Central Jersey IIA Cloud Computing: The Basics and Beyond Protecting Data in the Cloud
1 Central Jersey IIA Cloud Computing: The Basics and Beyond. Protecting Data in the Cloud
Dr. Yonesy F. Nuñez, CISSP, CISM, ISSAP, ISSMP, CRISC, CGEIT, MCSE, ISSPCS
Manager, NYM IT Risk & Security Assurance

2 General Security Advantages
- Shifting public data to an external cloud reduces the exposure of the internal sensitive data
- Cloud homogeneity makes security auditing/testing simpler
- Clouds enable automated security management
- Redundancy / disaster recovery

3 Security Relevant Cloud Components
- Cloud Provisioning Services
- Cloud Data Storage Services
- Cloud Processing Infrastructure
- Cloud Support Services
- Cloud Network and Perimeter Security
- Elastic Elements: Storage, Processing, and Virtual Networks

4 Provisioning Service
Advantages:
- Rapid reconstitution of services
- Enables availability: provision in multiple data centers / multiple instances
- Advanced honey net capabilities
Challenges:
- Impact of compromising the provisioning service

5 Data Storage Services
Advantages:
- Data fragmentation and dispersal
- Automated replication
- Provision of data zones (e.g., by country)
- Encryption at rest and in transit
- Automated data retention
Challenges:
- Isolation management / data multi-tenancy
- Storage controller: single point of failure / compromise?
- Exposure of data to foreign governments

6 Cloud Processing Infrastructure
Advantages:
- Ability to secure masters and push out secure images
Challenges:
- Application multi-tenancy
- Reliance on hypervisors
- Process isolation / application sandboxes

7 Cloud Support Services
Advantages:
- On demand security controls (e.g., authentication, logging, firewalls)
Challenges:
- Additional risk when integrated with customer applications
- Needs certification and accreditation as a separate application
- Code updates

8 Cloud Network and Perimeter Security
Advantages:
- Distributed denial of service protection
- VLAN capabilities
- Perimeter security (IDS, firewall, authentication)
Challenges:
- Virtual zoning with application mobility
9 Cloud Security Advantages, Part 1
- Data Fragmentation and Dispersal
- Dedicated Security Team
- Greater Investment in Security Infrastructure
- Fault Tolerance and Reliability
- Greater Resiliency
- Hypervisor Protection Against Network Attacks
- Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)

10 Cloud Security Advantages, Part 2
- Simplification of Compliance Analysis
- Data Held by Unbiased Party (cloud vendor assertion)
- Low-Cost Disaster Recovery and Data Storage Solutions
- On-Demand Security Controls
- Real-Time Detection of System Tampering
- Rapid Re-Constitution of Services
- Advanced Honeynet Capabilities

11 Cloud Security Challenges, Part 1
- Data dispersal and international privacy laws
  - EU Data Protection Directive and U.S. Safe Harbor program
  - Exposure of data to foreign government and data subpoenas
  - Data retention issues
- Need for isolation management
- Multi-tenancy
- Logging challenges
- Data ownership issues
- Quality of service guarantees

12 Cloud Security Challenges, Part 2
- Dependence on secure hypervisors
- Attraction to hackers (high value target)
- Security of virtual OSs in the cloud
- Possibility for massive outages
- Encryption needs for cloud computing
  - Encrypting access to the cloud resource control interface
  - Encrypting administrative access to OS instances
  - Encrypting access to applications
  - Encrypting application data at rest
- Public cloud vs. internal cloud security
- Lack of public SaaS version control

13 Additional Issues
- Issues with moving PII and sensitive data to the cloud
- Privacy impact assessments
- Using SLAs to obtain cloud security
- Suggested requirements for cloud SLAs
- Issues with cloud forensics
- Contingency planning and disaster recovery for cloud implementations
- Handling compliance: FISMA, HIPAA, SOX, PCI, SAS 70 Audits
14 The Why and How of Cloud Migration
- There are many benefits that explain why to migrate to clouds: cost savings, power savings, green savings, increased agility in software deployment
- Cloud security issues may drive and define how we adopt and deploy cloud computing solutions

15 Balancing Threat Exposure and Cost Effectiveness
- Private clouds may have less threat exposure than community clouds, which have less threat exposure than public clouds.
- Massive public clouds may be more cost effective than large community clouds, which may be more cost effective than small private clouds.
- Don't strong security controls mean that I can adopt the most cost effective approach?

16 Cloud Migration and Cloud Security Architectures
- Clouds typically have a single security architecture but have many customers with different demands
- Clouds should attempt to provide configurable security mechanisms
- Organizations have more control over the security architecture of private clouds, followed by community and then public
  - This doesn't say anything about actual security
- Higher sensitivity data is likely to be processed on clouds where organizations have control over the security model

17 Putting it Together
- Most clouds will require very strong security controls
- All models of cloud may be used for differing tradeoffs between threat exposure and efficiency
- There is no one cloud. There are many models and architectures.
- How does one choose?

18 Migration Paths for Cloud Adoption
- Use public clouds
- Develop private clouds
  - Build a private cloud
  - Procure an outsourced private cloud
  - Migrate data centers to be private clouds (fully virtualized)
- Build or procure community clouds
  - Organization wide SaaS, PaaS and IaaS
  - Disaster recovery for private clouds
- Use hybrid-cloud technology
  - Workload portability between clouds

19 What, When, How to Move to the Cloud
- Identify the asset(s) for cloud deployment
  - Data
  - Applications/Functions/Process
- Evaluate the asset
  - Determine how important the data or function is to the org

20 Evaluate the Asset
How would we be harmed if:
- The asset became widely public & widely distributed?
- An employee of our cloud provider accessed the asset?
- The process or function were manipulated by an outsider?
- The process or function failed to provide expected results?
- The info/data was unexpectedly changed?
- The asset were unavailable for a period of time?

21 Map Asset to Models
4 Cloud Models:
- Public
- Private, internal, on premise
- Private, external
- Community
- Hybrid
Which cloud model addresses your security concerns?

22 Map Data Flow
- Map the data flow between your organization, cloud service, customers, other nodes
- Essential to understand whether & HOW data can move in/out of the cloud
- Sketch it for each of the models
- Know your risk tolerance!
23 Cloud Domains
Service contracts should address these 13 domains:
- Architectural Framework
- Governance, Enterprise Risk Mgt
- Legal, e-discovery
- Compliance & Audit
- Information Lifecycle Mgt
- Portability & Interoperability

24 Cloud Domains (continued)
- Security, Business Continuity, Disaster Recovery
- Data Center Operations
- Incident Response Issues
- Application Security
- Encryption & Key Mgt
- Identity & Access Mgt
- Virtualization

25 Security Stack
- IaaS: entire infrastructure from facilities to HW
- PaaS: application, middleware, database, messaging supported by IaaS
- SaaS: self contained operating environment: content, presentation, apps, mgt

26 Security Stack Concerns
- The lower down the stack the cloud vendor provides, the more security issues the consumer has to address or provide
- Who do you trust?

27 Key Takeaways
- SaaS: service levels, security, governance, compliance, liability expectations of the service & provider are contractually defined
- PaaS, IaaS: customer sysadmins manage the same, with the provider handling platform and infrastructure security

28 Security Pitfalls
- How cloud services are provided is confused with where they are provided
- Well demarcated network security border is not fixed
- Cloud computing implies loss of control

29 Overall Security Concerns
- Gracefully lose control while maintaining accountability even if operational responsibility falls upon 3rd parties
- Provider and user security duties differ greatly between cloud models
30 Key Challenges
- We aren't moving to the cloud... We are reinventing within the cloud
- Confluence of technology and economic innovation
- Disrupting technology and business relationships
- Pressure on traditional organizational boundaries
- Gold Rush mentality, backing into a 20 year platform choice
- Challenges traditional thinking
  - How do we build standards?
  - How do we create architectures?
  - What is the ecosystem required to manage, operate, assess and audit cloud systems?

31 Thinking about Threats
- Technology
  - Unvetted innovations within the S-P-I stack
  - Well known cloud architectures
- Business
  - How cloud dynamism is leveraged by customers/providers, e.g. provisioning, elasticity, load management
- Old threats reinvented: "must defend against the accumulation of all vulnerabilities ever recorded" (Dan Geer-ism)
- Malware in the cloud, for the cloud
- Lots of black box testing

32 Evolving Threats 1/2
- Unprotected APIs / Insecure Service Oriented Architecture
- Hypervisor Attacks
- L1/L2 Attacks (Cache Scraping)
- Trojaned AMI Images
- VMDK / VHD Repurposing
- Key Scraping
- Infrastructure DDoS

33 Evolving Threats 2/2
- Web application (mgt interface!)
  - XSRF
  - XSS
  - SQL Injection
- Data leakage
- Poor account provisioning
- Cloud provider insider abuse
- Financial DDoS ("Click Fraud")

34 Lots of Governance Issues
- Cloud Provider going out of business
- Provider not achieving SLAs
- Provider having poor business continuity planning
- Data Centers in countries with unfriendly laws
- Proprietary lock-in with technology, data formats
- Mistakes made by internal IT security are several orders of magnitude more serious
35 Governance
- Identify and implement processes and controls to maintain effective governance, risk mgt, compliance
- Provider security governance should be assessed for sufficiency, maturity, consistency with user ITSEC process

36 3rd Party Governance
- Request clear documents on how facility & services are assessed
- Require definition of what the provider considers critical services, info
- Perform full contract, terms of use due diligence to determine roles, accountability

37 Governance & ERM
- A portion of cloud cost savings must be invested into provider scrutiny
- Third party transparency of cloud provider
- Financial viability of cloud provider
- Alignment of key performance indicators
- Increased frequency of 3rd party risk assessments

38 Legal
- Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets.
- Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer
- Gain a clear expectation of the cloud provider's response to legal requests for information.
- Secondary uses of data
- Cross-border data transfers

39 Electronic Discovery
- Cloud Computing challenges the presumption that organizations have control over the data they are legally responsible for.
- Cloud providers must assure their information security systems are capable of preserving data as authentic and reliable: metadata, log files, etc.
- Mutual understanding of roles and responsibilities: litigation hold, discovery searches, expert testimony, etc.

40 e-discovery
- Functional: which functions & services in the Cloud have legal implications for both parties
- Jurisdictional: which governments administer laws and regulations impacting services, stakeholders, data assets
- Contractual: terms & conditions

41 e-discovery
- Both parties must understand each other's roles: litigation hold, discovery searches, expert testimony
- Provider must save primary and secondary (logs) data
- Where is the data stored? Laws for cross border data flows

42 e-discovery
- Plan for unexpected contract termination and orderly return or secure disposal of assets
- You should ensure you retain ownership of your data in its original form

43 Security Audit
- Hard to maintain with your security/regulatory requirements, harder to demonstrate to auditors
- Right to Audit clause
- Analyze compliance scope
- Regulatory impact on data security
- Evidence requirements are met
- Does the provider have SAS 70 Type II, ISO 27001/2 audit statements?
44 Information Management
- Data security (CIA)
- Data Location
  - All copies, backups stored only at locations allowed by contract, SLA and/or regulation
  - Compliant storage (EU mandate) for storing e-health records

45 Information Lifecycle Management
- Understand the logical segregation of information and protective controls implemented
- Understand the privacy restrictions inherent in data entrusted to your company, and how they impact the legality of using a cloud provider.
- Data retention assurance is easy; data destruction may be very difficult.
- Recovering the true cost of a breach: penalties vs. risk transference

46 Portability, Interoperability
When you have to switch cloud providers:
- Contract price increase
- Provider bankruptcy
- Provider service shutdown
- Decrease in service quality
- Business dispute

47 Portability & Interoperability
- Understand and implement layers of abstraction
  - For Software as a Service (SaaS), perform regular data extractions and backups to a usable format
  - For Infrastructure as a Service (IaaS), deploy applications in runtime in a way that is abstracted from the machine image.
  - For Platform as a Service (PaaS), careful application development techniques and thoughtful architecture should be followed to minimize potential lock-in for the customer: loose coupling using SOA principles
- Understand who the competitors are to your cloud providers and what their capabilities are to assist in migration.
- Advocate open standards.

48 Compliance & Audit
- Classify data and systems to understand compliance requirements
- Understand data locations, copies
- Maintain a right to audit on demand
- Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X

49 Traditional, BCM/DR
- Greatest concern is insider threat
- Cloud providers should adopt as a security baseline the most stringent requirements of any customer.
- Compartmentalization of job duties and limited knowledge of customers.
- Onsite inspections of cloud provider facilities whenever possible.
- Inspect cloud provider disaster recovery and business continuity plans.
- Identify physical interdependencies in provider infrastructure.

50 Security, Business Continuity, Disaster Recovery
- Centralization of data = greater insider threat from within the provider
- Require onsite inspections of provider facilities
- Disaster recovery, business continuity, etc.
- SAS 70 Type II, WebTrust, SysTrust
51 Data Center Operations
How does the provider perform:
- On-demand self service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

52 Data Center Operations
- Compartmentalization of systems, networks, management, provisioning and personnel.
- Know the cloud provider's other clients to assess their impact on you
- Understand how resource sharing occurs within your cloud provider to understand the impact during your business fluctuations.
- For IaaS and PaaS, the cloud provider's patch management policies and procedures have significant impact
- The cloud provider's technology architecture may use new and unproven methods for failover.
- The customer's own BCP plans should address impacts and limitations of Cloud computing.
- Test the cloud provider's customer service function regularly to determine their level of mastery in supporting the services.

53 Incident Response
- Cloud apps aren't always designed with data integrity and security in mind
- Does the provider keep app, firewall, IDS logs?
- Does the provider deliver snapshots of your virtual environment?
- Sensitive data must be encrypted for data breach regulations

54 Incident Response
- Any data classified as private for the purpose of data breach regulations should always be encrypted to reduce the consequences of a breach incident.
- Cloud providers need application layer logging frameworks to provide granular narrowing of incidents to a specific customer.
- Cloud providers should construct a registry of application owners by application interface (URL, SOA service, etc.).
- Cloud providers and customers need defined collaboration for incident response.

55 Application Security
- Different trust boundaries for IaaS, PaaS, SaaS
- What is the provider's web application security?
- Secure inter-host communication channel

56 Application Security
- Importance of a secure software development lifecycle is magnified
- IaaS, PaaS and SaaS create differing trust boundaries for the software development lifecycle, which must be accounted for during the development, testing and production deployment of applications.
- For IaaS, need trusted virtual machine images.
- Apply the best practices available for hardening DMZ host systems to virtual machines.
- Securing inter-host communications must be the rule; there can be no assumption of a secure channel between hosts
- Understand how malicious actors are likely to adapt their attack techniques to cloud platforms

57 Storage
- Understand the storage architecture and abstraction layers to verify that the storage subsystem does not span domain trust boundaries.
- Ascertain if knowing the storage geographical location is possible.
- Understand the cloud provider's data search capabilities.
- Understand cloud provider storage retirement processes.
- Understand circumstances under which storage can be seized by a third party or government entity.
- Understand how encryption is managed on multi-tenant storage.
- Can the cloud provider support long term archiving? Will the data be available several years later?
58 Encryption
- From a risk management perspective, unencrypted data existent in the cloud may be considered lost by the customer.
- Application providers who are not controlling backend systems should assure that data is encrypted when being stored on the backend.
- Use encryption to separate data holding from data usage.
- Segregate the key management from the cloud provider hosting the data, creating a chain of separation.
- When stipulating standard encryption in contract language

59 Encryption, Key Management
- Encrypt data in transit, at rest, and on backup media
- Secure key store
- Protect encryption keys
- Ensure encryption is based on industry/government standards: NO proprietary standard
- Limit access to key stores
- Key backup & recoverability: test these procedures
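Slides 58 and 59 call for standard algorithms, key management kept separate from the provider that hosts the data, and tested key backup and recovery. The Go program below is an added illustration, not code from the presentation or any vendor: it models envelope encryption with AES-256-GCM, where the provider stores only ciphertext plus a wrapped per-object data key, the customer-side KeyHolder (a hypothetical type) keeps the key-encryption key, and RecoveryDrill exercises the backup-and-restore procedure against a constructed sample record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyHolder models the customer-side key management service (hypothetical type,
// not from the slides): it holds the key-encryption key (KEK) and never hands it
// to the storage provider.
type KeyHolder struct {
	kek []byte // 32-byte AES-256 key
}

// StoredObject is all the cloud provider holds: ciphertext plus the per-object
// data key (DEK) wrapped under the customer's KEK. Without the KEK it is opaque.
type StoredObject struct {
	WrappedDEK []byte // DEK sealed with the KEK, nonce prefixed
	Ciphertext []byte // data sealed with the DEK, nonce prefixed
}

func NewKeyHolder() (*KeyHolder, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyHolder{kek: kek}, nil
}

// newGCM builds AES-256-GCM, a NIST-standard AEAD (no proprietary cipher).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext, binds aad, and prefixes the nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or modified blob fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open sealed blob: %v", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt runs on the customer side: a fresh DEK seals the data and the KEK wraps
// the DEK. objectID is bound as associated data so a wrapped DEK cannot be moved.
func (k *KeyHolder) Encrypt(objectID string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(k.kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &StoredObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the data.
func (k *KeyHolder) Decrypt(objectID string, obj *StoredObject) ([]byte, error) {
	dek, err := open(k.kek, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectID))
}

// ExportKEK and ImportKEK stand in for the key backup and restore procedure.
func (k *KeyHolder) ExportKEK() []byte  { return append([]byte(nil), k.kek...) }
func ImportKEK(backup []byte) *KeyHolder { return &KeyHolder{kek: append([]byte(nil), backup...)} }

// RecoveryDrill is the "test these procedures" step: a KEK restored from backup
// must still read the object, and a holder with a different (all-zero) KEK must not.
func RecoveryDrill(orig *KeyHolder, objectID string, obj *StoredObject, want []byte) (bool, error) {
	got, err := ImportKEK(orig.ExportKEK()).Decrypt(objectID, obj)
	if err != nil || !bytes.Equal(got, want) {
		return false, fmt.Errorf("restored KEK failed to recover data: %v", err)
	}
	if _, err := ImportKEK(make([]byte, 32)).Decrypt(objectID, obj); err == nil {
		return false, fmt.Errorf("object readable without the customer's KEK")
	}
	return true, nil
}
```

Only the KeyHolder side ever sees a DEK in the clear, so an administrator at the provider who copies a StoredObject gets nothing usable, while the drill proves the backup KEK actually restores access before that is needed in an incident.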
60 Identity & Access Management
- Must have a robust federated identity management architecture and strategy internal to the organization.
- Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
- Validate that the cloud provider either supports strong authentication natively or via delegation, and supports robust password policies that meet and exceed internal policies.
- Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.
- Consider implementing Single Sign-on (SSO) for internal applications, and leveraging this architecture for cloud applications.
- Using cloud-based Identity as a Service providers may be a useful tool for abstracting and managing complexities such as differing versions of SAML, etc.

61 Identity and Access Management
Determine how the provider handles:
- Provisioning, de-provisioning
- Authentication
- Federation
- Authorization, user profile mgt

62 Virtualization
- Virtualized operating systems should be augmented by third party security technology.
- The simplicity of invoking new machine instances from a VM platform creates a risk that insecure machine images can be created.
- Secure by default configuration needs to be assured by following or exceeding available industry baselines.
- Virtualization also contains many security advantages, such as creating isolated environments and better defined memory space, which can minimize application instability and simplify recovery.
- Need granular monitoring of traffic crossing VM backplanes
- Provisioning, administrative access and control of virtualized operating systems is crucial

63 Virtualization
- What type of virtualization is used by the provider?
- What 3rd party security technology augments the virtual OS?
- Which controls protect admin interfaces exposed to users?
65 Summary
- There are many security implications to consider when utilizing a cloud environment.
- Keeping your mind open and understanding the issues is essential to protecting your data in the Cloud.

66 Section 2: Planning your Cloud Computing Audit

67 Planning Your Audit
- Defining your audit objectives
  - Boundaries of review (e.g., cloud environment in use or under consideration, types of cloud services, technical boundaries)
  - Identify and document business risk associated with the cloud solution
- Identification of audit resource requirements
  - Requisite knowledge in information governance, IT management, network, data, contingency and encryption controls
  - Proficiency in risk assessment, information security components of IT architecture, threats & vulnerabilities and internet-based data processing
  - Knowledge of web services standards such as OASIS and WSS
- Define deliverables and communication (e.g. communication to various stakeholders, nature of deliverables, timing, etc.)
68 Cloud Assurance Framework (diagram). Areas shown: Cloud Strategy & Business Case; Cloud Governance; Data Governance; Right to Audit & Third Party Reviews; Provider Continuity; Portability and Interoperability; SLA Management; Interface Management; Legal Compliance & e-discovery; Contract Terms & Escrow; Compliance (FISMA, SOX, GLBA, ISO, PCI); Incident Management; Dashboard & Reporting; License Management; Cloud Provider Management; Enterprise Risk Management; Metering and Usage; Monitoring; Cloud Architecture; Functional Implications; Change Management; Information Security Collaboration; Capacity Planning; Metrics & SLA; Information Risk Management. Service models: IaaS, PaaS, SaaS, BPaaS. Deployment models: Private, Public, Community, Hybrid. Dimensions: Technology, Process, People.

69 Assessing Technical Architecture (diagram). Service Delivery: Application Security, Data Security & Integrity, Identity & Access Management, Virtualization, Provisioning. Infrastructure Management: Configuration Management, Asset Management, Virtualization, Anti Virus, Patch Management, Release Management. Infrastructure: Servers, Storage, Network, Power/Cooling. Each area is assessed on P, F and T (legend on the slide: People, Process, Flow, Technology), across IaaS/PaaS/SaaS/BPaaS and Private/Public/Community/Hybrid.

70 #1 Shadow Cloud Practices Will Surface: Audit Focus Areas (the Cloud Assurance Framework diagram of slide 68, repeated with the relevant areas highlighted)
71 #1 Shadow Cloud Practices Will Surface
Risk Area: Governance over Cloud Adoption
Scenario: Unauthorized use of Public Cloud Services is a common problem. Client X was using over 25 different CSPs spanning across their ERP, HR, Fixed Assets, CRM, Support, Collaboration, Ticketing System, etc. The majority of these cloud services were procured without the knowledge and approval of IT / Procurement, bypassing procedures put in place by our client to manage and maintain security and data protection.
Audit Considerations:
1. Functional Implications: Has the company established a companywide documented policy for appropriate use of Cloud Computing Services? Has an information management liaison been established to manage an inventory of CSPs and evaluate policies for on/off boarding, including backout policy considerations?
2. Information Security Collaboration: Is there an education and awareness program to communicate the risks associated with unauthorized use of Public Cloud Services? Has IT performed an assessment on security? Interfaces?

72 #2 Don't just sign on the dotted line
Risk Area: Cloud Provider Contract (Terms/Conditions)
Scenario: Contracts with Cloud Providers often lack key security requirements important to the organization (e.g. security breach, location of data, service termination). This is most prevalent when business users procure services outside of the normal channels in order to get the service up and running quickly.
Audit Considerations:
1. Have all Cloud Services undergone a formal risk assessment as a preliminary step to contract negotiation?
2. Have the following been considered as part of contract negotiations: Confidentiality, Limitation of Liability, Indemnification, Service Termination, Service Level Agreements and Non-Performance Clauses, Software Escrow, Security Incident Procedures, Ownership Changes, Privacy, Jurisdiction, Notification, and Modifications?
3. Is there a process in place to periodically review the commitment of the Cloud Provider throughout the course of the contract?
73 #3 You will need to retain Ownership for Access Roles and Permissions: Audit Focus Areas (the technical architecture diagram of slide 69, repeated with the relevant areas highlighted)

74 #3 You will retain ownership for Roles and Permissions
Risk Area: Identity and Access Management
Scenario: Access control mechanisms for Cloud Providers are typically separate from internal processes and fall outside approved and documented methods to manage access. Client X utilized a CSP to perform, and allowed contractors to perform, some day-to-day finance functions. As part of their access, the contractors were also able to see quarter-end and year-end information which should have been restricted.
Audit Considerations:
1. Provisioning: Do the current access controls of the Cloud service provider meet existing company requirements for roles and permissions?
2. Identity and Access Management: Has the company determined if the company's Access Control Procedures require modification to meet the needs of extending to a Cloud Provider, e.g. IAM Federation? How have we evaluated the complexities of auditing APIs, Hypervisors, Virtualized environments?

75 #4 Moving to the Cloud Doesn't Mean Farming Out Your IT Management Responsibilities: Audit Focus Areas (the technical architecture diagram of slide 69, repeated with the relevant areas highlighted)

76 #4 Moving to the Cloud Doesn't Mean Farming Out Your IT Management Responsibilities
Risk Area: Cloud Release and Configuration Management
Scenario: Client X adopted a cloud based ERP solution. Change management processes have not been established for changes made to scripts and the 30 customizations they had made to their ERP. In addition, a staging environment containing a mirror of production data was not available to conduct sufficient testing.
Audit Considerations:
1. Configuration management: Has a change management log been established that requires change board approvals?
2. Release management: Have policies for release management been adequately established for the cloud-based ERP solution? Does a change board exist? Has a QA environment that contains sufficient data to conduct scenario testing been procured?
3. SOC Report: Have all user control considerations from the SOC report been fully considered?
77 #5 No One Will Care More About Your Data Than You: Audit Focus Areas (the Cloud Assurance Framework diagram of slide 68, repeated with the relevant areas highlighted)

78 #5 No One Will Care More About Your Data Than You
Risk Area: Data Protection and Rights to Audit
Scenario: Data/information to be stored in the Cloud should adhere to the guidance provided for information/data protection, including the risk of data being targeted by an Advanced Persistent Threat. Client X's legal department had moved case management to a CSP. The data is stored in a multi-tenancy environment. When internal audit requested assurance over controls, the SAS70 for the data center where the application is hosted was provided.
Audit Considerations:
1. Data Protection Security: Has a Data Classification scheme been applied to data/information considered for a Cloud Solution? Has the company evaluated the need for a Digital Rights Management (DRM) or Data Loss Prevention (DLP) solution?
2. Have the contracts been reviewed by legal (rights & obligations), internal audit (rights to audit) and IT (service level agreements)?
79 #6 Bad Processes Will Not Become Good Processes By Just Moving To The Cloud
Risk Area: Portability and Interoperability, and Data Integrity
Scenario: Client X moved to a SaaS CRM solution 2 years ago as the company was growing significantly and they realized it was difficult to manage its customer data. Today, the company realizes that retrieval of customer data is a significantly manual process through compilation of spreadsheets, given the complexity of the customer hierarchy and lack of integration with its ERP.
Audit Considerations:
1. Have we considered all our reporting requirements in the context of the company prior to moving to a CSP? What about the data architecture? Data governance and customer data dictionary?
2. Have integration and interfaces with existing systems been fully considered?

80 #7 It's like your phone bill. If you don't review your minutes, be prepared to pay the price
Risk Area: Metering and Bursting Revenue
Scenario: Invoices provided by the Cloud Provider for bursting revenue are in excess of what is truly consumed by the company. In addition, there isn't a process to monitor the monthly consumption of data used to determine if a move to a higher subscription package is required.
Audit Considerations:
1. Are there processes in place to monitor the data usage and any bursting charges incurred?
2. Has the company evaluated what the appropriate subscription package is, based on total company consumption of bandwidth?
3. Have we considered requesting an independent assessment of the data provided by the company or its internal controls?

81 #8 Everybody wants to be in the cloud. It's not that simple
Risk Area: Project Risk and Third Party Management (CSP)
Scenario: Client X had just completed building a successful SaaS based solution for its products. To meet the increased high transaction volume from this move, they decided to develop a private IaaS solution. They had engaged the CSP to help implement the solution and after 6 months found that, while technically strong, the CSP did not have the right process knowledge, change management expertise and sufficient understanding of the client's business.
Audit Considerations:
1. What evaluation was undertaken to determine fit in terms of experience and skill set when selecting a system integrator for a Cloud based solution? (e.g. integrations? data cleansing?)
82 Summary - Plan for Success Engage in the strategy for moving to the cloud Understand your company s rationale for adopting cloud Review impacted business activities in as is and to be state Assess capabilities of existing personnel to manage transition and to perform roles in new state Treat the move as a process not a project Assess risk and build a plan to manage accordingly 82
83 Closing Comments: Cloud Reporting: What exists today
Cloud customers gather information through inefficient activities, often led by vendor management or procurement functions:
- Provider self-assessments, typically focused on security policies
- Responses to customer-prepared questionnaires
- Service level agreements (SLAs) describing the provider's obligations
- Third-party SAS 70 (now SSAE 16) reports
- Other certifications: PCI, ISO 27002, HIPAA, FISMA, etc.
These sources:
- Do not comprehensively address the service offering and the relevant compliance requirements from the perspective of the customer's needs or expectations
- Are not focused on the cloud provider's unique service offering
84 Closing Comments: Cloud Reporting: Looking forward
No globally recognized framework exists, and one may not for the foreseeable future.
Comparison of AICPA Service Organization Reports and custom attestation (columns: SOC 1 / SSAE 16, the replacement for SAS 70 as of 6/11; SOC 2; SOC 3; Custom Attest):
Consideration Point: AICPA suggested scope
- SOC 1 / SSAE 16: Controls over financial reporting. Used in conjunction with an audit of users' financial statements.
- SOC 2 and SOC 3: Controls relevant to compliance or operations, which could include (*): Security; Availability and processing integrity; Confidentiality; Privacy; Data integrity and ownership. (*) Use of AICPA Trust Principles required.
- Custom Attest: Management defined. Can include controls relevant and unique to Operations, Billing, Technology Security, Privacy and beyond.
Consideration Point: Intended audience
- SOC 1 and SOC 2: Restricted use
- SOC 3: General use (with public seal)
- Custom Attest: Generally restricted use, but may be unrestricted
Consideration Point: Content of report
- SOC 1 and SOC 2: Management's assertion; management's description of the service organization's system; description of controls; report may be Type 1 (design only) or Type 2 (design and operating effectiveness); opinion on control effectiveness
- SOC 3: Management assertion; unaudited system description; opinion on control effectiveness
- Custom Attest: Management assertion; opinion on control effectiveness
Consideration Point: AICPA attestation standard
- SOC 1: SSAE 16
- SOC 2, SOC 3 and Custom Attest: AT 101, Attest Engagements
85 Stay Engaged as the Cloud Evolves
Cloud computing is fundamentally changing business across all industries and markets
Keeping pace with the change and adapting as it evolves is key for all cloud adopters, including IT compliance and audit professionals
More resources
86 Areas of Expertise
- Security Governance, Strategy and Compliance
- Data Privacy and Protection
- Security Frameworks and Regulatory Compliance
- Security Risk Assessments
- Payment Card Industry (PCI) Strategy and Compliance Readiness
- Secure Network Architecture and Design
- Security Information and Event Management Systems
- Emerging Technologies (i.e. Mobile Devices, Cloud Computing)
Dr. Yonesy F. Nuñez, Manager
Contact Details: Phone:
Background: Yonesy is a Manager in the New York Metro IT Risk and Security Assurance Practice and has 14 years of experience delivering Information Security services. Yonesy has led efforts to create and institute comprehensive information security programs for a variety of industries. He works with various clients to balance security, risk, IT operations, the threat-vector landscape, and business objectives to enable efficient business decisions in preparation for and during severe crisis events. He has managed and successfully supported internal audit engagements as they relate to application security, outsourced development, network security, threat and vulnerability assessment, attack and penetration, business impact analyses, incident management, multi-tenancy cloud environment reviews, business continuance and disaster recovery plans, Data Loss Prevention, and IT Risk assessments. He is a nationally respected Speaker and Instructor for Information Security Strategy, Industry Regulations and Compliance, Cloud Computing, Data Encryption, Virtual Computing, and IT Audit. He holds numerous information security, risk, and governance certifications. He has a B.S. in Finance and Computer Information Systems from Manhattan College, an M.S. in Information Systems Engineering from The Polytechnic Institute of NYU, and a Doctorate in Computing, Information Assurance and Security from Pace University.
Relevant Projects and Experience:
Led global efforts in IT Governance, Security and Compliance including:
- Global Data Privacy / Information Security Strategy
- Global SOX ITGC Testing
- Organizational Strategy
- ISO 27001:4 Control Framework
- Technical Remediation
- Application security development / secure coding
- Japan PPI, European Data Directives, Safe Harbor, ITAR
IT Audit
External Audit Support
Security Framework Development
Threat and vulnerability / Attack and Penetration / Application Security
Disaster Recovery / Data Center Reviews
Business Continuity Management
TPA: Cloud Computing
FISMA
Virtualized Environments
Outsourcing
Application Development Security
Internet Vulnerability and Attack & Penetration Assessment
Current Certifications
- CGEIT - Certified in the Governance of Enterprise IT
- CRISC - Certified in Risk and Information Systems Control
- CISM - Certified Information Security Manager
- CISSP - Certified Information Systems Security Professional
- ISSAP - Information Systems Security Architecture Professional
- ISSMP - Information Systems Security Management Professional
- ISSPCS - International Systems Security Professional Certification Scheme
- MCSE: Microsoft Certified Systems Engineer
- MCSA: Microsoft Certified Systems Administrator
- Security+
Subject Matter Expert
Member of ISSA, ISACA, Infragard, and ALPFA
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More information