CLOUD SOLUTIONS FOR REMOTE GAMING INDUSTRY


Cloud Solutions - Guidelines for Remote Gaming Operators
Consultation Paper
Date: 31 October 2014

Foreword

Cloud technologies have started to move beyond the hype and into the very fabric of today's enterprise management. With the majority of organisations now claiming to have adopted cloud solutions into at least part of their enterprise, we are now seeing the market mature to the point that cloud solutions are being used for mission critical enterprise activities and services. Over recent years, new lessons have been learnt, leading practices and challenges are emerging and a body of knowledge is now taking shape.

The Lotteries and Gaming Authority of Malta (LGA) recognises the advantages and options cloud solutions provide to the remote gaming industry in general. It allows for a significant cut in infrastructure and operational costs, better management and allocation of IT resources, flexibility and scalability of operations. However, we are cognisant of the fact that changing from one environment to another presents new challenges which operators and regulators alike are doing their best to address both from a policy and operational standpoint.

It is the intention of the LGA to release guidelines for the Remote Gaming operators making use of cloud solutions. It will also allow facilities to be used as cloud service providers in defined circumstances for gaming transactions. This consultation is proposing a sharper focus on long-standing principles, with a clearer explanation of why they are important from a policy and regulatory perspective. These guidelines serve as a clear sign to the gaming industry that the LGA wants to be a prime mover in innovation and policy and is well positioned to react to these trends in order to safeguard the collective achievement of the gaming industry over the last 11 years.

I therefore strongly encourage all stakeholders to actively participate in this consultation document so that we make sure that the new policy on cloud solutions is well thought out and forward looking. To this effect, your opinions and insights on this matter are critical to keep Malta at the leading edge of technology and innovation.

Joseph Cuschieri
Executive Chairman
Lotteries & Gaming Authority of Malta

Contents

1. Introduction
Background
Objectives
Pre-consultation activities
2. The Authority's perspective on Cloud Computing
Cloud Computing - a definition
Deployment Models
Cloud Service Providers
The Current Situation
An overview of risks related to operating on a Cloud environment
Security
Confidentiality
Integrity
Availability
Compliance
Jurisdictional / Legal
Relevant standards
The Authority's proposal
The Authority's position
Scope
Establishing the context
Remote Gaming Components
Proposed Approval Process
The Authority's conformance kite mark
Geographic locations
Monitoring and review of the kite mark
Control of operational documents & records
A Risk-based approach
Risks relating to the adoption of Cloud Computing
Final Considerations
Consultation procedure
Consultation period
Queries and contributions
Questions to be addressed by stakeholders
Direct interaction
Transparency register
Post-consultation
Data Protection Statement - Data Protection Act (Chapter 440)
Appendix A Summary of consultation questions
Notes

Definitions

Classes: As per the First Schedule to Regulation 3, Licences of the Remote Gaming Regulations 2004, SL

Cloud Computing: In this paper the Authority has adopted the Cloud Security Alliance definition for Cloud Computing - see Section 2.1 in this Paper

Cloud Service Provider: A Cloud Computing service provider, also referred to as CSP in this Paper

Financial data: Any data pertaining to the financial activity of a player

Licensee: As per the definition of licensee in Remote Gaming Regulations 2004, SL

Player data: Any data which contributes or may contribute to the identification of a player

Remote Gaming Operator/Operator: An economic operator registered in Malta and licensed, or in the process of obtaining a license, to operate as a Remote Gaming Operator in accordance to the Remote Gaming Regulations 2004, SL

SaaS: Software-as-a-Service is software which is deployed over the internet and used by someone on a personal computer or local area network.

PaaS: Platform as a service is a category of cloud computing services that provides a computing platform and a solution stack as a service.

IaaS: The virtual delivery of computing resources in the form of hardware, networking, and storage services. It may also include the delivery of operating systems and virtualisation technology to manage the resources.

1. Introduction

In 2004, Malta was the first country in Europe to identify the potential of this industry and enact the appropriate legislative framework to position the country as a leading global player in remote gaming regulation. With the regulatory and financial incentives in place, the portfolio of companies setting up their operations in Malta started to grow at a fast pace. Today, the Lotteries and Gaming Authority, hereafter referred to as the Authority, hosts a remote gaming industry that directly contributes 11% of GDP, employs more than 7,000 people and has direct and indirect economic benefits that have created a multiplier effect impacting many business sectors, including property, hospitality and corporate services. Over 250 remote gaming companies and 400 licenses are currently on the LGA's books, and the numbers keep growing steadily.

Malta's huge success is underpinned by a package of incentives and other factors that make Malta a unique gaming jurisdiction of international repute. Our package includes corporate and personal tax incentives, a robust ICT infrastructure, an English-speaking population, a strong educational system and a regulatory framework that focuses on consumer protection, fairness of games, strict compliance and the prevention of money laundering and other crimes. In fact, other European jurisdictions have been looking at Malta as a role model to develop their national legal frameworks for remote gaming.

Malta's reputation in this sector needs to be maintained and one way of achieving this is by being responsive to technological developments which bring with them benefits to stakeholders in the sector. However, developments such as Cloud Computing/Services also present new or heightened levels of risks which need to be addressed and managed, in order to safeguard the jurisdiction's reputation and adequate levels of player protection.

With this in mind, the Authority is launching this public consultation process in respect of Cloud Computing Solutions adoption by Remote Gaming Operators, with a view to gather insights and feedback from relevant stakeholders, industry experts, and other interested parties, on its proposals as set out in this consultation paper.

1.1 Background

A number of remote gaming operators have, or are considering, leveraging the opportunities offered by the adoption of Cloud Computing Solutions in order to take advantage of the extensive benefits that may be achieved, including: better management and allocation of IT resources, flexibility, scalability and cost savings.

The Authority recognises the advantages that cloud computing provides to licensees. It also recognises the fact that the adoption of cloud computing by operators may also provide competitive advantages to the Remote Gaming sector in Malta. However, migrating from the traditional environment to a cloud environment presents some disadvantages as well, in the form of new or heightened risks.

The Authority believes that by setting out good practice, operators will be able to mitigate the risks that cloud computing introduces, meet the level of security and standards required by the Authority as well as attain the benefits offered by cloud computing.

1.2 Objectives

It is the Authority's objective to establish guidelines and to set good practice requirements on the industry in respect of the use of cloud services for remote gaming. These guidelines should:

a) Offer additional clarity on the use of cloud services, placing the obligations on the correct party, therefore making it clear as to who is responsible for what in the security process;
b) Stipulate those reasonable steps which must be taken to protect the information from misuse, loss, unauthorised access, modification and other security breaches, regardless of where it is stored.

1.3 Pre-consultation activities

The Authority has already received submissions on the subject matter from the Malta Remote Gaming Council Working Group and the Malta Chamber Remote Gaming Business Section and has taken these into consideration in arriving at its position and in compiling this consultation paper.

2. The Authority's perspective on Cloud Computing

2.1 Cloud Computing - a definition

According to the Cloud Security Alliance, cloud computing is defined as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services). Cloud computing is a disruptive technology that has the potential to enhance collaboration, agility, scaling, and availability, and provides the opportunities for cost reduction through optimized and efficient computing. The cloud model envisages a world where components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down to provide an on-demand utility-like model of allocation and consumption.

2.2 Deployment Models

Several security and privacy concerns within the cloud computing environment are similar to those of traditional non-cloud services, however amplified by external control over operators' assets. Cloud computing also introduces new risks, which vary according to the deployment model and setup utilised by the operator. Moreover, Cloud Service Providers (hereinafter referred to as CSPs) offer a range of services to their customers such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The following is a summary of the different deployment models and some of the key elements that characterise each model.

Private Cloud

This cloud infrastructure is for the exclusive use of a single licensee. No interaction with other entities is allowed within this type of cloud computing deployment model. In this case, physical or location-related considerations can still be closely controlled by the Authority as this particular cloud infrastructure can be located either on the operator's premises or at a Data Centre with dedicated servers. Building a private cloud seems to be the best option in terms of security.

Community Cloud

In a community cloud, services are shared by a number of licensees with similar security requirements and need to store or process data of similar sensitivity. In some cases, all the entities are subject to common security policies. These security components in a community cloud make the level of risk lower than in a public cloud, however it remains higher than in a private cloud.

Security

Although different classes of licensed remote gaming entities operate in the same sector, they may have adopted different security measures or security requirements. Consequently, other third party users hosted on the same CSP as that engaged by a remote gaming operator may have inferior security standards, security levels, procedures or Service Level Agreements (hereinafter referred to as SLAs) for the same category of data, exposing remote gaming operators to related risks.

Jurisdictional/Legal

Compliance with garnishee orders, search warrants and seizures served to companies could be difficult to enforce if a particular operator hosts its business in a cloud shared by other companies.

Public Cloud

In a public cloud, the CSPs share their infrastructure and resources among various unrelated enterprises and individuals. Public Cloud Services are generally considered as more risky, although the security related investment and the resources available to major Public Cloud Service Providers often exceed those of a typical licensee. Transition to a public cloud requires a transfer of responsibility and control to the cloud provider over information as well as system components that were previously under the organisation's direct control.

This cloud infrastructure is shared by multiple tenants of the cloud service provider. These tenants have no relation to each other in the same space, therefore no common interest and concerns for security. A malicious attack on one tenant could have adverse impacts on other tenants of the same cloud environment, even if they are not the intended target.

Isolation Failure

Multi-tenancy and shared resources are defining characteristics of both the Public and Community Cloud. High degrees of multi-tenancy over large numbers of platforms are needed for cloud computing to achieve the benefits of scale economies. The threats of these deployment models include the failure of mechanisms separating storage, memory, routing and even reputation between different tenants; the so-called guest-hopping attacks.

Security

Security depends not only on the correctness and effectiveness of many components but also on the interactions among them. The challenge exists in understanding and securing these applications. Having to share an infrastructure with unknown outside parties can be a major drawback and requires a high level of assurance pertaining to the strength of the security mechanism used for logical separation.

An attacker could pose as a consumer to exploit vulnerabilities from within the cloud environment, overcome the separation mechanisms, and gain unauthorised access. Access to organisational data and resources could also inadvertently be exposed to other consumers or be blocked from legitimate consumers through a configuration or software error, although this is a risk that is present also amongst non-cloud based deployments.

Governance

Loss of control over both the physical and logical aspects of the system and data diminishes the organisation's ability to effect changes in security and privacy that are in the best interest of the operators. The ability to reduce capital investment for computing resources and simultaneously satisfy computational needs through reductions in operational costs is one of the main advantages of cloud computing. However, policies and procedures for privacy and security could be overlooked and the organisation put at risk.

Physical location

On a public cloud, the physical location of the infrastructure is determined by the cloud provider as is the design and implementation of the reliability, resource pooling, scalability, and other logic needed in the support framework.

Hybrid

Hybrid cloud is a model that allows enterprises to create a mixture of public, community and private clouds, depending on the level of trust required for their information assets.

2.3 Cloud Service Providers

The flexibility, lower costs and scalability that cloud services can provide for remote gaming companies are more than promising. This is even more so for global cloud service providers which have high resources and capabilities, providing services at considerably low costs also through economies of scale. Whether a CSP is a start-up with a small set up or one of the global cloud service providers, the security and privacy concerns are still considerable and the risks relevant to the Authority must be addressed, independently of the size and the popularity of the CSP. Strong privacy and security guarantees are what the industry and the Authority demand. The following are further risks that large and international CSPs may introduce within the gaming industry.

Physical Security

A major stumbling block to adopt cloud computing within the remote gaming industry seems to be the difficulty in establishing the geographical location of the physical servers. Use of an in-house computing centre allows an organisation to structure its computing environment and to know precisely where data is stored and what safeguards are used to protect the data. In contrast, a characteristic of many cloud computing services is that data is stored redundantly in multiple physical locations and detailed information about the location of an organisation's data is unavailable or not disclosed to the service consumer. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met.

Security Features

Cloud service operators provide a number of features that are commonly used in any server environment to ensure adequate security. Nevertheless, many of them provide additional configurable options and for this reason it is the operator's responsibility to implement them in the most appropriate manner.

Governance

CSPs may allow operators to make use of a private and isolated portion of the cloud without disclosing the physical location of the data and how it is processed. The Authority recognises that a cloud customer may find it difficult to exercise any meaningful control over the way a large (and perhaps global) cloud provider operates. The "take it or leave it" SLAs do not provide any opportunity for negotiations. However, it is the Authority's view that simply because an operator chooses to contract for cloud computing services on the basis of the provider's standard terms and conditions, this does not exonerate the operator from its responsibilities in this regard. The operator's deployment logical architecture - whether it is on physical or virtual servers - will still need to be approved by the Authority as is the current practice.

Legal Issues

Such CSPs are many times transborder, and different jurisdictions have different legal requirements, especially concerning personal private information. The CSP will need to host its service in a manner that is fully compliant with EU data protection and other applicable laws.

2.4 The Current Situation

The Authority must ensure that it has the right policy framework to mitigate any risks and to seize the full benefits of cloud computing. The Authority's current practice requires that requests for the use of public or private cloud are dealt with on a case by case basis during the licensing process of a remote gaming operator.

Operators argue that the current practices which require the tagging of servers run counter to the agility and benefits of a cloud environment. Tagging of servers is considered to be a redundant and obsolete requirement by operators. The Authority is at present considering the feasibility of alternative mechanisms or systems with a view to address this concern.

There are a number of challenges that need to be addressed to ensure that the Authority's licensees maximise the benefits to be derived from adoption of a cloud computing environment whilst ensuring that the risks are mitigated. The six main areas set out in section 3, sub-sections 3.1 to 3.6, are some of the critical areas to be addressed if the Maltese jurisdiction is to become cloud-friendly and cloud-active. An additional and non-exhaustive list of risks introduced or amplified by the adoption of cloud can also be found in section

3. An overview of risks related to operating on a Cloud environment

Cloud computing promises to have far-reaching effects on the systems and work practices of the licensees and the Authority. Emphasis on the cost and performance of cloud computing should be balanced with the fundamental security and privacy concerns the Authority and licensees have with these computing environments. Many of the features that make cloud computing attractive can also be at odds with traditional security models and controls.

The first question to ask when evaluating a cloud environment is: Which information assets will a remote gaming operator migrate to the cloud environment? Information assets in the remote gaming industry can be broadly categorised as: data, applications and processes. These assets are commonly subjected to the threats set out in this section. In view of the generic nature of these risks, the Authority recognises that most of them can be mitigated with the adoption of adequate controls.

3.1 Security

Information security is possibly the biggest concern for cloud users. Whilst security frameworks already exist, these are not sufficiently adopted across all the cloud deployment models. Illegal activities affecting cloud computing environments such as (identity and/or data) theft, fraud and malicious systems and data interference are threats to cloud users and service providers and can undermine their trust.

Threats to data security include the ability of hackers to infiltrate cloud computing platforms and use cloud infrastructure to attack other machines which could lead to sensitive data leakage and data loss. If a multi-tenant cloud service database is not designed properly, a single flaw in one client's application could allow an attacker to get at not only that client's data, but all other clients' data as well. Another key risk in a cloud computing environment is data loss: the prospect of having valuable data disappear without a trace.

Loss of governance is also an issue when using cloud infrastructure. The operator necessarily cedes control to the cloud provider on a number of issues which may affect security. At the same time, the SLAs or controls implemented by CSPs may not provide the security levels required by the operator, thus leaving a gap in security defences.

3.2 Confidentiality

There is a fear of moving sensitive data to the cloud. The confidentiality of specific data - personal, gaming and financial - may be at greater risk where remote gaming functions are placed under the control of cloud systems, when compared to a traditional system. Cloud computing may increase the risk of account or data traffic hijacking depending on the CSP's inherent security design and confidentiality processes.

3.3 Integrity

The integrity of transaction logs and gaming functionality may be at a heightened risk when remote gaming functions are under control of cloud systems. Technology vulnerabilities are a threat that needs to be addressed appropriately in any cloud based remote gaming service. Cloud service providers share infrastructure, platforms and applications to deliver their services in a scalable way. If an integral part is compromised, it exposes the entire environment to the potential of compromise and breach.

3.4 Availability

The Authority considers the availability of gaming and financial transaction logs and customer accounts at heightened risk where remote gaming functions are hosted on cloud systems. Data are commonly the most valuable assets and the most probable targets of attacks. However, it is important not to overlook the risk relating to applications and processes.

3.5 Compliance

Investment in achieving certifications (such as ISO and PCI DSS) as well as the licence granted to an operator by the Authority may be put at risk by migrating to the cloud if the CSP:

a) Cannot provide evidence of compliance with the relevant requirements, or
b) Does not permit audits by the operators.

3.6 Jurisdictional / Legal

Cloud computing, by its very nature, operates across national boundaries and across territories with different legal jurisdictions, within and beyond Europe. Legal and Jurisdictional issues associated with cloud computing could pose additional challenges including:

a) Jurisdictional issues which may impair the Authority's ability to exercise its functions and powers as permitted by relevant laws and regulations;
b) Inconsistencies/incompatibilities in laws and regulations across different jurisdictions in respect of Data Protection and Privacy rights of players and obligations on remote gaming operators arising therefrom;
c) Ambiguity in determining who has the burden of preserving data when a client of a cloud computing provider gets sued;
d) Compliance with garnishee orders, search warrants and possible seizures;
e) Disaster recovery implications.

Operators that are planning to adopt or that have adopted cloud computing must have a clear understanding of which rules apply, where and how. Among the EU directives and regulations that may impact Cloud services, the Privacy or Data Protection Directive is one of the most relevant and important. While there is no question that these requirements are designed to improve privacy in general, they may create barriers to the provision of cloud services.

Consultation Questions

Q1. Do you agree with the Authority's overview of risks in relation to cloud computing environments?
Q2. Do you believe that there are other risks that need to be addressed?

4. Relevant standards

In compiling its proposals for the purposes of this consultation, the Authority has identified relevant standards that have been taken into consideration. These include:

a) ISO 27001: 2013: ISO/IEC is the best-known standard in the family providing requirements for an information security management system (ISMS). (International Standards Organisation:
b) PCI DSS: The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security (Payment Card Industry Security Council: https://www.pcisecuritystandards.org/security_standards).

Consultation Questions

Q3. Do you agree with the standards which the Authority has identified as relevant and within the scope of these guidelines?
Q4. What are your views, in terms of costs and feasibility, for compliance obligations arising from the need to obtain and maintain ISO 27001 certifications and PCI DSS Level 1 standards?

5. The Authority's proposal

5.1 The Authority's position

An external publicly available cloud, provided from outside the Authority's approval process, may be used for simple web servers, displaying informative web pages, landing pages and application servers. However, any part of regulated game play, financial or registration process where personal, financial or game transaction information is processed and/or stored may only be handled within a cloud environment if these systems are considered by the Authority to be safe and secure under these guidelines.

5.2 Scope

All personnel, products and processes which may affect the safety, security, fairness or legal status of any remote gaming operations, if these are placed within a cloud infrastructure, shall be included in the Authority's standards and guidelines for operators making use of cloud computing.

5.3 Establishing the context

The regulatory and jurisdictional risk appetite is low compared to commercial entities, so these standards and guidelines should be consistent with regulatory and jurisdictional risk threshold and objectives. Under the cloud computing paradigm, an operator relinquishes direct control over many aspects of security and privacy and in doing so, confers a high level of trust onto the cloud provider. At the same time, the Authority has the responsibility to protect information and information systems commensurate with the risk and magnitude of the harm resulting from unauthorised access, use, disclosure, disruption, modification or destruction.

5.4 Remote Gaming Components

Challenges exist in understanding and determining the suitability of those cloud systems, and understanding the context in which the licensees operate and the consequences from the plausible threats it faces. This section categorises those remote gaming components that demand a secure and reliable platform.

Critical components are:

a) Random Number Generators (RNGs);
b) Players' Data - see Definitions;
c) Financial Data - see Definitions;
d) All instances of databases containing player and financial data intended for disaster recovery purposes.

These components should be hosted on a Private Cloud environment model and shall be subject to the proposed approval process set out in section 6.

Other components can be hosted on any other type of Cloud environment model and shall also be subject to the proposed approval process also set out in section 6.

Consultation Questions

Q5. What are your views on the LGA's position on cloud computing?
Q6. What are your views on the scope and definition of the critical components as proposed?
Q7. What are your views on the Authority's position on the hosting location of the critical components, i.e. be hosted on a Private Cloud environment as opposed to any other of the cloud computing models presented in this paper?
Q8. What are your views on the hosting location of other (non-critical) components?

18 6. Proposed Approval Process 6.1 The Authority s conformance kite mark Making use of a cloud computing environment requires a change in mind set. To realise the benefits of a cloud environment, it is necessary to accept that perimeters become logical rather than physical, dynamic rather than fixed. Whereas within a traditional computing model, rights/monitoring were tied to a physical machine and its location, the policies and privileges assigned to a virtual machine must change. This requires a re-think of new policies, new tools and new or updated operating practices. Certification is a proven technique for establishing trust. CSPs may either obtain a kite mark issued by the Authority or have their systems and controls assessed and/or inspected by the Authority on a case-by-case basis to verify that their setup meets the criteria established in the Authority s guidelines; in the latter case, all expenses will be incurred by the operator. The ISO and PCI DSS Level 1 standards will be used as a guideline standard for cloud service providers. Operators choosing a CSP which has the Authority s kite mark, may have their application for a licence placed on a fast-track. 6.2 Geographic locations Any operator on a cloud infrastructure must include a list of the premises and the geographic location of all sites where infrastructure used in a cloud system affects its remote gaming functionality and data, unless using a CSP that has been pre-approved by the Authority. 6.3 Monitoring and review of the kite mark CSPs shall conduct, at least annually, a detailed security audit of its cloud service performed by an independent third party and will be required to provide a copy of the assessment to the cloud customers and the Authority. 
The assessment can also be presented to new clients as it will be sufficiently detailed to allow the cloud customers to make an informed choice as to whether the provider s security is appropriate and will, in turn, help the operator to comply with these guidelines. The assessment shall include the physical, technical and organisational security measures that are in place. This audit is a pre-requisite to obtain the kite mark. 6.4 Control of operational documents & records Transition to a cloud service entails a transfer of the implementation of securing portions to the cloud provider. To fulfil the obligations of continuous monitoring, the Authority requires the full cooperation of the cloud provider. 6.5 A Risk-based approach The transition to an outsourced, public cloud computing environment is in many ways an exercise in risk management. Risk management entails identifying and assessing risk, and taking steps to reduce it to an acceptable level. 18

19 Assessing and managing risk in cloud computing systems requires continuous monitoring of the security state of the system, and can prove to be challenging, since significant portions of the computing environment are under the control of the cloud provider and likely beyond the organisation s preview. By virtue of the Remote Gaming regulations, the licensing requirements of the Authority, and the license conditions, a remote gaming operator, licensed by the Authority, may be obliged to carry out a system audit as well as a compliance audit. The existing comprehensive process to obtain and maintain a remote gaming licence remains unchanged. However where the use of a cloud computing infrastructure is being proposed, a risk assessment should be undertaken to assess whether cloud platform will meet the licensees needs and the authority s policies. Licensees using pre-approved cloud platforms may be able to fast track parts of the risk assessment of their application. A risk assessment should be a requirement as it is a cornerstone to the requirements of these guidelines. As a minimum the risk assessment submitted by the operator must address the risks listed in section 6.6. During the licencing process as well as during a licensee s operation, the Authority may require further information on how certain risks relating to cloud are being treated. As part of its licence application the operator shall also include the risk assessment methodology applied, the acceptable risk level from its point of view, a clear description of what information is being stored and processed on the cloud and what are the control measures in place to protect such information. 
These areas have been identified as important to assess:

a) Logical isolation techniques employed in the multi-tenant software architecture of the cloud;
b) Facilities for backup and recovery of data, and for sanitisation of data;
c) Capabilities and processes for electronic discovery;
d) Mechanisms used to control access to data, to protect data while at rest, in transit, and in use, and to expunge data when no longer needed;
e) Mechanisms for secure authentication, authorisation, and other identity and access management functions;
f) Facilities for incident response and disaster recovery.

6.6 Risks relating to the adoption of Cloud Computing

The following is a non-exhaustive list of risks that an operator may face when making use of cloud computing. These risks shall be part of a risk assessment that needs to be submitted together with the policies and procedures made available as part of the licensing process. During the licensing process as well as during a licensee's operation, the Authority may require further information on how certain risks relating to cloud are being treated.

The risk assessment shall take into consideration, as a minimum, all the risks mentioned in Table 1, as this shall assist the Authority in gauging how well prepared the operator is in using cloud computing services. If an operator is making use of a CSP that has obtained the Authority's kite mark, then the operator would not need to provide an explanation of how some of these risks have been treated.

Table 1

Risk #  Risk Description
1.  Loss of governance. This risk also takes into consideration the changes to the CSP's terms and conditions and service levels whilst an operator is making use of its services. Such changes may also be a result of the CSP being acquired by a third party.
2.  Inadequate maintenance of the systems and underlying infrastructure managed by the CSP.
3.  Leakage of data during transfer within the cloud, between the operator and the cloud, or between the player and the cloud.
4.  Insecure data storage.
5.  Information not being erased thoroughly or in a timely manner by the CSP's systems following a command issued by the operator.
6.  Unauthorised access to data through the management interface or any other system within the cloud or interfacing with the cloud.
7.  Loss of privacy.
8.  Unreliable service engine / APIs as well as isolation failure.
9.  Loss incurred due to activities carried out by tenant(s) on the cloud.
10. Malicious activities by tenant(s) of the cloud or employees of the CSP.
11. Failure of the CSP (or its providers) to provide an adequate level of service. This includes the risk of heightened dependency on the CSP as well as the complete cessation of a CSP's services.
12. Increased dependency on internet connectivity for the operator to manage its operation.
13. Inability of the Authority to confiscate hardware and carry out an investigation.
14. Loss of intellectual property.
15. Lack of IT resource capacity.
16. Denial of Service heightened due to use of the CSP's services.
17. Inability to achieve compliance with the Authority's requirements and other standards that an operator adheres to.
18. Non-compliance with legal requirements that both the CSP and operator have to follow.
19. Risk of the CSP moving to another jurisdiction that is deemed less safe than the one previously used.
6.7 Final Considerations

Cloud computing is not a one-size-fits-all product and in many cases it needs to be tailored to fit the specific needs of an operator or market sector. The compliance issues that arise will depend on the type of cloud service in question. Any remote gaming operator considering a move to the cloud must have a clear understanding of its needs and compliance obligations in order to ensure that the services of cloud providers are engaged in a manner which adequately mitigates the identified risks.


More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments H Y T RUST: S OLUTION B RIEF Solve the Nosy Neighbor Problem in Multi-Tenant Environments Summary A private cloud with multiple tenants such as business units of an enterprise or customers of a cloud service

More information

Strategies for assessing cloud security

Strategies for assessing cloud security IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary

More information

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT

More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Vormetric Data Security Securing and Controlling Data in the Cloud

Vormetric Data Security Securing and Controlling Data in the Cloud Vormetric Data Security Securing and Controlling Data in the Cloud Vormetric, Inc. Tel: 888.267.3732 Email: sales@vormetric.com www.vormetric.com Table of Contents Executive Summary.........................................................3

More information

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 CONTENTS Page 1. Introduction 3-4 2. The Commission s Policy 5 3. Outsourcing

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES... Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation

More information

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers)

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) June 2011 DISCLAIMER: This document is intended as a general guide only. To the extent permitted by law,

More information

Cloud Computing for SCADA

Cloud Computing for SCADA Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry

More information

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0 ADRI Advice on managing the recordkeeping risks associated with cloud computing ADRI-2010-1-v1.0 Version 1.0 29 July 2010 Advice on managing the recordkeeping risks associated with cloud computing 2 Copyright

More information