ISACA Case Study – Risk Ranking Cloud Computing Usages

Case Study Background Information

| Cloud Application | Deployment Model | Service Model | Owner | Business Usage | Data Classification | Dependencies | Recovery Time Objective |
|---|---|---|---|---|---|---|---|
| Google Apps Email (Free) | Public | PaaS | Business Unit – Alumni Relations | Marketing to Alumni | Unclassified (Informational e-mail) | 0 | 31 days |
| Salesforce.com CRM | Public | SaaS | Business Unit – Corporate Travel | Production Customer Relationship Management | Restricted (Tax IDs, Banking Details, Fees and Rates) | 7 | 4 hours |
| Amazon Web Services EC2 | Private (VPC) | IaaS | Development Team – Card Authorizations | Development and Testing | Restricted (Copies of Production Authorization Requests) | 0 | None |

Solution - Risk Model Scoring

| Cloud Application | Deployment Model | Service Model | Data Classification | Dependencies | Recovery Time Objective | Total Risk Score |
|---|---|---|---|---|---|---|
| Google Apps Email (Free) | 5 | 3 | 1 | 1 | 1 | 11 |
| Salesforce.com CRM | 5 | 1 | 3 | 3 | 5 | 18 |
| Amazon Web Services EC2 | 1 | 5 | 3 | 1 | 1 | 11 |

Google Apps Free Comments:

- Information alumni e-mail seems to be an appropriate use of public cloud computing, but keep in mind there are no service level or security guarantees
- Very easy to get e-mail services, web sites, calendaring, and chat services going. Requires only DNS registration
- Not many configurable options – limited to adding users, creating/managing groups, and granting access
- Upgrade to paid version needed for security features and service level expectations of a business - it’s probably fine for a small business owner

Salesforce.com CRM Comments:

- Application security settings require configuration (refer SFDC Best Practices document for more information), including:
  o Password complexity
  o Password expiration
  o Password length
  o Password history
  o Failed login attempts
  o Lockout period for failed password attempts
  o Inactivity Logoffs
  o Single Sign On
  o Mandatory HTTPS
  o IP address range restrictions – can be used to force access from corporate network through VPN
  o Security certificates
  o Security Hardware Tokens
- Fairly easy to understand and configure, but will probably require some changes to defaults to comply with enterprise standards
- More complex settings, like IP address restrictions and Single Sign On, definitely require involvement of your enterprise’s infrastructure SMEs
- Securing PII can be challenging – encrypted fields are available, but introduces use of digital certifications and complexity
- No apparent method to attach encrypted files to records or to encrypt the entire instance
- Must ensure effective use of user profiles for:
  o Limited Administrative Access
  o Segregation of Duties
  o Change Management (customization of screens, reports, and access)
- Seems to be marketed as a Lotus Notes replacement (complete with migration tools) – be alert for legacy Notes Databases being reinvented as Salesforce.com instances

Amazon Web Services EC2 Comments:

- Overall – this can be fairly complex to deploy in a secure and highly available manner and probably requires security and infrastructure architects, much like an internal infrastructure deployment
- Marketed to development teams – “no worries about infrastructure” – this could be a very efficient and appropriate use of cloud computing
- Secure use of EC2 requires the following to be configured (How many application developers have you ever known to be concerned about these?):
  o Network segments
  o Virtual Private Cloud (VPC)
  o Virtual Private Network (VPN) to Amazon
- Encrypted file system must be deployed for storage if privacy is required by your organization
- Must avoid “shared” Amazon Machine Images (AMIs) - there are no security guarantees and they run a high risk of malicious and/or insecure configuration
- Must import VMWare image to ensure use of corporate image approved by your security organization – however it is only available for Windows 2008 server
- Must have process for patching virtual servers or images or a process for rapid and effective redeployment of new server images (and associated applications)
  o Replacing images, instead of patching, may be a big paradigm shift for many organizations
- Must deploy to multiple geographic regions to avoid single points of geographic failure at Amazon
- Must have diverse network connectivity at your organization to avoid single points of failure at your organization
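
The EC2 points above (VPC placement, approved rather than shared AMIs, encrypted storage, more than one region) can be checked mechanically against an instance inventory. The following is an added example, not part of the case study: the key names are modelled on EC2 describe-call output, while the flattened record shape, the Region field, the account ID and all resource IDs are constructed, and it assumes volume-level encryption stands in for the encrypted file system requirement.

```python
# Added example: audit a constructed EC2 inventory against the checklist above.
CORPORATE_ACCOUNT = "111122223333"  # assumed: account that owns approved images

INVENTORY = [  # constructed sample, one flattened record per instance
    {"InstanceId": "i-0aaa", "Region": "us-east-1", "VpcId": "vpc-01",
     "Image": {"ImageId": "ami-corp1", "OwnerId": "111122223333", "Public": False},
     "Volumes": [{"VolumeId": "vol-1", "Encrypted": True}]},
    {"InstanceId": "i-0bbb", "Region": "us-east-1", "VpcId": None,
     "Image": {"ImageId": "ami-shared", "OwnerId": "999988887777", "Public": True},
     "Volumes": [{"VolumeId": "vol-2", "Encrypted": False}]},
]


def audit_instance(inst, corporate_account=CORPORATE_ACCOUNT):
    """Return the checklist findings for one instance record."""
    findings = []
    if not inst.get("VpcId"):
        findings.append("not deployed in a VPC")
    image = inst.get("Image", {})
    # A public image, or one owned by another account, is not the approved corporate image.
    if image.get("Public") or image.get("OwnerId") != corporate_account:
        findings.append(f"image {image.get('ImageId')} is shared or not corporate-owned")
    for vol in inst.get("Volumes", []):
        if not vol.get("Encrypted"):
            findings.append(f"volume {vol['VolumeId']} is not encrypted")
    return findings


def audit_inventory(inventory, corporate_account=CORPORATE_ACCOUNT):
    """Map instance ID to findings, plus a fleet-level single-region check."""
    report = {}
    for inst in inventory:
        findings = audit_instance(inst, corporate_account)
        if findings:
            report[inst["InstanceId"]] = findings
    regions = {inst["Region"] for inst in inventory}
    if inventory and len(regions) < 2:
        report["fleet"] = [f"all instances in one region: {sorted(regions)}"]
    return report


if __name__ == "__main__":
    for target, findings in audit_inventory(INVENTORY).items():
        for finding in findings:
            print(f"{target}: {finding}")
```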