I&IT Strategy & Cyber Security

I&IT Strategy & Cyber Security
Cloud Computing: Finding the Silver Lining
AMCTO Information, Access, & Privacy Forum, Oct. 29th, 2015
UNCLASSIFIED

Topics
- Why do I care about security in the Cloud?
- How do I procure Cloud services with security in mind?
- Challenges, roles, and responsibilities
- Principles to leverage
- How secure (or vulnerable) are Cloud services?

Presenter
Tim Dafoe, CISSP-ISSAP
Senior Security Policy Advisor, I&IT Strategy & Cyber Security Division, Treasury Board Secretariat
- Chair of TBS/SCS Cloud Directors WG
- Participant, GC Cloud RFI Vendor Consultation
- Member, PSCIOC Cloud WG, PSCIOC FPT ICT Policy WG, National CIO Council Subcommittee for Information Protection
- Member, CAC-ITS SMC SC 27, CAC/ISO SMC TC 292
- PbD Ambassador, Ontario IPC

Cloud Security
Why do I care about security in the Cloud?
Mostly the same reasons you (hopefully) cared before:
- Customer (or citizen) expectations, needs
- Service levels, keeping the lights on, avoiding loss and the (rising) cost of breaches/recovery, general interest re: organizational self-preservation
- Privacy (!), regulations, records, penalties, etc.
New reasons:
- You'll have to care to achieve it
- Roles will be changing
- Preserving the Cloud value proposition

Risk and Cloud
- What risk are you managing now? And how? What processes are you using?
- Shadow IT/Cloud risk
- Cloud adoption is not a rationale to add needless levels of complexity to existing risk management
- Cautionary example: BYOE (Bring Your Own Encryption)
- Forensics and investigations
- Visibility, audit, incident response, contingency

Procurement, Contracts, SLAs
How do I procure Cloud services with security in mind?
- What are your internal metrics today?
- Do you have an information classification model, and do you use it?
- Provider contracts, T&Cs, and SLAs are largely going to be static, take-it-or-leave-it propositions (this is a big deal for SaaS in particular).
- Understanding your metrics, requirements, etc. will allow you to determine if these propositions are acceptable.
- Manage risk, and face Cloud challenges head-on.

Challenges
- Vendor lock-in, portability, contingency
- Change control, notification, impact
- Deletion of data
- Key management
- Forensics, investigations, e-discovery
- Dashboards, visibility
- Insider threat (this means your employees, too)
- Persistent concerns re: jurisdiction / data sovereignty
- Supply chain, FOCI
- Billing, security/controls vs. value proposition
- Are your IT, EA, security, privacy, and legal functions ready for this?

Reporting, Audit, Certification
Understand this changing landscape in the context of your own metrics and requirements:
- NIST / FedRAMP
- Cloud Security Alliance CCM, STAR, etc.
- SSAE16 SOC 1/2/3, Type I vs. Type II
- ISO/IEC 27018 (recently adopted by MS Azure, Google)
- Upcoming: ISO/IEC 27017
- Security testing and evaluation vs. contracts, T&Cs
- What about your right to visibility, audit, reporting?

How secure/vulnerable is Cloud?
It depends (sorry).
- What kind of information/transactions do you process?
- What threats are you defending against?
- What are your internal requirements and metrics?
- What are your customer/end-user expectations?
- How will you securely manage your Cloud services?
- Is FOCI a consideration for your sector?

How secure/vulnerable is Cloud? ... but also consider the following:
- Your perimeter isn't what it was anyway.
- You have insider threats, too: what are you doing about them?
- Concerns such as VM sprawl aren't unique to Cloud.
- Traditional assurance and evaluation models are now used for virtualized/abstracted platforms (CC, UK CPA, etc.).
- How secure is your DC? Do you already outsource?
- How good is your key management, right now?

Principles to consider
Some collected (and credited) wisdom:
- "Manage the risk you manage now" (George Takach)
- "Use the Cloud to secure the Cloud" (Ross Hartman, Bill Shin)
- "Own the root of trust, or your adversary will" / "Get T&Cs right, or you'll end up in court" (Anil Karmel)
- "Your lock, your key" (everyone in cryptography, ever?)
- "The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement" (UK Government)

Conclusion
Understand:
- your information, needs, internal metrics, threats
- what you're buying
- your regulatory context (privacy, records, etc.)
- industry reporting and certification models, levels
- roles, responsibilities, and provider metrics
- your contracts, terms of service, SLAs
Ensure terms and SLAs align with your requirements.
Leverage good principles for Cloud adoption and security.
Face known challenges and manage risk.