Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile

Transcription

1 Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile Jerry Wertelecky, CPA, Fellow HKIoD & Managing Director

2 INTRODUCTION Jerry Wertelecky Country of Birth: United States Current Job : Managing Director Cloud Transformation & Security Solutions(CTSS) Residence: Permanent Resident of Hong Kong [email protected] Past Experience: Former Partner 29 Years with Ernst & Young Former United States Marine Favorite Sports: Boxing, American football, Basketball, Rugby

3 What is the difference between Outsourcing, Managed Services and Cloud Computing? Traditional Outsourcing is the use of a dedicated service provider(s) with direct secure access to compute, storage and network resources with little operational transparency. It is a very expensive IT model and service management is almost totally controlled by the service provider. (Traditional Data Center Model) Managed Services is basically can provide the same scope of services with much more transparency, flexibility, availability and most importantly security as the infrastructure was designed for rapid customer development and deployment using a lower cost model. Also specifically designed for mobile and cloud services. Cloud Computing is a managed service delivery model (CSP) providing full transparency, scalability, variable pricing using the internet as its main delivery backbone. (VLAN, private/hybrid and IP connections, public). Managed Services and CSPS are starting to blend!!

4 PWC 2014 Info Security Breach Survey

5 EY GISS Survey October 2014

6 In March 2015, the Internet Society Hong Kong (ISOC HK) and Cloud Security Alliance Hong Kong and Macau Chapter (CSA HK) performed a survey by telephone based on a structured Chinese questionnaire of 168 local SMEs coming from various industries including retail, manufacturing, Information and communications, imports/exports, financial services, etc. The questions try to address the following areas of concerns in terms of Cloud security: Policy design Physical security management Data privacy management System management Incident management Cloud technology adoption and application Understanding of CSPs privacy protection policy Overall Results More than 80% of the responding SMEs have adopted some kind of Cloud services, which represented a big jump from the 51% last year. security is still among their top consideration.

7 Policy design 63% of companies surveyed have security policies in place (14% increase from last year) 52% of companies surveyed have proper documentation on access rights management to data (decreased by 15%) 40% of companies surveyed perform security audit and certifications by external parties (increased by 38%).

8 Physical security 59% of the companies surveyed manage their IT systems with proper access rights and password control, as well as maintain appropriate audit trail 49% of the companies surveyed have people or teams in charge of hardware /software maintenance, as well as support and security

9 Data privacy management 56% of companies surveyed have good understanding of or have implemented data encryption; a slight increase from last year s survey (increased by 12%) 45% of companies surveyed have a data disposal policy established, which compares favorably with last year s result (increased by 13%).

10 System management 28% of the companies surveyed implemented a security patches policy, and it is not as good as last year (decreased by 33%). 71% of the companies surveyed installed firewall devices to further improve the security and it is slightly better than last year (increased by 6%).

11 Incident management 51% of the companies surveyed have established an Incident Response Plan and it s less than last year s result (decreased by 22%) 47% of the companies surveyed also have a Disaster Recovery Plan in place and this is less than last year s result as well (decreased by 25%).

12 Cloud technology adoption and application Nearly 83% of companies surveyed are using or planning to use Cloud services, indicating a big increase from last year s 55% The top two Cloud services used are and data storage Top two reasons for using Cloud services: Reliability and Security.

13 Understand SMEs readiness on privacy For those companies who use Cloud services: 69% follow the guidance from Office of the Privacy Commissioner for Personal Data (PCPD) to protect personal data 49% use CSPs who do not have transparency to their users on if and when their company or customer data will be deleted or returned 25% do not know if and when their CSPs will return or delete their company or customer data.

14 Understand SMEs readiness on privacy 30% use CSPs who do not/likely do not comply with guidance from PCPD to protect PD 18% do not know if their CSPs will comply with guidance from PCPD to protect PD Companies who do not use Cloud services, over 50% do not understand or care of the impact of the privacy related questions in this session.

15

16 Create a Combined Company/CSP Risk Management Profile

17 High Level Top risks Risk frequently associated with Cloud are not new Top risks include: Cloud Risk Management Loss of governance Data loss and leakage Loss of service or data availability Legal and regulatory risk lack of compliance Data quality and processing accuracy (SaaS, PaaS).

18 Cloud Risk Management Action Plan Top risks loss of governance Key mitigation activities include: Effective Provider selection and structured SLA development Effective Contract management of CSP Provider 3 rd party certification reports Interactive IT service management of the CSP.

19 Cloud Risk Management Action Plan Data Loss Leakage Key mitigation activities include: Data Classification Virtualization Hypervisor security Strong access controls Identity access management Integration with CSP Separation/isolation of sensitive systems-sandboxing Encryption end to end, Network, CPU and Storage Strong network configuration IDS, firewalls, IPS etc.

20 Cloud Risk Management Action Plan Top risks loss of service or data availability Key mitigation activities include: Thorough BIA analysis Service and availability testing--periodic Reputation, history, and sustainability assessment social media Strong network configuration establishment and monitoring Data sovereignty always should be considered.

21 Cloud Risk Management Action Plan Top risks data quality and processing accuracy (SaaS, PaaS) Key mitigation activities include: Stringent provider selection through RFI/RFP process Relevant reporting SSAE 16, ISO 27001, PCI-DSS, MTCS Integration of CSP controls and monitoring into Overall Company Risk Profile

22 Questions from listening Audience?