Paper presentation on Business Assurance in 21 st Century

Submitted by LAXMI NARASIMHA BODDU MBA 2 nd Year, Department of Management Studies, Indian Institute of Technology Roorkee

Business Assurance in 21st Century

Page 1

INDEX
1. Introduction.........3

2. Cloud computing in developing countries [1].4 3. Challenges with clouds..4 4. Challenges of Integration of Business [5].......5 5. Global Representative [5]..6 6. Major Threats of Cloud computing [6]...7 6.1 Abuse and Nefarious use of cloud computing..7 6.2 Insecure Interface and APIs........8 6.3 Shared Technology Issues.....8 6.4 Data Loss or Leakage.... 8 6.5 Unknown Risk Profile....9 7. Indian Context....9 7.1 7.1 ADHAR Project threats.9 8. Key Stakeholders in creating safe cloud [5]..... 10 9. Future of Cloud computing..10 10. A Modular approach.....11

References...13

Business Assurance in 21st Century

Page 2

1. Introduction
Information age demands adaption Rapid development and improvement of Information Technology changed business environment. Several years into the future when we can look back on the decade from the vantage point of the 21st century, speed may be the one word that stands above other possible descriptors for the 1990s. Speed, as in the rate at which new ideas are transmitted to every corner of the globe. Speed, as in the rapidity with which market niches are created and abandoned. Speed, as in the ever shortening product to market cycles. Speed, as in the roll-out of new business ventures. And speed, as in the accelerating rate of technological change. Speed is also the one word which best describes the key business drivers, influencing the management of information systems. Speed in business demands flexibility in management and technology to respond to rapidly changing market conditions Speed, Flexibility, Responsiveness. We heard these words over and over from senior information systems executives. Speed of the organization growth is driven by the core competency delivery. Today we have unbundling, disintermediation and focus on core competences, which mean that organizations no longer conduct all the activities to deliver goods and services they now rely on a complex web of multiple external partners not just for inputs but for logistics, service and support activities. Organizations in developing countries need to concentrate more on core competencies, when initial investments in business is low, more specialized skilled organizations will take birth, and business integration is driving force for better growth. Cloud computing is the evolving concept which is aiding these new born organizations and Integration of the business is leading the business in to better rate of growth in business. Focusing on the threats and advantages of the present business environment is the main objective of the paper.

Business Assurance in 21st Century

Page 3

2. Cloud computing in developing countries [1]

Thanks to ongoing advances in IT infrastructure and far more sophisticated applications, individuals and organizations around the world have the ability to connect to data and computing resources anywhere and anytime. Cloud computing offers an opportunity to create entirely new type of business and business models that couldnt have been imagined or werent possible only few years ago. In addition, they open up new markets including vast number of mobile phones users that previously werent reachable. The New York Times recently reported that Wilfred Mworia, a 22 years old developer in Nairobi, Kenya, built an iPhone app using only an online iPhone simulator (iPhone service isnt available in Kenya), which he can sell all over the world [2] This is how the cloud computing can help for the birth of new business models. In the light of envision of such businesses cloud computing service offering is becoming lucrative business in this developing countries. In India, cloud computing is projected to grow from a $50 million industry in 2009 to a $15billion industry by 2013. One major concern for the small organizations is charges of Cloud and agreements of service level agreement(SLA).

3. Challenges with clouds

First generation cloud offerings, requires the end customer to understand the trade-offs that the service provider has made in order to offer computing to them at such lower prices. Cloud computing service providers typically define an SLA as some guarantee of how much of the time the server, the platform or the application will be available. For example, a well known cloud provider guarantees an availability level of 99.999% uptime, or 5 minutes a year, with a 10% discount on charges for any month in which it is not achieved. However their infrastructure in not designed to reach five nines of uptime they are effectively offering a 10% discount on their services in exchange for the benefit of claiming that level of reliability. If customer really needs five-nines of uptime, a 10% discount is not going to even come close to the cost of lost revenue, breach of end user service level, or loss of market share due to credibility issue. One more hazards of shared infrastructure is that one customer usage pattern may affect other customer
Business Assurance in 21st Century Page 4

performance, addressing this problem is an expense that vendor must balance against the selling price. Dave Durkee founder and technical director of ENKI says From what we have seen in the last four years of providing IaaS and PaaS, most customers do not have a strong understanding of how much downtime their business can tolerate or what the cost are for such downtime[3]

Mark D. Ryan professor in Computing Security and EPSRC Leadership Fellow in the School of Computer Science at the University of Birmingham, U.K. expresses other side of the coin i.e. Privacy concerns of Cloud computing in his view point and this is one of the major concerns at present. The problem of Data privacy is general is of course well known, but cloud computing magnifies it.[4] Cloud computing means entrusting data to information systems that are managed by external parties on remote servers in the cloud. Cloud computing raises privacy and confidentiality concerns because the service provider necessarily has access to all the data, and could accidentally or deliberately disclose it or use it for unauthorized purposes. The mere existence of the data makes the system administrator vulnerable to bribery, coercion, and/or cracking attempts. For example administrator is a researcher and a research conference papers are kept on cloud, the data potentially puts them in conflicts.

4. Challenges of Integration of Business [5]

Modern organizations sit in a complex web of customers and external suppliers that can span the globe. From an information perspective, the standards that organizations can adopt to protect their information are constantly evolving to satisfy changing business models, regulatory and other requirements. One of the challenges facing organizations are the multitude of assurance frameworks, which in many cases result in duplication and ultimately inefficiencies, but also may leave gaps resulting in greater risk to organizations. Since technology plays a key role in this dynamic business environment characterized by high numbers of short-term relationships, the increasing reliance on third parties to handle ones
Business Assurance in 21st Century Page 5

information, if not effectively managed, can represent a significant risk to organizations. This ultimately means that organizations are forced to gain assurance from more third parties while lacking the tools to do so with an efficient and scalable approach. Added to this is the complexity of multiple professional, regulatory and expert bodies that have created a number of disparate standards to help protect and secure information. Current assurances models typically operate in isolation and are predominantly focused internally on protecting an organization and its information, and do not easily extend to its partners, suppliers, and customers. Organisations are thus faced with three issues: 1. Difficulty in defining generally accepted standards for protecting information in the increasingly dynamic business environment 2. Lack of a common standard to apply across the value chain / business cycle 3. Incompatible assurance frameworks and the inability to share translate existing assurance practices by third parties.

5. Global Representative [5]

First there was the integrated organization with a self contained value chain, whereby a single organisation would carry out the primary and secondary activities needed to deliver goods and / or services to its customers. Today we have unbundling, disintermediation and focus on core competences, which mean that organizations no longer conduct all the activities to deliver goods and services they now rely on a complex web of multiple external partners not just for inputs but for logistics, service and support activities. To make this complex web of organizations work, information has to be shared across multiple organizations and in multiple ways. This information may contain trade secrets, intellectual property and / or personal information and it needs to be protected according to business impact as well as satisfying regulatory and legal requirements. The acquiring organization needs to understand the information security arrangements of both potential and actual partners and be able to answer several questions, including:

Business Assurance in 21st Century

Page 6

What level of protection are the partners capable of applying to my information (including information I have been trusted with by my customers)? How do their practices compare my arrangements? How well do they comply with relevant regulation and legislation? How do potential partners practices compare against each other?

Gaining assurance in this landscape is often the responsibility of the end customer assuring themselves that the primary contractor, and in many cases the subcontractors do not represent an unacceptable risk to the business. Subsequently the cost is borne by the end customer; equally the primary contractor is often faced with multiple end customers demanding assurance in differing ways. However, with the results of assurance activities not being shared between end customers the primary contractor is faced with multiple duplicating activities consuming considerable resources.

6. Major Threats of Cloud computing [6]

6.1 Abuse and Nefarious use of cloud computing
Description:

IaaS providers offer their customers the illusion of unlimited compute, network, and storage capacity often coupled with a frictionless registration process where anyone with a valid credit card can register and immediately begin using cloud services. Some providers even offer free limited trial periods. By abusing the relative anonymity behind these registration and usage models, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity. PaaS providers have traditionally suffered most from this kind of attacks; however, recent evidence shows that hackers have begun to target IaaS vendors as well. Future areas of concern include password and key cracking, DDOS, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow tables, and CAPTCHA solving farms.
Examples: 1. IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, and downloads for Microsoft Office and Adobe PDF exploits. 2. Additionally, botnets have used IaaS servers for command and control functions. Spam continues to be a problem as a defensive measure, entire blocks of IaaS network addresses have been publicly blacklist.

Business Assurance in 21st Century

Page 7

6.2 Insecure Interface and APIs

Description:

Cloud Computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Furthermore, organizations and third parties often build upon these interfaces to offer value-added services to their customers. This introduces the complexity of the new layered API; it also increases risk, as organizations may be required to relinquish their credentials to third parties in order to enable their agency.
Examples: 1. Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies.

6.3 Shared Technology Issues

Description:

IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources. Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform. A defense in depth strategy is recommended, and should include compute, storage, and network security enforcement and monitoring. Strong compartmentalization should be employed to ensure that individual customers do not impact the operations of other tenants running on the same cloud provider. Customers should not have access to any other tenants actual or residual data, network traffic, etc.
Examples: 1. Joanna Rutkowskas Red and Blue Pill exploits 2. Kortchinksys CloudBurst presentations.

6.4 Data Loss or Leakage

Description:

There are many ways to compromise data. Deletion or alteration unlinking a record from a larger context may render it unrecoverable, of records without a backup of the original content is an obvious example. as can storage on unreliable media. Loss of an encoding key may result in
Business Assurance in 21st Century Page 8

effective destruction. Finally, unauthorized parties must be prevented from gaining access to sensitive data. The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
Examples:

Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys; operational failures; persistence and reminisce challenges: disposal challenges; risk of association; jurisdiction and political issues; data center reliability; and disaster recovery.

6.5 Unknown Risk Profile

Description:

One of the tenets of Cloud Computing is the reduction of hardware and software ownership and maintenance to allow companies to focus on their core business strengths. This has clear financial and operational benefits, which must be weighed carefully against the contradictory security concerns complicated by the fact that cloud deployments are driven by anticipated benefits, by groups who may lose track of the security ramifications. Versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design, are all important factors for estimating your companys security posture. Information about who is sharing your infrastructure may be pertinent, in addition to network intrusion logs, redirection attempts and/or successes, and other logs. Security by obscurity may be low effort, but it can result in unknown exposures. It may also impair the in-depth analysis required highly controlled or regulated operational areas.
Examples: 1. IRS asked Amazon EC2 to perform a C&A; Amazon refused. 2. Heartland Data Breach: Heartlands payment processing systems were using known-vulnerable software and actually infected, but Heartland was willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data has been stolen.

7. Indian Context
7.1 ADHAR Project threats
1. Aadhar India project is to be accomplished by private companies. Foreign companies may also be included in it. Hence individual data of people will not be safe. 2. Centralization of data will create various kinds of problems to government and people.
Business Assurance in 21st Century Page 9

3. Finding of personal details of person will become too easier. Hence this will be unsafe in terms of privacy. 4. If this is used for bank transaction or ATM cum Debit cum Credit cards, it will make easier for bad people of society to misuse them. People will find the card as very useful tool for us but this will also create some insecurity for us. Centralization might turned to be a danger in future. Hence it is expected to keep safety of data specially as this would be electronic computer database and we specially government are facing hacking of our computer data.

8. Key Stakeholders in creating safe cloud [5]

The following details the key stakeholders that define the need or Standards for effecting control or gaining assurance.
PCI DSS; Data security Standard Cloud security alliance SP800; National Institute of Standards and Technology ISO/IEC 27XXX; International Standards Organization Shared assessments program ; Financial service roundtable Cobit; ISACA ISAE; 3402; International federation of accounts ISF Standard of good practice for Information Security and Information security for external suppliers; Information Security Forum 9. Common Assurance maturity model; CAMM 1. 2. 3. 4. 5. 6. 7. 8.

9. Future of Cloud computing

Without any tangible collaboration and consistency between the various assurance frameworks organizations are forced to develop and implement a subjective body of knowledge that best articulates their risk appetite. Such activities are invariably resource intensive, both in terms of development, but equally the supplier is potentially required to provide individual responses for each customer. There exists a business need to develop a mechanism that allows suppliers to respond once, and share with many. Such a development will provide significant efficiencies for the supplier, in that a single (or a small number of) assessments can be used by multiple
Business Assurance in 21st Century Page 10

customers. Equally, this would enable customers to quickly assess the large number of third parties in their supply chain without individually assessing each third party provider. An additional advantage of such an approach is that it would provide transparency in the assurance of the supply chain. In particular, suppliers could understand the detailed

requirements placed upon them before entering a contractual agreement with customers. Any such mechanism would allow contributing organizations to: 1. Self-assess their security; OR 2. Be assessed by an independent organization The results of assessments could be: 1. Published by suppliers on their website 2. Submitted to independent trusted authorities for certification / confirmation 3. Held by an independent authority for potential customers to examine 4. Published and made available globally to buyers, suppliers, auditors etc. Moreover such a repository could allow organizations to advertise their services, and level of Information Assurance maturity to potential customers. Such an approach would make it easier for organizations to select suppliers and partners based on the maturity of their information assurance practices. The authors of this paper and organizations they represent fully support the need for a global approach and repository. Moreover, it is agreed that such an initiative and repository should be independent and not for profit in order to ensure its focus, provide transparency and secure wider endorsement.

10.

A Modular approach

The global repository, or Third Party Assurance Centre will support in the first instance a select number of assurance frameworks. Support would be enabled in a modular fashion, whereby a user could select the appropriate modules based on business requirements, as depicted in the below figure
Business Assurance in 21st Century Page 11

Business Assurance in 21st Century

Page 12

References
1. Samuel Greengard, Communications of the ACM 2. The New May 2010 | Vol.53 | No.5- NEWS York Times,

http://www.nytimes.com/2008/07/20/business/worldbusiness/20ping.html 3. Dave Durkee, Communications of the ACM 4. Mark D. Ryan, Communications of the ACM May 2010 | Vol.53 | No.5 - Practice January 2011 | Vol.54 | No.1 - Viewpoint

5. Business Assurance for 21st century White paper http://www.common-assurance.com/ 6. Top Threats to cloud computing by Cloud security alliance, https://cloudsecurityalliance.org/

Business Assurance in 21st Century

Page 13