Cloud Security Strategies. Fabio Gianotti, Head of Cyber Security and Enterprise Security Systems



Similar documents
Taking a Data-Centric Approach to Security in the Cloud

Can Cloud Providers Guarantee Data Privacy & Sovereignty?

Addressing Information Protection, Privacy & Sovereignty Concerns in Cloud Applications

Four steps to improving cloud security and compliance

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Cloud Security Introduction and Overview

Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister

Security Issues in Cloud Computing

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Architecting the Cloud

Big Data, Big Risk, Big Rewards. Hussein Syed

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

best practice guide The Three Pillars of a Secure Hybrid Cloud Environment

Orchestrating the New Paradigm Cloud Assurance

Managing Cloud Computing Risk

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Key Considerations of Regulatory Compliance in the Public Cloud

Cloud Security Specialist Certification Self-Study Kit Bundle

Cloud Security and Managing Use Risks

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Enterprise Mobility Suite (EMS) Overview

Hybrid Wide-Area Network Application-centric, agile and end-to-end

SECURING SENSITIVE DATA WITHIN AMAZON WEB SERVICES EC2 AND EBS

How to ensure control and security when moving to SaaS/cloud applications

AskAvanade: Answering the Burning Questions around Cloud Computing

Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features

Securing and protecting the organization s most sensitive data

Securing Government Clouds Preparing for the Rainy Days

opinion piece Fragmenting DLP assessment, implementation, and management is counter-intuitive

How To Secure Cloud Computing

Flexible Cloud Services to Compete

INSITE. Dimension Data s monitoring offering

Best Practices for a BYOD World

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Cloud Readiness Consulting Services

Software-as-a-service Delivery: The Build vs. Buy Decision

Agenda. Company Platform Customers Partners Competitive Analysis

Cloud models and compliance requirements which is right for you?

opinion piece IT Security and Compliance: They can Live Happily Ever After

The Cloud Computing Revolution: Beyond the Hype

How To Protect Yourself From A Hacker Attack

Cloud Security Trust Cisco to Protect Your Data

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Cloud-Security: Show-Stopper or Enabling Technology?

Cloud Computing and Records Management

Security and Privacy in Cloud Computing

Cloud Courses Description

University of Pittsburgh Security Assessment Questionnaire (v1.5)

How To Manage An Ip Telephony Service For A Business

Using AWS in the context of Australian Privacy Considerations October 2015

HIPAA Compliant Infrastructure Services. Real Security Outcomes. Delivered.

Trend Micro Cloud Security for Citrix CloudPlatform

Analyzing HTTP/HTTPS Traffic Logs

A HELPING HAND TO PROTECT YOUR REPUTATION

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Cloud Readiness Workshop

Transparency. Privacy. Compliance. Security. What does privacy at Microsoft mean? Are you using my data to build advertising products?

A HYPE-FREE STROLL THROUGH CLOUD STORAGE SECURITY

BIG DATA: Big Opportunity, Big Headaches Protect your Big Data with data security

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Data In The Cloud: Who Owns It, and How Do You Get it Back?

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

AVANTGARD Hosting and Managed Services

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

Deploying a Geospatial Cloud

Addressing Security for Hybrid Cloud

7 Demands Enterprises Must Make from Cloud Providers

Transcription:

Cloud Security Strategies Fabio Gianotti, Head of Cyber Security and Enterprise Security Systems London, 14 October 2015

UNICREDIT AT A GLANCE Employees: more than 146.600 Branches: 8.403 Banking operations in 17 countries International network spanning: ~ 50 countries Global player in asset management: 221 bn in managed assets Market leader in Central and Eastern Europe leveraging on the region's structural strengths 2

A COMPLEXITY TO BE MANAGED The approach to ICT Security Governance follows different paths UniCredit landscape is complex Different country regulations Different approaches to cloud adoption due to high-number and the geographical distribution of UniCredit Data Centers Cloud adoption strategy for Data Centers consolidation framework, and Business Enabler Strong ICT Security governance is both mandatory and strongly recommended Last but not least : Judgment of European Court of Justice in CASE C-362/14 declaring the Commission's US Safe Harbor Decision invalid.any Ideas from ENISA team? 3

WHERE CLOUD DATA ARE LOCATED AND WHICH LAW IS APPLIED USA Federal CALEA, CCRA, CIPA, COPPA, EFTA, FACTA, ECPA, FCRA, FISMA, FERPA, GLBA, HIPAA, HITECH, PPA, RFPA, Safe Harbor, US PATRIOT Act Canada PIPEDA, FOIPPA, PIPA United Kingdom ICO Privacy and Electronic Communications Regulations Europe Privacy laws in 28 countries European Union EU Data Protection Directive, State Data Protection Laws South Korea Network Utilization and Data Protection Act Japan Personal Information Protection Act Mexico Personal Data Protection Law Colombia Data Privacy Law 1266 US States Breach notification in 46 states Chile Protection of Personal Data Act Brazil Article 5 of Constitution Argentina Personal Data Protection Act, Information Confidentiality Law Morocco Data Protection Act Israel Protection of Privacy Law (PPL) South Africa Electronic Communications and Transactions Act India Information Technology Act Thailan d Official Information Act B.E. 2540 Singapore Personal & Financial Data Protection Acts Taiwan Computer-Processed Personal Data Protection Hong Kong Personal Data Privacy Ordinance Australia National Privacy Principals, State Privacy Bills, Email Spam and Privacy Bills Philippines Propose Data Privacy Law New Zealand Privacy Amendment Act 4

SEVERAL COMPONENTS TO BE ADDRESSED (in order to set a comprehensive Cloud security strategy) 5 Cloud Security Strategy A comprehensive program and strategy to embed security throughout the enterprise s cloud lifecycle with Security Dashboard monitoring Integration Interoperability Lock in / portability Security Analytics Administration console Public / Private / Hybrid models Secure connection to other systems and data Event Management Platform & Software Applications Threat and vulnerability identification / Access Control Monitoring / Management Application vulnerability management and remediation Integration Platform & Software Governance Cloud Security Strategy Infrastructure Data Users & Identity Governance Define processes and policies (ownership, connectivity, privacy, audit / wipe) Legal (NDA, SLA, licensing) Audit and Compliance Identify preferred suppliers / service level for business Business Continuity Training & Awareness Data Data Classification Data Backup, Retention Data Ownership, Segregation Risk Assessments Encryption / Tokenization Data loss prevention Secure storage, secure disposal Audit and forensics Users & Identity Roles and authorization levels and authentication Evaluation / monitoring of usage patterns Program awareness and education Infrastructure Security functionality Network configuration Cloud hardening Vulnerability management Infrastructure operations

UNICREDIT CLOUD SECURITY EVALUATION DASHBOARD Rete di Lab 6

IS THERE ANY DIFFERENCE BETWEEN DATA AND THEIR APPLICATIONS IN THE CLOUD? Yes, the law is applied to the data, not to the application If you can encrypt the data, then the cloud provider has no access to the data This might change how responsibilities are allocated from a compliance point of view according to the countries where your business is 7

CLOUD READY PROGRAM Cloud Ready overview declines the Group CIO Global and Group CIO ICT Security cloud strategy and feasibility, in order to design a sustainable and common UniCredit Service Platform/ Framework. Rete di Lab Cloud computing is a new way of delivering computing & services resources, not a new technology. Computing services ranging from data storage and process to software on demand to launch new timeto-market business proposition in UniCredit multichannel perspective. The massive concentrations of resources and data could represent a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective in terms of IT security perspective. It is important to note that cloud computing can refer to several different service types, including Application/Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Lastly API rest exposure, for B to B and B to C customers services. 8

FINAL TAKE-AWAYS Cloud benefits in terms of elasticity, scalability, on-demand computing power growing list of providers Companies must be structured (or re-structured) in order to deal with a new generation of risk evaluation, and address the best cloud strategic and omni-comprehensive approach (data protection, application security, network security, encryption, file sharing, local and global regulation, compliance, log management, identity management, KPI & SLA, etc), in order to deploy a strong and sustainable security governance. Companies must raise the bar on ongoing security activities, while addressing at least three key-points to the respective cloud provider: Setting the minimum security level expected Managing the increasing complexity with different and new monitoring points Putting on the table technical skills, more and more sophisticated with a holistic view Bridging the gap between requirements, risks and skills 9 Fabio.gianotti@unicredit.eu

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information