Cloud Computing Security Audit


Transcription:

Cloud Computing Security Audit
Teddy Sukardi, tedsuka@indo.net.id
Indonesia IT Consultant Association (IKTII), Chairman

Agenda
- The data center and the cloud
- Concerns with cloud implementation
- The role of cloud audit as a solution
- Suggestions for implementation

Background
- The role of information technology continues to increase in the financial, commerce, public services, education and many other sectors.
- The demand for data centers has followed along and raised concerns about efficiency and risk management.
- Additional regulations about data center(s) will be issued and implemented nationwide in Indonesia.
- Cloud computing has played a strategic role, offering efficiency alongside progress in the traditional data center role.

Traditional vs Cloud Data Center trends (from Cisco Global Cloud Index)
- By 2018, 78% of workloads will be processed by cloud data centers; 22% will be processed by traditional data centers.
- From 2013 to 2018, overall data center workloads will grow 190%; cloud workloads will grow 290%.
- Workload density (workloads per physical server) growth from 2013 to 2018: for cloud data centers from 5.2 to 7.5; for traditional data centers from 2.2 to 2.5.

Public vs Private Cloud Data Centers (from Cisco Global Cloud Index)
- In 2018, 31% will be in public cloud data centers, up from 22% in 2013.
- In 2018, 69% will be in private cloud data centers, down from 78% in 2013.

Cloud Computing Definition NIST model

Multi Tenancy
- Use of the same resources or application by multiple consumers that may belong to the same organization or to different organizations.
- Visibility of residual data or traces of operations by another user or tenant.
- Need for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models for different consumer constituencies.
- Choices:
  - public cloud providers offer service on an individual user basis
  - in private cloud hosting, an organization may segment users as different business units sharing a common infrastructure

Multi Tenancy, from a provider's perspective
- An architectural and design approach to enable economies of scale, availability, management, segmentation, isolation, and operational efficiency.
- Leverage shared infrastructure, data, metadata, services, and applications across many different consumers.
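The two multi-tenancy hazards named above (a tenant seeing another tenant's objects, and a tenant seeing residual data left behind in a reused resource) are easiest to understand on a small model. The following Python example is added here for illustration; it is not part of the slide deck and does not reflect any provider's implementation. The `StoragePool` class, the tenant names and the sample secret are all constructed. It models a shared block pool that hands freed blocks to the next tenant, and shows how an ownership check on every access plus scrubbing on release closes both gaps.

```python
"""Toy multi-tenant block store (constructed example, not from the slides).

Two controls an auditor would look for in a shared-infrastructure design:
  1. every read/write is checked against the block's current owner (isolation);
  2. a block is zeroed before it returns to the free list (no residual data).
"""

BLOCK_SIZE = 16  # bytes per block; small so the example is easy to follow


class IsolationError(PermissionError):
    """Raised when a tenant touches a block it does not currently own."""


class StoragePool:
    """Shared physical blocks. Freed blocks are reused most-recent-first,
    so the next allocator gets exactly the block the previous tenant gave up."""

    def __init__(self, n_blocks: int, scrub_on_release: bool) -> None:
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))   # LIFO free list
        self.owner: dict[int, str] = {}     # block index -> tenant id
        self.scrub_on_release = scrub_on_release

    def _check(self, tenant: str, idx: int) -> None:
        # Policy enforcement point: the owner map is the only source of truth.
        if self.owner.get(idx) != tenant:
            raise IsolationError(f"tenant {tenant!r} does not own block {idx}")

    def allocate(self, tenant: str) -> int:
        idx = self.free.pop()               # most recently freed block first
        self.owner[idx] = tenant
        return idx

    def write(self, tenant: str, idx: int, data: bytes) -> None:
        self._check(tenant, idx)
        if len(data) > BLOCK_SIZE:
            raise ValueError("data exceeds block size")
        self.blocks[idx][: len(data)] = data

    def read(self, tenant: str, idx: int) -> bytes:
        self._check(tenant, idx)
        return bytes(self.blocks[idx])

    def release(self, tenant: str, idx: int) -> None:
        self._check(tenant, idx)
        if self.scrub_on_release:
            self.blocks[idx][:] = bytes(BLOCK_SIZE)   # zero before reuse
        del self.owner[idx]
        self.free.append(idx)


def residual_data_seen(scrub_on_release: bool) -> bytes:
    """Tenant A stores a secret and releases the block; tenant B allocates next.
    Returns what B reads from its freshly allocated block."""
    pool = StoragePool(n_blocks=2, scrub_on_release=scrub_on_release)
    secret = b"tenant-A-secret!"            # constructed sample, 16 bytes
    blk_a = pool.allocate("A")
    pool.write("A", blk_a, secret)
    pool.release("A", blk_a)
    blk_b = pool.allocate("B")              # same physical block comes back
    return pool.read("B", blk_b)


def cross_tenant_read_blocked() -> bool:
    """Tenant B tries to read a block still owned by tenant A."""
    pool = StoragePool(n_blocks=2, scrub_on_release=True)
    blk_a = pool.allocate("A")
    pool.write("A", blk_a, b"private")
    try:
        pool.read("B", blk_a)
    except IsolationError:
        return True
    return False


if __name__ == "__main__":
    print("no scrub, B reads :", residual_data_seen(False))
    print("scrub,    B reads :", residual_data_seen(True))
    print("cross-tenant read blocked:", cross_tenant_read_blocked())
```

Without scrubbing, tenant B's first read of its new block returns tenant A's secret even though the ownership check passed, which is the "residual data" case: access control on the logical object is not enough when the underlying resource is shared. Whether a provider zeroes storage, memory or other resources before reuse is a concrete question to put on an audit checklist.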

Deployment Model

Mapping The Cloud Model to Control and Compliance

Cloud Security Risks
- Security controls in cloud computing are no different from security controls in any IT environment.
- Because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions.
- An organization's security posture is characterized by the maturity, effectiveness, and completeness of the risk-adjusted security controls implemented.
- These controls are implemented in layers ranging from the facilities (physical security), the network infrastructure (network security) and the IT systems (system security) to the information and applications (application security).
- Controls are also implemented at the people and process levels, such as separation of duties and change management, respectively.
- The security responsibilities of both the provider and the consumer differ greatly between cloud service models.

Compliance Issues
1) Regulatory implications of using a particular cloud service or provider, giving particular attention to any cross-border or multi-jurisdictional issues when applicable
2) Assignment of compliance responsibilities between the provider and customer, including indirect providers (i.e., the cloud provider of your cloud provider)
3) Provider capabilities for demonstrating compliance, including document generation, evidence production, and process compliance, in a timely manner
4) Relationships between customer, providers and auditors (both the customer's and the provider's) to ensure required (and appropriately restricted) access and alignment with governance requirements

Cloud Security Standards
- ISO/IEC 27017: Cloud Computing Security and Privacy Management System - Security Controls
- ISO/IEC 27036-x: multipart standard for the information security of supplier relationship management, planned to include a part relevant to the cloud supply chain

The Role of Audit
- Audit has been one method to provide assurance that operational risk management activities are thoroughly tested and reviewed.
- Audit for cloud must be independently conducted and should be designed to reflect best practice, appropriate resources, and tested protocols and standards.
- Both internal and external audit and controls are important, for both the customer and the provider.

Policy and Practice Suggestions
- Have a right-to-audit clause in the contract, to give customers the ability to audit the cloud provider.
- Use a normative specification in the right to audit, to ensure mutual understanding of expectations.
- Have a right-to-transparency clause with specified access rights, especially in highly regulated industries.
- Providers should review, update, and publish their information security documents and GRC processes regularly (or as required), including vulnerability analysis and related remediation decisions and activities.
- Third-party auditors should be mutually disclosed or selected in advance, jointly by provider and customer.
- All parties should agree to use a common certification assurance framework for IT governance and security controls.

References from:
1) Cloud Security Alliance
2) Cisco Global Cloud Index: Forecast and Methodology, 2013-2018 White Paper