Cloud Computing Risks

Size: px
Start display at page:

Download "Cloud Computing Risks"

Transcription

1 ISSA PREEMINENT TRUSTED GLOBAL INFORMATION SECURITY COMMUNITY Cloud Computing Risks By Richard Mosher ISSA member, Kansas City, USA Chapter Cloud computing risks still include data privacy, availability, service provisioning, malicious attack, and regulaty compliance. Mitigating the risks, now me than ever befe, requires a mature vend management program in which cloud s are tasked contractually with guaranteeing the infmation security requirements of their customers. Abstract The most recent development in infmation technology suppt f cpate business is the growing use of cloud computing. This trend presents a unique set of risks to cpate data that must be specifically addressed when considering this option. The issues involved are as old as infmation security. The risks still include data privacy, availability, service provisioning, malicious attack, and regulaty compliance. The venue has changed as technologies have mphed. Mitigating the risks, now me than ever befe, requires a mature vend management program in which cloud service providers are tasked contractually with guaranteeing the infmation security requirements of their customers. Background Cloud computing began years ago with the development of services such as online application offerings through application s (ASPs), infrastructure s such as Internet s (ISPs), and functional s such as managed security services providers (MSSPs). Following the development of virtual technology and other technological innovations, cloud computing services are now defined within three categies. Infrastructure as a Service (IaaS) A computing infrastructure is delivered as a service, although the infrastructure, platfms, applications within the environment may be managed and suppted either internally by the external entity. Platfm as a Service (PaaS) Computing platfms are delivered as a service; the infrastructure is managed by the, but platfms applications within the environment may be managed and suppted either internally by the external entity. Software as a Service (SaaS) Computing applications are delivered as a service, and the infrastructure and platfms are managed by the, but the application may be managed suppted either internally by the external entity. Of necessity, each of these involves the external management of particular functions by the external provider. F instance, an external IDS/IPS service generally involves an infrastructure, platfm, and application managed by the in providing the function. Likewise, the provisioning of HR services through an external application such as ADP must be suppted by, and may be managed by, personnel. This picture is clouded to some extent because the industry recognizes that cloud environments may be external to the ganization, entirely within the ganization (private), a hybrid (a mix of the two). An alternate option is a community cloud, which is an external cloud provided by a service provider designed and configured to suppt a specific type of application data requirement, as in, f instance, a medical industry cloud designed to provide a HIPAA-compliant service. This discussion is focused exclusively on the risks involved in the use of clouds provided by providers external to the ganization in either a pure external, community hybrid cloud environment. 34

2 As is true f all outsourcing arrangements, external cloud computing services share a set of risks that are derived from the decision to permit cpate data to be processed by reside upon devices outside of the cpate environment and under the control of an outside ganization. Some of these risks are increased due to the inherent nature of cloud computing. Data privacy risks Access control The decision to move cpate data and/ documents to an external cloud environment by its very nature requires that individuals within the ganization may have access to the data submitted to the cloud environment if personnel need access to the data stage area in suppt of the service. 1 require that the limit access to the data/files to essential personnel only; conduct background checks of those individuals to whom access will be granted; maintain proper recds of approval, removal, and review of internal access to the data; monit access to the data; train internal staff on requirements to protect the data; and if needed f compliance purposes, provide repts to the ganization regarding access to the data recds by suppt staff. Internally, the ganization can Contractually obligate the to these requirements; and Monit vend compliance with the requirements. Internal segmentation Any cloud is likely to suppt multiple ganizations. If not properly structured and configured, the data architecture underlying the service could put the ganization s data at risk of disclosure to other ganizations. 2 require that the implement internal barriers/segmentation between the data of different ganizations; and conduct audits of data stage to confirm that the barriers are effective. Once again, this requires that the ganization contractually obligate and monit vend compliance. Sub-contracts Many cloud s themselves are composed of multiple layers of cloud services, with the iginally contracted provider using other cloud providers to suppt their own services. The ganization must therefe be prepared to enfce its needs within multiple layers of s through the iginally contracted. This issue is especially troublesome if the ganization is under legal and/ regulaty compliance requirements. If this is the case, the ganization is often held responsible f ensuring the compliance of its sub-contracts. The ganization will therefe want to know the identities of sub-contracts in der to be able to track their compliance status. This can only be ensured through appropriate contract language. 3 if the ganization is under an obligation to satisfy regulaty requirements, discuss this with the cloud vend, and, if possible, require that the provide the identities of all sub-contracts in der to confirm their compliance status; if this level of compliance moniting is not required, request that the agree contractually to enfce all identified requirements on its service providers as appropriate; require that the implement a vend management program to monit the compliance of its vends; and monit the s compliance with this requirement. Data ownership In the past it was not unusual f cloud s to claim ownership of all data/files submitted to their care, and to publicly state the right to redistribute all submitted documentation at will. 4 ensure that the acknowledges the primacy of the ganization s rights to the data submitted; contractually obligate the to limit use of the data to that approved by the ganization; and contractually require that the ganization s data be returned and deleted upon severing the relationship. 1 Cloud Security Alliance, Top Threats to Cloud Computing V1.0, March 2010, Threat #3: Malicious Insiders, p. 10 https://cloudsecurityalliance.g/topthreats/ csathreats.v1.0.pdf. 2 Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage, Hey, You, Get Off of My Cloud: Expling Infmation Leakage in Third-Party Compute Clouds, ACM, November Giles Hogben, Perspectives on Cloud Security in the European Landscape, Cloud Security Delivery Imperatives 2011, ISACA Virtual Seminar, April Carl Brooks, Cloud SLAs the next bugbear f enterprise IT, TechTarget.com 35

3 E-Discovery Because the data/files submitted are now suppted on systems belonging to an external entity (e.g., the cloud service provider), that data is now subject to discovery not only by legal actions targeting the ganization, but may also be at risk of discovery and disclosure by legal actions targeting the any one of its other customers service providers. The ganization s data may therefe be compromised due to legal actions that may may not directly involve the ganization. 5 6 To mitigate this, the ganization can ensure that the is bound contractually to notify the ganization of any required legal disclosure that may involve the ganization s data; and make internal plans to address e-disclosure needs in such an event. Data censship In some cases cloud providers retain to themselves the right to audit and cens any data submitted to the service. This can cause delays in the data posting process changes to the data itself that may be unacceptable. 7 contractually define any such activities on the part of the, and the process through which it is suppted; and require the to rept any such activities to the ganization. Encryption In the current state of the cloud processing industry, implementation of encryption f data at rest within the cloud remains relatively rare, is expensive when available. It has been identified within some cloud services that are designed to meet specific regulaty requirements, but is not available within me common cloud services. : use cloud services only f those data services that do not require data encryption f data privacy purposes; select a cloud that can provide encryption if required; confirm that the has implemented appropriate encryption controls; 5 Wendy Butler Curtis, Curtis Heckman, and Aaron Thp, Cloud Computing: ediscovery Issues and Other Risk, Orrick ediscovery Alert, June 28, Lucas Mearian, How data security can vapize in the cloud, Computerwld, October 15, security_can_vapize_in_the_cloud_. 7 Joseph Granneman, Data Protection and Access Control in the Cloud, Security and Compliance in the Cloud, ISACA Virtual Seminar, December confirm that the regularly tests those encryption controls; and ensure that appropriate key management practices are in place to suppt the encryption. Availability risks Service degradation External services through a cloud provider involve connections over the Internet, any section of which is subject to congestion and outages on a periodic basis. In addition, the service may be degraded by a malicious attack, either due to the diversion of resources caused by an attack on the, by the diversion of resources due to an attack upstream from the (an attack on one of their service providers) and resulting congestion on the telecommunication lines, by diversion of resources caused by a successful penetration and use of the service itself as the base f further attacks on other sites. use cloud services only f those applications f which degradation of service is not a significant issue; obtain redundant lines to the through alternate carriers that can provide alternate connecting lines to the service; and implement appropriate and feasible alternatives f services during periods of service degradation. Service outage Similarly, all s will, f one reason another, incur service outages and perfmance issues on a periodic basis. confirm that the has designed the service with adequate capacity and multiple service sources to limit outages; require a service level agreement with the provider with contractual penalties f less than acceptable availability perfmance levels; ensure that the defined level of availability is acceptable f business purposes; confirm that the has an active backup program and recovery plan, confirm that the recovery plan is tested regularly; determine if alternate service options are available f periods in which the service is not available; and implement appropriate and feasible alternatives f services during an outage. 36

4 Service provisioning risks Service changes As all IT professionals know, technology firms come and go. Cloud s may fail, be acquired, change their business models and discontinue a service at any time. As a result, the ganization may lose access to its data to the service upon sht notice. contractually require a specified minimum period of notice f service changes; identify alternate service options that can be activated upon need; and maintain an updated internal copy of the data f emergency use. Cost changes As with any outside service, costs f cloud services will change over time. Such changes can make this type of service less cost effective, jeopardizing the purpose behind using the service in the first place. To mitigate this, the ganization can ensure that service costs and changes are defined in the service contract; and evaluate the cost/benefit/risk trade-offs of the relationship during each contract renewal. Malicious activity risks Likelihood of attack Because cloud s suppt multiple businesses and must have their services available on the open Internet, they are at increased risk of being attacked through their website ptals. After all, attackers tend to prefer target-rich environments, and cloud s concentrate multiple targets within their service areas. This situation is made wse by the fact that they must make web suppt and administration tools available to their customers as a part of the nmal business model through the web ptal, thereby leaving these tools accessible to attackers as well. As a result, the ganization s data/files are at increased risk of compromise through an outside attack. 8 confirm that the follows recommended security best practices in the development and coding of its web application, including code reviews and appropriate application security steps within each level of its infrastructure; confirm that the perfms vulnerability and penetration tests on a periodic basis and remediates any issues identified; and confirm that these practices have been audited and shown to be in place and operationally effective. Regulaty compliance risks Audit recds In many cases the systems suppting cloud services are managed by personnel through their internal processes. Service providers, as is true f most ganizations, usually decline to provide internal operational details to external customers. Obtaining auditable recds f the systems can therefe be difficult. In addition, the audit tools available through individual s vary significantly. The tools available f this purpose must be evaluated f each service provider. Because verifying the functionality and controls of all suppting systems may be required f compliance with regulaty requirements, this becomes a significant risk. negotiate with a mechanism through which suppting systems can be audited and verified, either through an audit perfmed by the ganization s audit team through a third party verification using SSAE 16 SOC 1 and SOC 3 repts, and include this in the contract; obtain copies of previous relevant SAS 70/SSAE 16 repts conduct regular audits of the provider; and ensure that appropriate audit repts are mandated contractually to meet the needs of the ganization. Stage location Verifying the functionality and controls of all suppting systems may be required f compliance with regulaty requirements, becoming a significant risk. Typically, the may ste all part of the data/files on servers where it is convenient f them. This may include transferring the data to servers outside of the region country of igin. Such a situation may may not be permissible, based upon regulations under which the ganization operates. 9 8 Cloud Security Alliance, Top Threats to Cloud Computing V1.0, March 2010, Threat #1: Abuse and Nefarious Use of Cloud Computing, p. 8 https:// cloudsecurityalliance.g/topthreats/csathreats.v1.0.pdf. 9 Dr. Thomas Helbing, How the New EU Rules on Data Expt Affect Companies Running Cloud Computing and SaaS, cloudcomputing-vision.com, April 16,

5 require that the assess the ganization s legal and regulaty requirements, and determine if restrictions exist on whether it can permit its data to be sted outside of a specific legal jurisdiction; if the ganization faces this type of restriction, include a discussion of this issue with any s considered as s; if possible, agree contractually to stage location restrictions that will keep the ganization compliant with its regulaty needs; if this is not possible, exclude the from those to be considered f the service. Lack of breach notice In addition to all the other controls that are missing, the ganization using cloud services also loses insight into and control over mandated breach notifications. Me often than not, the ganization may not even know that a breach has occurred until it appears in the evening news. 10 use cloud resources f only those data applications that do not have regulaty compliance requirements; contract with a cloud that is willing to assert contractually that they will notify the ganization at once in the event of a possible breach. Compliance The issue of compliance validation f cloud computing applications is an open question. Little has been done in this area to date, and suppt f compliance requirements varies considerably between providers. 11 use cloud resources f only those data applications that do not have regulaty compliance requirements; contract with a cloud that is willing to assert contractually that they will maintain compliance with the regulation in question; and maintain a compliance verification program that validates the s compliance with the requirements. 10 Ariel Silverstone, Cloud Security: Danger (and Opptunity) Ahead, CSO Online, May 19, Opptunity_Ahead. 11 Cloud Computing: Benefits, risks and recommendations f infmation security, European Netwk and Infmation Security Agency (ENISA), November Mitigation summary The use of external resources f cloud computing in its current state involves a number of risks. The key to proper mitigation of the risks in cloud computing is to determine appropriate controls f all relevant security provider operations just as if they were internal, and then to contractually obligate the to comply with those controls. In the process of mitigating its risks, any ganization making use of cloud computing resources should take a number of key steps. 1. Evaluate the risks involved in the use of cloud computing f a specific data application, and determine if the benefits to be gained offset the risks and the costs. This is especially critical if any regulaty compliance requirements are involved. 2. Assess the available cloud computing s to determine if any can provide the needed service while providing appropriate suppt in mitigating the identified risks. 3. Perfm appropriate due diligence on the selected service provider to ensure their financial stability, and to confirm the promised suppt architecture is available. 4. Obtain copies of the SAS 70 the new SSAE 16 audit repts to confirm their controls, perfm an audit of the to confirm these details. 5. Ensure that the contract includes language specifying all required mitigating controls and repting. 6. Implement a vend management program to ensure ongoing compliance of the with all necessary controls and service levels. 7. Ensure that all other appropriate internal mitigating strategies and options are implemented. About the Auth Richard Mosher, CISSP, CBCP, CISA, CGEIT, QSA, is a professional consultant wking in infmation security, risk management, regulaty compliance, business continuity, and IT audit as a staff member of Experis, a ManpowerGroup company. He has 25 years of experience in infmation security, is a fmer ISSA chapter president, fmer ISSA International board member, and an ISSA Distinguished Fellow, and is a periodic contribut to the ISSA Journal. He may be reached at 38

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Managed Solution Center s TSM Managed Services FAQ

Managed Solution Center s TSM Managed Services FAQ Managed Solution Center s TSM Managed Services FAQ Frequently Asked Questions 1. Will this invalidate our IBM Warranty / Maintenance? No. IBM warranty will not be affected as TSM code is not being modified

More information

The Keys to the Cloud: The Essentials of Cloud Contracting

The Keys to the Cloud: The Essentials of Cloud Contracting The Keys to the Cloud: The Essentials of Cloud Contracting September 30, 2014 Bert Kaminski Assistant General Counsel, Oracle North America Ken Adler Partner, Loeb & Loeb LLP Akiba Stern Partner, Loeb

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

KEY TERMS FOR SERVICE LEVEL AGREEMENTS TO SUPPORT CLOUD FORENSICS

KEY TERMS FOR SERVICE LEVEL AGREEMENTS TO SUPPORT CLOUD FORENSICS Chapter 12 KEY TERMS FOR SERVICE LEVEL AGREEMENTS TO SUPPORT CLOUD FORENSICS Keyun Ruan, Joshua James, Joe Carthy and Tahar Kechadi Abstract As the adoption of cloud services increases, the importance

More information

Securing The Cloud With Confidence. Opinion Piece

Securing The Cloud With Confidence. Opinion Piece Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery

More information

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is

More information

Cloud Infrastructure Security

Cloud Infrastructure Security Cloud Infrastructure Security Dimiter Velev 1 and Plamena Zlateva 2 1 University of National and World Economy, UNSS - Studentski grad, 1700 Sofia, Bulgaria dvelev@unwe.acad.bg 2 Institute of Control and

More information

Security Issues On Cloud Computing

Security Issues On Cloud Computing Security Issues On Cloud Computing Pratibha Tripathi #1, Mohammad Suaib #2 1 M.Tech(CSE), Second year 2 Research Guide # Department of Computer Science and Engineering Abstract Integral University, Lucknow

More information

How to ensure control and security when moving to SaaS/cloud applications

How to ensure control and security when moving to SaaS/cloud applications How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk

More information

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility. FME Cloud Security Table of Contents FME Cloud Architecture Overview Secure Operations I. Backup II. Data Governance and Privacy III. Destruction of Data IV. Incident Reporting V. Development VI. Customer

More information

Cloud Computing and HIPAA Privacy and Security

Cloud Computing and HIPAA Privacy and Security Cloud Computing and HIPAA Privacy and Security This is just one example of the many online resources Practical Law Company offers. Christine A. Williams, Perkins Coie LLP, with PLC Employee Benefits &

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

While cloud computing may have many benefits, it comes with a financial and a business cost in terms of:

While cloud computing may have many benefits, it comes with a financial and a business cost in terms of: Cloud Computing Technology Spotlight Defined by The National Institute of Standards and Technology as the provision of computational resources on demand via a computer network, cloud computing s advantages

More information

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer What is Cloud Computing A model for enabling convenient, on-demand network access to a shared pool of configurable

More information

Governance and Control in the Cloud. Infrastructure as a Service

Governance and Control in the Cloud. Infrastructure as a Service 1 Governance and Control in the Cloud Infrastructure as a Service Cows 2 The Triumph of the Utility 3 Our Discussion 4 How we ll talk about Governance and Controls today Not an IT-assurance methodology

More information

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Cloud Assurance: Ensuring Security and Compliance for your IT Environment Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware

More information

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

More information

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING 1. K.SURIYA Assistant professor Department of Computer Applications Dhanalakshmi Srinivasan College of Arts and Science for Womren Perambalur Mail: Surik.mca@gmail.com

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities

More information

Cloud Computing An Auditor s Perspective

Cloud Computing An Auditor s Perspective Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,

More information

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred

More information

Cloud Computing Risk and Rewards

Cloud Computing Risk and Rewards Cloud Computing Risk and Rewards John Lazarine Vice President and Chief Audit Executive Mark Salamasick Director of Center for Internal Auditing For Dallas CPA Society Convergence 2013 May 8, 2013 John

More information

Legal Issues in the Cloud: A Case Study. Jason Epstein

Legal Issues in the Cloud: A Case Study. Jason Epstein Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types

More information

Insights into Cloud Computing

Insights into Cloud Computing This article was originally published in the November 2010 issue of the Intellectual Property & Technology Law Journal. ARTICLE Insights into Cloud Computing The basic point of cloud computing is to avoid

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

TOP 10 Security Questions Introduction Breaches and other privacy and security incidents in healthcare are on the rise due to the vast size of the industry and the oneoffs of protected health information

More information

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined

More information

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013 INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.

More information

CPA Practical Experience Requirements

CPA Practical Experience Requirements CPA Practical Experience Requirements Does my job qualify f experience verification? The qualifying period of practical experience can begin when future CPAs attain three conditions: 1. You start wking

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall. The Magical Cloud Lennart Franked Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall. 2014-10-20 Lennart Franked (MIUN IKS) The Magical Cloud 2014-10-20 1 / 35

More information

LOCAL AREA NETWORK (LAN) SUPPORT SERIES

LOCAL AREA NETWORK (LAN) SUPPORT SERIES LOCAL AREA NETWORK (LAN) SUPPORT SERIES Occ. Wk Prob. Effective Code No. Class Title Area Area Period Date 4826(3291) Local Area Netwk (LAN) Suppt Specialist I 02 734 6 mo. 12/23/96 4827(3291) Local Area

More information

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected

More information

Cloud security architecture

Cloud security architecture ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide

More information

Determines database requirements and prepares database design for highly complex systems.

Determines database requirements and prepares database design for highly complex systems. SENIOR APPLICATIONS DEVELOPER ERP Solutions Specialists DEFINITION: This is highly advanced technical supervisy wk in the analysis, planning, design, programming, and maintenance of computer applications.

More information

Cloud Computing in a Regulated Environment

Cloud Computing in a Regulated Environment Computing in a Regulated Environment White Paper by David Stephenson CTG Regulatory Compliance Subject Matter Expert February 2014 CTG (UK) Limited, 11 Beacontree Plaza, Gillette Way, READING, Berks RG2

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions

More information

Security and Privacy in Cloud Computing

Security and Privacy in Cloud Computing Security and Privacy in Cloud Computing Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Threats, vulnerabilities, and enemies Goal Learn the cloud computing threat model

More information

Anatomy of a Cloud Computing Data Breach

Anatomy of a Cloud Computing Data Breach Anatomy of a Cloud Computing Data Breach Sheryl Falk Mike Olive ACC Houston Chapter ITPEC Practice Group September 18, 2014 1 Agenda Ø Cloud 101 Welcome to Cloud Computing Ø Cloud Agreement Considerations

More information

The silver lining: Getting value and mitigating risk in cloud computing

The silver lining: Getting value and mitigating risk in cloud computing The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations

More information

GAIN CLARITY CRITICAL ISSUES. Your Data in the Cloud : Benefits & Risks GAIN CONTROL. berrydunn.com

GAIN CLARITY CRITICAL ISSUES. Your Data in the Cloud : Benefits & Risks GAIN CONTROL. berrydunn.com GAIN CLARITY CRITICAL ISSUES Your Data in the Cloud : Benefits & Risks berrydunn.com AGENDA Defining Cloud Services Benefits and Risks Core Requirements Myths about Clouds Is Your Data in the Cloud Secure?

More information

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com Cloud Computing Risks & Reality Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com What is Cloud Security The quality or state of being secure to be free from danger & minimize risk To be protected from

More information

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05 Cyber Risk Management Guidance Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk management.

More information

I.1 SERVICE LEVEL AGREEMENT MATRIX. Bidders must complete the following SLA Matrix as applicable to category bid.

I.1 SERVICE LEVEL AGREEMENT MATRIX. Bidders must complete the following SLA Matrix as applicable to category bid. I.1 SERVICE LEVEL AGREEMENT MATRI Bidders must complete the following SLA Matrix as applicable to categy bid. SERVICE LEVELS, BY CLASS of SERVICE Unless otherwise specified, all classes of Voice, Connectivity

More information

www.pwc.com/mt Internal Audit Takes On Emerging Technologies

www.pwc.com/mt Internal Audit Takes On Emerging Technologies www.pwc.com/mt In Internal Audit Takes On Emerging Technologies Contents Introduction 2 Cloud Computing & Internal Audit 3 Smart Devices/ Technology & Internal Audit 6 Social Media & Internal Audit 8 Cyber

More information

Auditing Cloud Computing and Outsourced Operations

Auditing Cloud Computing and Outsourced Operations Session 136 Auditing Cloud Computing and Outsourced Operations Monday, May 7, 2012 3:30 PM 5:00 PM Mike Schiller Director of Sales & Marketing IT, Texas Instruments Co Author, IT Auditing: Using Controls

More information

SERVICE LEVEL AGREEMENT MATRIX

SERVICE LEVEL AGREEMENT MATRIX SERVICE LEVEL AGREEMENT MATRI SERVICE LEVELS, VoIP CnerStone Telephone s Level agreement provided herein is limited to the scope of services it is proposing in this response to the RFP. Specifically, our

More information

What Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen

What Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen What Is The Cloud And How Can Your Agency Use It Tom Konop Mark Piontek Cathleen Christensen Video Computer Basics: What is the Cloud What is Cloud Computing Cloud Computing Basics The use of the word

More information

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Technology Risk Management

Technology Risk Management 1 Monetary Authority of Singapore Technology Risk Guidelines & Notices New Requirements for Financial Services Industry Mark Ames Director, Seminar Program ISACA Singapore 2 MAS Supervisory Framework Impact

More information

Wednesday, January 16, 2013

Wednesday, January 16, 2013 Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago, IL 60654 312.832.4500 Wednesday,

More information

KeyLock Solutions Security and Privacy Protection Practices

KeyLock Solutions Security and Privacy Protection Practices KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout

More information

Cisco Cloud Assessments. Justin Tang

Cisco Cloud Assessments. Justin Tang Cisco Cloud Assessments Justin Tang Cisco Landscape Evolution of Cloud Assessments Performing Cloud Assessments Challenges 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Definition:

More information

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Key Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing

Key Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing Contents Introduction Why GRC Assessment Benefits of Cloud computing and Problem Statement Key Speculations & Problems faced by Cloud service user s in Today s time Threats, Vulnerabilities and related

More information

Cloud Computing. Introduction

Cloud Computing. Introduction Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

CLOUD MIGRATION. Celina Alexandre M6807

CLOUD MIGRATION. Celina Alexandre M6807 CLOUD MIGRATION M6807 S Content 1. Introduction 2. Methodology 3. Requirements Definition Phase 3.1. Strategy 3.2. Knowledge 06/05/15 2 Content 4. Analysis Phase 4.1. Aplications and Systems 4.2. Development

More information

Cloud Database Storage Model by Using Key-as-a-Service (KaaS)

Cloud Database Storage Model by Using Key-as-a-Service (KaaS) www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 4 Issue 7 July 2015, Page No. 13284-13288 Cloud Database Storage Model by Using Key-as-a-Service (KaaS) J.Sivaiah

More information

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World July 30, 2015 Sutherland Webinar Michael Steinig 202.383.0804 Michael.Steinig@sutherland.com

More information

Cloud Computing: Compliance and Client Expectations

Cloud Computing: Compliance and Client Expectations Cloud Computing: Compliance and Client Expectations February 15, 2012 MOSS ADAMS LLP 1 TODAY S PRESENTERS Moderator Kevin Villanueva, CPA, CISA, CISM, CITP, CRISC Sr. Manager, Infrastructure and Security

More information

A hole in the cloud: Is cloud secure?

A hole in the cloud: Is cloud secure? A hole in the cloud: Is cloud secure? N. Vijaykumar Infosys Technologies Limited, Bangalore presented at Security in cloud is a key challenge! 70% 60% 50% 40% 30% 20% 10% 0% Data integrity tampering Hacker

More information

Cloud Computing and Records Management

Cloud Computing and Records Management GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com Introduction to Cloud Computing Srinath Beldona srinath_beldona@yahoo.com Agenda Pre-requisites Course objectives What you will learn in this tutorial? Brief history Is cloud computing new? Why cloud computing?

More information

BYOD File Sharing - Go Private Cloud to Mitigate Data Risks. Whitepaper BYOD File Sharing Go Private Cloud to Mitigate Data Risks

BYOD File Sharing - Go Private Cloud to Mitigate Data Risks. Whitepaper BYOD File Sharing Go Private Cloud to Mitigate Data Risks BYOD File Sharing - Go Private Cloud to Mitigate Data Risks An Accellion Whitepaper BYOD File Sharing Go Private Cloud to Mitigate Data Risks Executive Summary The consumerization of IT and the popularity

More information

WHITE PAPER. How to choose and implement your cloud strategy

WHITE PAPER. How to choose and implement your cloud strategy WHITE PAPER How to choose and implement your cloud strategy INTRODUCTION Cloud computing has the potential to tip strategic advantage away from large established enterprises toward SMBs or startup companies.

More information

Assessing Risks in the Cloud

Assessing Risks in the Cloud Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research

More information

Security & Trust in the Cloud

Security & Trust in the Cloud Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer

More information

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32 Security, Compliance & Risk Management for Cloud Relationships Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32 Introductions & Poll Organization is leveraging the Cloud? Organization

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

Cloud Computing: Risks and Auditing

Cloud Computing: Risks and Auditing IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center @IIAChicago #IIACHI Cloud Computing: Risks Auditing Phil Lageschulte/Partner/KPMG Sailesh Gadia/Director/KPMG

More information

Cloud Computing Thunder and Lightning on Your Horizon?

Cloud Computing Thunder and Lightning on Your Horizon? Cloud Computing Thunder and Lightning on Your Horizon? Overview As organizations automate more and more of their manual processes, the Internet is increasingly becoming an important tool in the delivery

More information

White Paper: Librestream Security Overview

White Paper: Librestream Security Overview White Paper: Librestream Security Overview TABLE OF CONTENTS 1 SECURITY OVERVIEW... 3 2 USE OF SECURE DATA CENTERS... 3 3 SECURITY MONITORING, INTERNAL TESTING AND ASSESSMENTS... 4 3.1 Penetration Testing

More information

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Security Threat Risk Assessment: the final key piece of the PIA puzzle Security Threat Risk Assessment: the final key piece of the PIA puzzle Curtis Kore, Information Security Analyst Angela Swan, Director, Information Security Agenda Introduction Current issues The value

More information

Data Privacy, Security, and Risk Management in the Cloud

Data Privacy, Security, and Risk Management in the Cloud Data Privacy, Security, and Risk Management in the Cloud Diana S. Hare, Associate General Counsel and Chief Privacy Counsel, Drexel University David W. Opderbeck, Counsel, Gibbons P.C. Robin Rosenberg,

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

Public Cloud Service Agreements: What to Expect & What to Negotiate. April 2013

Public Cloud Service Agreements: What to Expect & What to Negotiate. April 2013 Public Cloud Service Agreements: What to Expect & What to Negotiate April 2013 The Cloud Standards Customer Council THE Customer s Voice for Cloud Standards! Provide customer-led guidance to the multiple

More information

Some thoughts about cloud computing risks. Andris Soroka 28 th of January, 2015 Riga, Latvia

Some thoughts about cloud computing risks. Andris Soroka 28 th of January, 2015 Riga, Latvia Some thoughts about cloud computing risks Andris Soroka 28 th of January, 2015 Riga, Latvia Role of DSS in Cyber-security Development in Baltics Cyber-Security Awareness Raising Technology and knowledge

More information

LEGAL ISSUES IN CLOUD COMPUTING

LEGAL ISSUES IN CLOUD COMPUTING LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

What s the Path? Information Life-cycle part of Vendor Management

What s the Path? Information Life-cycle part of Vendor Management Disclaimer The materials provided in this presentation and any comments or information provided by the presenter are for educational purposes only and nothing conveyed or provided should be considered

More information

BYOD File Sharing Go Private Cloud to Mitigate Data Risks

BYOD File Sharing Go Private Cloud to Mitigate Data Risks AN ACCELLION WHITE PAPER BYOD File Sharing Go Private Cloud to Mitigate Data Risks Accellion, Inc. Tel +1 650 485-4300 1804 Embarcadero Road Fax +1 650 485-4308 Suite 200 www.accellion.com Palo Alto, CA

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

AskAvanade: Answering the Burning Questions around Cloud Computing

AskAvanade: Answering the Burning Questions around Cloud Computing AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,

More information

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased

More information

Information Security: Cloud Computing

Information Security: Cloud Computing Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration

More information

Cloud Computing. Information Security and Privacy Considerations. April 2014

Cloud Computing. Information Security and Privacy Considerations. April 2014 Cloud Computing Information Security and Privacy Considerations April 2014 All-of-Government Cloud Computing: Information Security and Privacy Considerations April 2014 1 Crown copyright. This copyright

More information

Copyright 2014 Thomas Trappler All Rights Reserved

Copyright 2014 Thomas Trappler All Rights Reserved 1 Cloud Computing Risk Mitigation 2 Cloud Computing Risk Mitigation http://www.flickr.com/photos/61056899@n06/5751301741/sizes/l/in/photostream/ As with the adoption of any IT solution, The adoption of

More information

Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken )

Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken ) 23.11.2015 Jan Philipp Manager, Cyber Risk Services Enterprise Architect Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken ) Purpose today Introduction» Who I am

More information

{Moving to the cloud}

{Moving to the cloud} {Moving to the cloud} plantemoran.com doesn t mean outsourcing your security controls. Cloud computing is a strategic move. Its impact will have a ripple effect throughout an organization. You don t have

More information