I&IT Strategy & Cyber Security

Transcription

1 I&IT Strategy & Cyber Security Cloud Computing: Finding the Silver Lining AMCTO Information, Access, & Privacy Forum, Oct. 29 th 2015 UNCLASSIFIED

2 Topic Why do I care about security in the Cloud? How do I procure Cloud services with security in mind? Challenges, roles, and responsibilities Principles to leverage How secure (or vulnerable) are Cloud services? 2

3 Presenter Tim Dafoe, CISSP-ISSAP Senior Security Policy Advisor, I&IT Strategy & Cyber Security Division, Treasury Board Secretariat Chair of TBS/SCS Cloud Directors WG Participant, GC Cloud RFI Vendor Consultation Member, PSCIOC Cloud WG, PSCIOC FPT ICT Policy WG, National CIO Council Subcommittee for Information Protection Member, CAC-ITS SMC SC 27, CAC/ISO SMC TC 292 PbD Ambassador, Ontario IPC 3

4 Cloud Security Why do I care about security in the Cloud? Mostly the same reasons you (hopefully) cared before: Customer (or citizen) expectations, needs Service levels, keeping lights on, avoiding loss and (rising) cost of breaches/recovery, general interest re: organizational self-preservation Privacy (!), regulations, records, penalties, etc. New reasons: You ll have to care to achieve it Roles will be changing Preserving the Cloud value proposition 4

5 Risk and Cloud What risk are you managing now? and how? What processes are you using? Shadow IT/Cloud risk Cloud adoption is not a rationale to add needless levels of complexity to existing risk management Cautionary example: BYOE (Bring Your Own Encryption) Forensics and investigations Visibility, audit, incident response, contingency 5

6 Procurement, Contracts, SLAs How do I procure Cloud services with security in mind? What are your internal metrics today? Do you have an information classification model and do you use it? Provider contracts, T&Cs, SLAs are largely going to be static, take-it-or-leave-it propositions (this is a big deal for SaaS in particular). Understanding your metrics, requirements, etc. will allow you to determine if these propositions are acceptable. Manage risk, and face Cloud challenges head-on. 6

7 Challenges Vendor lock-in, portability, contingency Change control, notification, impact Deletion of data Key management Forensics, investigations, e-discovery Dashboards, visibility Insider threat (this means your employees, too) Persistent concerns re: jurisdiction / data sovereignty Supply chain, FOCI Billing, security/controls vs. value proposition Are your IT, EA, security, privacy, legal ready for this? 7

8 Reporting, Audit, Certification Understand this changing landscape in the context of your own metrics and requirements NIST / FedRAMP Cloud Security Alliance CCM, STAR, etc. SSAE16 SOC 1/2/3, Type I vs. Type II ISO/IEC (recently adopted by MS Azure, Google) Upcoming: ISO/IEC Security testing and evaluation vs. contracts, T&Cs What about your right to visibility, audit, reporting? 8

9 How secure/vulnerable is Cloud? it depends (sorry). What kind of information/transactions do you process? What threats are you defending against? What are your internal requirements and metrics? What are your customer/end-user expectations? How will you securely manage your Cloud services? Is FOCI a consideration for your sector? 9

10 How secure/vulnerable is Cloud?... but, also consider the following: Your perimeter isn t what it was anyway. You have insider threats, too what are you doing? Concerns such as VM sprawl aren t unique to Cloud. Traditional assurance and evaluation models now used for virtualized/abstracted platforms (CC, UK CPA, etc.). How secure is your DC? Do you already outsource? How good is your key management, right now? 10

11 Principles to consider Some collected (and credited) wisdom: Manage the risk you manage now George Takach Use the Cloud to secure the Cloud Ross Hartman, Bill Shin Own the root of trust, or your adversary will / get T&Cs right, or you ll end up in court Anil Karmel Your lock, your key Everyone in cryptography, ever? The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement UK Government 11

12 Conclusion Understand: your information, needs, internal metrics, threats what you re buying your regulatory context (privacy, records, etc.) industry reporting and certification models, levels roles, responsibilities, and provider metrics your contracts, terms of service, SLAs Ensure terms, SLAs align with your requirements Leverage good principles for Cloud adoption, security Face known challenges and manage risk 12