CC Security : European contribute?

Transcription

1 CC Security : European contribute? Security : critical Cloud World CERT - "Computer Emergency Response Team"

2 What cloud is not! A new paradigm not a new technology Not a product nor a system... rather a MODEL Live the paradox implying ICT players, infrastructural incumbent as well advise intermediation and final user New Mindset New Vision

3 A new paradigm not a new technology Who is ruling on Cloud among consulting firms?

4 Why Cloud is Cloud?

5 A new paradigm not a new technology CC : Understanding conceptual implication Consequence on multitudes One person event Multiple Identity REST event Volatility and virtuality Non locality IDS > IPS Never forgotten Obli vion

6 Security : critical Cloud World European position on CC Security after 10 years?

7 Security : critical Cloud World European position on CC Security : conclusive opinion Since we are in a time of belt- tightening, this new economic model for computing has found fertile ground and is seeing massive global investment Cloud s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and costeffective

8 CC Security : European contribute? Security : critical Cloud World CERT - "Computer Emergency Response Team"

9 European Community Actions Security : critical Cloud World

10 Critical uncertainty of the change! Risky Challenge Era WWW WHO : No improvvisation Networks Knowledegment rather than constraint skills WHAT : Evaluation and analisys Information Ecosystem rather than Data Center WHERE : Evolution of data culture Dissemination and Diffusion rather than P2P communication

11 Risky Challenge Era Major implication of multi-disciplinary CC Evaluation Cloud Cube Model 1. Impiego di un Cloud Computing Architectural Framework; 2. Governance & Enterprise Risk Management; 3. Rispetto delle esigenze di tipo legale; 4. Capacità di Electronic Discovery; 5. Compliance ed Audit; 6. Information Lifecycle Management; 7. Portability ed Interoperability; 8. Funzioni di Business Continuity e Disaster Recovery; 9. Controllo delle Data Center Operation; 10. Incident Response, Notification e Remediation; 11. Getione dell Application Security; 12. Crittografia e gestione delle chiavi; 13. Identity & Access Management; 14. Storage; 15. Virtualizzazione.

12 Risky Challenge Era Major implication of multi-professionalities CC Evaluation 1. Sw Programmers (APIs( APIs); 2. Data Center engineers (facilities( and premises); 3. Assessment auditor (GRC( GRC); 4. Network specialist (modelling( solution); 5. C-Providers C (deployement( deployement); 6. Regulatory expert and lawyers (geo( geo-jurisdition); 7. Data Security expert (accountability( / Digital Identity mngmt); 8. Return Of Investment (econometrics( ); 9. Board of Property CEO, CIO (decision( strategy); 10. Incident Response Staff (Policy( SLA); 11. Disaster recovery engineers (Planning( Planning); 12. Data Security and Protection advisors (Privacy( & Ownerships); 13. End users operators (training( and teachings); 14. Data banking and Data Storage IT Managers (KB( revenue); 15. Virtualization (DRM,( Ownership and data property).

13 No more Products but Services Risky Challenge Era What is going to represent the CC? Bridget Treacy, Partner and Lead UK Data Protection and Cyber Security, Hunton & Williams Personal data lies at the heart of our global economy. Some commentators characterise data as the new oil, or the new currency. Successful organisations understand their data assets and the laws that impact how they can use data to deliver new services, and greater value. They also understand the risks of failing to manage their data, which may include regulatory enforcement, fines, or reputational harm. Data protection is now a mainstream risk issue, for all organisations.

14 CC Cautions of detractors Trouble in paradise with the Dark Cloud Is it because cloud computing is lighter than air, or is it really ly a tectonic plate shift? While four of us (including myself) put cloud c on top of the list, two others poured cold water on the trend. Security : critical Cloud World Is cloud computing hype, or something riskier? most larger enterprises are not ready for the cloud. cloud will be more likely seen among smaller enterprises. The problem isn t with the cloud, it s with YOU The cloud is just as wonderful today as it was yesterday, or a few f weeks ago. The problem is, cloud technology has advanced to the point where it s too comfortable and easy to use. People have forgotten the dangers inherent in storing all your prized possessions p on someone else s servers

15 Technological singularity Security : critical Cloud World The Singularity: From XML Web services to Intelligent Agents Collapsing complexity: Building ultra-lean lean businesses XML Web services and application integration Systems complexity everyone s problem is also yours Plug and Play Business Integration On Demand: One-Click Everywhere Digital Identity and utility computing Intelligent Agents and Autonomic Commerce Change Impact and Opportunities E-Democracy and e-government e future network-based agents, rather than a buy, build and install model

16 Garante italiano della Privacy (2011): I potenziali vantaggi del cloud computing certamente possono promuovere la sistematizzazione delle infrastrutture, la riorganizzazione dei flussi informativi, la razionalizzazione dei costi e quindi in generale favorire, nel caso sia del mondo imprenditoriale, sia della pubblica amministrazione. servizi più moderni, efficienti e funzionali in linea con le esigenze di crescita di un moderno Sistema Paese. Security : critical Cloud World Europe 2020 : why CC is a big deal?

17 Excursus accademico e competenze Ricercatore e docente universitario Biotecnologia e QA biomedicale Total Quality Management - Auditor Data Protection Officer Privacy & Safety Writer Company ICT Security advisory Expertise & skills Scientific Ghost-writer Lead Auditor ICT Governance ITIL, COBIT Lead Analyst IT Security, Risk Mngmt, OHSAS Integrator & Advisor on 231, Dlg191/07, Dlg81/08 Data protection officer, CDA Privacy, Security & Safety Advisor CC STAR CSA Internal Auditor Certificazioni Accreditamenti e affiliazioni EMAS EMAS2 ISO 14001:2005 ISO 20000:2010 ISO 27001:2009 AM CISA - ISACA TÜV DPO (ISO 17024:2005) Ref. FEDERPRIVACY BSI - CSA Italian Chapter AIPSI, AIP, ISSA

18 Security : critical Cloud World

19 Security : critical Cloud World