Evelyn de Souza
Chair, Cloud Security Alliance Data Governance
Data Privacy and Compliance Leader, Cisco Systems
Cloud Security Alliance, 2015

Agenda
- Charter / Members
- What is Data Governance
- Data Governance Models (Under Development)
- Cloud Data Protection Model
- Activities
- Get Involved
Charter
- Propose a data governance framework to ensure the availability, integrity and overall security and privacy of data in different cloud models. This framework would feed into the GRC stack, with tie-ins across the CAIQ, CCM and STAR.
- Develop thought leadership materials to promote CSA's leadership in the area of data governance in the cloud.
- Please review our Data Governance Workgroup Charter Document: https://docs.google.com/a/cloudsecurityalliance.org/document/d/1fhllar4knwpgcXwZEi4xtezzLQF9LHISlfElzJMTk30/edit
Cloud Security Alliance, 2014.

Members
Fostering collaboration across:
- Key industry leaders from different verticals
- Membership
- Academia
- Industry analyst associations
- Vendor subject matter experts
Do join our discussion on LinkedIn: CSA Cloud Data Governance Working Group
Cloud Data Governance Challenges
1. Data Protection (65%)
   - Is data safely protected while in motion, in use or stored in the cloud?
   - How is the availability of data in the cloud assured?
2. Security Management (42%)
   - How are assurance levels effectively managed by the cloud provider?
   - Can I get a snapshot of the cloud provider's security management capabilities at any point?
3. Compliance (53%)
   - Can the cloud provider demonstrate that regulatory controls are implemented effectively and sustainably?
4. Data Governance (73%)
   - Who owns/accesses/edits/modifies my data in the cloud?
   - Data does not fit a one-size-fits-all model.
   - How do you measure policy enforcement? How do you enforce policy?
   - Over-emphasis on technology controls often leads to underlying weaknesses in processes.
Based upon an informal survey of CISOs and InfoSec leaders from Dimension Data, Kloud, the CSA Enterprise Council (43 InfoSec leaders worldwide from service providers and enterprises) and FS-ISAC banking leaders. NEED to set up user focus groups to hone in by segment and industry.

Cloud Deployment Model Risks
- Private: Least risk due to single ownership. Enterprise control over legal/regulatory needs.
- Community: Moderate risk due to multitenancy; however, common regulatory/legal needs.
- Public SaaS: Greatest risk due to the least amount of control for the consuming organization. Risk dependent on provider. Shared legal/regulatory needs.
- Public IaaS: High amount of risk. Shared model and shared regulatory/legal needs.
Canonical Question Set Guidance V3
[Table: data life cycle phases (Create, Store, Use) mapped against question categories Q1.1 Who, Q1.2 What, Where, When, with example topics Data Discovery and Location of Data; the checkmark cells did not survive extraction.]

Aligning Governance Models to Security Frameworks
Four Inter-related Domains of COBIT (Source: ISACA):
- Compliance and risk business goals
- Compliance and security IT goals
- Operational and support-oriented processes
Cycle alignment: Plan-Do-Check-Act and Observe-Orient-Decide-Act
- Plan / Observe
- Do / Orient
- Check / Decide
- Act
Example of Governance Framework Tied to CSA Cloud Controls Matrix
Three phases to govern:
- Plan (Plan and Organize): Planning Processes
- Do (Acquire and Implement; Deliver and Support): Functional Processes
- Check, Act (Monitor and Evaluate): Evaluation Processes
CCM domains mapped across these phases:
1. Application & Interface Security
2. Audit Assurance & Compliance
3. Business Continuity Management
4. Change Control Management
5. Data Security and Information Lifecycle Management
6. Datacenter Security
7. Encryption and Key Management
8. Governance and Risk Management
9. Human Resources
10. Identity and Access Management
11. Infrastructure and Virtualization Security
12. Interoperability and Portability
13. Mobile Security
14. Security Incident Management
15. Supply Chain Management
16. Threat and Vulnerability Management

Example of Governance Framework Tied to the CCM Data Security and Information Lifecycle Management Domain
Data Governance Milestones
Maturity stages (increasing value of security risk management, toward value-driven governance):
AD HOC -> MANAGED -> DEFINED -> PROACTIVE -> OPTIMIZING
Characteristics, from ad hoc to optimizing:
- Undefined data management policies; ad hoc processes per data management
- Sporadic data issues communication; processes defined by individual technology functions
- Standardized process per organization; standardized data definitions and rules in place
- Quantitative management of data; KPIs and tools for measurement in place
- Processes are centralized, controlled and measured
- Continuous process improvement as a way of life; real-time analysis and resolution

Exploring Toolsets for Cloud Data Governance
Steps 1, 2, 3, 4
http://clouddataprotection.org/cert/
Contribute
LinkedIn Group: Consider joining us on LinkedIn: CSA Cloud Data Governance Working Group
Mailing List: Our mailing list is hosted on the Cloud Security Alliance listserv: https://lists.cloudsecurityalliance.org/mailman/listinfo/datagovernance

References & Links
- Geospatial data lifecycle: http://www.fgdc.gov/policyandplanning/a-16/stages-ofgeospatial-data-lifecycle-a16.pdf
- CCAQIS: https://cloudsecurityalliance.org/research/cdg/