25 Jul Webinar Presentation Slides 27289


Transcript

Cloud Security
2013 ISACA Webinar Program. © 2013 ISACA. All rights reserved.

Welcome!
• Type in questions using the Ask A Question button
• All audio is streamed over your computer
  – Having technical issues? Click the ? button
• Click the Attachments button to find a printable copy of this presentation
• After the webinar, ISACA members may earn 1 CPE credit
  – Find a link to the Event Home Page on the Attachments button
  – Click the CPE Quiz link on the Event Home Page to access the quiz
  – Once you pass the quiz, you’ll receive a link to a printable CPE Certificate
• Tell us what you thought of this event by using the Feedback button
• Question or suggestion? Email them to [email protected]

Introduction
Presenter: Maria Schuett
• Certified in Risk and Information Systems Control (CRISC)
• Security Consultant with over 15 years of technical experience in information security
• Current role: Identity and Access Management Architect
• Co-authored the 1st version of IBM’s Redguide, “Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security”
• Published the “Reduced Sign-On” manuscript in the Encyclopedia of Information Assurance (http://isbn.nu/9781420066203/)

Agenda
• Cloud Computing
  – Adoption and Adaption
• Cloud Security
  – Cloud Vendor
  – Your Organization
  – Managing Risks in Cloud Deployments

Definition
• Cloud Computing: “A style of computing in which scalable and elastic IT-enabled capabilities are provided as a service to external customers using Internet technologies.” (Gartner, 2013)
Cloud Market Trends
• “By 2014, IT organizations in 30% of Global 1000 companies will broker (aggregate, integrate and customize) two or more cloud services for internal and external users, up from 5% today.” (Gartner)
• “Demand remains high from buyers looking to cloud-based security services to address a lack of staff or skills, reduce costs or comply with security regulations quickly.” (Eric Ahlm, Gartner)
• “Compliance will be key cloud market driver to 2016.” (Gartner)

Cloud Computing

Cloud Computing
• Reasons for Adoption
  – Business Objectives
    • Increase revenue, reduce operational costs
    • Re-prioritize company focus
  – Evolving Technologies
    • Leverage existing technologies
  – Evolving Business Philosophy
    • Company differentiation
    • Speed-to-market

Cloud Computing
• Challenges in Adoption
  – Culture change
  – IT and business alignment
  – Business process alignment
  – Customer satisfaction

Cloud Computing
• Reasons for Adaption
  – Achieve business agility
    • Automate to reduce manual steps
    • Improve resilience
  – IT and business alignment
    • IT as an enabler, not a barrier
    • Business process alignment
  – Improve security controls
    • Understanding the big picture

Cloud Computing
• Challenges in Adaption
  – Culture (customize or out-of-the-box)
  – Resource demands
  – Process changes

Client-Vendor Relationship
• The relationship is about
  – Establishing trust
  – Due diligence
  – Due care
(Diagram, not reproduced: the Client, its Vendor, and the Cloud Service Providers that the vendor in turn relies on)
Cloud Security
• As a Cloud Service Provider:
  – Compliant with the SSAE 16 auditing standard
    • Note: an SSAE 16 (SOC 1) report attests to controls relevant to the client’s financial reporting; for security, availability and confidentiality controls, also request a SOC 2 report
  – Compliant with regulations per industry
    • Education – FERPA
    • Healthcare – HIPAA, HITECH
  – Compliant with standards
    • PCI DSS
    • ISO/IEC 27001
  – Established credibility

Cloud Security
• As a Cloud Service Provider
  – Security architecture of the service offering
    • Depicting high availability, integrity, resiliency
  – Data privacy policies
    • Data classification and encryption
    • Location of data – data centers
  – Operational practices
    • Disaster recovery, change management
    • Vulnerability assessments, security policy

Cloud Security
• Client culture change:
  – Basic Philosophy
    • Confidentiality, Integrity, Availability
    • Well-defined boundaries and accountability
    • Traditional IT roles aligned with business
  – New Philosophy
    • New boundaries, externalized accountabilities
    • Sustaining confidentiality, integrity, availability
    • New business roles to align with cloud solutions
    • New governance policies

Cloud Knowledge
• As a Client:
  – General knowledge about cloud services
(Figure, not reproduced: cloud computing architecture model. Source: http://www.tatvasoft.com/blog/2011/06/cloud-computing-architecture-model.html)

Cloud Security
“SaaS users have less control over security among the three fundamental delivery models in the cloud.”
Source: http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf

Cloud Knowledge
• As a Client:
  – Deployment models
(Figure, not reproduced: cloud deployment models. Source: http://www.centre4cloud.nl/nl/kennis-ontwikkeling/definition-cloud-computing/deployment-models/)
Cloud Security
• As a Client:
  – Organization’s line of business
  – Assets – data, intellectual capital
  – Stakeholders, data owners
  – Regulations, standards, governance
  – Processes and standard practices
  – Policies surrounding governance
  – Managing risks in cloud deployments

Cloud Security
• Organization’s line of business
  – Healthcare, Insurance, Education
• Data Management (CIA model)
  – Type of data (e.g. PII)
  – Transmission of data
  – Location of data
  – Availability of data
• Stakeholders, data owners

Cloud Security
• Compliance with regulations and standards
  – FERPA
  – HIPAA / HITECH
  – PCI DSS
• Governance
  – Policies surrounding cloud strategies

Cloud Security
• Processes and standard practices
• Contract Management
  – Contract review, length of contract, penalties, etc.
  – Set expectations for the SLA – availability, maintenance
  – Ownership of intellectual capital
  – Data recovery due to disaster or loss of business
• Interoperability
  – User provisioning
  – Federated single sign-on
  – Integration with internal applications
  – Data transfers

Cloud Security – Risk Management
1. Identify new assets, vulnerabilities and threats
2. Assess and classify assets, vulnerabilities and threats
3. Respond to risks (avoid, mitigate, transfer, accept)

Risk Management Method
(Diagram, not reproduced)

Risk Evaluation
• Evaluate the Cloud Vendor
  – Security questionnaire
    • What is your acceptance level? What are the metrics?
  – Evaluate answers and artifacts
  – Evaluate the architecture
  – Determine the vendor’s dependency on other cloud service providers
Risk Evaluation
• Evaluate Your Organization
  – Organization’s capabilities?
  – What type of service?
  – What type of changes are required?
  – What type of data?
  – Internal support for cloud solutions?

Risk Evaluation
• Recommended approach before implementation
  – Pilot project
  – Establish metrics to measure readiness
  – Refine processes
  – Governance over the relationship via policies, business processes, due diligence, and due care

Cloud Security
Approach for cloud services:
• Relationship – collaboration and partnership
• Governance through risk management
• Knowing your capabilities as an organization
• Knowing your future cloud strategy – affected by lessons learned, measured ROI, etc.

Resources
Extended Reading:
• http://ssae16.com/
• Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing v3.0: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
• Hashizume et al., “An analysis of security issues for cloud computing”, Journal of Internet Services and Applications (2013): http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf
Cited quotes:
• http://www.itpro.co.uk/cloud-security/19614/gartner-sets-out-cloud-security-market-trends
• http://www.gartner.com/technology/topics/cloud-computing.jsp
• http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf