Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101


Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance

Presenters
John Montoro, President & CEO of RealTime Accounting Solutions, a cloud-based provider of accounting, payroll and financial reporting services; 34 years as an auditor and consultant to local governments in Virginia
Ted Brown, Manager at Network Alliance, a provider of cloud IT infrastructure and software support services; 10 years' experience developing and implementing IT solutions for a diverse client base

Agenda
Cloud service models
Security controls
Your responsibilities and the questions you need to ask
Enterprise risk management and the cloud
Cloud user experience

Presentation Goals
Gain an overview of cloud service models and their pros and cons
Review the basics of cloud security
Obtain an understanding of ERM risks and responses
Understand your responsibilities as a cloud user

Who is in the cloud? What is in the cloud? This is my cloud

Harnessing the Power of the Cloud Journal of Accountancy Article, April 2014 Technology continues to transform the accounting profession. Cloud computing and mobile devices have untethered CPAs from their desks and desktops, allowing them to do work and access data on a virtually anytime, anywhere basis. Technology continues to break down geographic and market barriers, creating unprecedented opportunities for CPA firms and for CPAs in business and government.

Harnessing the Power of the Cloud, Journal of Accountancy article, April 2014: The internet also brings danger. Security breaches such as those at Target and Neiman Marcus show how cybercriminals are ready to exploit weaknesses to gain access to confidential financial information. CPAs leveraging the web for their organizations need to be aware of the security concerns and protect themselves and their clients' and companies' data.

Cloud Service Models: SaaS (Software as a Service)
SaaS is a cloud model in which an application is hosted by a company, typically in a datacenter, and delivered over the internet on a pay-per-use basis. It is designed for end users and is the most common use of the cloud.
SaaS examples: Salesforce, GoToMeeting, Google Apps, Office 365
Benefits of SaaS
The SaaS provider maintains and updates the product
Easy to use with teams outside the organization
Mobile access is typically built into the system
Use software where demand spikes (tax deadlines) without paying for a full license
Cons of SaaS
Some application data may not be permitted by legislation or other regulations to be hosted externally

Cloud Service Models: PaaS (Platform as a Service)
A computing platform that typically includes an operating system, programming language, database and web server. It is designed for building applications and is typically used by developers.
PaaS examples: Heroku, OpenShift, Force.com
Benefits of PaaS
No capital cost of building your own solution
The PaaS provider maintains all underlying layers of hardware and software
Lets the team focus on workflow management
Ease of development where external parties need to interact with the application
Cons of PaaS
Applications may require specific hardware and software
Programming language lock-in
The user is responsible for managing the application and the data

Cloud Service Models: IaaS (Infrastructure as a Service)
Computing infrastructure such as virtual or physical servers, storage and networking is provided on a monthly subscription. It is designed for virtualization of servers and desktops.
Examples: Rackspace, Amazon EC2, Windows Azure
Benefits of IaaS
No capital cost of building your own solution (OpEx vs. CapEx)
The service provider owns the hardware and is responsible for housing, running and maintaining its infrastructure
Allows for dynamic scaling
Cons of IaaS
Regulatory compliance of outsourced data storage
Good to know: users are responsible for patching, securing and maintaining the servers they have subscribed to.

Cloud Service Models: SaaS + IaaS = ? (IT Outsourcing Model)
A virtual desktop environment in which virtual or physical servers, storage, networking, software and support are provided and maintained on a monthly basis. Basically an outsourced IT department.
Examples: Network Alliance, Proxios, others
Benefits of the IT outsourcing model
The service provider owns the hardware and is responsible for housing, running and maintaining its infrastructure
The service provider installs and maintains all software applications
Significantly reduces or eliminates the need for in-house IT staff
Cons of the IT outsourcing model
Cost effectiveness depends on the size of the organization and the extent of computer use

Network Security What security is in place today?

Top 20 Critical Security Controls

History of Critical Security Controls Critical Security Controls were created to improve risk posture against real-world threats.

Basics in Network Security
Physical security of servers
Physical security of data on computers
Firewall
Intrusion protection system
Antivirus protection
Up-to-date operating system and antivirus

Does the Cloud provide better security for your data?

Who is Responsible for Cloud Security?
Cloud security falls on both the provider and the end user, and the split differs for each cloud computing model.
SaaS: responsibility for securing the platform and infrastructure falls on the provider
IaaS: shared responsibility. The user is required to secure the services they provision; the provider is required to secure the underlying hardware and datacenter
IT outsourcing: responsibility for securing the platform and infrastructure falls on the provider
Identify the security gaps: know what you are buying, understand the contract and terms, and when in doubt, ask.

6 Questions to Ask
1. What is the encryption strategy?
2. How do you isolate our data from other customers?
3. How is user access monitored?
4. What is the backup and disaster recovery strategy?
5. What boundary defenses are in place?
6. What is the drive wiping policy?

End User Responsibilities
Your data is your data and you are liable for it
Understand the cloud model you are using
Ask many questions and talk to references
Understand insurance coverage for cloud-stored data
Have a backup plan
Endpoint security: any device you use should be secured
Malware detection on endpoints
The office should still have a firewall and boundary defenses

End User Responsibilities: Password Enforcement
Passwords are typically the weakest link in the security chain
Recommendations
Change every 45 days
At least 8 characters
A combination of numbers, symbols, upper-case and lower-case letters
If possible, deploy two-factor authentication for cloud access
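The policy on the slide above, as a runnable check. This is an added example, not code from the presentation or from either presenter's company; it implements the slide's rules exactly as stated (8 or more characters, upper and lower case, a digit, a symbol, rotation every 45 days). The account records, the `last_changed` field and the audit date are constructed for illustration. One caveat a practitioner should know: later guidance (NIST SP 800-63B, 2017) dropped mandatory periodic rotation and composition rules in favour of length and screening against known-breached passwords, so treat the rule set as the 2014 recommendation it is.

```python
"""Password policy audit implementing the slide's stated rules.

Added example for illustration only. The 45-day rotation window, the
sample accounts and the audit date below are assumptions, not data from
the presentation.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 45  # rotation interval recommended on the slide
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Assumed audit date: the conference day.
AUDIT_DATE = date(2014, 5, 28)


@dataclass
class Account:
    username: str
    password: str  # constructed sample only; a real system stores a hash, never the password
    last_changed: date


def composition_violations(password: str) -> list[str]:
    """Return the composition rules the password fails; an empty list means it passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


def is_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the rotation interval."""
    return today - last_changed > timedelta(days=max_age_days)


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each username to its list of policy violations; compliant accounts map to []."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        issues = composition_violations(acct.password)
        if is_expired(acct.last_changed, today):
            issues.append(f"not changed in {(today - acct.last_changed).days} days")
        report[acct.username] = issues
    return report


# Constructed sample records (not real credentials).
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Ledger#2014", date(2014, 5, 1)),    # meets every rule on the audit date
    Account("asmith", "password", date(2014, 5, 20)),    # long enough, fails the other composition rules
    Account("bjones", "Payroll!9x", date(2014, 2, 1)),   # strong password, but older than 45 days
]


def audit_sample() -> dict[str, list[str]]:
    """Run the audit over the constructed sample on the assumed audit date."""
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, issues in audit_sample().items():
        print(user, "OK" if not issues else "; ".join(issues))
```

The audit reports per-account violations rather than a single pass/fail so that an administrator can see which rule is actually being missed; in practice the composition check runs at password-set time and only the age check belongs in a periodic audit, since stored passwords should exist only as hashes.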

The Cloud According to COSO Research commissioned by COSO Published in 2012

COSO: The Opportunities
Cost savings: paying for what you use
Speed of deployment
Scalability and better alignment of technology resources
Decreased effort in managing technology
Environmental benefits

COSO: The Risks
Disruptive force: the cloud facilitates change and innovation
Residing in the same risk ecosystem as the CSP and other tenants
Lack of transparency
Reliability and performance
Vendor lock-in and lack of application portability or interoperability
Security and compliance concerns
High-value cyber attack targets
Risk of data leakage
IT organizational changes
Cloud service provider viability

COSO: Recommended Risk Responses
Risk: Unauthorized cloud activity. Response: Cloud policies and controls
Risk: Lack of transparency. Response: Assessments of the CSP control environment
Risk: Security, compliance, data leakage and data jurisdiction. Response: Data classification policies and processes
Risk: Transparency and relinquishing direct control. Response: Management oversight and operations monitoring controls

COSO: Recommended Risk Responses (continued)
Risk: Reliability, performance, high-value cyber attack target. Response: Incident management
Risk: Noncompliance with regulations. Response: Monitoring of the external environment
Risk: Vendor lock-in. Response: Preparation of an exit strategy
Risk: Noncompliance with disclosure requirements. Response: New disclosures in financial reporting

Is Your Cloud Provider HIPAA Ready? (Source: IT Business Edge article)
1. Policies: a security program that meets the specific policies and procedures required by HIPAA
2. People: a dedicated person on-site
3. Access controls: controls that include electronic identification and limit physical on-site data access
4. Encrypted data in transit
5. Encrypted data at rest: for healthcare data, drives must be encrypted and accounted for, including backups
6. Monitoring: daily operational procedures that log and monitor for suspicious activity
7. Breach notification: an incident response process
8. Disaster recovery: addresses the recovery or continuation of the technology infrastructure
9. Data location: know where your cloud is! Data should be stored in the US
10. Experience and organization-wide awareness: a provider with a proven track record

User Perspective: the Virtual Desktop Environment
RealTime Accounting's IT structure
No servers on site
All employees work in a virtual desktop environment
A paperless office (well, almost)
Multiple ways to connect to the internet
The provider owns the server equipment, installs software and updates, and provides customer support
We manage password access

User Perspective: the Virtual Desktop Environment
RealTime Accounting's IT structure is more complex
The document manager is a SaaS product and is separately managed
Payroll software syncs to an on-site server maintained by our payroll partner
Several access points to software applications
Several ways to transfer data to and from our clients: email, Dropbox, hot folder

User Perspective: Documents Stored in the Cloud. Can you throw away the paper?
Security is clearly an issue
Some considerations with document management: versioning, chain of evidence, ability to redact

Questions? Contact information John Montoro jmontoro@rta-solutions.com Ted Brown tbrown@networkalliance.com