Selecting a Cloud Service Provider (CSP)
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials
Principal, ncontrol, LLC
Adjunct Professor
President, Cloud Security Alliance Delaware Valley Chapter (CSA-DelVal)
Presentation Overview
- Cloud Overview
- Selection Considerations, Criteria & Tools
- Case Studies
Cloud Overview: Why should you care about the cloud?
Cloud Computing Trends: Numbers
Numbers around cloud computing are always impressive:
- 80% of Fortune 1000 companies will pay to use cloud computing services and 30% will pay for infrastructure (Gartner).
- At this moment, the 5 major search engines together have computers.
- Market: 42 billion (IDC); 95 billion (Merrill Lynch).
- 33% of IT business will be in cloud computing (Gartner).
- Microsoft data centre in Chicago: servers.
Source: Open Group
What is Cloud Computing?
- Re-branded IT Business Model
  - Application Service Provider (ASP)
  - IT Outsourcing (ITO)
- Confusion
  - Hosting
  - Virtualization
  - Service Provider
Selection Considerations, Criteria & Tools
- Risky Business
- Security Guidance
- Privacy & Data Protection Rules
- Service Provider / Consumer Process Alignment
- Portability / Interoperability
- Contractual / Legal Agreements
- Industry Tools & Tricks
Partly Cloudy with a Chance of Risk!
The cloud is perceived as risky business:
- Lack of Control
- Regulatory Compliance
- Hacks, outages, disasters... oh my!
Source: YouTube
Security Guidance
- Existing Certifications / Attestations
  - SAS 70 Type II / SSAE 16 / ISAE 3402
  - ISO / 2
  - ISO
  - BITS Shared Assessments
  - PCI DSS
  - HIPAA / HITECH
- Guidance Specifically for the Cloud
  - Cloud Security Alliance (CSA) Guide v3.0
  - CSA Security, Trust & Assurance Registry (STAR)
  - ENISA Cloud Computing Risk Assessment
  - NIST SP Guidelines on Security / Privacy for a Public Cloud
Privacy & Data Protection Rules
- Jurisdictions*
  - Regional: EU DPA
  - National: PIPEDA, GLBA, HIPAA / HITECH, COPPA, Safe Harbor
  - Statutory: Bavarian, CA SB 1386 / 24, MA 201 CMR 17, NV SB 227
- Data Flow & Jurisdictional Adherence
  - Backups
  - CSP Big Data: Traditional, Sensory (e.g. Logs, Metadata) & Social
  - Business / Organizational Ecosystem
- Contract Clauses
  - European Model Contract Clauses
  - PCI DSS
- Privacy Best Practices
  - Generally Accepted Privacy Principles (GAPP)
* Not all inclusive.
Svc Provider / Consumer Process Alignment
- Change / Configuration Management
  - Process, process & some more process.
  - Automated configuration management?
  - Maturity Model
- Vendor Loading / Off-loading
  - Provisioning / De-provisioning
  - Disaster Recovery
  - Business / Organizational Ecosystem
  - Maturity Model
Svc Provider / Consumer Process Alignment (cont.)
- Incident Response
  - Computer Security Incident Response Team (CSIRT)
  - Digital Forensics
- Legal Hold / Litigation Response / e-discovery
  - Electronic Discovery Reference Model (EDRM)
  - Federal Rules of Civil Procedure (FRCP) 30(b)(6)
- Records and Information Management (RIM)
  - Generally Accepted Recordkeeping Principles (GARP)
  - Information Governance Reference Model (IGRM)
  - Information Lifecycle Management (ILM)
  - MIKE2.0
Portability / Interoperability
- Software
- Data
- Third Parties
Contractual / Legal Agreements
- Service Level Agreements (SLA)
  - Uptime
- Data Ownership
  - Escrow
  - Data: include sensory data, metadata
- Exit Clause
- Testing
  - Disaster Recovery
  - Incident Response
  - Legal Hold / Litigation Response / e-discovery
- Right to Audit
  - Vendor & Vendor's Vendors
- Privacy Impact Assessments (PIA)
- Additional Clauses
  - European Model Contract Clauses
Industry Tools & Tricks
- Cloud Strategic Roadmap
- Matrices & Software
- Cloud Brokers
Industry Tools & Tricks: Cloud (Consumer) Strategic Roadmap
- Business Model Alignment
  - Centralized / Decentralized
  - Industry Vertical
  - Ecosystem Awareness (Customers, Partners, Vendors)
- Project Portfolio Management (PPM)
  - Assimilate Cloud Projects
  - Involves many stakeholders (business, PMO, IT, etc.)
- Phased Implementation Approach
  - Private, Hybrid, Public
  - Basic, Advanced Services
Industry Tools & Tricks: Cloud (Provider) Strategic Roadmap
- Business Model / Product Line
  - Scalability: e-discovery, Authentication, Encryption, Scanning
  - Organic
  - Merger & Acquisition
- Longevity / Sustainability
- Industry / Jurisdiction Focus
- Ecosystem Awareness
- Technology / Enterprise Architecture (TOGAF, SABSA, ITIL)
Industry Tools & Tricks: Matrices & Software
Gravitant, Inc. All Rights Reserved. cloudmatrix Version 5.0, cloudwiz (TM)

Step 1: Plan Capacity
Capacity planning is a vital component of cloud computing adoption. It involves understanding the resource requirements needed to meet the anticipated needs of customers and users. Companies that can predict their computing needs can reserve capacity and plan for their predicted usage based on their IT budgets. Other models allow organizations to use an on-demand, pay-per-use model, which may be more economical.

Step 2: Compare Vendors
Once a cloudwiz user has filled out their current resource utilization and projected demand, they can compare vendors side-by-side. The built-in standardized vendor catalog allows cloud users to compare prices from multiple providers in an Expedia-like interface and then optimize for the best vendor based on individual goals and constraints such as cost, QoS and best match.

Step 3: Analyze ROI
As a cloudwiz user compares vendors across cost, QoS and other constraints, they can also determine ROI benefits to analyze the effects of selecting a particular provider.
Industry Tools & Tricks: Cloud Brokers
- RightScale
- CloudFloor
- Skydera
- enstratus
Case Study: Choosing a PaaS CSP
- Background
  - Mid-sized Capital Management Firm
  - FINRA Regulated
  - Outsourced IT with hardware onsite.
- Drivers
  - Cost
  - Compliance
- Technologies
  - Cloud Computing: Microsoft Exchange / Office 365 Exchange Online
  - Onsite: Symantec Enterprise Vault
Case Study: Choosing a PaaS CSP (cont.)
- Limitations
  - Budget
  - Skill-sets
  - Resources
  - Monitoring
- Risks
  - Cloud Computing: System / Software Interoperability; Availability
  - Vendor Management: Contractual / SLA Omissions; Scope Creep; Data Ownership
Case Study: Choosing a PaaS CSP (cont.)
- Lessons Learned
  - Better Safe Than Sorry
  - Follow GLBA Safeguards
  - Many Moving (Technical) Parts
  - Use Existing Vendors
  - e-discovery Helped
- Next Steps
  - Cloud Computing: Onsite Journaling
  - Testing: BCP / DR, Incident Response
  - System Architecture Upgrades
Case Study: Choosing an IaaS CSP
- Background
  - Venture capital funded pharmacy service provider.
  - Small HIPAA / HITECH Business Associate
  - Level 4 PCI Service Provider
- Drivers
  - Cost Savings
  - Core Competency Focus
- Technologies
  - Cloud Computing: Open-source solutions at a co-location facility.
  - Leverages third party / upstream system providers.
Case Study: Choosing an IaaS CSP (cont.)
- Limitations
  - Buying / Negotiating Power
  - HIPAA / HITECH / PCI Requirements
  - Third Party Systems
- Risks
  - Cloud Computing: Jurisdiction; Availability
  - Cloud / Third Party Ecosystem Reliance
Case Study: Choosing an IaaS CSP (cont.)
- Lessons Learned
  - Bigger is not better.
  - Standardize Technology
  - Ask for the documentation from attestations.
  - Sticker Shock
- Next Steps
  - Cloud Computing: Work with the CSP
  - Conduct a PIA.
  - Test incident response plans.
Cloud Computing Presentation Take Aways
- There Are No Silver Bullets
- Think Cloud Strategy & Business Ecosystem
- You Are Not Alone
  - Leverage CSA, BITS & NIST's Research
  - Leverage Industry Tools, Tips & Tricks
- Compare Apples to Apples
  - Technology
  - Pricing
  - SLAs