Selecting a Cloud Service Provider (CSP)



Similar documents
Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

A Flexible and Comprehensive Approach to a Cloud Compliance Program

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Cloud Security and Managing Use Risks

Cloud Security Certification

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

Key Considerations of Regulatory Compliance in the Public Cloud

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

Cloud Services Overview

The Cloud Security Alliance

TOOLS and BEST PRACTICES

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Cloud Standardization, Compliance and Certification. Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Orchestrating the New Paradigm Cloud Assurance

Cisco Cloud Assessments. Justin Tang

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

How To Manage Cloud Data Safely

Cloud Computing Security Issues

Auditing Cloud Computing and Outsourced Operations

GRC Stack Research Sponsorship

Hans Bos Microsoft Nederland.

Assessing Risks in the Cloud

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

John Essner, CISO Office of Information Technology State of New Jersey

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Computing: Legal Risks and Best Practices

How To Improve Your Business

Cloud models and compliance requirements which is right for you?

A Comparison of IT Governance & Control Frameworks in Cloud Computing. Jack D. Becker ITDS Department, UNT & Elana Bailey

Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015

Protecting Data and Privacy in the Cloud

Compliance and the Cloud: What You Can and What You Can t Outsource

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Cloud Computing Governance & Security. Security Risks in the Cloud

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

Cloud Computing An Auditor s Perspective

Cloud Computing Risks and Considerations for a Successful Implementation. Andrew Ellsweig, Director Nicholas Zaky, Manager

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Cloud Audit and Cloud Trust Protocol. By David Lingenfelter 2011

Legal Issues in the Cloud: A Case Study. Jason Epstein

Cloud Security & Risk. Adam Cravedi, CISA Senior IT Auditor acravedi@compassitc.com

Managing Cloud Computing Risk

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Wrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors

Private & Hybrid Cloud: Risk, Security and Audit. Scott Lowry, Hassan Javed VMware, Inc. March 2012

Information Technology: This Year s Hot Issue - Cloud Computing

Cloud Computing: Background, Risks and Audit Recommendations

LEGAL ISSUES IN CLOUD COMPUTING

2014 HIMSS Analytics Cloud Survey

Adopting Cloud Computing with a RISK Mitigation Strategy

Protec'ng Data and Privacy in a World of Clouds and Third Par'es Vincent Campitelli

How to ensure control and security when moving to SaaS/cloud applications

Security Controls What Works. Southside Virginia Community College: Security Awareness

Close-Up on Cloud Security Audit

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Global Efforts to Secure Cloud Computing. Jason Witty President, Cloud Security Alliance Chicago

On Premise Vs Cloud: Selection Approach & Implementation Strategies

Altius IT Policy Collection Compliance and Standards Matrix

How To Choose A Cloud Computing Solution

penelope athena software SOFTWARE AS A SERVICE INFORMATION PACKAGE case management software

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

SECURE CLOUD COMPUTING

Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division

Building an Effective

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

Cloud Computing What Auditors need to know

Cloud Computing: Risks and Auditing

Clinical Trials in the Cloud: A New Paradigm?

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

Tips For Buying Cloud Infrastructure

custom hosting for how you do business

THOUGHT LEADERSHIP. Journey to Cloud 9. Navigating a path to secure cloud computing. Alastair Broom Solutions Director, Integralis

Information Security: Cloud Computing

Seeing Though the Clouds

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

Security Issues in Cloud Computing

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Transcription:

Selecting a Cloud Service Provider (CSP) Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK, CompTIA Cloud Essentials Principal, ncontrol, LLC Adjunct Professor President, Cloud Security Alliance Delaware Valley Chapter (CSA-DelVal)

Selecting a CSP Presentation Overview Cloud Overview Selection Considerations, Criteria & Tools Case Studies

Selecting a CSP Cloud Overview Why should you care about the cloud?

Cloud Computing Trends Numbers Numbers around CC are always impressive: 80% fortune companies 1000 will pay to use cloud computing services and 30% will pay for infrastructure. Gartner At this moment, the 5 major search engines together have 2.000.000 computers Market : 42 billon: IDC 95 billion: Merrill Lynch 33% of IT business will be in Cloud Computing Gartner 8 Microsoft data centre in Chicago: 610.000 servers 8 Source: Open Group

Selecting a CSP What is Cloud Computing? Re-branded IT Business Model Application Service Provider (ASP) IT Outsourcing (ITO) Confusion Hosting Virtualization Service Provider

Selecting a CSP Selection Considerations, Criteria & Tools Risky Business Security Guidance Privacy & Data Protection Rules Service Provider / Consumer Process Alignment Portability / Interoperability Contractual / Legal Agreements Industry Tools & Tricks

Selecting a CSP Partly Cloudy with a chance of risk! The Cloud is perceived as risky business. Lack of Control Regulatory Compliance Hacks, outages, disasters.oh my! Source: Youtube

Security Guidance Selecting a CSP Existing Certifications / Attestations SAS 70 Type II / SSAE 16 / ISAE 3402 ISO 27001 / 2 ISO 27036 BITS Shared Assessments PCI DSS HIPAA / HITECH Guidance Specifically for the Cloud Cloud Security Alliance (CSA) Guide v3.0 CSA Security, Trust & Assurance Registry (STAR) ENISA Cloud Computing Risk Assessment NIST SP 800-144 Guidelines Security / Privacy for a Public Cloud

Privacy & Data Protection Rules Jurisdictions* Regional: EU DPA National: PIPEDA, GLBA, HIPAA / HITECH, COPPA, Safe Harbor Statutory: Bavarian, CA SB 1386 / 24, MA 201 CMR 17, NV SB 227 Data Flow & Jurisdictional Adherence Backups CSP Big Data: Traditional, Sensory (e.g. Logs, Metadata) & Social Business / Organizational Ecosystem Contract Clauses European Model Contract Clauses PCI DSS Privacy Best Practices Selecting a CSP Generally Accepted Privacy Principles (GAPP) * Not all inclusive.

Svc Provider / Consumer Process Alignment Change / Configuration Management Process, process & some more process. Automated configuration management? Maturity Model Vendor Loading / Off-loading Provisioning / De-provisioning Disaster Recovery Selecting a CSP Business / Organizational Ecosystem Maturity Model

Svc Provider / Consumer Process Alignment Incident Response Selecting a CSP Computer Security Incident Response Team (CSIRT) Digital Forensics Legal Hold / Litigation Response / e-discovery Electronic Discovery Reference Model (EDRM) Federal Rules of Civil Procedure (FRCP) 30(b)(6) Records and Information Management (RIM) Generally Accepted Recordkeeping Principles (GARP ) Information Governance Reference Model (IGRM) Information Lifecycle Management (ILM) MIKE2.0

Selecting a CSP Portability / Interoperability Software Data Third Parties

Selecting a CSP Contractual / Legal Agreements Service Level Agreements (SLA) Uptime Data Ownership Escrow Data Include Sensory Data, Metadata Exit Clause Testing Disaster Recovery Incident Response Legal Hold / Litigation Response / e-discovery Right to Audit Vendor & Vendor s Vendors Privacy Impact Assessments (PIA) Additional Clauses European Model Contract Clauses

Selecting a CSP

Selecting a CSP Industry Tools & Tricks Cloud Strategic Roadmap Matrices & Software Cloud Brokers

Selecting a CSP Industry Tools & Tricks Cloud (Consumer) Strategic Roadmap Business Model Alignment Centralized / Decentralized Industry Vertical Ecosystem Awareness (Customers, Partners, Vendors) Project Portfolio Management (PPM) Assimilate Cloud Projects» Involves many stakeholders (business, PMO, IT, etc.). Phased Implementation Approach Private Hybrid Public Basic Advanced Services

Selecting a CSP Industry Tools & Tricks Cloud (Provider) Strategic Roadmap Business Model / Product Line Scalability e-discovery, Authentication, Encryption, Scanning» Organic» Merger & Acquisition Longevity / Sustainability Industry / Jurisdiction Focus Ecosystem Awareness Technology / Enterprise Architecture (TOGAF, SABSA, ITIL)

Industry Tools & Tricks Matrices & Software Matrices Audit / Compliance Focused» CSA Consensus Assessments Initiative Questionnaire» CSA Cloud Controls Matrix» BITS Enterprise Cloud Self-Assessment Software Selecting a CSP VMware Cloud Readiness Self-Assessment (CRSA) Bit Titan MigrationWiz Gravitant cloudwiz

Gravitant, Inc. All Rights Reserved. cloudmatrix Version 5.0 cloudwiz TM Step 1: Plan Capacity Capacity planning is a vital component of cloud computing adoption that involves understanding necessary resource requirements in order to meet the anticipated needs of customers and users. Companies who are able to predict their computing needs can reserve capacity and plan for their predicted usage based on their IT budgets. Other models allow organizations to utilize an on-demand, payper-use model which may be more economical.

Gravitant, Inc. All Rights Reserved. cloudmatrix Version 5.0 cloudwiz TM Step 2: Compare Vendors Once a cloudwiz user has filled out their current resource utilization and projected demand, they can then compare vendors, side-byside. Our inbuilt standardized vendor catalog allows cloud users to compare prices from multiple providers in an expedia-like interface and then optimize for the best vendor based on individual goals and constraints such as cost, QoS and best match.

Gravitant, Inc. All Rights Reserved. cloudmatrix Version 5.0 cloudwiz TM Step 3: Analyze ROI As a cloudwiz user compares vendors across cost, QoS and other constraints, they can also determine ROI Benefits to analyze the effects of selecting a particular provider.

Selecting a CSP Industry Tools & Tricks Cloud Brokers RightScale CloudFloor Skydera enstratus

Case Study: Choosing a PaaS CSP Background Mid-sized Capital Management Firm FINRA Regulated Outsourced IT with hardware onsite. Drivers Cost Compliance Technologies Cloud Computing Microsoft Exchange / Office 365 Exchange Online Onsite Symantec Enterprise Vault

Case Study: Choosing a PaaS CSP Limitations Budget Skill-sets Resources Monitoring Risks Cloud Computing System / Software Interoperability Availability Vendor Management: Contractual / SLA Omissions Scope Creep Data Ownership

Case Study: Choosing a PaaS CSP Lessons Learned Better Safe Than Sorry Follow GLBA Safeguards Many Moving (Technical) Parts Use Existing Vendors e-discovery Helped Next Steps Cloud Computing Onsite Journaling Testing BCP / DR, Incident Response System Architecture Upgrades

Case Study: Choosing an IaaS CSP Background Venture capital funded pharmacy service provider. Small HIPAA / HITECH Business Associate Level 4 PCI Service Provider Drivers Cost Savings Core Competency Focus Technologies Cloud Computing Open-source solutions at a co-location facility. Leverages third party / upstream system providers.

Case Study: Choosing an IaaS CSP Limitations Buying / Negotiating Power HIPAA / HITECH / PCI Requirements Third Party Systems Risks Cloud Computing Jurisdiction Availability Cloud / Third Party Ecosystem Reliance

Case Study: Choosing an IaaS CSP Lessons Learned Bigger is not better. Standardize Technology Ask for the documentation from attestations. Sticker Shock Next Steps Cloud Computing Work with the CSP Conduct a PIA. Test incident response plans.

Cloud Computing Presentation Take Aways There Are No Silver Bullets Think Cloud Strategy & Business Ecosystem You Are Not Alone Leverage CSA, BITS & NIST s Research Leverage Industry Tools, Tips & Tricks Compare Apples to Apples Technology Pricing SLAs

References ISO 27036: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=59648 CSA CAIQ: https://cloudsecurityalliance.org/research/cai/ CSA CCM: https://cloudsecurityalliance.org/research/ccm/ CSA STAR: https://cloudsecurityalliance.org/star/ CSA Guide: https://cloudsecurityalliance.org/research/security-guidance/ BITS Enterprise Cloud Self-Assessment: http://sharedassessments.org/media/pdf-enterprisecloud-sa.pdf ENISA Risk Assessment: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment NIST SP 800-144: http://csrc.nist.gov/publications/drafts/800-144/draft-sp-800-144_cloud-computing.pdf Core CloudInspect: https://www.corecloudinspect.com/microsite/index.html McAfee Database Security Scanner (DSS): http://www.mcafee.com/us/products/security-scanner-fordatabases.aspx ARMA GARP: http://www.arma.org/garp/ IGRM: http://www.edrm.net/projects/igrm EDRM: http://www.edrm.net/ MIKE2.0: http://mike2.openmethodology.org/ VMware CRSA: http://getcloudready.vmware.com/crsa/ Bit Titan MigrationWiz: https://www.migrationwiz.com/secure/default.aspx Gravitant cloudwiz: http://www.gravitant.com/cloudwiz-home.html RightScale: http://www.rightscale.com/ CloudFloor: http://www.cloudfloor.com/ Skydera: http://www.skydera.com/ enstratus: http://enstratus.com/ Cloud Computing

Cloud Computing Personal References ISACA Journal, Auditing Your Non-Relational, Distributed Database System : http://www.isaca.org/journal/current-issue/pages/default.aspx ISACA Journal, "Testing Your Incident Response Plan": http://www.isaca.org/journal/current- Issue/Pages/default.aspx PenTest Magazine, "Scanning Your Cloud Environment": http://pentestmag.com/client-side-exploits-pentest- 082011/ e-discovery 2.0: In the Cloud: https://s3.amazonaws.com/ncontrol-docs/csa11_session-smarkey.ppt Security in the Cloud: https://s3.amazonaws.com/ncontrol-docs/cloud_computing-security.ppt System Architecture & Engineering for the Cloud: https://s3.amazonaws.com/ncontrol- Docs/Cloud_Computing-Architecture_Engineering.ppt Cloud Computing Primer: https://s3.amazonaws.com/ncontrol-docs/cloud_computing-basic.ppt Cloud Computing - Authentication & Encryption: https://s3.amazonaws.com/ncontrol- Docs/Cloud_Computing_Security-Session_II.ppt Cloud Computing - Application & Virtualization Security: https://s3.amazonaws.com/ncontrol- Docs/Cloud_Computing_Security-Session_III.ppt

Questions? Contact Email: steve@ncontrol-llc.com Twitter: @markes1, @casdelval2011 LI: http://www.linkedin.com/in/smarkey

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information