Cloud Computing Security

Description

The question is not whether cloud computing will become ubiquitous, since the economic forces behind it are inescapable, but how to assess enterprise governance, perform risk assessment, and develop strong internal controls for the implementation and management of ever-growing cloud computing environments.

This program begins by establishing the definition of cloud computing, then describes the service delivery models of a cloud computing architecture and the ways in which clouds can be deployed as public, private, hybrid, and community clouds, followed by a much deeper review of the security and privacy issues related to cloud computing environments.

We will examine cloud computing models, look into the threat model and security issues related to data and computation outsourcing, and explore practical applications of secure cloud computing. Using the confidentiality, integrity, and availability (CIA) model, we will examine the threats and security implications that befall a poorly established or poorly maintained cloud computing environment. Audit approaches and methodologies for assessing internal control exposures within cloud computing environments will also be fully discussed and examined.

Participants will develop a cloud internal control questionnaire (ICQ) as part of the multiple exercises included in this multi-day presentation.

Audience

This presentation is intended for internal and external auditors (IT, financial, operational), Chief Technology Officers, General Counsels, Chief Information Officers, Chief Security Officers, and Controllers; for persons charged with establishing or reviewing strategies that embrace cloud computing and with coordinating the role of organizational IT in substantiating compliance with today's (and tomorrow's) governance regulations; and for professionals who generally want to learn more about cloud computing and how to assess their organization's implementation of cloud computing technologies.

Prerequisites

There are no prerequisites for this seminar.

Objectives

After completing this seminar, participants will be able to:

  • Discuss with confidence what cloud computing is and what the key security and control considerations are within cloud computing environments.
  • Identify various cloud services.
  • Assess cloud characteristics and service attributes for compliance with enterprise objectives.
  • Explain the four primary cloud deployment categories (public, private, hybrid, and community).
  • Evaluate the cloud delivery models (SaaS, PaaS, and IaaS).
  • Contrast the risks and benefits of implementing cloud computing.
  • Specify security threat exposures within a cloud computing infrastructure.
  • Recognize the steps and processes used to perform an audit assessment of a cloud computing environment.
  • Summarize the kinds of environments that would benefit from implementing cloud computing, contrasted against those that might not.
  • Weigh the impact of improperly controlled cloud computing environments on organizational sustainability.

Course Outline

PART 1

  • Cloud Computing Definition
  • What are Cloud Services
  • Cloud Service Attributes
    • Access to the Cloud
    • Cloud Hosting
    • Information Technology Support
    • Provisioning
    • Pricing
    • Underestimated costs
    • User Interface
    • System Interface
    • Shared Resources/Common Versions
  • Characteristics of Cloud Computing
    • Rapid elasticity
    • Pay per use
    • Independent resource pooling
    • Network access
    • On-demand self-service
  • The Five Levels of Redundancy
    • Physical
    • Virtual resource
    • Availability zone
    • Region
    • Cloud
  • Cloud Categories
    • Public Cloud
    • Private Cloud
    • Hybrid Cloud
    • Community Cloud
  • Cloud Delivery Models
    • SaaS
    • PaaS
    • IaaS
  • Cloud Architectural Models
    • Design for Failure (DFF)
    • Traditional
  • Cloud Architecture Summary
    • Customization
    • Service Reliability and Disruptions
    • Integration Challenges
    • Loss of Control
    • Emerging Technology
    • Vendor Choices
    • Infrastructure Limitations
    • Negligence
  • Cloud Scenarios and Considerations
    • Would you want the computer that controls safety local or in the cloud?
    • Someone you know is in a hospital. Do you want their respirator and medical dosage managed in the cloud or locally?
    • Weapons control system
    • Corporate web server
    • Satellite navigation system
    • DNS, firewall rules, Active Directory
    • ERP
    • Workforce management
  • The Evolution of the Cloud
    • Advantages
    • Savings
    • Benefits

PART 2

  • Security in the Cloud
    • Data Security and Control
    • Provider Loss
    • Subpoenaed Data
    • Lack of Provider Security
    • Encryption
    • Regulatory Compliance
      • Directive 95/46/EC
      • HIPAA
      • PCI DSS
      • 21 CFR Part 11
  • Cloud Threats
  • Threat Mitigation
  • Cloud Security
    • Cloud Security vs. Traditional IT
    • Ponemon Study Discussion
    • Cloud Security Attributes
    • Security as a Service from the Cloud
    • Cloud and Security Risks
      • Risk Areas
      • Privileged User Access
      • Data Location and Ownership
      • Data Segregation
      • Data Recovery
      • Investigative Support
      • Long Term Viability
      • Data Confidentiality and Privacy
      • Service Availability
    • Cloud Risk Summary
  • Real World Issues with Cloud Computing
  • Cloud Security Alliance
  • National Institute of Standards and Technology
    • Strategy
    • Security Model
    • Process Maturity Model
    • Core Technologies
  • Information Assurance Framework
    • Cloud Leverage for IA
    • Roadmap
  • Next Steps
    • Expanding to New Markets
    • Small and Medium Enterprises
    • Adjacent Markets
    • New Acquisitions
    • Expansion
  • Cloud Computing and Business Commerce
    • Cloud Movement
    • Financial Services
    • Media
    • Automotive
    • High Tech
    • Google.com
    • Amazon.com
    • Microsoft.com

PART 3

  • Cloud Audit
    • Value
    • Tactics
  • Cloud Management Audit/Assurance Program
    • Internal Audit Role
    • Minimum Audit Skills
    • Planning for a Cloud Audit
    • Support Activities
  • Cloud Business Continuity Planning
    • Retention and E-Discovery
    • Privacy Requirements
    • Portability and Interoperability
    • Cloud Sourcing
  • Cloud Impacts
  • Realities of Cloud Services
  • Defining Cloud Services
  • Cloud Performance Limitations
  • Determining the Cloud Category
    • Your Environment
    • Optimize
    • Consolidate
  • Web Security
    • Addressing Web Threats
    • Web Threats in the Cloud
    • Risks of Web Threats
      • Web Threat Mitigation
    • Web Security Summary
  • Conclusion