25 jul webinar presentation slides 27289

Upload: ca-piyush-lalwani

Post on 08-Aug-2018


  8/22/2019 25 Jul Webinar Presentation Slides 27289

  • Slide 1/29: Cloud Security

    2013 ISACA Webinar Program. 2013 ISACA. All rights reserved.

  • Slide 2/29: Welcome!

    Type in questions using the Ask A Question button

    All audio is streamed over your computer

    Having technical issues? Click the ? button

    Click the Attachments button to find a printable copy of this presentation

    After the webinar, ISACA members may earn 1 CPE credit

      Find a link to the Event Home Page on the Attachments button

      Click the CPE Quiz link on the Event Home Page to access the quiz

      Once you pass the quiz, you'll receive a link to a printable CPE Certificate

    Tell us what you thought of this event by using the Feedback button.

    Question or suggestion? Email them to [email protected]
  • Slide 3/29: Introduction

    Presenter: Maria Schuett

    Certified in Risk and Information Systems Control (CRISC), Security Consultant

    Over 15 years of technical experience in information security

    Current role: Identity and Access Management Architect

    Co-authored the 1st version of IBM's Redguide, "Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security"

    Published the "Reduced Sign-On" manuscript in the Encyclopedia of Information Assurance (http://isbn.nu/9781420066203/)

  • Slide 4/29: Agenda

    Cloud Computing: Adoption and Adaption

    Cloud Security

      Cloud Vendor

      Your Organization

    Managing Risks in Cloud Deployments

  • Slide 5/29: Definition

    Cloud Computing

    "A style of computing in which scalable and elastic IT-enabled capabilities are provided as a service to external customers using Internet technologies."

    Gartner 2013

  • Slide 6/29: Cloud Market Trends

    "By 2014, IT organizations in 30% of Global 1000 companies will broker (aggregate, integrate and customize) two or more cloud services for internal and external users, up from 5% today." - Gartner

    "Demand remains high from buyers looking to cloud-based security services to address a lack of staff or skills, reduce costs or comply with security regulations quickly." - Eric Ahlm, Gartner

    "Compliance will be key cloud market driver to 2016." - Gartner

  • Slide 7/29: Cloud Computing

  • Slide 8/29: Cloud Computing - Reasons for Adoption

    Business Objectives

      Increase revenue, reduce operational costs

      Re-prioritize company focus

    Evolving Technologies

      Leverage existing technologies

    Evolving Business Philosophy

      Company differentiation

      Speed-to-market

  • Slide 9/29: Cloud Computing - Challenges in Adoption

    Culture change

    IT and business alignment

    Business process alignment

    Customer satisfaction

  • Slide 10/29: Cloud Computing - Reasons for Adaption

    Achieve Business Agility

      Automate to reduce manual steps

      Improve resilience

    IT and Business Alignment

      IT as an enabler, not a barrier

    Business Process Alignment

      Improve security controls

      Understanding the big picture

  • Slide 11/29: Cloud Computing - Challenges in Adaption

    Culture (customize or out-of-the-box)

    Resource demands

    Process changes

  • Slide 12/29: Client-Vendor Relationship

    The relationship is about:

      Establishing trust

      Due diligence

      Due care

    [Diagram: Client and Vendor (Cloud Service Providers)]

  • Slide 13/29: Cloud Security - As a Cloud Service Provider

    Compliant to the SSAE16 auditing standard

    Compliant to regulations as per industry

      Education: FERPA

      Healthcare: HIPAA, HITECH

    Compliant to standards

      PCI/DSS, ISO/IEC 27001

    Established credibility

  • Slide 14/29: Cloud Security - As a Cloud Service Provider

    Security architecture of the service offering

      Depicting high availability, integrity, resiliency

    Data privacy policies

      Data classification and encryption

    Location of data

      Data centers

    Operational practices

      Disaster recovery, change management, vulnerability assessments, security policy

  • Slide 15/29: Cloud Security - Client culture change

    Basic Philosophy

      Confidentiality, integrity, availability

      Well-defined boundaries and accountability

      Traditional IT roles aligned with business

    New Philosophy

      New boundaries, externalized accountabilities

      Sustaining confidentiality, integrity, availability

      New business roles to align with cloud solutions

      New governance policies

  • Slide 16/29: Cloud Knowledge - As a Client: General knowledge about cloud services

    [Figure: cloud computing architecture model]

    Source: http://www.tatvasoft.com/blog/2011/06/cloud-computing-architecture-model.html

  • Slide 17/29: Cloud Security

    SaaS users have less control over security among the three fundamental delivery models in the cloud.

    Source: http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf

  • Slide 18/29: Cloud Knowledge - As a Client: Deployment models

    [Figure: cloud deployment models]

    Source: http://www.centre4cloud.nl/nl/kennis-ontwikkeling/definition-cloud-computing/deployment-models/

  • Slide 19/29: Cloud Security - As a Client

    Organization's line of business

    Assets: data, intellectual capital

    Stakeholders, data owners

    Regulations, standards, governance

    Processes and standard practices

    Policies surrounding governance

    Managing risks in cloud deployments

  • Slide 20/29: Cloud Security

    Organization's line of business

      Healthcare, insurance, education

    Data management (CIA model)

      Type of data (e.g. PII)

      Transmission of data

      Location of data

      Availability of data

    Stakeholders, data owners

  • Slide 21/29: Cloud Security

    Compliance to regulations and standards

      FERPA

      HIPAA / HITECH

      PCI/DSS

    Governance

      Policies surrounding cloud strategies

  • Slide 22/29: Cloud Security - Processes and standard practices

    Contract management

      Contract review, length of contract, penalties, etc.

      Set expectations for SLA: availability, maintenance

      Ownership of intellectual capital

      Data recovery due to disaster or loss of business

    Interoperability

      User provisioning, federated single sign-on

      Integration to internal applications

      Data transfers

  • Slide 23/29: Cloud Security - Risk Management

    1. Identifying new assets, vulnerabilities, and threats

    2. Assess and classify assets, vulnerabilities and threats

    3. Respond to risks (avoid, mitigate, transfer, accept)

  • Slide 24/29: Risk Management Method

    [Figure: risk management method]

  • Slide 25/29: Risk Evaluation - Evaluate Cloud Vendor

    Security questionnaire

      What's your acceptance level, metrics?

      Evaluate answers and artifacts

    Evaluate architecture

      Determine the vendor's dependency on other cloud service providers
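The three-step risk cycle on the Risk Management slide and the vendor questionnaire on this slide are easier to reason about as a small risk register. The code below is an added example, not material from the ISACA deck or from the presenter; the slides name the steps (identify, assess and classify, respond with avoid/mitigate/transfer/accept) and the idea of an acceptance level and metrics, but give no scoring method. The 1-5 likelihood x impact scale, the avoid/accept thresholds, the list of required controls, the rule that only an answer backed by an artifact counts, and all sample assets, threats and answers are assumptions constructed here for illustration.

```python
"""Added illustration of the slide's risk cycle: identify assets and threats,
score them, pick a response, and score a vendor questionnaire against a metric.
Scoring scale and thresholds are assumptions, not from the slides."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    classification: str   # step 2: classify, e.g. "PII", "intellectual capital", "public"
    impact: int           # 1 (negligible) .. 5 (severe) if confidentiality/integrity/availability is lost


@dataclass
class Threat:
    description: str
    asset: Asset
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    transferable: bool = False  # can the risk be shifted contractually (SLA penalties, insurance)?

    @property
    def score(self) -> int:
        # Assumed method: likelihood x impact on a 1-25 scale.
        return self.likelihood * self.asset.impact


def respond(threat: Threat, acceptance_level: int, avoid_level: int = 20) -> str:
    """Step 3: map a scored risk to one of the four responses named on the slide.
    acceptance_level is the organization's stated tolerance; at or below it the
    risk is accepted, at or above avoid_level the service is not used for that asset."""
    if threat.score >= avoid_level:
        return "avoid"
    if threat.score <= acceptance_level:
        return "accept"
    return "transfer" if threat.transferable else "mitigate"


# Vendor questionnaire: controls the slides mention (SSAE16 report, encryption,
# disaster recovery, vulnerability assessments, change management). A "yes"
# only counts when the vendor supplied an artifact (report, policy, test record).
REQUIRED_CONTROLS = ["SSAE16 report", "encryption at rest", "DR test record",
                     "vulnerability assessment", "change management policy"]


def vendor_gaps(answers: dict) -> list:
    """Controls the vendor answered without evidence (or did not answer at all)."""
    return [c for c in REQUIRED_CONTROLS if not answers.get(c, {}).get("artifact", False)]


def evaluate_vendor(answers: dict, metric_threshold: float) -> dict:
    """Fraction of required controls backed by an artifact, compared to the metric."""
    gaps = vendor_gaps(answers)
    score = (len(REQUIRED_CONTROLS) - len(gaps)) / len(REQUIRED_CONTROLS)
    return {"score": score, "gaps": gaps, "meets_metric": score >= metric_threshold}


def build_register(acceptance_level: int = 6) -> dict:
    """Constructed sample data: two assets, four threats, one response each."""
    records = Asset("patient records", "PII", impact=5)
    website = Asset("marketing website", "public", impact=1)
    threats = [
        Threat("backup copies stored unencrypted by vendor", records, likelihood=3),
        Threat("vendor outage beyond SLA", records, likelihood=2, transferable=True),
        Threat("defacement of marketing site", website, likelihood=4),
        Threat("vendor subcontracts storage to an unknown fourth party", records, likelihood=4),
    ]
    return {t.description: respond(t, acceptance_level) for t in threats}


# Constructed questionnaire answers: two "yes" answers lack an artifact.
SAMPLE_ANSWERS = {
    "SSAE16 report": {"answer": "yes", "artifact": True},
    "encryption at rest": {"answer": "yes", "artifact": True},
    "DR test record": {"answer": "yes", "artifact": False},
    "vulnerability assessment": {"answer": "yes", "artifact": True},
    "change management policy": {"answer": "no", "artifact": False},
}

if __name__ == "__main__":
    for description, response in build_register().items():
        print(f"{response:9s} {description}")
    print(evaluate_vendor(SAMPLE_ANSWERS, metric_threshold=0.8))
```

The point the register makes is the one the slide makes: the acceptance level is a decision the client organization owns, and a vendor's "yes" without an artifact is a gap to be evaluated, not a control.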

  • Slide 26/29: Risk Evaluation - Evaluate Your Organization

    Organization's capabilities?

    What type of service?

    What type of changes are required?

    What type of data?

    Internal support for cloud solutions?

  • Slide 27/29: Risk Evaluation - Recommended approach before implementation

    Pilot project

    Establish metrics to measure readiness

    Refine processes

    Governance over the relationship via policies, business processes, due diligence, and due care

  • Slide 28/29: Cloud Security - Approach for cloud services

    Relationship: collaboration and partnership

    Governance through risk management

    Knowing your capabilities as an organization

    Knowing your future cloud strategy, affected by lessons learned, measured ROI, etc.

  • Slide 29/29: Resources

    Extended reading:

      http://ssae16.com/

      https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

      http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf

    Cited quotes:

      http://www.itpro.co.uk/cloud-security/19614/gartner-sets-out-cloud-security-market-trends

      http://www.gartner.com/technology/topics/cloud-computing.jsp

      http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf
