First, a general comment: the ISACA SV chapter is the best chapter in the WORLD. There, I said it. Consider me four out of five dentists, and just agree. It was my great privilege to share training and dialogue surrounding the risks of Virtualization and how auditors must apply new models to prevent the bad outcomes those risks imply. So, without a breach of confidentiality, let me say Thank You to Susan, Tony, Lawrence, Jim, Jon, Ralph, Jennifer, Usha, Rishi, Pat, Mike, Arasu, Jay, Kathleen, Colin, Peter, Ray, Arun, John, Arvind, and likely a few who did not put a name on their cards, for the following list of great points from our discussion.
When members of the ISACA Silicon Valley monthly meeting were asked to write down concepts from the Cloud and Virtualization discussion that represent distinct “red flags” or points of risk in their audit review, the attendees of the January 19th event raised concerns about:
- Data leakage (5 comments)
- Complex network topology is hard to represent on a per-customer basis
- BCP, as affected by new services
- Usage-based costs, where use might be unpredictable
- Ownership of data, where the path of information might not be understood
- Provider usage of customer data, especially with providers who state by contract that they are not accountable for your privacy or for the geographic location of your data
- Single-factor authentication
- Need for monitoring tools in Workplace Virtualization, Storage Virtualization, and Network Virtualization, but existing resources may not know such tools exist
- Single Point of Failure (SPoF) devices, where Virtual Appliances carry the shared risk of many users
- Data portability (as in easy to move, easy to take) (3 comments)
- Cloud provider is subpoenaed / court ordered to turn over data and does so without informing you
- Cloud provider’s dependency on external third party providers is not transparent or not understood
- Data governance – lack of process or maturity around it
- Multi-tenancy is not resolved – lack of an inventory to show where placement of a customer package creates “concentration risk” or “placement risk”
- ITAR and classified information is problematic
- Data center “known operations” vs. cloud “unknown” operations
- Lack of standardization in operations prior to creating a template VM; what’s meant to be recoverable might be a one-off
- Use-based licensing and chargeback, where duplicate data, such as Virtual Machine copying, could create duplicate licenses (compliance issue)
- Auditing cloud services (need for everyone to leverage recent guidance from ISACA)
- Capacity to assess the risk of cascading failures, where providers are not inclined to share their detailed internal BCP design
- Information transmitted from satellite
- ERM modules not including cloud controls
- Capacity to correctly segregate manufacturing systems from areas under cloud controls
- A plan to monitor your data as you adopt SaaS, IaaS and PaaS
- How to centralize and monitor reporting
- Who in the organization should be responsible (RACI) for data confidentiality in cloud services, and how
- Extending corporate compliance requirements to the vendor contract management process
- Inability to get customer reports beyond what the Cloud Service will supply
- Reliability in case of a service provider outage, and the business continuity plan
- Connectivity and Access to critical information during a provider outage
- Segregation of duties in companies that are selling and serving PaaS and SaaS on their IaaS infrastructure.
- Scenarios of destruction where an attack targets a single customer but takes out everyone on the same block, in the same state, or even the same country (5 days down in Sweden)
- Trend to respond to efficiency by using more; for example, shooting 4 rolls of film on a trip, as opposed to 300 shots using a digital camera
- Ability to get a provider to supply SOC I feedback in a timely manner
- Knowing who performs network administration for remote users, and what and who is connecting to SaaS such as Salesforce.com, Box.net
Add your voice to the RiskWatch. Tweet with us. What do you think about the list from our dialogue?
Two camps debate the safety of Cloud Computing, but chances are neither camp was sufficiently consulted before their companies invested substantially in virtualization infrastructure or moved any number of key business functions into the Cloud. The reality is that both auditors and the business have to collaborate in refining existing risk scenarios, addressing new areas of configuration management, and modifying change policies to prevent the common pitfalls known to the adoption of any new technology (i.e., loss of availability, integrity, and reputation). While Cloud and Virtualization offer unprecedented, essential business value (such as avoiding downtime, improving availability, reducing the cost of operations and speeding product to market), companies that rush to leverage cost savings are also likely to experience our next biggest losses of all time.
Your company, however, doesn't have to own that headline.
The Controlling Risk in Virtualized Environments session discusses practical education and Information Technology approaches, providing strategies for effective risk management in Virtualization and Cloud adoption. The topic will cover key cloud concepts and terminology, cloud and virtualization project components, and their implications for Information Technology Service Management (ITSM), as well as security and legal aspects of governance.
Leveraging guidelines proposed in the CompTIA Cloud and Virtualization Essentials curriculum, this hour will also outline steps organizations should take to increase their success rate in implementing cloud computing, improve in-house cloud competencies, and decrease dependence on external consultants and services.
Discussion points include:
- Service Management – (ITIL):
  - Cloud computing as a set of technologies and an approach to IT service delivery.
- Governance – (COBIT):
  - Detailing ways that risks should be mitigated such that investments generate value.
- Information Security – (ISO/IEC 27001):
  - "Risk Management or Governance" through specific "Policy" where information security ensures that information in the cloud is safe and secure.
About Robin Basham, M.ED, M.IT, CISSP, CISA, CGEIT, CRISC, ACC, CRP and VEP, Managing Partner, EnterpriseGRC Solutions Inc., creator of Facilitated Compliance Management Software, and founder of Phoenix Business and Systems Process, Inc. A recent ITPreneurs partner, Robin now leads Cloud and Virtualization training in San Francisco and the Bay Area. As EnterpriseGRC Solutions lead architect, Robin brings team experience leveraging platforms such as Oracle, Archer, SAP, web applications like Joomla, Visual Studio, Access, and SharePoint. As an Archer Certified Consultant and SharePoint architect, she's known for successful GRC implementations, supplying overall design, development, and training to companies ranging from start-ups to the Fortune 500. Over the last decade, Robin has architected more than 70 GRC programs, delivering end-to-end solutions with full knowledge transfer to program owners and users. Corporate leadership includes acting as a technical liaison for ISACA in the development of the OCEG Redbook V1 and TC Co-Chair for OMG's Open Regulatory Compliance Architecture (ORCA) project, working with co-chairs EMC's Chief Governance Officer, Dr. Marlin Pohlman, and world expert Dr. Said Tabet. Robin's companies remain active in emerging standards, with participation in recent releases from ISACA® for both Oracle R12 and SAP ECC 6.0 controls. Ms. Basham is also a director of the Association of Certified Green Technology Auditors (ACGTA), a frequent committee contributor to the ISACA Silicon Valley Chapter and liaison to the itSMF SV chapter, as well as a participant in the Cloud Security Alliance. EnterpriseGRC Solutions was recently added to the Cloud Credential Council and is an active sponsor of the Information Systems Audit and Control Association (ISACA), listed as a corporate sponsor and many-time COBIT trainer for the ITGI.