2015 - the cloud for managers @ riga business school - dss - cloud risks and some thoughts
Post on 16-Jul-2015
Role of DSS in Cyber-security
Development in Baltics Cyber-Security Awareness Raising
Technology and knowledge transfer
Cyber Security Portfolio Only
Trusted Advisor to its Customers
Game changer
Today’s realities in the world
Escalating Attacks
• Increasingly sophisticated attack methods
• Disappearing perimeters
• Accelerating security breaches
Increasing Complexity
• Constantly changing infrastructure
• Too many products from multiple vendors; costly to configure and manage
• Inadequate and ineffective tools
Resource Constraints
• Struggling security teams
• Too much data with limited manpower and skills to manage it all
• Managing and monitoring increasing compliance demands
Spear Phishing
Persistence
Backdoors
Designer Malware
Business has to worry...
In 2014 to date, roughly 1 in 7 people on the entire planet have been impacted by a data leak.
Some key facts, statistics globally
83% of enterprises have difficulty finding the security skills they need (2012 ESG Research)
85 security tools from 45 vendors (IBM client example)
…and traditional security practices are unsustainable
70% of security executives have cloud and mobile concerns (2013 IBM CISO Survey)
614% mobile malware growth in just one year (2012-2013 Juniper Mobile Threat Report)
Cyber security in the Baltic States
Challenges of «C» level executives (business, IT etc.)
Political (external and internal)
Technological (risks, threats, fraud, attacks, leaks)
Economic (budget reality, competition, costs…)
Legal (compliance, regulations etc.)
Professional (HR, information quantity)
Psychological (traditions / knowledge / trust)
IT Security controls - «to do» list
Business part
Business processes analysis from tech perspective
Assessment and management of cyber security risks
Related technological part
Inventory of devices and software
Secure configuration of everything (end-users, devices)
Vulnerability assessment and management
Malware defenses, application security, pen tests
Wi-Fi security
Mobile security
Data security
Continuous skills training and learning
Access control and visibility
Audit, monitoring, analysis, incident response and more
Shift to Cloud security – concerns...
Psychology factor: Trust – we don't want to give our data away. Latvia is small...
Level of maturity of cloud computing: Any new technology needs time to prove itself. Who wants to be a «testing sheep» and take the risk... (50/50)
Cyber-criminals: Clouds are at risk because cybercriminals choose the best ROI – they attack «watering holes» and... clouds.
Legislation, responsibility, control: International cooperation at a worldwide level is still a huge challenge, but how else can you catch the bad guys and solve problems...
Cloud of course has challenges...
ENISA's recent research «Cloud Computing Risk Assessment» describes at least 25 big, known cloud computing risks and issues...
Economy of scale – security perspective...
More security for the same money
Better security experts for the same money
Reduced costs of IT
Near instant provisioning
Service on demand
Availability from any location
Redundancy
No down-time (24x7x365)
And so on...
Shift to Cloud security – the Risk perspective
Insiders!!!
Data risks – location, transit
Loss of control & governance
Limited data available from the cloud service provider (logs, location of data, responsibilities, 3rd parties...)
External penetration tests not allowed
Usually no forensics tools are available
Outsourcing is not known or visible
Audit not allowed, although it is sometimes essential to meet compliance criteria
Lack of compliance with international regulations (EU data protection regulation, ENISA cloud certification, intellectual property rights etc.)
3rd party solutions (e.g. encryption software)
Overbooking or isolation (DDoS attacks, not necessarily aimed at you)
Lock-in! It is sometimes not so easy to change cloud provider
Some final slides about risks...
Deployment Model Risk Profile
Likelihood of data security, privacy, and control breach, from higher to lower: Public > Community > Private
Some final slides about risks...
Service Model Risk Profile
Impact of loss of control & security breach, from higher to lower: IaaS > PaaS > SaaS
Some final slides...cont.
Cloud Risk Ranking Example
Attribute             | High (5)         | Med (3)        | Low (1)
----------------------|------------------|----------------|------------------
Deployment Model      | Public           | Community      | Private
Service Model         | IaaS             | PaaS           | SaaS
Data Security Level   | Secret           | Restricted     | Unclassified
Physical Hosting Site | Undefined        | Int'l Location | Domestic Location
SOX Critical          | Yes              |                | No
Dependent Apps        | Greater than 10  | 4 to 10        | 0 to 3
Recovery Time         | 4 Hours          | 7 Days         | 31 Days
Region Supported      | Europe or Global | US             | All other
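As an added example, not part of the slides, here is the ranking scheme above turned into a small scorer: the High (5) / Med (3) / Low (1) values and the attribute categories are the slide's; summing the eight scores, the numeric cut-offs for dependent apps and recovery time, the overall bands and the sample workloads are my assumptions.

```python
HIGH, MED, LOW = 5, 3, 1  # the slide's High (5) / Med (3) / Low (1) scores

# Categorical attributes, scored as the slide's ranking table lists them.
CATEGORICAL = {
    "deployment_model": {"public": HIGH, "community": MED, "private": LOW},
    "service_model": {"iaas": HIGH, "paas": MED, "saas": LOW},
    "data_security_level": {"secret": HIGH, "restricted": MED, "unclassified": LOW},
    "physical_hosting_site": {"undefined": HIGH, "international": MED, "domestic": LOW},
    "region_supported": {"europe": HIGH, "global": HIGH, "us": MED, "other": LOW},
}

def score_dependent_apps(n):
    """Slide: more than 10 is High, 4 to 10 Medium, 0 to 3 Low."""
    return HIGH if n > 10 else MED if n >= 4 else LOW

def score_recovery_time(hours):
    """Slide: 4 hours High, 7 days Medium, 31 days Low. Assumption: a required
    recovery time at or below a threshold takes that threshold's score."""
    return HIGH if hours <= 4 else MED if hours <= 7 * 24 else LOW

def rank_workload(w):
    """Score one workload (dict of attributes). Summing the eight scores and the
    bands (>=70% of max High, >=40% Medium, else Low) are assumptions, not slide content."""
    scores = {}
    for attr, table in CATEGORICAL.items():
        value = str(w[attr]).lower()
        if value not in table:
            raise ValueError(f"{attr}: unknown value {w[attr]!r}")
        scores[attr] = table[value]
    scores["sox_critical"] = HIGH if w["sox_critical"] else LOW
    scores["dependent_apps"] = score_dependent_apps(w["dependent_apps"])
    scores["recovery_time"] = score_recovery_time(w["recovery_time_hours"])
    total, maximum = sum(scores.values()), HIGH * len(scores)
    band = "High" if total >= 0.7 * maximum else "Medium" if total >= 0.4 * maximum else "Low"
    return {"scores": scores, "total": total, "band": band}

def rank_candidates(workloads):
    """Order candidate workloads riskiest first, e.g. for a migration review."""
    return sorted(((n, rank_workload(w)) for n, w in workloads.items()),
                  key=lambda item: item[1]["total"], reverse=True)

# Constructed sample workloads for illustration (not real systems).
SAMPLE = {
    "hr_payroll": dict(deployment_model="Public", service_model="IaaS", data_security_level="Restricted",
                       physical_hosting_site="International", region_supported="Europe",
                       sox_critical=True, dependent_apps=12, recovery_time_hours=4),
    "marketing_site": dict(deployment_model="Private", service_model="SaaS", data_security_level="Unclassified",
                           physical_hosting_site="Domestic", region_supported="Other",
                           sox_critical=False, dependent_apps=2, recovery_time_hours=31 * 24),
}
```

Calling rank_candidates(SAMPLE) lists the payroll system first (36 of 40, High) and the marketing site last (8 of 40, Low), which is the ordering a migration review would use to decide where controls and due diligence go first.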
Some final slides...cont.
Deployment Model Considerations
Deploy Model: High = Public, Medium = Community, Low = Private
Public:
- Security and privacy are not a priority
- Service level agreements may not exist
Private:
- Private environments provide adequate security and privacy
- Service level agreements should exist
Some final slides...cont.
Service Model Considerations
Service Model: High = IaaS, Medium = PaaS, Low = SaaS
IaaS:
- Issues may impact all hosted applications and data
- No control over foundational general controls
PaaS:
- Impact limited to outsourced platform
SaaS:
- Impact limited to applications and data
Some final slides...cont.
Data Security Considerations
Security Level: High = Secret, Medium = Restricted, Low = Unclassified
Secret:
- Difficult to enforce security standards when outsourcing
- Difficult to demonstrate compliance with regulations like GLBA
Unclassified:
- Security and privacy is not a concern (good candidate for cloud computing)
Shift to Cloud security
Dependent Applications
Number of Apps: High = Greater than 10, Medium = 4 to 9, Low = Less than 3
> 10:
- Implies complexity and greater organizational significance
< 3:
- Implies simplicity and less organizational significance
Conclusion...
Cloud computing is not a new technology. Cloud computing is a new business model. It is a way of delivering computing resources, and it is here to stay. Adopt it as soon as you can and make your business even more successful.
Before moving to the cloud, involve professionals to help you understand which parts would be reasonable to move to the cloud (by costs, risks and investment measures), how, when, where, by whom and why. And to which cloud.
As a famous Latvian poet once said – «One who is able to change will also be able to continue to exist!»