Some thoughts about cloud computing risks. Andris Soroka, 28th of January, 2015, Riga, Latvia


Role of DSS in Cyber-security Development in Baltics Cyber-Security Awareness Raising Technology and knowledge transfer Cyber Security Portfolio Only Trusted Advisor to its Customers Game changer

DSS ITSEC 2014

Today's realities in the world
Escalating Attacks (Designer Malware, Spear Phishing, Persistence, Backdoors)
- Increasingly sophisticated attack methods
- Disappearing perimeters
- Accelerating security breaches
Increasing Complexity
- Constantly changing infrastructure
- Too many products from multiple vendors; costly to configure and manage
- Inadequate and ineffective tools
Resource Constraints
- Struggling security teams
- Too much data with limited manpower and skills to manage it all
- Managing and monitoring increasing compliance demands

In 2014 to date, roughly 1 in 7 people on the entire planet have been impacted by a data leak. Business has to worry..

Some key facts, statistics globally
- 70% of security executives have cloud and mobile concerns (2013 IBM CISO Survey)
- 614% mobile malware growth in just one year (2012-2013 Juniper Mobile Threat Report)
... and traditional security practices are unsustainable
- 85 security tools from 45 vendors (IBM client example)
- 83% of enterprises have difficulty finding the security skills they need (2012 ESG Research)

Cyber security in the Baltic States
Challenges of «C» level executives (business, IT etc.)
- Political (external and internal)
- Technological (risks, threats, fraud, attacks, leaks)
- Economical (budget reality, competition, costs)
- Legal (compliances, regulations etc.)
- Professional (HR, information quantity)
- Psychological (traditions / knowledge / trust)

Shift to Cloud security: good or bad?

Shift to Cloud security

Cloud primarily has the same ITSEC areas

IT Security controls - «to do» list
Business part
- Business processes analysis from tech perspective
- Assessment and management of cyber security risks
Related technological part
- Inventory of devices and software
- Secure configuration of everything (end-users, devices)
- Vulnerability assessment and management
- Malware defenses, application security, pen tests
- Wifi security
- Mobile security
- Data security
- Continuous skills training and learning
- Access control and visibility
- Audit, monitoring, analysis, incident response and more

But now everything is connected to the cloud

Shift to Cloud security: concerns...
Psychology factor
- Trust: we don't want to give our data away
- Latvia is small...
Level of maturity of the cloud computing
- Any new technology needs time to prove itself
- Who wants to be a «testing sheep» and risk..and.. (50/50)
Cyber-criminals
- Clouds are at risk because cybercriminals choose best ROI: they attack «watering holes» and...clouds
Legislation, responsibility, control
- International cooperation at world wide level is still a huge challenge, but how otherwise can you catch bad guys and solve problems...

Cloud of course has challenges... ENISA «Cloud Computing Risk Assessment» recent research describes at least 25 big, known cloud computing major risks, issues..

Shift to Cloud security: the Good
- Economy of scale, security perspective..
- More security for same money..
- Better security experts for same money
- Reduced costs of IT..
- Near instant provisioning
- Service on demand
- Availability from any location
- Redundancy
- No down-time 24x7x365
- And so on...

Shift to Cloud security: the Risk perspective
- Insiders!!!
- Data risks: location, transit
- Loss of control & governance
- Limited data available from cloud service provider (logs, location of data, responsibilities, 3rd parties..)
- External penetration tests not allowed
- Usually no forensics tools are available
- Outsourcing is not known or visible
- Audit not allowed, sometimes important to meet compliance criteria
- Lack of compliance with international regulations (EU data protection regulation, ENISA cloud certification, intellectual property rights etc.)
- 3rd party solutions (e.g. encryption software)
- Overbooking or Isolation (DDoS attacks, not especially on you)
- Lock-in! (It is sometimes not so easy to change cloud provider)

Some final slides about risks...
Deployment Model Risk Profile: likelihood of data security, privacy, and control breach, from higher to lower: Public, Community, Private

Some final slides about risks...
Service Model Risk Profile: impact of loss of control & security breach, from higher to lower: IaaS, PaaS, SaaS

Some final slides...cont.
Cloud Risk Ranking Example

| Attribute             | High (5)         | Med (3)        | Low (1)           |
|-----------------------|------------------|----------------|-------------------|
| Deployment Model      | Public           | Community      | Private           |
| Service Model         | IaaS             | PaaS           | SaaS              |
| Data Security level   | Secret           | Restricted     | Unclassified      |
| Physical Hosting Site | Undefined        | Int'l Location | Domestic Location |
| SOX Critical          | Yes              |                | No                |
| Dependent Apps        | Greater than 10  | 4 to 10        | 0 to 3            |
| Recovery Time         | 4 Hours          | 7 Days         | 31 Days           |
| Region Supported      | Europe or Global | US             | All other         |

Some final slides...cont.
Deployment Model Considerations
Deploy Model risk: High = Public, Medium = Community, Low = Private
Public
- Security and privacy are not a priority
- Service level agreements may not exist
Private
- Private environments provide adequate security and privacy
- Service level agreements should exist

Some final slides...cont.
Service Model Considerations
Service Model risk: High = IaaS, Medium = PaaS, Low = SaaS
IaaS
- Issues may impact all hosted applications and data
- No control over foundational general controls
PaaS
- Impact limited to outsourced platform
SaaS
- Impact limited to applications and data

Some final slides...cont.
Data Security Considerations
Security Level risk: High = Secret, Medium = Restricted, Low = Unclassified
Secret
- Difficult to enforce security standards when outsourcing
- Difficult to demonstrate compliance with regulations like GLBA
Unclassified
- Security and privacy is not a concern (good candidate for cloud computing)

Shift to Cloud security: Dependent Applications
Number of Apps risk: High = Greater than 10, Medium = 4 to 9, Low = Less than 3
> 10
- Implies complexity and greater organizational significance
< 3
- Implies simplicity and less organizational significance

Conclusion...
Cloud computing is not a new technology. Cloud computing is a new business model. It is a way of delivering computing resources, and it is here to stay. Adopt it as soon as you can and build an even more successful business. Before moving to the cloud, involve professionals to help you understand which part it would be reasonable to move (by costs, risks, investment measures), and how, when, where, by whom and why. And which cloud. As a famous Latvian poet once said: «One who'd be able to change would also be able to continue to exist!»

Think security first www.dss.lv andris@dss.lv +371 29162784

Think security first. Credits to ENISA, ISACA papers and presentations, Dr Giles Hogben, Dr. Evangelos Ouzounis, Kiran Kumar, Matt McMillon, Donald Gallien and many others