Transcript
Cloud Security
2013 ISACA Webinar Program. © 2013 ISACA. All rights reserved.
Welcome!
• Type in questions using the Ask A Question button
• All audio is streamed over your computer
– Having technical issues? Click the ? button
• Click Attachments button to find a printable copy of this presentation
• After the webinar, ISACA members may earn 1 CPE credit
– Find a link to the Event Home Page on the Attachments button
– Click the CPE Quiz link on the Event Home Page to access the quiz
– Once you pass the quiz, you’ll receive a link to a printable CPE Certificate
• Tell us what you thought of this event by using the Feedback button.
• Question or suggestion? Email them to
[email protected]
Introduction
Presenter: Maria Schuett
• Certified Risk and Information Systems Control (CRISC)
• Security Consultant. Over 15 years of technical experience in information security
• Current role: Identity and Access Management Architect
• Co-authored the 1st version of IBM’s Redguide, “Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security”
• Published “Reduced Sign-On” manuscript in the Encyclopedia of Information Assurance (http://isbn.nu/9781420066203/).
Agenda
• Cloud Computing
– Adoption and Adaption
• Cloud Security
– Cloud Vendor
– Your Organization
– Managing Risks in Cloud Deployments
Definition
• Cloud Computing: “A style of computing in which scalable and elastic IT-enabled capabilities are provided as a service to external customers using Internet technologies.” – Gartner 2013
Cloud Market Trends
• Cloud Market Trends
– “By 2014, IT organizations in 30% of Global 1000 companies will broker (aggregate, integrate and customize) two or more cloud services for internal and external users, up from 5% today.” – Gartner
– “Demand remains high from buyers looking to cloud-based security services to address a lack of staff or skills, reduce costs or comply with security regulations quickly” – Eric Ahlm, Gartner
– “Compliance will be key cloud market driver to 2016” – Gartner
Cloud Computing
Cloud Computing
• Reasons for Adoption
– Business Objectives
• Increase revenue, reduce operational costs
• Re-prioritize company focus
– Evolving Technologies
• Leverage existing technologies
– Evolving Business Philosophy
• Company Differentiation
• Speed-to-market
Cloud Computing
• Challenges in Adoption
– Culture Change
– IT and Business Alignment
– Business Process Alignment
– Customer Satisfaction
Cloud Computing
• Reasons for Adaption
– Achieve Business Agility
• Automate to reduce manual steps
• Improve resilience
– IT and Business Alignment
• IT as an enabler, not a barrier
• Business Process Alignment
– Improve Security Controls
• Understanding the big picture
Cloud Computing
• Challenges in Adaption
– Culture (customize or out-of-the-box)
– Resource demands
– Process Changes
Client-Vendor Relationship
• The relationship is about: Establishing Trust, Due Diligence, Due Care
[Diagram: Client and Cloud Service Providers (Vendors)]
Cloud Security
• As a Cloud Service Provider:
– Compliant to SSAE16 Auditing Standard
– Compliant to regulations as per industry
• Education – FERPA
• Healthcare – HIPAA, HITECH
– Compliant to Standards
• PCI/DSS
• ISO/IEC 27001
– Established Credibility
Cloud Security
• As a Cloud Service Provider
– Security Architecture of Service Offering
• Depicting high availability, integrity, resiliency
– Data Privacy Policies
• Data classification and encryption
• Location of Data – Data Centers
– Operational Practices
• Disaster Recovery, Change Management
• Vulnerability Assessments, Security Policy
Cloud Security
• Client culture change:
– Basic Philosophy
• Confidentiality, Integrity, Availability
• Well-defined boundaries and accountability
• Traditional IT roles aligned with business
– New Philosophy
• New boundaries, externalized accountabilities
• Sustaining confidentiality, integrity, availability
• New business roles to align with cloud solutions
• New governance policies
Cloud Knowledge
• As a Client:
– General Knowledge about Cloud Services
Source: http://www.tatvasoft.com/blog/2011/06/cloud-computing-architecture-model.html
Cloud Security
“SaaS users have less control over security among the three fundamental delivery models in the cloud.”
Source: http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf
Cloud Knowledge
• As a Client:
– Deployment models
Source: http://www.centre4cloud.nl/nl/kennis-ontwikkeling/definition-cloud-computing/deployment-models/
Cloud Security
• As a Client:
– Organization’s line of business
– Assets – data, intellectual capital
– Stakeholders, data owners
– Regulations, standards, governance
– Processes and standard practices
– Policies surrounding governance
– Managing risks in cloud deployments
Cloud Security
• Organization’s line of business
– Healthcare, Insurance, Education
• Data Management (CIA model)
– Type of Data (e.g. PII)
– Transmission of Data
– Location of Data
– Availability of Data
• Stakeholders, data owners
Cloud Security
• Compliance to Regulations and Standards
– FERPA
– HIPAA / HITECH
– PCI/DSS
• Governance
– Policies surrounding cloud strategies
Cloud Security
• Processes and standard practices
• Contract Management
– Contract Review, Length of Contract, Penalties, etc.
– Set expectations for SLA – Availability, Maintenance
– Ownership of intellectual capital
– Data recovery due to disaster or loss of business
• Interoperability
– User Provisioning
– Federated Single Sign-on
– Integration to internal Applications
– Data transfers
Cloud Security
Risk Management
1. Identify new assets, vulnerabilities, and threats
2. Assess and classify assets, vulnerabilities and threats
3. Respond to risks (avoid, mitigate, transfer, accept)
Risk Management Method
Risk Evaluation
• Evaluate Cloud Vendor
– Security Questionnaire
• What’s your acceptance level, metrics?
– Evaluate answers and artifacts
– Evaluate architecture
– Determine vendor’s dependency on other cloud service providers
Risk Evaluation
• Evaluate Your Organization
– Organization’s capabilities?
– What type of service?
– What type of changes are required?
– What type of data?
– Internal support for cloud solutions?
Risk Evaluation
• Recommended approach before implementation
– Pilot project
– Establish metrics to measure readiness
– Refine processes
– Governance over the relationship via policies, business processes, due diligence, and due care
Cloud Security
Approach for cloud services:
• Relationship – Collaboration and partnership
• Governance through risk management
• Knowing your capabilities as an organization
• Knowing your future cloud strategy – affected by lessons learned, measured ROI, etc.
Resources
Extended Reading:
• http://ssae16.com/
• https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
• http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf
Cited quotes:
• http://www.itpro.co.uk/cloud-security/19614/gartner-sets-out-cloud-securitymarket-trends
• http://www.gartner.com/technology/topics/cloud-computing.jsp
• http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf