General Computing Controls don't account for Cloud & Virtualized Environments. How bad could it be?

ISACA SV - The Next Great Outage

Notes from Attendees Workshop,

servers under water

First, a general comment: ISACA SV chapter is the best chapter in the WORLD.  There, I said it.  Consider me four out of five dentists, and just agree. It was my great privilege to share training and dialogue surrounding the risks of Virtualization and how auditors must apply new models to prevent those bad outcomes.  So without a breach of confidentiality, let me say Thank You to Susan, Tony, Lawrence, Jim, Jon, Ralph, Jennifer, Usha, Rishi, Pat, Mike, Arasu, Jay, Kathleen, Colin, Peter, Ray, Arun, John, Arvind, and likely a few who did not put a name on their cards, for the following list of great points in our discussion.

Red Flags:

When members of the ISACA Silicon Valley monthly meeting were asked to write down concepts from Cloud and Virtualization discussion that represent distinct “red flags” or points of risk in their audit review, the attendees of the January 19th event felt concerns about:

  • Data leakage (5 comments)
  • Complex Network Topology is hard to represent on a per customer basis
  • BCP, as affected by new services
  • Usage-based costs, where use might be unpredictable
  • Ownership of data, where the path of information might not be understood
  • Provider usage of customer data, especially in providers who state by contract that they are not accountable to your privacy or the geographic location of your data
  • Single factor authentication
  • Need for monitoring tools in Workplace Virtualization, Storage Virtualization, and Network Virtualization, but existing resources may not know they exist
  • Single Point of Failure SPoF devices, where Virtual Appliances carry shared risk of many users
  • Data portability (as in easy to move, easy to take) (3 comments)
  • Cloud provider is subpoenaed / court ordered to turn over data and does so without informing you
  • Cloud provider’s dependency on external third party providers is not transparent or not understood
  • Data governance – lack of process or maturity around
  • Multi-tenancy is not resolved – lack of inventory to show where placement of customer package creates “concentration risk” or “placement risk”
  • ITAR and classified information is problematic
  • Data center “known operations” vs. cloud “unknown” operations
  • Lack of standardization in operations prior to creating template VM, what’s meant to be recoverable might be a one off
  • Use-based licensing and charge back where duplicate data, such as Virtual Machine Copying could create duplicate license (compliance issue)
  • Auditing cloud service – (need for everyone to leverage recent guidance from ISACA
  • Capacity to assess the risk of cascading failures, where providers are not inclined to share their detail internal BCP design
  • Information transmitted from satellite
  • ERM modules not including cloud controls
  • Capacity to correctly segregate manufacturing systems from areas under cloud controls
  • A plan to monitor your data as you adopt SaaS, IaaS and Paas
  • How to centralize and monitor reporting
  • Who and How should organizations be responsible (RACI) for data confidentiality in cloud services
  • Extending corporate compliance requirements to the vendor contract management process
  • Inability to get customer reports beyond what the Cloud Service will supply
  • Reliability – in case of service provider outage, and business continuity plan
  • Connectivity and Access to critical information during a provider outage
  • Segregation of duties in companies that are selling and serving PaaS and SaaS on their IaaS infrastructure.
  • Scenarios of destruction where attack targets a single customer, but takes out everyone on the same block, in the same state, or even the same country (5 days down in Sweden)
  • Trend to respond to efficiency by using more, example shooting 4 rolls of film on a trip, as opposed to 300 shots using a digital camera
  • Ability to get a provider to supply SOC I feedback in a timely manner
  • Knowing who performs  network administration for remote users, and what and who is connecting to SaaS such as Salesforce.com, Box.net

Add your voice to the RiskWatch.  Tweet with us.  What do you think about the list from our dialogue?

More about the January 19th event:  Speaker, Robin Basham, M.Ed, M.IT, CISSP, ITSM, CISA, CGEIT, CRISC, ACC, CRP and VRP, Managing Partner, EnterpriseGRC Solutions Inc.
Main Menu