Cloud Computing Risks
|
|
- Ethelbert Cain
- 8 years ago
- Views:
Transcription
1 ISSA PREEMINENT TRUSTED GLOBAL INFORMATION SECURITY COMMUNITY Cloud Computing Risks By Richard Mosher ISSA member, Kansas City, USA Chapter Cloud computing risks still include data privacy, availability, service provisioning, malicious attack, and regulaty compliance. Mitigating the risks, now me than ever befe, requires a mature vend management program in which cloud s are tasked contractually with guaranteeing the infmation security requirements of their customers. Abstract The most recent development in infmation technology suppt f cpate business is the growing use of cloud computing. This trend presents a unique set of risks to cpate data that must be specifically addressed when considering this option. The issues involved are as old as infmation security. The risks still include data privacy, availability, service provisioning, malicious attack, and regulaty compliance. The venue has changed as technologies have mphed. Mitigating the risks, now me than ever befe, requires a mature vend management program in which cloud service providers are tasked contractually with guaranteeing the infmation security requirements of their customers. Background Cloud computing began years ago with the development of services such as online application offerings through application s (ASPs), infrastructure s such as Internet s (ISPs), and functional s such as managed security services providers (MSSPs). Following the development of virtual technology and other technological innovations, cloud computing services are now defined within three categies. Infrastructure as a Service (IaaS) A computing infrastructure is delivered as a service, although the infrastructure, platfms, applications within the environment may be managed and suppted either internally by the external entity. Platfm as a Service (PaaS) Computing platfms are delivered as a service; the infrastructure is managed by the, but platfms applications within the environment may be managed and suppted either internally by the external entity. Software as a Service (SaaS) Computing applications are delivered as a service, and the infrastructure and platfms are managed by the, but the application may be managed suppted either internally by the external entity. Of necessity, each of these involves the external management of particular functions by the external provider. F instance, an external IDS/IPS service generally involves an infrastructure, platfm, and application managed by the in providing the function. Likewise, the provisioning of HR services through an external application such as ADP must be suppted by, and may be managed by, personnel. This picture is clouded to some extent because the industry recognizes that cloud environments may be external to the ganization, entirely within the ganization (private), a hybrid (a mix of the two). An alternate option is a community cloud, which is an external cloud provided by a service provider designed and configured to suppt a specific type of application data requirement, as in, f instance, a medical industry cloud designed to provide a HIPAA-compliant service. This discussion is focused exclusively on the risks involved in the use of clouds provided by providers external to the ganization in either a pure external, community hybrid cloud environment. 34
2 As is true f all outsourcing arrangements, external cloud computing services share a set of risks that are derived from the decision to permit cpate data to be processed by reside upon devices outside of the cpate environment and under the control of an outside ganization. Some of these risks are increased due to the inherent nature of cloud computing. Data privacy risks Access control The decision to move cpate data and/ documents to an external cloud environment by its very nature requires that individuals within the ganization may have access to the data submitted to the cloud environment if personnel need access to the data stage area in suppt of the service. 1 require that the limit access to the data/files to essential personnel only; conduct background checks of those individuals to whom access will be granted; maintain proper recds of approval, removal, and review of internal access to the data; monit access to the data; train internal staff on requirements to protect the data; and if needed f compliance purposes, provide repts to the ganization regarding access to the data recds by suppt staff. Internally, the ganization can Contractually obligate the to these requirements; and Monit vend compliance with the requirements. Internal segmentation Any cloud is likely to suppt multiple ganizations. If not properly structured and configured, the data architecture underlying the service could put the ganization s data at risk of disclosure to other ganizations. 2 require that the implement internal barriers/segmentation between the data of different ganizations; and conduct audits of data stage to confirm that the barriers are effective. Once again, this requires that the ganization contractually obligate and monit vend compliance. Sub-contracts Many cloud s themselves are composed of multiple layers of cloud services, with the iginally contracted provider using other cloud providers to suppt their own services. The ganization must therefe be prepared to enfce its needs within multiple layers of s through the iginally contracted. This issue is especially troublesome if the ganization is under legal and/ regulaty compliance requirements. If this is the case, the ganization is often held responsible f ensuring the compliance of its sub-contracts. The ganization will therefe want to know the identities of sub-contracts in der to be able to track their compliance status. This can only be ensured through appropriate contract language. 3 if the ganization is under an obligation to satisfy regulaty requirements, discuss this with the cloud vend, and, if possible, require that the provide the identities of all sub-contracts in der to confirm their compliance status; if this level of compliance moniting is not required, request that the agree contractually to enfce all identified requirements on its service providers as appropriate; require that the implement a vend management program to monit the compliance of its vends; and monit the s compliance with this requirement. Data ownership In the past it was not unusual f cloud s to claim ownership of all data/files submitted to their care, and to publicly state the right to redistribute all submitted documentation at will. 4 ensure that the acknowledges the primacy of the ganization s rights to the data submitted; contractually obligate the to limit use of the data to that approved by the ganization; and contractually require that the ganization s data be returned and deleted upon severing the relationship. 1 Cloud Security Alliance, Top Threats to Cloud Computing V1.0, March 2010, Threat #3: Malicious Insiders, p csathreats.v1.0.pdf. 2 Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage, Hey, You, Get Off of My Cloud: Expling Infmation Leakage in Third-Party Compute Clouds, ACM, November Giles Hogben, Perspectives on Cloud Security in the European Landscape, Cloud Security Delivery Imperatives 2011, ISACA Virtual Seminar, April Carl Brooks, Cloud SLAs the next bugbear f enterprise IT, TechTarget.com 35
3 E-Discovery Because the data/files submitted are now suppted on systems belonging to an external entity (e.g., the cloud service provider), that data is now subject to discovery not only by legal actions targeting the ganization, but may also be at risk of discovery and disclosure by legal actions targeting the any one of its other customers service providers. The ganization s data may therefe be compromised due to legal actions that may may not directly involve the ganization. 5 6 To mitigate this, the ganization can ensure that the is bound contractually to notify the ganization of any required legal disclosure that may involve the ganization s data; and make internal plans to address e-disclosure needs in such an event. Data censship In some cases cloud providers retain to themselves the right to audit and cens any data submitted to the service. This can cause delays in the data posting process changes to the data itself that may be unacceptable. 7 contractually define any such activities on the part of the, and the process through which it is suppted; and require the to rept any such activities to the ganization. Encryption In the current state of the cloud processing industry, implementation of encryption f data at rest within the cloud remains relatively rare, is expensive when available. It has been identified within some cloud services that are designed to meet specific regulaty requirements, but is not available within me common cloud services. : use cloud services only f those data services that do not require data encryption f data privacy purposes; select a cloud that can provide encryption if required; confirm that the has implemented appropriate encryption controls; 5 Wendy Butler Curtis, Curtis Heckman, and Aaron Thp, Cloud Computing: ediscovery Issues and Other Risk, Orrick ediscovery Alert, June 28, Lucas Mearian, How data security can vapize in the cloud, Computerwld, October 15, security_can_vapize_in_the_cloud_. 7 Joseph Granneman, Data Protection and Access Control in the Cloud, Security and Compliance in the Cloud, ISACA Virtual Seminar, December confirm that the regularly tests those encryption controls; and ensure that appropriate key management practices are in place to suppt the encryption. Availability risks Service degradation External services through a cloud provider involve connections over the Internet, any section of which is subject to congestion and outages on a periodic basis. In addition, the service may be degraded by a malicious attack, either due to the diversion of resources caused by an attack on the, by the diversion of resources due to an attack upstream from the (an attack on one of their service providers) and resulting congestion on the telecommunication lines, by diversion of resources caused by a successful penetration and use of the service itself as the base f further attacks on other sites. use cloud services only f those applications f which degradation of service is not a significant issue; obtain redundant lines to the through alternate carriers that can provide alternate connecting lines to the service; and implement appropriate and feasible alternatives f services during periods of service degradation. Service outage Similarly, all s will, f one reason another, incur service outages and perfmance issues on a periodic basis. confirm that the has designed the service with adequate capacity and multiple service sources to limit outages; require a service level agreement with the provider with contractual penalties f less than acceptable availability perfmance levels; ensure that the defined level of availability is acceptable f business purposes; confirm that the has an active backup program and recovery plan, confirm that the recovery plan is tested regularly; determine if alternate service options are available f periods in which the service is not available; and implement appropriate and feasible alternatives f services during an outage. 36
4 Service provisioning risks Service changes As all IT professionals know, technology firms come and go. Cloud s may fail, be acquired, change their business models and discontinue a service at any time. As a result, the ganization may lose access to its data to the service upon sht notice. contractually require a specified minimum period of notice f service changes; identify alternate service options that can be activated upon need; and maintain an updated internal copy of the data f emergency use. Cost changes As with any outside service, costs f cloud services will change over time. Such changes can make this type of service less cost effective, jeopardizing the purpose behind using the service in the first place. To mitigate this, the ganization can ensure that service costs and changes are defined in the service contract; and evaluate the cost/benefit/risk trade-offs of the relationship during each contract renewal. Malicious activity risks Likelihood of attack Because cloud s suppt multiple businesses and must have their services available on the open Internet, they are at increased risk of being attacked through their website ptals. After all, attackers tend to prefer target-rich environments, and cloud s concentrate multiple targets within their service areas. This situation is made wse by the fact that they must make web suppt and administration tools available to their customers as a part of the nmal business model through the web ptal, thereby leaving these tools accessible to attackers as well. As a result, the ganization s data/files are at increased risk of compromise through an outside attack. 8 confirm that the follows recommended security best practices in the development and coding of its web application, including code reviews and appropriate application security steps within each level of its infrastructure; confirm that the perfms vulnerability and penetration tests on a periodic basis and remediates any issues identified; and confirm that these practices have been audited and shown to be in place and operationally effective. Regulaty compliance risks Audit recds In many cases the systems suppting cloud services are managed by personnel through their internal processes. Service providers, as is true f most ganizations, usually decline to provide internal operational details to external customers. Obtaining auditable recds f the systems can therefe be difficult. In addition, the audit tools available through individual s vary significantly. The tools available f this purpose must be evaluated f each service provider. Because verifying the functionality and controls of all suppting systems may be required f compliance with regulaty requirements, this becomes a significant risk. negotiate with a mechanism through which suppting systems can be audited and verified, either through an audit perfmed by the ganization s audit team through a third party verification using SSAE 16 SOC 1 and SOC 3 repts, and include this in the contract; obtain copies of previous relevant SAS 70/SSAE 16 repts conduct regular audits of the provider; and ensure that appropriate audit repts are mandated contractually to meet the needs of the ganization. Stage location Verifying the functionality and controls of all suppting systems may be required f compliance with regulaty requirements, becoming a significant risk. Typically, the may ste all part of the data/files on servers where it is convenient f them. This may include transferring the data to servers outside of the region country of igin. Such a situation may may not be permissible, based upon regulations under which the ganization operates. 9 8 Cloud Security Alliance, Top Threats to Cloud Computing V1.0, March 2010, Threat #1: Abuse and Nefarious Use of Cloud Computing, p. 8 cloudsecurityalliance.g/topthreats/csathreats.v1.0.pdf. 9 Dr. Thomas Helbing, How the New EU Rules on Data Expt Affect Companies Running Cloud Computing and SaaS, cloudcomputing-vision.com, April 16,
5 require that the assess the ganization s legal and regulaty requirements, and determine if restrictions exist on whether it can permit its data to be sted outside of a specific legal jurisdiction; if the ganization faces this type of restriction, include a discussion of this issue with any s considered as s; if possible, agree contractually to stage location restrictions that will keep the ganization compliant with its regulaty needs; if this is not possible, exclude the from those to be considered f the service. Lack of breach notice In addition to all the other controls that are missing, the ganization using cloud services also loses insight into and control over mandated breach notifications. Me often than not, the ganization may not even know that a breach has occurred until it appears in the evening news. 10 use cloud resources f only those data applications that do not have regulaty compliance requirements; contract with a cloud that is willing to assert contractually that they will notify the ganization at once in the event of a possible breach. Compliance The issue of compliance validation f cloud computing applications is an open question. Little has been done in this area to date, and suppt f compliance requirements varies considerably between providers. 11 use cloud resources f only those data applications that do not have regulaty compliance requirements; contract with a cloud that is willing to assert contractually that they will maintain compliance with the regulation in question; and maintain a compliance verification program that validates the s compliance with the requirements. 10 Ariel Silverstone, Cloud Security: Danger (and Opptunity) Ahead, CSO Online, May 19, Opptunity_Ahead. 11 Cloud Computing: Benefits, risks and recommendations f infmation security, European Netwk and Infmation Security Agency (ENISA), November Mitigation summary The use of external resources f cloud computing in its current state involves a number of risks. The key to proper mitigation of the risks in cloud computing is to determine appropriate controls f all relevant security provider operations just as if they were internal, and then to contractually obligate the to comply with those controls. In the process of mitigating its risks, any ganization making use of cloud computing resources should take a number of key steps. 1. Evaluate the risks involved in the use of cloud computing f a specific data application, and determine if the benefits to be gained offset the risks and the costs. This is especially critical if any regulaty compliance requirements are involved. 2. Assess the available cloud computing s to determine if any can provide the needed service while providing appropriate suppt in mitigating the identified risks. 3. Perfm appropriate due diligence on the selected service provider to ensure their financial stability, and to confirm the promised suppt architecture is available. 4. Obtain copies of the SAS 70 the new SSAE 16 audit repts to confirm their controls, perfm an audit of the to confirm these details. 5. Ensure that the contract includes language specifying all required mitigating controls and repting. 6. Implement a vend management program to ensure ongoing compliance of the with all necessary controls and service levels. 7. Ensure that all other appropriate internal mitigating strategies and options are implemented. About the Auth Richard Mosher, CISSP, CBCP, CISA, CGEIT, QSA, is a professional consultant wking in infmation security, risk management, regulaty compliance, business continuity, and IT audit as a staff member of Experis, a ManpowerGroup company. He has 25 years of experience in infmation security, is a fmer ISSA chapter president, fmer ISSA International board member, and an ISSA Distinguished Fellow, and is a periodic contribut to the ISSA Journal. He may be reached at Richard.mosher@experis.com. 38
Security Issues in Cloud Computing
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
More informationManaged Solution Center s TSM Managed Services FAQ
Managed Solution Center s TSM Managed Services FAQ Frequently Asked Questions 1. Will this invalidate our IBM Warranty / Maintenance? No. IBM warranty will not be affected as TSM code is not being modified
More informationThe Keys to the Cloud: The Essentials of Cloud Contracting
The Keys to the Cloud: The Essentials of Cloud Contracting September 30, 2014 Bert Kaminski Assistant General Counsel, Oracle North America Ken Adler Partner, Loeb & Loeb LLP Akiba Stern Partner, Loeb
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationCloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org
Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security
More informationCloud Computing and HIPAA Privacy and Security
Cloud Computing and HIPAA Privacy and Security This is just one example of the many online resources Practical Law Company offers. Christine A. Williams, Perkins Coie LLP, with PLC Employee Benefits &
More informationCloud Security and Managing Use Risks
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
More informationKEY TERMS FOR SERVICE LEVEL AGREEMENTS TO SUPPORT CLOUD FORENSICS
Chapter 12 KEY TERMS FOR SERVICE LEVEL AGREEMENTS TO SUPPORT CLOUD FORENSICS Keyun Ruan, Joshua James, Joe Carthy and Tahar Kechadi Abstract As the adoption of cloud services increases, the importance
More informationSecuring The Cloud With Confidence. Opinion Piece
Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery
More informationSecurity Issues On Cloud Computing
Security Issues On Cloud Computing Pratibha Tripathi #1, Mohammad Suaib #2 1 M.Tech(CSE), Second year 2 Research Guide # Department of Computer Science and Engineering Abstract Integral University, Lucknow
More informationHow to ensure control and security when moving to SaaS/cloud applications
How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk
More informationCloud Computing Governance & Security. Security Risks in the Cloud
Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud
More informationSecuring The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master
Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is
More informationCloud Infrastructure Security
Cloud Infrastructure Security Dimiter Velev 1 and Plamena Zlateva 2 1 University of National and World Economy, UNSS - Studentski grad, 1700 Sofia, Bulgaria dvelev@unwe.acad.bg 2 Institute of Control and
More informationWhile cloud computing may have many benefits, it comes with a financial and a business cost in terms of:
Cloud Computing Technology Spotlight Defined by The National Institute of Standards and Technology as the provision of computational resources on demand via a computer network, cloud computing s advantages
More informationSecuring and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer What is Cloud Computing A model for enabling convenient, on-demand network access to a shared pool of configurable
More informationCloud Assurance: Ensuring Security and Compliance for your IT Environment
Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware
More informationTable of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.
FME Cloud Security Table of Contents FME Cloud Architecture Overview Secure Operations I. Backup II. Data Governance and Privacy III. Destruction of Data IV. Incident Reporting V. Development VI. Customer
More informationGovernance and Control in the Cloud. Infrastructure as a Service
1 Governance and Control in the Cloud Infrastructure as a Service Cows 2 The Triumph of the Utility 3 Our Discussion 4 How we ll talk about Governance and Controls today Not an IT-assurance methodology
More informationCloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC
Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications
More informationSECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING
SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING 1. K.SURIYA Assistant professor Department of Computer Applications Dhanalakshmi Srinivasan College of Arts and Science for Womren Perambalur Mail: Surik.mca@gmail.com
More informationTOP 10 Security Questions Introduction Breaches and other privacy and security incidents in healthcare are on the rise due to the vast size of the industry and the oneoffs of protected health information
More informationStrategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security
Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities
More informationCloud Computing An Auditor s Perspective
Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,
More informationLegal Issues in the Cloud: A Case Study. Jason Epstein
Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types
More informationAnnex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015
Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred
More informationCloud Computing Risk and Rewards
Cloud Computing Risk and Rewards John Lazarine Vice President and Chief Audit Executive Mark Salamasick Director of Center for Internal Auditing For Dallas CPA Society Convergence 2013 May 8, 2013 John
More informationInsights into Cloud Computing
This article was originally published in the November 2010 issue of the Intellectual Property & Technology Law Journal. ARTICLE Insights into Cloud Computing The basic point of cloud computing is to avoid
More informationLOCAL AREA NETWORK (LAN) SUPPORT SERIES
LOCAL AREA NETWORK (LAN) SUPPORT SERIES Occ. Wk Prob. Effective Code No. Class Title Area Area Period Date 4826(3291) Local Area Netwk (LAN) Suppt Specialist I 02 734 6 mo. 12/23/96 4827(3291) Local Area
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationCPA Practical Experience Requirements
CPA Practical Experience Requirements Does my job qualify f experience verification? The qualifying period of practical experience can begin when future CPAs attain three conditions: 1. You start wking
More informationINFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013
INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.
More informationRisk Management of Outsourced Technology Services. November 28, 2000
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
More informationThe Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.
The Magical Cloud Lennart Franked Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall. 2014-10-20 Lennart Franked (MIUN IKS) The Magical Cloud 2014-10-20 1 / 35
More informationCPNI VIEWPOINT 01/2010 CLOUD COMPUTING
CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected
More informationManaging Cloud Computing Risk
Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify
More informationDetermines database requirements and prepares database design for highly complex systems.
SENIOR APPLICATIONS DEVELOPER ERP Solutions Specialists DEFINITION: This is highly advanced technical supervisy wk in the analysis, planning, design, programming, and maintenance of computer applications.
More informationSummary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL
Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined
More informationCloud security architecture
ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide
More informationCloud Computing in a Regulated Environment
Computing in a Regulated Environment White Paper by David Stephenson CTG Regulatory Compliance Subject Matter Expert February 2014 CTG (UK) Limited, 11 Beacontree Plaza, Gillette Way, READING, Berks RG2
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationCloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week
Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions
More informationSecurity and Privacy in Cloud Computing
Security and Privacy in Cloud Computing Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Threats, vulnerabilities, and enemies Goal Learn the cloud computing threat model
More informationwww.pwc.com/mt Internal Audit Takes On Emerging Technologies
www.pwc.com/mt In Internal Audit Takes On Emerging Technologies Contents Introduction 2 Cloud Computing & Internal Audit 3 Smart Devices/ Technology & Internal Audit 6 Social Media & Internal Audit 8 Cyber
More informationAuditing Cloud Computing and Outsourced Operations
Session 136 Auditing Cloud Computing and Outsourced Operations Monday, May 7, 2012 3:30 PM 5:00 PM Mike Schiller Director of Sales & Marketing IT, Texas Instruments Co Author, IT Auditing: Using Controls
More informationThe silver lining: Getting value and mitigating risk in cloud computing
The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations
More informationI.1 SERVICE LEVEL AGREEMENT MATRIX. Bidders must complete the following SLA Matrix as applicable to category bid.
I.1 SERVICE LEVEL AGREEMENT MATRI Bidders must complete the following SLA Matrix as applicable to categy bid. SERVICE LEVELS, BY CLASS of SERVICE Unless otherwise specified, all classes of Voice, Connectivity
More informationCloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com
Cloud Computing Risks & Reality Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com What is Cloud Security The quality or state of being secure to be free from danger & minimize risk To be protected from
More informationFEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose
FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05 Cyber Risk Management Guidance Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk management.
More informationCloud Computing: Compliance and Client Expectations
Cloud Computing: Compliance and Client Expectations February 15, 2012 MOSS ADAMS LLP 1 TODAY S PRESENTERS Moderator Kevin Villanueva, CPA, CISA, CISM, CITP, CRISC Sr. Manager, Infrastructure and Security
More informationGAIN CLARITY CRITICAL ISSUES. Your Data in the Cloud : Benefits & Risks GAIN CONTROL. berrydunn.com
GAIN CLARITY CRITICAL ISSUES Your Data in the Cloud : Benefits & Risks berrydunn.com AGENDA Defining Cloud Services Benefits and Risks Core Requirements Myths about Clouds Is Your Data in the Cloud Secure?
More informationSERVICE LEVEL AGREEMENT MATRIX
SERVICE LEVEL AGREEMENT MATRI SERVICE LEVELS, VoIP CnerStone Telephone s Level agreement provided herein is limited to the scope of services it is proposing in this response to the RFP. Specifically, our
More informationWhat Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen
What Is The Cloud And How Can Your Agency Use It Tom Konop Mark Piontek Cathleen Christensen Video Computer Basics: What is the Cloud What is Cloud Computing Cloud Computing Basics The use of the word
More informationWednesday, January 16, 2013
Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago, IL 60654 312.832.4500 Wednesday,
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationCloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing
Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for
More informationTechnology Risk Management
1 Monetary Authority of Singapore Technology Risk Guidelines & Notices New Requirements for Financial Services Industry Mark Ames Director, Seminar Program ISACA Singapore 2 MAS Supervisory Framework Impact
More informationAHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS
AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals
More informationKeyLock Solutions Security and Privacy Protection Practices
KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout
More informationOWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect
OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud
More informationCisco Cloud Assessments. Justin Tang
Cisco Cloud Assessments Justin Tang Cisco Landscape Evolution of Cloud Assessments Performing Cloud Assessments Challenges 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Definition:
More informationAnatomy of a Cloud Computing Data Breach
Anatomy of a Cloud Computing Data Breach Sheryl Falk Mike Olive ACC Houston Chapter ITPEC Practice Group September 18, 2014 1 Agenda Ø Cloud 101 Welcome to Cloud Computing Ø Cloud Agreement Considerations
More informationCloud Computing. Introduction
Cloud Computing Introduction This information leaflet aims to advise organisations which are considering engaging cloud computing on the factors they should consider. It explains the relationship between
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationCloud Computing and Records Management
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
More informationClient Security Risk Assessment Questionnaire
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
More informationHow To Secure Cloud Computing
A hole in the cloud: Is cloud secure? N. Vijaykumar Infosys Technologies Limited, Bangalore presented at Security in cloud is a key challenge! 70% 60% 50% 40% 30% 20% 10% 0% Data integrity tampering Hacker
More informationHow To Choose A Cloud Computing Solution
WHITE PAPER How to choose and implement your cloud strategy INTRODUCTION Cloud computing has the potential to tip strategic advantage away from large established enterprises toward SMBs or startup companies.
More informationCloud Computing: Risks and Auditing
IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center @IIAChicago #IIACHI Cloud Computing: Risks Auditing Phil Lageschulte/Partner/KPMG Sailesh Gadia/Director/KPMG
More informationAssessing Risks in the Cloud
Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research
More informationNETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015
NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X
More informationSecurity Threat Risk Assessment: the final key piece of the PIA puzzle
Security Threat Risk Assessment: the final key piece of the PIA puzzle Curtis Kore, Information Security Analyst Angela Swan, Director, Information Security Agenda Introduction Current issues The value
More informationBYOD File Sharing - Go Private Cloud to Mitigate Data Risks. Whitepaper BYOD File Sharing Go Private Cloud to Mitigate Data Risks
BYOD File Sharing - Go Private Cloud to Mitigate Data Risks An Accellion Whitepaper BYOD File Sharing Go Private Cloud to Mitigate Data Risks Executive Summary The consumerization of IT and the popularity
More informationSecurity & Trust in the Cloud
Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer
More informationCloud Computing Thunder and Lightning on Your Horizon?
Cloud Computing Thunder and Lightning on Your Horizon? Overview As organizations automate more and more of their manual processes, the Internet is increasingly becoming an important tool in the delivery
More informationWhite Paper: Librestream Security Overview
White Paper: Librestream Security Overview TABLE OF CONTENTS 1 SECURITY OVERVIEW... 3 2 USE OF SECURE DATA CENTERS... 3 3 SECURITY MONITORING, INTERNAL TESTING AND ASSESSMENTS... 4 3.1 Penetration Testing
More informationSecurity, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32
Security, Compliance & Risk Management for Cloud Relationships Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32 Introductions & Poll Organization is leveraging the Cloud? Organization
More informationPublic Cloud Service Agreements: What to Expect & What to Negotiate. April 2013
Public Cloud Service Agreements: What to Expect & What to Negotiate April 2013 The Cloud Standards Customer Council THE Customer s Voice for Cloud Standards! Provide customer-led guidance to the multiple
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationLEGAL ISSUES IN CLOUD COMPUTING
LEGAL ISSUES IN CLOUD COMPUTING RITAMBHARA AGRAWAL INTELLIGERE 1 CLOUD COMPUTING Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing
More informationData Privacy, Security, and Risk Management in the Cloud
Data Privacy, Security, and Risk Management in the Cloud Diana S. Hare, Associate General Counsel and Chief Privacy Counsel, Drexel University David W. Opderbeck, Counsel, Gibbons P.C. Robin Rosenberg,
More informationCloud Security Who do you trust?
Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationKey Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing
Contents Introduction Why GRC Assessment Benefits of Cloud computing and Problem Statement Key Speculations & Problems faced by Cloud service user s in Today s time Threats, Vulnerabilities and related
More informationCLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM
CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material
More informationCloud Database Storage Model by Using Key-as-a-Service (KaaS)
www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 4 Issue 7 July 2015, Page No. 13284-13288 Cloud Database Storage Model by Using Key-as-a-Service (KaaS) J.Sivaiah
More informationSome thoughts about cloud computing risks. Andris Soroka 28 th of January, 2015 Riga, Latvia
Some thoughts about cloud computing risks Andris Soroka 28 th of January, 2015 Riga, Latvia Role of DSS in Cyber-security Development in Baltics Cyber-Security Awareness Raising Technology and knowledge
More informationValidating Enterprise Systems: A Practical Guide
Table of Contents Validating Enterprise Systems: A Practical Guide Foreword 1 Introduction The Need for Guidance on Compliant Enterprise Systems What is an Enterprise System The Need to Validate Enterprise
More informationCloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World
Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World July 30, 2015 Sutherland Webinar Michael Steinig 202.383.0804 Michael.Steinig@sutherland.com
More informationWhat s the Path? Information Life-cycle part of Vendor Management
Disclaimer The materials provided in this presentation and any comments or information provided by the presenter are for educational purposes only and nothing conveyed or provided should be considered
More informationEffectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com
Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased
More informationCloud Computing Security Issues
Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security, marchany@vt.edu Something Old, Something New New: Cloud describes the use of a collection of services, applications,
More informationBYOD File Sharing Go Private Cloud to Mitigate Data Risks
AN ACCELLION WHITE PAPER BYOD File Sharing Go Private Cloud to Mitigate Data Risks Accellion, Inc. Tel +1 650 485-4300 1804 Embarcadero Road Fax +1 650 485-4308 Suite 200 www.accellion.com Palo Alto, CA
More informationStrategies for assessing cloud security
IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary
More informationVERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK
HANDBOOK VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK CONSIDERATIONS FOR SERVICE ADOPTION Version 1.0 July 2014 VerisignInc.com CONTENTS 1. WHAT IS A DDOS PROTECTION SERVICE? 3 2. HOW CAN VERISIGN
More informationSecurity Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken )
23.11.2015 Jan Philipp Manager, Cyber Risk Services Enterprise Architect Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken ) Purpose today Introduction» Who I am
More informationCLOUD MIGRATION. Celina Alexandre M6807
CLOUD MIGRATION M6807 S Content 1. Introduction 2. Methodology 3. Requirements Definition Phase 3.1. Strategy 3.2. Knowledge 06/05/15 2 Content 4. Analysis Phase 4.1. Aplications and Systems 4.2. Development
More information{Moving to the cloud}
{Moving to the cloud} plantemoran.com doesn t mean outsourcing your security controls. Cloud computing is a strategic move. Its impact will have a ripple effect throughout an organization. You don t have
More information