{Moving to the cloud}
- Antony Fletcher
- 8 years ago
Transcription
{Moving to the cloud} doesn't mean outsourcing your security controls.
plantemoran.com
Cloud computing is a strategic move. Its impact will have a ripple effect throughout an organization.
You don't have to look far to find an article extolling the benefits of cloud computing. After all, by sharing information technology (IT) resources in the cloud, businesses and government agencies of all sizes can leverage their people more effectively. Moreover, cloud service providers (CSPs) can offer shared IT services economically through maximizing IT systems (hardware and software) and systems administration personnel. In addition to lowering one's capital investment, cloud computing provides mobility and can often provide platform-agnostic services. The mobility has the potential to increase the productivity of individuals by providing anytime, anywhere, and from-any-platform access to services and applications. Another potential major benefit of cloud computing is that organizations can leverage what others (CSPs in this case) have built and get back to focusing on their core competencies.

An appropriate cloud strategy has the potential to drive innovation not only by changing how IT services are delivered and administered but also the way a business operates. Thus, cloud computing is a strategic move, not an IT-only decision. The impact of such a strategy will have a ripple effect throughout an organization, so the decision to invest in cloud technology should not be taken lightly.

So far we've discussed the positives of adopting a cloud strategy, but as Spiderman's Uncle Ben once said, "With great power comes great responsibility"; after all, cloud computing means entrusting one of your most valuable assets, data, to a third-party provider. That provider has the responsibility of providing assurances that your data is safe at all times. Although Service Organization Control (SOC) standards provide some level of assurances, currently there are no concrete laws or standards that can assure whether a particular CSP is safe or not.

As an organization evaluating a cloud strategy, the onus is on you to conduct the due diligence to secure assurances from the CSP that your data is safe in their hands. (We should note that cloud computing isn't necessarily good in all instances and for all data. As an organization, you must weigh the cost benefit for the strategy and proceed accordingly.)

According to meritalk.com, the government sector alone could realize savings of up to $14 billion annually by using cloud-based services. So why aren't more organizations jumping at it? You guessed it: data security. It's paramount, then, that we find ways to ensure the security and privacy of data in the cloud so that we all can safely reap the full benefits of this continually evolving technology.
There are significant efforts by both the private and public sector, such as CSA (Cloud Security Alliance), GSA (Government Security Agency), and NIST (National Institute for Standards Technology), to provide tools to assess and select cloud computing services that satisfy security requirements. Standards are a critical component of our ability to realize the true potential of cloud computing, and NIST is working closely with the industry on the development of standards to support cloud computing infrastructure, metrics, interoperability, and assurance. Cloud computing won't realize its true potential until more CSPs and buyers fully understand security requirements in the cloud.

So, in its current state, if a cloud strategy is adopted, does that mean that you're at the mercy of CSP security offerings/controls, or that you no longer have control of your data? No, not with the right amount of due diligence. By asking the right questions of the CSP, you should be able to realize the potential of the cloud yet sleep well at night knowing that your data is safe and you're in control of it. By establishing basic security requirements early and asking key questions, companies can position projects for success and avoid common security-related issues.

Various levels of cloud services can be procured, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Regardless of the service, there are some baseline questions to ask of the CSP. The more you rely on the CSP to provide turnkey services such as the SaaS model, the deeper the understanding you need to have of how your data is secured and controlled. So, if I were looking to migrate some or all of my mission-critical and sensitive data to a CSP offering, here are the key security-related questions that I would ask. The questions below are targeted to a CSP providing SaaS, but a majority of them would apply to an IaaS or a PaaS offering as well.

Who's managing my data?

Ask about the qualifications and backgrounds of the cloud company's staff. These administrators have privileged access to your data; you should know who they are. Also ask about how new hires are screened and about ongoing checks (such as random testing and background checks). Ask about other business partners that may have direct or indirect access to your data. For example, if they're outsourcing their systems backup to someone else, what controls are in place to secure your data?
Where's the data actually located, and will the data be replicated at other data centers?

Many enterprises must comply with regulations that are based on the data's geographic location. Based on your regulatory requirements, are there requirements regarding where in the world your data may be stored? Compliance requirements may restrict how data is exported to other countries and dictate what security measures need to be in place and what auditing standards you need to comply with. You should also be familiar with local privacy laws and regulations where the data is going to be stored. Local laws may provide for a government or litigant's right to inspect data being stored by the CSP. Can you take that chance?

Strong policies and practices that address legal and regulatory requirements such as data security, data exporting, compliance and auditing standards, data retention, legal discovery, and data destruction should be in place at the CSP. These policies and practices should be reviewed by your organization's legal and regulatory experts to ensure that they adequately meet your needs. Between you and the CSP, it should be mapped out how data storage is handled and whether their policies put you in compliance with your regulatory requirements. For companies operating in the United States, Canada, or Europe, there are a number of regulatory requirements and standards in effect, including ISO 27002, Safe Harbor, ITIL, and COBIT. Understanding your data location requirements will ensure you make the best choice for your cloud CSP.

What access controls are in place?

Just because physical control is being transferred doesn't mean you're giving up your right to know what controls are in place to limit risk. CSPs need to disclose the exact data access control processes that dictate their administrators' actions, and you should have a full understanding of who can access what data and under what conditions. Ask how the access controls are tested and how frequently.

How will my data be physically secured and separated from other customers?

Typically, in a cloud environment, there are some areas where resources can be shared by multiple clients of the CSP. A good CSP needs to clearly explain how your vital business data is segregated and secured from other clients. Some CSPs place all of their clients' programs and data in one big application instance and use custom-built code to prevent customers from seeing each other's data; this is unacceptable, as custom code creates too much of a risk. It's critical that CSPs use standard proven practices, namely data encryption. When CSPs use encryption, however, they must also provide evidence that their encryption and other security methods have been tested, fine-tuned, and proven to be effective. Be sure to question the level and type of encryption algorithms. In addition, in scenarios where common hardware resources are used by the CSP, the use of Virtual LAN (VLAN), VPN (Virtual Private Networks), and Virtual Machines (VM) is preferred.

How's my data encrypted?

More important than physical security is data encryption. There are two types of data: data at rest and data in transit. You need to be aware of how both types are secured. The questions to ask are:

a. How does the CSP secure data at rest? The CSP should always encrypt data on storage devices (e.g., hard drives and back-ups) to avoid data breaches.

b. How secure is the data while it's in transit within the cloud (system-to-system) and between the users and the CSP? Data in transit should always be encrypted, authenticated, and its integrity protected. This ensures that nobody can read or modify the data as it passes through the potential dangers of both public and private networks. There are very well established standards (TLS, IPsec, AES) for doing this that should be in practice by the CSP.
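As an added example (not part of the original white paper), the three properties named above for data in transit can be checked from the customer's side of a TLS connection to a CSP endpoint. It uses Python's standard `ssl` module; the function names, the policy thresholds and the sample sessions are assumptions constructed for illustration.

```python
import re
import socket
import ssl

# Policy values below are assumptions chosen for this example.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
AEAD_TOKENS = {"GCM", "CCM", "CCM8", "POLY1305"}        # combined encrypt+authenticate modes
ANONYMOUS_TOKENS = {"ADH", "AECDH", "ANON"}              # key exchange without a server identity
BROKEN_CIPHER_TOKENS = {"NULL", "RC4", "DES", "EXP", "EXPORT"}
MIN_SECRET_BITS = 128


def strict_client_context():
    """Client-side context: certificate chain and hostname are verified,
    and anything older than TLS 1.2 is refused during the handshake."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def assess_session(cipher_info):
    """Map a negotiated session to the properties it fails.

    cipher_info is the (name, protocol, secret_bits) tuple that
    ssl.SSLSocket.cipher() returns. The result is a list of
    (property, detail) pairs; an empty list means the session passes.
    """
    name, protocol, secret_bits = cipher_info
    tokens = set(re.split(r"[-_]", name.upper()))
    findings = []
    if protocol not in ACCEPTED_PROTOCOLS:
        findings.append(("protocol", f"{protocol} is not TLS 1.2 or TLS 1.3"))
    if tokens & BROKEN_CIPHER_TOKENS or secret_bits < MIN_SECRET_BITS:
        findings.append(("encryption", f"{name} offers {secret_bits} secret bits"))
    if tokens & ANONYMOUS_TOKENS:
        findings.append(("authentication", f"{name} uses anonymous key exchange"))
    if not tokens & AEAD_TOKENS:
        # CBC suites do carry an HMAC, but the policy here asks for an AEAD mode.
        findings.append(("integrity", f"{name} is a legacy non-AEAD suite"))
    return findings


def failed_properties(cipher_info):
    """Only the property names, in the order they were checked."""
    return [prop for prop, _ in assess_session(cipher_info)]


def probe(host, port=443, timeout=5.0):
    """Connect to an endpoint you are evaluating and assess what was negotiated.
    A failed handshake (ssl.SSLError) means the endpoint did not meet
    strict_client_context() at all."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_client_context().wrap_socket(raw, server_hostname=host) as tls:
            return assess_session(tls.cipher())


# Constructed sample sessions, shaped like SSLSocket.cipher() output.
SAMPLE_SESSIONS = [
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
    ("ECDHE-RSA-CHACHA20-POLY1305", "TLSv1.2", 256),
    ("AES256-SHA", "TLSv1", 256),
    ("ADH-AES128-SHA", "TLSv1.2", 128),
    ("NULL-SHA256", "TLSv1.2", 0),
]

if __name__ == "__main__":
    for session in SAMPLE_SESSIONS:
        print(session[0], session[1], failed_properties(session) or "pass")
```
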
What authentication mechanisms are supported by the CSP?

The most common form of providing access to data is via the use of passwords. If sensitive data is at stake, a 1-pass authentication such as a password only will not be adequate. A 2-pass authentication such as the use of passwords along with tokens and certificates is recommended. For larger organizations, the CSP should be able to use standards such as LDAP (Lightweight Directory Access Protocol) and SAML (Security Assertion Markup Language) to integrate with your directory services or identity management systems prior to authenticating users and determining their permissions. Using these tools ensures that the CSP always has up-to-date information on authorized users to prevent unauthorized access.

What happens if there's a data breach?

You should always be prepared for a data breach. The CSP should have appropriate proactive processes and technologies in place to detect if an application or data is under attack; this means an Incident Response Plan (IRP) should be in place. What are the CSP's response times if there's a security breach, and what's its notification process? Request a history of security breaches and how they were handled by the CSP. How transparent was the organization with its responses? Even if you're satisfied with the CSP's IRP, as an organization, you should plan for how you'd respond to your clients in the event of a security breach at the CSP.

There may be a misconception that as you transfer computing resources and responsibilities, you're also transferring financial liabilities for data loss, corruption, or business interruption. This is rarely the case unless you've explicitly addressed these items during your contract negotiations, making the CSP responsible for such losses. One thing to check on is the CSP's Technology Errors & Omissions policy and/or Cyber Liability coverage, typically a part of its primary insurance policy. The Technology Errors and Omissions insurance provides coverage for costs associated with the malfunction of a policyholder's (CSP) product or service, including the cost of fixing the error, replacing the product, and the lost business clients may experience because of the product's/service's failure.

Can the CSP pass muster with the auditors?

Every business has certain conditions it must meet for regulatory compliance. Depending upon the type of data that you will store at the CSP, it may be a requirement to locate a provider that has undergone a security assessment by a third party. For example, FedRAMP (Federal Risk and Authorization Management Program), although still in its infancy, will require any organization that wishes to store federal government-related data to undergo an accreditation process to ensure proper security controls are in place to protect that data. Customers need to find out whether the cloud CSP conducts regular security audits and what its processes are for accommodating the needs of the customer's auditors as well. Ask whether you'll be able to conduct your own security audit (penetration testing). Can you audit the CSP's data security control? In the event of a security breach, will you be able to conduct a forensic investigation to determine what caused the incident?

Is your cloud computing service SAS 70/SSAE 16 compliant?

Even though the SOC/SSAE16 does not offer assurances from all aspects, it's certainly a step in the right direction. Cloud users should be wary of cloud CSPs that claim a SOC/SSAE16 report as proof that their offerings are secure. The SOC/SSAE16 only demonstrates that the CSP has a methodical and repeatable process to its operations and appropriate safeguards to protect its IT assets. A comprehensive due diligence effort or the use of a third-party service are currently the primary means of validating the security offerings of the CSP.
What is the CSP's stability factor?

What happens to your data if your cloud service CSP goes out of business or is bought out by another company? What guarantees can your cloud CSP give regarding its long-term viability? What mechanisms are in place to guarantee the return of your data in the event of a bankruptcy or other business shutdown or turnover? At the termination of the contract, what guarantees does the CSP provide for the timely transition, removal, and destruction of your data? These must explicitly be addressed in your contract.

Does the CSP offer backup and recovery services?

If the provider offers back-up services, what type of services are offered: just data recovery, or is the CSP able to offer up more, such as spinning up virtual machines and providing access to both applications and data? Do you have a say in where the data is backed up to? (See data encryption and regulatory/compliance requirements.)

What are the contract terms?

Contract terms generally favor the CSP. Unlike typical contracts where there's a partnership-style relationship between companies, cloud services are different due to the high degree of contract standardization and services being delivered. An unlikely but possible scenario: what happens to your data and services if the CSP's assets are frozen by law enforcement or regulatory authorities due to the CSP's or a CSP client's activities? This situation has happened and put some organizations out of business when the FBI seized the servers of the CSP for fraud investigation, rendering its clients' data inaccessible.
Beyond the standard terms and conditions typically found in most contracts, a cloud service contract should address at a minimum the following: service levels, data security breach notification, legal process notification, use of customer data, confidentiality and security requirements, intellectual property rights, compliance with European data protection laws, limitation of liability and damages, indemnity, representations and warranties, terms for renewal of the contract or termination, termination assistance, and secure destruction of customer data at termination.

For this venture to be successful there should be trust between you and the CSP. The CSP should honestly answer all questions and supply all information that you request. There should be total transparency on questions related to security, availability, data integrity, and data privacy. If the CSP refuses to answer, is vague in its response, or cannot provide responses in writing, it's best to move on.

By identifying what's important to you, you can build your own scorecard for rating the various CSPs. Remember, these questions are only a piece of the puzzle to help identify a viable solution. Other factors such as cost, business requirements, scalability, and availability should also be taken into consideration prior to making that commitment. As an alternative, third-party services are available that provide a rating scale or assessment rating on a CSP's security, governance, risk management, and compliance.

Cloud services have come a long way since their inception. There are many techniques and technologies used today to secure the cloud, and more are coming. Keep an eye out for cutting-edge technologies such as self-protecting data, trusted monitors, and searchable encryption to enhance cloud security. In the meantime, ask questions. This is one endeavor you don't implement first and question later.
The Cloud Security Alliance (CSA), a not-for-profit organization that exists to promote security best practices within cloud computing, has published its security guide that provides additional details and questions to examine prior to adopting a cloud strategy. This security guide is available at

[Figure: Cloud services. Three major building blocks: infrastructure, OS/back-office apps, applications. IT resources: system software, database, operating system, servers, network, storage. Service models: SaaS, PaaS, IaaS. Cloud Security Alliance.]
The Authors: Judy Wright, Sri Chalasani, Joe Oleksak
More informationCloud Security Alliance and Standards. Jim Reavis Executive Director March 2012
Cloud Security Alliance and Standards Jim Reavis Executive Director March 2012 About the CSA Global, not for profit, 501(c)6 organization Over 32,000 individual members, 120 corporate members, 60 chapters
More informationData Protection: From PKI to Virtualization & Cloud
Data Protection: From PKI to Virtualization & Cloud Raymond Yeung CISSP, CISA Senior Regional Director, HK/TW, ASEAN & A/NZ SafeNet Inc. Agenda What is PKI? And Value? Traditional PKI Usage Cloud Security
More informationRecommendations for companies planning to use Cloud computing services
Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation
More informationCloud Computing Risk Assessment
Cloud Computing Risk Assessment A Case Study Sailesh Gadia, CISA, ACA, CPA, CIPP, is a director/senior manager at KPMG s advisory practice in Minneapolis, Minnesota, USA. He has an extensive background
More informationProtecting Data and Privacy in the Cloud
Protecting Data and Privacy in the Cloud Contents 1 3 6 9 12 13 Protecting Data and Privacy in the Cloud an Introduction Building Services to Protect Data Protecting Data in Service Operations Empowering
More informationGain Efficiency, Cost Savings and Compliance with Iron Mountain s Portfolio of Services
ONE SOLUTION Maximize the Business Value of Your Information Gain Efficiency, Cost Savings and Compliance with Iron Mountain s Portfolio of Services In today s world, information whether in paper or digital
More informationEnterprise Architecture Review Checklist
Enterprise Architecture Review Checklist Software as a Service (SaaS) Solutions Overview This document serves as Informatica s Enterprise Architecture (EA) Review checklist for Cloud vendors that wish
More informationCLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationCloud Computing Best Practices. Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service
Cloud Computing Best Practices Cloud Computing Best Practices Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service Overview Cloud Computing
More informationKroll Ontrack VMware Forum. Survey and Report
Kroll Ontrack VMware Forum Survey and Report Contents I. Defining Cloud and Adoption 4 II. Risks 6 III. Challenging Recoveries with Loss 7 IV. Questions to Ask Prior to Engaging in Cloud storage Solutions
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationCloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile
Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile Jerry Wertelecky, CPA, Fellow HKIoD & Managing Director INTRODUCTION Jerry Wertelecky Country of Birth: United States Current
More informationCLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013
CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street
More informationWhat Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.
What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model
More informationAnypoint Platform Cloud Security and Compliance. Whitepaper
Anypoint Platform Cloud Security and Compliance Whitepaper 1 Overview Security is a top concern when evaluating cloud services, whether it be physical, network, infrastructure, platform or data security.
More informationThe Elephant in the Room: What s the Buzz Around Cloud Computing?
The Elephant in the Room: What s the Buzz Around Cloud Computing? Warren W. Stippich, Jr. Partner and National Governance, Risk and Compliance Solution Leader Business Advisory Services Grant Thornton
More informationAssessing Risks in the Cloud
Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research
More informationA COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE
A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE Contents How to Buy Cloud-to-Cloud Backup...................... 4 Wait What is Cloud-to-Cloud Backup?.....................
More informationCloud Computing; What is it, How long has it been here, and Where is it going?
Cloud Computing; What is it, How long has it been here, and Where is it going? David Losacco, CPA, CIA, CISA Principal January 10, 2013 Agenda The Cloud WHAT IS THE CLOUD? How long has it been here? Where
More informationCloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security
Russ Dietz Vice President & Chief Technology Officer Cloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security By Russ Dietz Vice President & Chief
More informationCLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM
CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material
More informationUnderstanding Enterprise Cloud Governance
Understanding Enterprise Cloud Governance Maintaining control while delivering the agility of cloud computing Most large enterprises have a hybrid or multi-cloud environment comprised of a combination
More informationSecurity Considerations for the Cloud
June 6, 2012 Security Considerations for the Cloud Presented by: Mac McMillan CEO CynergisTek, Inc. Chair, HIMSS Privacy & Security Policy Task Force 1 2012 NIST/OCR Conference Agenda Threat Implications
More informationDropbox for Business. Secure file sharing, collaboration and cloud storage. G-Cloud Service Description
Dropbox for Business Secure file sharing, collaboration and cloud storage G-Cloud Service Description Table of contents Introduction to Dropbox for Business 3 Security 7 Infrastructure 7 Getting Started
More informationINFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013
INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.
More informationData Protection Act 1998. Guidance on the use of cloud computing
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
More informationSECURITY MODELS FOR CLOUD 2012. Kurtis E. Minder, CISSP
SECURITY MODELS FOR CLOUD 2012 Kurtis E. Minder, CISSP INTRODUCTION Kurtis E. Minder, Technical Sales Professional Companies: Roles: Security Design Engineer Systems Engineer Sales Engineer Salesperson
More informationCloud Computing Contracts. October 11, 2012
Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best
More informationGET CLOUD EMPOWERED. SEE HOW THE CLOUD CAN TRANSFORM YOUR BUSINESS.
GET CLOUD EMPOWERED. SEE HOW THE CLOUD CAN TRANSFORM YOUR BUSINESS. Cloud computing is as much a paradigm shift in data center and IT management as it is a culmination of IT s capacity to drive business
More informationSTORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM
STORAGE SECURITY TUTORIAL With a focus on Cloud Storage Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members
More informationThe Essential Security Checklist. for Enterprise Endpoint Backup
The Essential Security Checklist for Enterprise Endpoint Backup IT administrators face considerable challenges protecting and securing valuable corporate data for today s mobile workforce, with users accessing
More informationCloud Computing Security Issues and Controls
Cloud Computing Security Issues and Controls ACC 626 Information System Assurance & Computer-Assisted Auditing Peter Shih-Hsien Chen June 30th, 2013 Table of Contents Introduction... 1 History of Cloud
More informationEGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY
Bridging The Gap Between Healthcare & Hipaa Compliant Cloud Technology and outsource computing resources to external entities, would provide substantial relief to healthcare service providers. Data stored
More informationCloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015
Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015 2015 CloudeAssurance Page 1 Table of Contents Copyright and Disclaimer... 3 Appendix A: Introduction... 4 Appendix
More informationCloud Data Security. Sol Cates CSO @solcates scates@vormetric.com
Cloud Data Security Sol Cates CSO @solcates scates@vormetric.com Agenda The Cloud Securing your data, in someone else s house Explore IT s Dirty Little Secret Why is Data so Vulnerable? A bit about Vormetric
More informationVMware vcloud Air Security TECHNICAL WHITE PAPER
TECHNICAL WHITE PAPER The Shared Security Model for vcloud Air The end-to-end security of VMware vcloud Air (the Service ) is shared between VMware and the customer. VMware provides security for the aspects
More informationCONTROLLING CLOUDS: BEYOND SAFETY
CONTROLLING CLOUDS: BEYOND SAFETY GORDON HAFF (@ghaff) CLOUD EVANGELIST 22 OCTOBER 2013 ABOUT ME Red Hat Cloud Evangelist Twitter: @ghaff Google+: Gordon Haff Email: ghaff@redhat.com Blog: http://bitmason.blogspot.com
More informationAUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM
GENERAL: The Technology department is responsible for the managing of electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups
More informationSecuring the Service Desk in the Cloud
TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,
More informationRequirements for Technology Outsourcing
Requirements for Technology Outsourcing Table of Contents Revision History... 3 Overview... 4 Service Provider Selection... 5 Service Delivery Models... 5 Legal Considerations... 5 Security Assessments...
More information