Cloud Security and Managing Use Risks




Transcription:

Carl F. Allen, CISM, CRISC, MBA, Director, Information Systems Security, Intermountain Healthcare

Agenda
- Regulatory Compliance
- External Audit
- Legal and eDiscovery
- Information Security Architecture Models
- Access Controls
- Encryption Considerations
- Incidents and Response
- Threats and Risks

Regulatory Compliance
- FFIEC
- FISMA
- GLBA
- HIPAA/HITECH
- JCAHO
- PCI DSS
- SOX/MAR
- State Breach Laws

ISO 27001/27002 domains mapped against HIPAA Security, HIPAA Privacy, JCAHO, GLBA and SOX (each X is one regulation the domain maps to; the slide's column alignment is not recoverable from the transcription, so only the marks are kept):
- Risk Assessment: X X X X X
- Security Policy: X X X X X
- Organization of Information: X X X X X
- Asset Management: X X X
- Human Resources Management: X X X X X
- Information Security Incident Reporting: X X X X
- Business Continuity Management: X X X X X
- Compliance: X X X X X
- Communications and Operations Management: X X X X X
- Access Control: X X X X X
- IS Acquisition, Development, Maintenance: X X X X
- Physical and Environmental Security: X X X X X

External Audit
- SSAE 16 / SAS 70
- Right to audit
- Cloud Service Provider (CSP): IaaS, PaaS, SaaS and extensions
- Validate audit results using a controls framework
- Cloud Security Alliance Cloud Controls Matrix: designed to provide fundamental security principles to guide cloud vendors and to assist customers in assessing the overall security risk of a cloud provider

Assessing Security Risk

Legal and eDiscovery
- Contractual language
- CSP location and laws
- eDiscovery requests
- End of service
- Data destruction
- Data recovery
- Escrow of data
- Indemnification
- Ownership of data
- Protection of IP

Formal Model Security Reference Architecture

Access Controls
- Authentication
- Authorization
- Administration
- Assurance

Authentication
- Simple or strong authentication
- User ID and password
- Multi-factor mechanisms
- Single / simplified sign-on
- User, device, service (IaaS / PaaS / SaaS)
- Federated

Authorization
- Discretionary
- Mandatory
- Role based access control
- Attribute based access control
- Administrative privileges
- Application programming interface
- Provisioning and de-provisioning
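The authentication and authorization slides above list role-based and attribute-based control together with provisioning and de-provisioning; the following is an added illustration (not code from the presentation or from Intermountain Healthcare) of how those fit together for a cloud service: a role decides what an account may do, attributes of the user, device and service then narrow that decision, and a de-provisioned account is refused regardless of role. Role names, permissions, service names and the data classification values are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical role catalogue for a cloud tenant (constructed example).
ROLE_PERMISSIONS = {
    "admin":   {"read", "write", "manage-keys"},
    "analyst": {"read"},
}


@dataclass
class Account:
    user: str
    roles: set
    active: bool = True  # de-provisioning flips this to False


def provision(directory, user, roles):
    """Create an account with the given roles in the tenant directory."""
    directory[user] = Account(user, set(roles))


def deprovision(directory, user):
    """Disable rather than delete, so audit trails keep the identity."""
    directory[user].active = False
    directory[user].roles = set()


def rbac_allows(account, action):
    """Role-based check: the account must be active and hold a role granting the action."""
    if not account.active:
        return False
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in account.roles)


def abac_allows(ctx):
    """Attribute-based check layered on top of the role decision.
    Hypothetical policy: regulated data requires multi-factor auth on a managed
    device; any change elsewhere requires multi-factor auth; reads are otherwise open."""
    if ctx["data_class"] == "phi":
        return ctx["mfa"] and ctx["device_managed"]
    if ctx["action"] != "read":
        return ctx["mfa"]
    return True


def authorize(directory, user, action, ctx):
    """Final decision: unknown or de-provisioned accounts are denied,
    then the role check and the attribute check must both pass."""
    account = directory.get(user)
    if account is None:
        return False
    return rbac_allows(account, action) and abac_allows({**ctx, "action": action})
```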

Administration
- Business continuity
- Disaster recovery
- Change management
- Patch management
- Segregation: IaaS / PaaS / SaaS; logical / physical / virtual
- Personnel management
- Data destruction

Assurance

Encryption Considerations
- Secret (symmetric) and public key (asymmetric)
- Data/message confidentiality, integrity and non-repudiation
- Key and certificate infrastructure
- Enabling applications using encryption APIs
- Performance: software vs. hardware

Key and Certificate Infrastructure
- Policy creation
- Trust and infrastructure design
- Proprietary or standards based
- Scalability and manageability
- Available services
- Generation, distribution, revocation and recovery of keys and certificates

Incidents and Response
- Policy
- Response plan
- Monitoring: processes, tools and technologies
- Notification
- Incident team
- Remediation
- Recovery
- Training

Threats and Risks: The Notorious Nine in 2013 (Source: Cloud Security Alliance, Feb 2013)
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Questions? Carl.Allen@imail.org