25 Jul Webinar Presentation Slides 27289
TRANSCRIPT
-
8/22/2019 25 Jul Webinar Presentation Slides 27289
1/29
2013 ISACA Webinar Program. 2013 ISACA. All rights reserved.
Cloud Security
-
Welcome!
Type in questions using the Ask A Question button
All audio is streamed over your computer
Having technical issues? Click the ? button
Click the Attachments button to find a printable copy of this presentation
After the webinar, ISACA members may earn 1 CPE credit
Find a link to the Event Home Page on the Attachments button
Click the CPE Quiz link on the Event Home Page to access the quiz
Once you pass the quiz, you'll receive a link to a printable CPE Certificate
Tell us what you thought of this event by using the Feedback button.
Question or suggestion? Email them to [email protected]
-
Introduction
Presenter: Maria Schuett
Certified Risk and Information Systems Control (CRISC) Security Consultant.
Over 15 years of technical experience in information security
Current role: Identity and Access Management Architect
Co-authored the 1st version of IBM's Redguide, Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security
Published Reduced Sign-On manuscript in the Encyclopedia of Information Assurance (http://isbn.nu/9781420066203/).
-
Agenda
Cloud Computing Adoption and Adaption
Cloud Security: Cloud Vendor
Cloud Security: Your Organization
Managing Risks in Cloud Deployments
-
Definition
Cloud Computing
"A style of computing in which scalable and elastic IT-enabled capabilities are provided as a service to external customers using Internet technologies."
- Gartner, 2013
-
Cloud Market Trends
"By 2014, IT organizations in 30% of Global 1000 companies will broker (aggregate, integrate and customize) two or more cloud services for internal and external users, up from 5% today." - Gartner
"Demand remains high from buyers looking to cloud-based security services to address a lack of staff or skills, reduce costs or comply with security regulations quickly." - Eric Ahlm, Gartner
"Compliance will be key cloud market driver to 2016." - Gartner
-
Cloud Computing
-
Cloud Computing
Reasons for Adoption
Business Objectives
Increase revenue, reduce operational costs
Re-prioritize company focus
Evolving Technologies
Leverage existing technologies
Evolving Business Philosophy
Company Differentiation
Speed-to-market
-
Cloud Computing
Challenges in Adoption
Culture Change
IT and Business Alignment
Business Process Alignment
Customer Satisfaction
-
Cloud Computing
Reasons for Adaption
Achieve Business Agility
Automate to reduce manual steps
Improve resilience
IT and Business Alignment
IT as an enabler, not a barrier
Business Process Alignment
Improve Security Controls
Understanding the big picture
-
Cloud Computing
Challenges in Adaption
Culture (customize or out-of-the-box)
Resource demands
Process Changes
-
Client-Vendor Relationship
The relationship is about
Establishing Trust
Due Diligence
Due Care
Diagram: Client - Vendor (Cloud Service Providers)
-
Cloud Security
As a Cloud Service Provider:
Compliant to SSAE16 Auditing Standard
Compliant to regulations as per industry
Education: FERPA
Healthcare: HIPAA, HITECH
Compliant to Standards
PCI/DSS, ISO/IEC 27001
Established Credibility
-
Cloud Security
As a Cloud Service Provider
Security Architecture of Service Offering
Depicting high availability, integrity, resiliency
Data Privacy Policies
Data classification and encryption
Location of Data: Data Centers
Operational Practices: Disaster Recovery, Change Management, Vulnerability Assessments, Security Policy
-
Cloud Security
Client culture change
Basic Philosophy
Confidentiality, Integrity, Availability
Well-defined boundaries and accountability
Traditional IT roles aligned with business
New Philosophy
New boundaries, externalized accountabilities
Sustaining confidentiality, integrity, availability
New business roles to align with cloud solutions
New governance policies
-
Cloud Knowledge
As a Client: General Knowledge about Cloud Services
Source: http://www.tatvasoft.com/blog/2011/06/cloud-computing-architecture-model.html
-
Cloud Security
SaaS users have less control over security among the three fundamental delivery models in the cloud.
Source: http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf
-
Cloud Knowledge
As a Client: Deployment models
Source: http://www.centre4cloud.nl/nl/kennis-ontwikkeling/definition-cloud-computing/deployment-models/
-
Cloud Security
As a Client:
Organization's line of business
Assets: data, intellectual capital
Stakeholders, data owners
Regulations, standards, governance
Processes and standard practices
Policies surrounding governance
Managing risks in cloud deployments
-
Cloud Security
Organization's line of business
Healthcare, Insurance, Education
Data Management (CIA model)
Type of Data (e.g. PII)
Transmission of Data
Location of Data
Availability of Data
Stakeholders, data owners
-
Cloud Security
Compliance to Regulations and Standards
FERPA
HIPAA / HITECH
PCI/DSS
Governance
Policies surrounding cloud strategies
-
Cloud Security
Processes and standard practices
Contract Management
Contract Review, Length of Contract, Penalties, etc.
Set expectations for SLA: Availability, Maintenance
Ownership of intellectual capital
Data recovery due to disaster or loss of business
Interoperability
User Provisioning: Federated Single Sign-on
Integration to internal Applications
Data transfers
-
Cloud Security
Risk Management
1. Identifying new assets, vulnerabilities, and threats
2. Assess and classify assets, vulnerabilities and threats
3. Respond to risks (avoid, mitigate, transfer, accept)
-
Risk Management Method
-
Risk Evaluation
Evaluate Cloud Vendor
Security Questionnaire
What's your acceptance level, metrics
Evaluate answers, and artifacts
Evaluate architecture
Determine vendor's dependency on other cloud service providers
-
Risk Evaluation
Evaluate Your Organization
Organization's capabilities?
What type of service?
What type of changes are required?
What type of data?
Internal support for cloud solutions?
-
Risk Evaluation
Recommend approach before implementation
Pilot project
Establish metrics to measure readiness
Refine processes
Governance over the relationship via policies, business processes, due diligence, and due care
-
Cloud Security
Approach for cloud services:
Relationship - Collaboration and partnership
Governance through risk management
Knowing your capabilities as an organization
Knowing your future cloud strategy affected by lessons learned, measured ROI, etc.
-
Resources
Extended Reading:
http://ssae16.com/
https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf
Cited quotes:
http://www.itpro.co.uk/cloud-security/19614/gartner-sets-out-cloud-security-market-trends
http://www.gartner.com/technology/topics/cloud-computing.jsp
http://link.springer.com/content/pdf/10.1186%2F1869-0238-4-5.pdf