP/DRP planning and operational backup, and incident response control environment. 32

Things to do Risk Assessment (process NOT point in time ) Cost benefit analysis Vendor due diligence Scrutinize contracts Ongoing vendor management Be rigorous about where your data is Understand vendors responsibility and YOURS Remember basic security tenants 33

Definition of a Secure System A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford Confidentiality Integrity Availability People ` Rules Tools 34

Questions? 35

2013 CliftonLarsonAllen LLP Thank you! Randy Romes, CISSP, CRISC, MCP, PCI-QSA Principal Information Security Services & Financial Institutions Randy.romes@cliftonlarsonallen.com 888.529.2648 CLAconnect.com twitter.com/ CLAconnect facebook.com/ cliftonlarsonallen linkedin.com/company/ cliftonlarsonallen 36

References & Resources http://en.wikipedia.org/wiki/cloud_computing Google: Managing the risks as you outsource to the Cloud Amazon Web Services: http://aws.amazon.com/security Cloud Security Alliance: Top Threats to Cloud Security: https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf www.isaca.org Good source of audit and assurance templates FFIEC: http://ithandbook.ffiec.gov/media/153119/06-28-12_- _external_cloud_computing_-_public_statement.pdf 37

Cloud Audit and Compliance References NIST csrc.nist.gov/publications/pubssps.html NIST Special Publication 800-144 Guidelines on Security and Privacy in Public Cloud Computing NIST Special Publication 800-145 The NIST Definition of Cloud Computing NIST Special Publication 800-146 Cloud Computing Synopsis and Recommendations NIST Special Publications 800-53 Recommended Security Controls for Federal Information Systems and Organizations 38

Cloud Audit and Compliance References Cloud Computing Security Alliance cloudsecurityalliance.org Security Guidance Cloud Controls Matrix Top Threats to Cloud Computing Report ISACA www.isaca.org Cloud Computing Management Audit/Assurance Program 39

Risk Assessment Outline: A Quick Approach How does Confidentiality, Integrity, Availability change if all or part of an asset is handled in the cloud. Identify the Asset in the cloud Data Applications/Functions/Processes Evaluate the Asset: How would the business be harmed or impacted if The data became widely public and distributed The provider accessed the data The data or function was manipulated by an outsider The function failed to provide expected results The data was unexpectedly changed The data or function were unavailable 40

Risk Assessment Outline: A Quick Approach Determine the Cloud Deployment Model Public Private, Internal / External Community Hybrid 41

Risk Assessment Outline: A Quick Approach Map out the Data Flow Public Private, Internal Private, External Community Hybrid 42

Risk Assessment Outline: A Quick Approach Legal issues Where is the data? Is it here? Another State? Another Country? ediscovery: How do you identify all documents that pertain to a case? Possession, Custody and Control: How do you control and make available data that is not in your own systems yet is your data? 43

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback