Implementing secure cloud services


Company85 Executive Guide: Cloud Security

Implementing secure cloud services
An executive guide to assessing your cloud maturity

- Understand the major security implications of moving to the cloud
- Get practical advice on how to implement cloud services securely
- Assess your cloud maturity posture with our instant test

Contents
About this guide 3
Introduction 4
What's driving cloud security concerns? 5
Tackling security in the cloud 8
Instant test: 20 questions 12
Scores on the doors: your cloud maturity posture 14
Next steps 14
Glossary 15
References 15

An independent perspective
This document has been prepared by the security and privacy practice of Company85. As a technology-agnostic consultancy of over 20 years' standing, Company85 has no product sales agenda. We provide an independent perspective and impartial advice for those moving to cloud computing. We are familiar with using cloud services ourselves, as well as advising FTSE100 corporations and local/national government clients, so we are well placed to discuss the strategic and practical considerations of cloud security and governance.

"Only 32% of companies believe the cost savings associated with cloud computing outweigh security considerations for their organisation" (nCircle 2011 Cloud Computing Trends Survey)

About this guide

What this guide will do for you
Security is often cited as a major obstacle to adoption of cloud computing, but it doesn't have to be that way. This brief executive guide will help you:
- Understand the major security implications of moving to the cloud
- Get practical advice on how to implement cloud services securely
- Assess your cloud maturity posture with our instant cloud security test

How to use this guide
For organisations moving to cloud, this guide highlights the major governance and legal considerations that should be taken into account alongside security controls when planning any migration. For organisations already using cloud services, the assessment questions on page 12 provide a handy checklist to ensure that current governance and best practice is up to scratch. The guide assumes a general awareness of some common terminology, but a brief glossary is included on page 15.

Who should read this guide
This guide is appropriate for business and IT executives who wish to gain an overview of issues affecting security in the cloud. For more detailed information on any of the subjects discussed, the author welcomes comments and enquiries.

Executive summary
In 2012, 80 per cent of new commercial enterprise apps will be deployed on cloud platforms, while four out of five businesses are planning to move services to the cloud. Clearly, the momentum behind cloud is now unstoppable. It has been suggested that more than 50 per cent of Global 1000 companies will have stored customer-sensitive data in the public cloud by the end of 2016, although this assumption is based on the expectation that cloud security technologies, governance and insurance will evolve at a sufficiently rapid pace.
Cloud security is about addressing the same identity management, encryption, detection and forensics issues IT departments have always faced, along with taking responsibility for governing how and where data is stored and accessed in the cloud. This document examines the current state of play regarding cloud security and outlines practical steps that you can take to plan your cloud security needs. We look at the typical security challenges facing organisations today, such as:
- Ensuring cloud service providers (CSPs) are in compliance with your security policies, especially once you expand to use multiple CSPs
- Protecting your critical information in multi-tenanted cloud environments
- Addressing the legal and contractual issues posed by the globally distributed infrastructures used by many CSPs
We then look at some of the possible solutions to these challenges:
- Updating governance, risk and compliance (GRC) frameworks to address the management of CSPs
- Auditing of CSPs by you and third parties
- Consideration of the legal and contractual implications of placing each application's data within a CSP
- Perhaps most importantly, having an exit plan in place for when the arrangement with the CSP ends
We also look at some of the recent developments affecting CSP security issues:
- Independent, third-party certification of CSPs
- Availability of specialist insurance

"At year-end 2016, more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud" (Gartner Group)

Introduction
With good reason, security is consistently raised as a major concern when organisations are considering cloud-based services. With cyber attacks increasingly focused on commercial gain, and with incidents of data leakage constantly in the headlines, organisations must ensure their data assets are well protected when they put them into the hands of a third party. Organisations react in different ways to the challenge of security in the cloud: some believe the benefits outweigh the concerns and push forward with adoption, while others see the issue as a showstopper. At Company85, our experience is that although the security aspects need careful consideration, they can be effectively managed, allowing firms to realise the benefits of cloud without putting their sensitive data at excessive risk. In this guide we give an overview of the major issues impacting cloud security and provide some practical guidance on what you can do about them.

Cloud trends
Cloud is already well established. IDC claims that in 2012, 80 per cent of new commercial enterprise apps will be deployed on cloud platforms [i], while KPMG's 2011 Cloud Survey of over 900 global companies found four out of five businesses were moving or plan to move some of their computing needs to cloud services [ii]. Despite the early rumours of hype, cloud is now seen as a game changer by many in the industry, with the potential of delivering competitive advantage through scalability, flexibility or cost reduction. For many organisations the question has moved on from "should we move to cloud?" to "how do we move to cloud?". However, achieving security for cloud environments is a top concern for organisations. The Symantec 2011 Global State of the Cloud survey, for example, identified that per cent of respondents have concerns about potential risks, including malware, hacker-based theft, data leakage or breach, denial-of-service (DoS) attacks, adverse compliance audit findings and the inability to recover data for a court case [iii].
Those concerns are real, but there's no denying where the endgame lies. "At year-end 2016, more than 50 per cent of Global 1000 companies will have stored customer-sensitive data in the public cloud," claims Gartner [iv]. As cloud computing security improves and becomes subject to insurance policies and independent certifications, organisations will feel more comfortable about putting sensitive data in the cloud. In due course, commentators assure us, independent cloud insurance will become commonplace, providing businesses with the assurance that they'll be compensated in the case of data loss or security breach.
So where does that leave things now? Many organisations have already carried out migrations of low-risk services, such as analytics, or to brands which have achieved industry-wide acceptance, such as Salesforce. Often this is done to test the concept before considering migration of more critical applications. At Company85, we are seeing more and more enquiries from clients looking to migrate service layers into the cloud. Having an appropriate security and governance model in place is the most important prerequisite for these clients. At the moment the projected assurances predicted by Gartner may not be fully in place, but we believe that, as with so many other aspects of cloud computing, a substantial part of security is about addressing the same issues (identity management, detection and forensics, and encryption) that IT departments have always faced.

Figure: Primary threats and vulnerabilities in a cloud environment

"In the jungle of multi-tenant data, you need to trust the cloud provider that your information will not be exposed" (Datamonitor)

What's driving cloud security concerns?

The multi-tenancy conundrum
A cloud infrastructure is generally multi-tenant, with a decoupling of specific hardware resources and applications. Within this jungle of multi-tenant data, you need to trust the cloud provider that your information will not be exposed. In a multi-tenant cloud environment, ensuring separation of data is also a major concern, especially where infrastructure is shared. Where, exactly, does the data reside? Organisations need to be vigilant around issues such as how customer boundaries are enforced and how passwords are assigned, protected and changed. Cloud service providers (CSPs) typically work with numbers of third parties, and we would advise organisations to gain information about those companies which could potentially access their data. Being a CSP does not necessarily mean that you provide physical hosting. An important consideration for cloud service customers, especially those responsible for highly sensitive data, is to find out about the hosting company used by the provider and, if possible, seek an independent audit of its security status.

Governance
If cloud continues to grow as expected, it is likely organisations will have to expand their existing governance structures to support multiple cloud suppliers and multiple service models: software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). The impact of governance in the cloud on each of these models, compared with traditional on-premise and hosted environments, is depicted below.

Figure: Who has control in a cloud environment?

As shown, control increases in favour of the CSP the deeper you move into the cloud, but this does not absolve you from your responsibility for security. Governance, risk and compliance (GRC) remains with your organisation. It is paramount that organisations have robust audit and monitoring frameworks in place to ensure that risk is managed across a potentially diverse supply chain, and that service levels and contractual obligations are met.

Data privacy
Traditionally, organisations have derived some confidence from knowing their data sits on assets they own, often in buildings they own, which are secured and managed by staff they employ. The most extreme contrast to this would be a public cloud, where your data can sit in multiple buildings, often across multiple countries, and be accessed by a potentially large number of unknown CSP staff. For most organisations the reality will sit somewhere between these examples, but the problem of ensuring private data is protected is a real one. If personal data is leaked or commercially sensitive information is lost, it is unlikely the resulting reputational or financial damage will be covered within your contract with the CSP.

Access control
Many large organisations today are still grappling with the problem of controlling access to a diverse portfolio of systems and applications. Ensuring that access for leavers is removed in a timely manner across every application, that access is reviewed as staff change roles, and that personal mobile device access is controlled are ongoing problems that are only made worse by cloud. Cloud creates further islands of access control which require new processes and tooling. While tools are available to help with some aspects, this is an area that is still maturing, so it may not be easy to find a single solution that meets all your requirements.

"Microsoft has told Office365 users that they cannot guarantee that EU-stored data, held in EU-based data centres, will not leave the European Economic Area under any circumstances, as they are a US company governed by the Patriot Act"

Regulatory and compliance issues
Cloud's special status, in which so many parties can be involved, can muddy the waters concerning legal and regulatory issues and responsibilities. You are still responsible for complying with regulations and monitoring compliance even if the service is provided by a third party, but ensuring compliance across an abstract cloud solution is very different from a traditional in-house solution. Passing down liability to your cloud service provider within the legal contract may be prohibitively expensive. Gartner has claimed that by 2016, 40 per cent of enterprises will make proof of independent security testing a precondition for using any type of cloud service. It seems likely that in due course there will be third-party certification processes. Some commentators suggest that there will be a strong tie to cloud computing insurance, as the safer a cloud is, the lower companies' insurance premiums will be when using that cloud. CSPs may embrace this as an opportunity to prove just how secure they are [v].
Although cloud computing is generally perceived as a technology issue, from a security perspective it is good governance, demonstrable compliance and robust agreements that are paramount. While technological security solutions are still maturing, the only real challenge there is making sure everything works as it should. What cloud has introduced is a situation where you no longer have direct control over where data sits. What is the policy for archiving and deleting data? How do you retrieve data if it's needed to demonstrate compliance, or to support a court case? What data can be lawfully accessed by another country's judiciary without your permission? If an organisation has not prepared thoroughly in these areas, there's really little point in starting to think about the technology implications and solutions in the cloud.

Multi-country infrastructures
Many cloud providers have put in place multi-country infrastructures to provide better economies of scale. This means your data could easily end up in any country around the world, potentially as a result of an automated process requiring no review or approval. This could conflict with local privacy legislation or put your data at risk if that country's privacy laws are less stringent than those of the EU. According to a paper presented at the 2009 IEEE International Conference on Services Computing, jurisdiction and legal status form "a large question looming like a dark cloud on the horizon... is stuff in the cloud on the same legal footing as stuff in your data centre?" [vi]

US Patriot Act
Many cloud providers are US companies governed by the US Patriot Act. This could well put non-US organisations in conflict with local privacy legislation or commitments to their clients, as US CSPs are legally required to surrender information to the US government on request, regardless of which country the data is stored in. For companies planning on using US CSPs, this poses a significant obstacle to cloud adoption. Alistair Maughan, partner at law firm Morrison & Foerster, revealed in 2010 that the Patriot Act has already impacted the UK government, saying he'd worked on a case where the UK government was unknowingly sharing data with US authorities, which was allowed because of the Patriot Act. Maughan added that for now this was "very good news for UK-based cloud service providers", as this will work to their advantage when clients are choosing between vendors [vii].

Proposed European regulation
In January 2012 the European Commission released its proposal for a new data protection framework. It will be the most significant global legislative development affecting the collection, use and protection of personal information for 15 years. The proposed laws will require all businesses collecting personal data in the EU to make changes to the way they collect and process that data, with an emphasis on explicit consent, data portability and the "right to be forgotten" through deletion. The laws will also apply to personal data handled abroad by companies that are active in the EU and that offer services to EU citizens. The proposed changes are intended to give individuals more control over, and easier access to, their personal data and to improve the quality of information about what happens to that data once individuals decide to share it. Although only at a consultative stage, key issues arising from this proposal are expected to tighten up both regulatory compliance and cloud security compliance.

"Traditional insurance products are unlikely to provide the scope of coverage required by the proposed regulation covering data breach and cyber liability" (Lawrence Graham LLP)

The law firm Lawrence Graham LLP identifies the following practical implications [viii]:
- Deploying the right privacy policies and consent forms will become increasingly important
- Organisations must examine what data needs to be encrypted to mitigate the effect of a data breach
- Encouragement will be given to associations to develop codes of conduct as well as certification mechanisms, data protection seals and the like, in order to allow individuals to quickly assess the level of data protection and data security offered by particular organisations (providing evidence of compliance will be critical)
- Traditional insurance products are unlikely to provide the scope of coverage required by the proposed regulation covering data breach and cyber liability
- Data controllers will need to review their contracts with CSPs to ensure that responsibilities are clearly set out (Lawrence Graham points out that CSPs may treat the new laws as an opportunity to demonstrate higher levels of security than their peers)
This last point is underlined by another European Union initiative, announced in September 2011, proposing that CSPs will become legally liable for data breaches. The Binding Safe Processor Rules (BSPR) will require CSPs to agree liability should any data offences occur at their data centres. Advocates argue that this will effectively act as an accreditation scheme for CSPs. Eduardo Ustaran, partner at law firm Field Fisher Waterhouse, suggests CSPs would sign up because it would give them a selling point [ix]. If they refused, they would be seen as unsafe to use. Ustaran points out that to gain accreditation, CSPs would have to prove their security models were adequate: "Cloud service providers would be given an accreditation from their data protection authority."

Current exposure to security and privacy breaches
Aside from legal and regulatory issues, there are questions to be answered around security technology and how it is employed in a cloud environment.

Variance in cloud service provider security
As the trend toward tighter regulation underlines, standards of security continue to vary, both between individual CSPs and between countries. In a survey by Ponemon Institute in 2010 [x], CSPs were asked "How confident are you that cloud applications and resources supplied by your organisation are secure?" Their responses were revealing. Only 43 per cent were confident with private cloud, and even fewer (39 per cent) were confident with public cloud. This reinforces the need for any organisation contracting a cloud service to take its own steps to protect against security and privacy risks. The same survey highlighted differences in attitudes to cloud security between US and European CSPs. For example, in Europe the help desk supervisor is twice as likely to be responsible for cloud security as in the US. Perhaps reflecting the more litigious nature of business in the US, the legal function is nearly twice as likely to be responsible for cloud security as its European counterpart.

Denial-of-service exposure
While denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are nothing new, it's not just the corporate website that's the target now: put any services into the public cloud with open access across the internet and they become a DoS target. Even large, technology-savvy firms such as Google and Amazon have been hit by highly publicised attacks. As recently as October 2011, researchers demonstrated an account hijacking attack on Amazon Web Services that they believe could affect other cloud computing services as well [xi].

"Is stuff in the cloud on the same legal footing as stuff in your data centre?" (International Institute of Information Technology)

Tackling security in the cloud

GRC and legal considerations

Understand your requirements and establish a GRC framework
Before you sign a contract with a CSP it is important to work out your governance, risk and compliance (GRC) requirements based around recognised standards such as ISO/IEC27002:5, Information Security Forum, NIST, COBIT, ITIL and Cloud Security Alliance. The Cloud Security Alliance provides useful frameworks for building your cloud security response. You therefore need to establish what you need across multiple security zones, balancing costs, security and privacy considerations. These in turn can be used to prescribe meaningful SLAs for quantitative and qualitative assessment and risk management.

Service level agreements
As with any service provider contract, you should negotiate clear service level agreements (SLAs) with your CSP. These should include, but not be limited to, clear metrics around performance (both networking and computing), provisioning, change management, patching, disaster recovery, data backup/restoration and vulnerability remediation.

"In the cloud, GRC goes hand in hand with enhanced security"

Must haves
To ensure your data is safe in the cloud at all times, make sure you think about the following:
- Who has access to your data?
- Where is your data held?
- What is the CSP doing with it?
- How is the CSP protecting it?
- How is the CSP deleting it to ensure that there is no residual data remnant?
In fact, there is a clear need to ensure that contractual arrangements with any outsourced data provider are put in place to govern the circumstances in which data is deleted. In July 2011, as the News International phone-hacking investigation gathered pace, Parliament approached its outsourced data provider to ask for clarity on data it might have deleted [xii]. This underlines that there are legal requirements for certain information to be retrievable, and with more and more services and applications being outsourced to the cloud, the ability to demonstrate compliance may well be one of the main reasons companies choose to outsource in future.

"Cloud security has not yet distinguished itself as a field separate from information assurance. Its security metrics are currently synonymous with what a security professional would refer to as a third-party or vendor security audit" (J Bayuk, Stevens Institute of Technology)

Audit
As with any other environment, regular auditing of your CSPs to ensure compliance with your agreed policies is critical. CSPs may be reluctant to allow you access to audit, so this needs to be agreed up front, prior to signing any contract. Some CSPs have a queue of clients looking to undertake audits, so it may be that a regular audit by a recognised third party to an applicable standard meets much of the requirement. Indeed, there are moves under way to establish independent certification of CSPs.

Security metrics
Security metrics are quantitative measurements used to assess security operations. They help the organisation to make decisions about various aspects of security, including security architectures and controls, and about the effectiveness and efficiency of security operations. Security metrics are valuable at IT managerial level and to stakeholders who are questioning the security impacts on business processes and activities. Security operations frequently demand high expenditures, and security metrics provide a comprehensible rationale for these costs. The US National Institute of Standards and Technology (NIST) Security Metric Identification Framework characterises security metrics into three types, as follows:
- Implementation metrics, intended to demonstrate progress in implementing information security programmes, security controls, and related policies and procedures
- Effectiveness/efficiency metrics, intended to monitor the programme-level processes and that system-level security controls are implemented correctly, operating as intended and meeting the desired outcomes
- Impact metrics, intended to articulate the impact of information security on an organisation's business objectives

Third party relationships
You are only as strong as your weakest link. In corporate environments, your weakest link could be integration with your partners. In the case of CSPs, this is even more likely, due to the necessary integration of various third parties and applications into the cloud environment. You need to ascertain how your CSP enforces security processes for integration with any third parties that it uses, whether there is a certification process to make sure that third-party applications are secure, and that hackers cannot get into the CSP environment through one of these partners.

CSP termination/exit
There will come a time when any outsourcing arrangement reaches a termination date. It's possible this will arise because services and applications are being brought back in house, but in a cloud situation the driver may well be a commercial imperative to move to a new supplier, or to take account of merger and acquisition activity. The point is that a clear exit plan should be included in the contract from the outset, to ensure that data is retrievable securely and in as pain-free a way as possible, and that all residual data is destroyed. With the possibility that data may have been replicated across multiple storage environments, sites and countries, it follows that a clear audit trail must be maintained throughout the life of the relationship.

"94% of organisations are planning to allow staff to bring their own devices to work by 2013" (Survey commissioned by Citrix, 2011)

Security controls
Security controls underpin good governance in the cloud, but have the potential to offer low-hanging fruit and quick wins. One approach is to build an internal or private cloud using your own security solutions. Private cloud allows you to work out the features and service levels you need from a cloud service to support your application before committing to a contract. Like any transformation, identify low-risk applications to try out the new technology. In the context of security that could mean targeting applications that are non-critical, and that do not contain personal or business-sensitive data.

Physical security
It's important to assess the physical security barriers that your CSP (and its contracted hosting providers, if separate) has in place. Physical security should be even tighter than at your own premises, because you have no control over the actions of CSP/contractor employees.

Infrastructure security
In recent months, aggressive marketing by various cloud providers has made it easier for hackers to get accounts and plant botnets. Cloud is also susceptible to many more denial-of-service (DoS) attacks than other computing models. CSPs need to ensure that their perimeter is secure and their barrier to attacks is robust. You need to find out what measures your CSP deploys to keep the bad guys out:
- Do they have strong network firewalls? How are they kept updated?
- Do they have good intrusion detection systems/intrusion protection systems (IDS/IPS) in place? How do they monitor the events?
- Do they have security event and incident management (SEIM) or log management software in place?

Client security
Don't overlook your own client side. Browsers, browser plug-ins and thin clients used by your staff are a key point of vulnerability, so make sure they are as secure as possible. As researchers have pointed out, the browser is still very limited in its capacities as an authentication centre for cloud computing [xiii].

Encryption
Even if a third party gains access to your data, if it's encrypted and they don't have the key it can stay protected. You need to consider at-rest, in-transit and in-use data to be fully covered. Management of the keys used for encryption is crucial. If a CSP installs the key, understanding who will have access and how you can control and audit that access is very important. In some cases you may require that keys are only handled by your own staff.

Virtualisation security
Almost all cloud providers use virtualisation to provide economies of scale and an optimal distributed architecture. Virtualisation has its own set of security issues, and you need to understand what security process your CSP has for its virtualisation environment, and how it identifies, tests and fixes vulnerabilities.

Access controls
CSPs need to consider major issues around access control, such as authentication, non-repudiation, user management and much more. It is imperative to understand the standards and mechanisms in place for:
- User provisioning
- Management of the credential authentication process
- Visibility and control
- Dedicated virtual private networks (VPNs)
- Federated identity process and how it is managed
- Registration and authentication processes and controls
It is not enough to rely simply on the CSP's contract, as most organisations have specific policies in place governing access to different levels of data by different employees. As Subashini and Kavitha point out, "the SaaS model must be flexible enough to incorporate the specific policies put forward by the organisation" [xiv]. Once you begin to use multiple CSPs, managing access becomes even more complex. It is advisable to look for solutions that offer a level of automation/synchronisation with your existing ID management solutions and that do not rely on manual processes.
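The Encryption section above says data can stay protected even if the CSP is breached, provided the key is held by your own staff, and the multi-tenancy section asks how customer boundaries are enforced. The following Go program is an added illustration of both points, not code from the guide or from Company85: the customer encrypts each record with AES-GCM under a key it generates itself, uploads only nonce and ciphertext, and binds the tenant and object id into the authenticated data so an envelope served under another tenant's name will not decrypt. The tenant names, object ids and sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is all the CSP stores for one record: nonce plus ciphertext.
// The key is never part of it, so a breach of the provider's storage, or a
// provider employee reading the tenant's objects, yields only ciphertext.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// newCustomerKey generates a 256-bit AES key on the customer's side. In
// practice it lives in the customer's own HSM or key store, never at the CSP.
func newCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// aad binds a record to its tenant and object id. AES-GCM authenticates this
// alongside the ciphertext, so an envelope copied into another tenant's slot
// or renamed fails to decrypt even under the correct key.
func aad(tenant, id string) []byte {
	return []byte(tenant + "/" + id)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts plaintext under the customer-held key before upload.
func sealRecord(key []byte, tenant, id string, plaintext []byte) (Envelope, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad(tenant, id))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// openRecord decrypts a downloaded envelope. It returns an error for a wrong
// key, a tampered ciphertext or a tenant/id that does not match the seal.
func openRecord(key []byte, tenant, id string, e Envelope) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, aad(tenant, id))
}

func main() {
	key, err := newCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; tenant and object names are illustrative.
	record := []byte("customer=ACME; card-last4=4242")
	env, err := sealRecord(key, "tenant-a", "invoices/2012-01", record)
	if err != nil {
		panic(err)
	}
	// env is what gets uploaded; the CSP sees only nonce and ciphertext.
	fmt.Printf("stored at CSP: %x\n", env.Ciphertext)

	pt, err := openRecord(key, "tenant-a", "invoices/2012-01", env)
	fmt.Printf("own tenant, own key: %q (err=%v)\n", pt, err)

	// The same envelope served from another tenant's slot does not open...
	_, err = openRecord(key, "tenant-b", "invoices/2012-01", env)
	fmt.Println("served under another tenant:", err)

	// ...and neither does any key other than the customer's, such as one the CSP holds.
	other, _ := newCustomerKey()
	_, err = openRecord(other, "tenant-a", "invoices/2012-01", env)
	fmt.Println("provider-side key:", err)
}
```

The audit trail the guide asks for belongs around newCustomerKey and openRecord, since those are the only places the key is touched.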

"Not every commercial web application software developer or business that creates custom applications will fix its code in a timely manner" (Information Week, September 2011)

Consumerisation
One of the key benefits of cloud is that applications become accessible remotely via mobile devices. Organisations that are early adopters of cloud tend to be early adopters of these technologies too. Consumerisation of user devices (also referred to as bring-your-own-device, or BYOD), whereby individuals connect to the corporate network or direct to cloud using personal PDAs, iPhones, tablets and so on that have not been issued by the business, poses a new risk. Personal devices are more likely to be used in a cloud environment than within a traditional corporate network, because the whole cloud model is driven by subscription-based services. This, in turn, is setting user expectations such that the cloud/personal device combination is becoming a default standard for work and leisure. In a global survey published in January 2012, 88 per cent of executives reported that employees were already using their personal computing technologies for business purposes [xv]. This trend toward consumerisation has been corroborated by many CIOs with whom Company85 comes into contact, and its effect is to multiply the headaches associated with granting and withdrawing access privileges. Whereas corporate laptops were typically refreshed over a three-year cycle, consumers may upgrade personal devices as often as once a year. The use of insecure personal devices is surprisingly commonplace, and represents a severe threat whether used within or outside a cloud environment. The same survey cited above suggested that 55 per cent of companies had already experienced a security breach as a result of personal technologies being used in the workplace. Businesses need to consider context-aware security capabilities that adapt access policies to device, user and location.

Figure: Do you allow employees to use personal devices for work? (Source: Aberdeen Group, 2011)

Application security
With over 80 per cent of attacks happening through web applications, application security has become a critical element in the overall cloud decision-making process. Although the exposure is similar to what you would have in your own private environment, with cloud it is likely to be on a massive scale and you may not have any control over it. Therefore, you need to consider:
- Does security ownership transfer to the infrastructure provider?
- How does the migration to cloud impact your software development lifecycle?
- What measures are in place to protect against common vulnerabilities such as cross-site scripting, SQL injection and so forth?
- API security and management
- Encryption key management
- Vulnerability assessment, identification and remediation

Instant test: 20 questions to assess your cloud maturity posture

Here are 20 critical areas that need to be addressed in a secure cloud environment. Score 0 if you are not happy that you have each area fully covered, and score 1 if you are happy.

1. Risk assessment
Have you carried out a comprehensive risk assessment exercise for migration to cloud services, identified mitigating controls to address the risks identified, and do you have an on-going risk management programme?

2. Physical security
Have you specified and agreed physical security policies with your CSP, and are there provisions to audit compliance?

3. People
Have you specified and agreed pre-screening and background checks of the CSP staff and/or any CSP third party that will manage your cloud services?

4. Data loss prevention (DLP)
Have you specified your DLP requirements, whereby data is protected at rest, in transit and in use across the network and at the endpoints, as well as logging of security incidents?

5. Infrastructure security
Have you specified network security requirements to your CSP, such as infrastructure virtualisation, firewalls, platform hardening standards, patching, intrusion detection/intrusion protection systems (IDS/IPS), a security operating centre (SOC), event monitoring and log management to monitor the events?

6. Access control
Are you satisfied that the CSP is providing adequate standards for provisioning of users, including credential management; the level of control you have; dedicated VPN; the federated identity process and how it is managed; and whether OpenIDs can be used for registration and authentication?

7. Application security
Have you specified appropriate security countermeasures and controls to your CSP for the following:
- Cross-site scripting and cross-site request forgery (CSRF)?
- SQL database server injection?
- Session management?
- Software development life cycle (SDLC)?
- Application program interfaces (APIs)?
- Encryption keys and key management?
- Vulnerability management / penetration testing?

8. Licensing model
Have you defined a software and hardware licensing model with your CSP, e.g.:
- per user (user is granted a licence to use an application);
- per device (an application is granted a licence on a per-device or per-processor basis);
- enterprise (licensing model covers all devices and users)?

9. Virtualisation security
Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? Are utilities that can significantly manage virtualised partitions (e.g. shutdown, clone, etc.) appropriately restricted and monitored? Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?

10. Data backup
Are you satisfied with where your CSP will be keeping your data backups, and is the data at rest encrypted?

11. Access to data and eforensic capability
Have you confirmed, agreed and put into the SLA with the CSP rights of access to data in general, as well as access for local governments and e-discovery provisions for law enforcement bodies to collect evidential electronic data?

12. Escrow arrangements
Have you made escrow arrangements for your source and object code with the CSP, or sought an independent third party to ensure access to your code if you are changing CSP?

13. Service performance metrics and monitoring
Have you defined acceptable service performance KPI/KRI metrics and how they will be monitored?

14. Incident management
Have you defined incident handling and escalation processes with the CSP? Are the following satisfactory:
- detecting, identifying, analysing and responding to incidents;
- incident handling processes (both during the incident and post analysis);
- real time security monitoring (RTSM) service;
- severity levels and escalation process;
- eforensics data and forensic image of virtual servers;
- metrics reporting?

15. Legal compliance
Have you fully explored the legal issues associated with:
- Physical location of your data and legal jurisdiction?
- Requirements of the Data Protection Act and requirements for personal data and data processed outside of the European Economic Area (EEA)?
- Liability of the CSP in the event of a data breach?
- Intellectual property rights, trade secrets or privileged information?
- Third party access to your stored data?

16. Business continuity and disaster recovery
Does your CSP have a business continuity and disaster recovery plan in place that is regularly tested, and have you ensured that:
- The backup can restore recovery time objective (RTO) type performance and recovery point objective (RPO), and that they are clearly set out in the SLA?
- The CSP and the layers of service providers (managed service providers for backup, network service providers for WAN, etc.) are all willing to live up to the service level agreement (SLA) and meet your DR requirements?

17. CSP independent certification
Does your CSP have independent audit assurance and attestation against Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organisation (formerly SAS70) type II reporting, and ISO27002 certification?

18. CSP third parties
Have you confirmed with your CSP that they rigorously enforce and audit third party CSPs that they use in providing the overall service to you against agreed SLAs and security provisions?

19. Regulatory compliance
Have you specified any regulatory and compliance requirements in your SLA with the CSP for: the Data Protection Act 1998 for any personal information processed; data breach notification for the CSP and any third parties they use; PCI data if you are processing credit card information; FSA compliance; Sarbanes-Oxley Act; US Patriot Act; Safe Harbour Pact?

20. CSP termination and exit
Have you an agreed-upon process in the SLA with the CSP that will ensure smooth transition to another provider, inclusive of all:
- Application/source code?
- Data portability?
- Intellectual property?
- Data backups?
- Escrow arrangements for your source and object code?

Total score: See over for analysis.

Scores on the doors: your cloud maturity posture

The higher your score, the more mature your cloud maturity posture is. By carrying out the exercise you should have been able to identify any areas requiring remediation. The following categorisation may also be of help.

0: None
No cloud approach currently taken.

1-4: Initial
Awareness of cloud security understanding established, and some groups beginning to implement elements of cloud in terms of low risk applications and data.

5-8: Repeatable
Cloud security risk assessments and approach have been decided upon and applied. The approach has not been widely accepted and redundant or overlapping approaches exist; it may be informally defined.

9-12: Defined
The approach has been reviewed and accepted by affected parties. There has been buy-in to the documented approach and the approach is always (or nearly always) followed.

13-16: Managed
Cloud security is likely to have been effectively defined, managed, and audited via a formal governance structure. Appropriate metrics may be being gathered, reported and acted upon.

17-20: Optimising
Metrics are probably being consistently gathered and are being used to incrementally improve the capability. Assets are proactively maintained to ensure relevancy and correctness. The potential for market mechanisms to be used to leverage inter-cloud operations has been established.

Next steps

It is critical that, in order to protect your business, you independently assess any existing or potential CSP providing you with public or private cloud services. From an internal perspective, cloud will always be cheaper and easier to implement if you get it right first before outsourcing to a third party. The cloud maturity posture self-assessment questionnaire scratches the surface of cloud security, but illustrates the deep-level, comprehensive approach taken by Company85 consultants. We work with business and technology stakeholders, providing bespoke and packaged services and actionable recommendations to identify low-hanging fruit and build confidence in your solution. If you're planning a cloud migration, need to kickstart or accelerate an existing project, or need an independent assessment of your current cloud maturity posture, we can help. We can review your plans and help devise a roadmap that will deliver quick wins while enhancing and extending cloud security.

About Company85

Company85 are independent experts in enterprise-class information protection and data centre transformation. We provide agnostic advisory and project services to private and public sector organisations, from blue-chip FTSE100 corporations to local authorities and regional police forces. Headquartered in London, Company85 delivers projects in the UK and internationally in Europe, Africa and the Middle East. Our unique blend of expertise in security, optimisation, consolidation and managed services is backed up with a strong heritage, the exceptional pedigree of our people, and the referenceability and quality of our client and partner relationships. Company85 was a medallist in the organisational excellence category of the UK IT Awards 2011, was shortlisted as Channel Service Provider of the Year 2011, and was shortlisted as Specialist Business Continuity Company of the Year. Company85 is a Technology/Professional Services Group Member of BCS, the Chartered Institute for IT.

Glossary

API: Application programming interface
BC / Business continuity: Keeping all aspects of a business functioning during disruptive events
BSPR: Binding Safe Processor Rules: proposed European legislation that will require CSPs to agree liability should any data offences occur at their data centres
BYOD: Bring your own device (personal phones, tablets etc.)
Cloud (computing): A model for enabling convenient, on-demand network access to a shared pool of resources (e.g. networks, servers, applications, storage and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (NIST)
COBIT: A framework for IT management governance
CSP: Cloud service provider
CSRF / cross-site request forgery: An attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated
CSS / cross-site scripting: Injection of malicious scripts into an otherwise benign and trusted web site
Data loss prevention (DLP): Detection and prevention of unauthorised use and transmission of confidential information
DDoS / distributed denial-of-service attack: DoS attack involving multiple systems attacking a single target
DoS / denial-of-service attack: Attempt to make a computer or network resource unavailable
DR / Disaster recovery: Process, policies and procedures related to recovery or replication of systems
GRC: Governance, risk and compliance
IaaS: Infrastructure-as-a-service
IDS: Intrusion detection system
IPS: Intrusion protection system
ITIL: IT Infrastructure Library service management standard
KPI: Key performance indicator
KRI: Key risk indicator
NIST: National Institute of Standards and Technology: US federal technology agency
PaaS: Platform-as-a-service
Patriot Act: A law enacted in the US, primarily aimed at terrorism prevention
RPO: Recovery point objective
RTO: Recovery time objective
RTSM: Real time security monitoring
SaaS: Software-as-a-service
SEIM: Security event and incident management
SOC: Security operating/operations centre
SQL injection: An attack in which malicious code is run on the SQL database
VPN: Virtual private network
Virtualisation: Hiding the physical characteristics of a computing platform from users

References

i
ii
iii linkedin_2011sep_worldwide_stateofcloudsurvey
iv
v
vi pdf
vii
viii
ix
x Security of Cloud Computing Providers Study, Ponemon Institute, 31 December 2010
xi
xii
xiii
xiv
xv

Company85 Limited
Warnford Court
29 Throgmorton Street
London EC2N 2AT
t: +44 (0)
f: +44 (0)

Company85, the Company85 logo and 'accomplish more' are trademarks or registered trademarks of Company85 Limited in the United Kingdom and in other territories. Other company, product and service names are the property of their respective owners. This publication is issued for general guidance only. Copyright Company85 Limited. All Rights Reserved.


White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

Vodafone Cloud & Hosting Services. Gary Goodenough 13 th November 2015

Vodafone Cloud & Hosting Services. Gary Goodenough 13 th November 2015 Vodafone Cloud & Hosting Services Gary Goodenough 13 th November 2015 1 So, you ll all know Vodafone for these 2 But, we also do this and this 3 4 Market trends and customer challenges Your World/ Our

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

Security & Trust in the Cloud

Security & Trust in the Cloud Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

How a Cloud Service Provider Can Offer Adequate Security to its Customers

How a Cloud Service Provider Can Offer Adequate Security to its Customers royal holloway s, How a Cloud Service Provider Can Offer Adequate Security to its Customers What security assurances can cloud service providers give their customers? This article examines whether current

More information

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32 Security, Compliance & Risk Management for Cloud Relationships Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32 Introductions & Poll Organization is leveraging the Cloud? Organization

More information

CLOUD MIGRATION STRATEGIES

CLOUD MIGRATION STRATEGIES CLOUD MIGRATION STRATEGIES Faculty Contributor: Dr. Rahul De Student Contributors: Mayur Agrawal, Sudheender S Abstract This article identifies the common challenges that typical IT managers face while

More information

Information Security: Cloud Computing

Information Security: Cloud Computing Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration

More information

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Cloud Computing: Contracting and Compliance Issues for In-House Counsel International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,

More information

Guardian365. Managed IT Support Services Suite

Guardian365. Managed IT Support Services Suite Guardian365 Managed IT Support Services Suite What will you get from us? Award Winning Team Deloitte Best Managed Company in 2015. Ranked in the Top 3 globally for Best Managed Service Desk by the Service

More information

Cloud Security Introduction and Overview

Cloud Security Introduction and Overview Introduction and Overview Klaus Gribi Senior Security Consultant klaus.gribi@swisscom.com May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Secure Enterprise Mobility Management. Cloud-Based Enterprise Mobility Management. White Paper: soti.net

Secure Enterprise Mobility Management. Cloud-Based Enterprise Mobility Management. White Paper: soti.net Secure Enterprise Mobility Management White Paper: Cloud-Based Enterprise Mobility Management soti.net Background Facing a business environment of constant change and increasing complexity, enterprises

More information

Addressing Cloud Computing Security Considerations

Addressing Cloud Computing Security Considerations Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

Safeguarding the cloud with IBM Dynamic Cloud Security

Safeguarding the cloud with IBM Dynamic Cloud Security Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from

More information

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.) Organizational risks 1 Lock-in Risk of not being able to migrate easily from one provider to another 2 Loss of Governance Control and influence on the cloud providers, and conflicts between customer hardening

More information

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Beyond passwords: Protect the mobile enterprise with smarter security solutions IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

Assessing Risks in the Cloud

Assessing Risks in the Cloud Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise

More information

Technology Risk Management

Technology Risk Management 1 Monetary Authority of Singapore Technology Risk Guidelines & Notices New Requirements for Financial Services Industry Mark Ames Director, Seminar Program ISACA Singapore 2 MAS Supervisory Framework Impact

More information

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto Cloud Computing: What needs to Be Validated and Qualified Ivan Soto Learning Objectives At the end of this session we will have covered: Technical Overview of the Cloud Risk Factors Cloud Security & Data

More information

Security & Cloud Services IAN KAYNE

Security & Cloud Services IAN KAYNE Security & Cloud Services IAN KAYNE CloudComponents CLOUD SERVICES Dynamically scalable infrastructure, services and software based on broad network accessibility NETWORK ACCESS INTERNAL ESTATE CloudComponents

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Kroll Ontrack VMware Forum. Survey and Report

Kroll Ontrack VMware Forum. Survey and Report Kroll Ontrack VMware Forum Survey and Report Contents I. Defining Cloud and Adoption 4 II. Risks 6 III. Challenging Recoveries with Loss 7 IV. Questions to Ask Prior to Engaging in Cloud storage Solutions

More information

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for

More information

Cloud Computing. What is Cloud Computing?

Cloud Computing. What is Cloud Computing? Cloud Computing What is Cloud Computing? Cloud computing is where the organization outsources data processing to computers owned by the vendor. Primarily the vendor hosts the equipment while the audited

More information

Can security conscious businesses really adopt the Cloud safely?

Can security conscious businesses really adopt the Cloud safely? Can security conscious businesses really adopt the Cloud safely? January 2014 1 Phone: 01304 814800 Fax: 01304 814899 info@ Contents Executive overview The varied Cloud security landscape How risk assessment

More information

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

SRG Security Services Technology Report Cloud Computing and Drop Box April 2013

SRG Security Services Technology Report Cloud Computing and Drop Box April 2013 SRG Security Services Technology Report Cloud Computing and Drop Box April 2013 1 Cloud Computing In the Industry Introduction to Cloud Computing The term cloud computing is simply the use of computing

More information

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

Why Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it

Why Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it The Cloud Threat Why Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it This white paper outlines the concerns that often prevent midsized enterprises from taking advantage of the Cloud.

More information

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud? East African Information Conference 13-14 th August, 2013, Kampala, Uganda Security and Privacy: Can we trust the cloud? By Dr. David Turahi Director, Information Technology and Information Management

More information

Cloud Security: An Independent Assessent

Cloud Security: An Independent Assessent Cloud Security: An Independent Assessent A Quantix White Paper Dec 2010 Call us on: 0115 983 6200 Visit us on-line at: www.quantix-uk.com E-mail us at : enquiries@quantix-uk.com Why are people concerned

More information

Leveraging the Private Cloud for Competitive Advantage

Leveraging the Private Cloud for Competitive Advantage Leveraging the Private Cloud for Competitive Advantage Introduction While it is universally accepted that organisations will leverage cloud solutions to service their IT needs, there is a lack of clarity

More information