ncontrol grid cloud drexel

Upload: markes1977

Post on 08-Apr-2018

TRANSCRIPT

  • 8/6/2019 nControl Grid Cloud Drexel

    1/18

    PRIVACY & SECURITY IN THE TIME

    OF GRID/CLOUD COMPUTING

    Steve Markey, PMP, CISSP, CIPP, CISM, CISA

    Founder/Principal, nControl


  • 4/18

    GRID/CLOUD COMPUTING: DEPLOYMENT

    Cloud Deployment Modalities

    Public

    Amazon S3 & EC2

    Salesforce

    Google Apps & Docs

    Zoho

    Private

    Cloud Implementations Hosted Internally

    Shared Services/Charge-back Model

    Managed

    mySAP, Microsoft CRM/Project/SharePoint

    Hybrid

    Dedicated Servers Over Private Lines

  • 5/18

    GRID/CLOUD COMPUTING: SCHOOLS OF THOUGHT

    Data Center

    Reduce Need for Rack Space, Hardware & Server Software

    Client Software

    Reduce Need for Client Software

    Derivative of Terminal/Mainframe Era

  • 6/18

    GRID/CLOUD COMPUTING: ISSUES

    Security

    Privacy

    Operations

  • 7/18

    GRID/CLOUD COMPUTING: ISSUES CONT.

    Security

    Controls

    Logical

    Physical

    Standards/Certification

    Public/Private Sector

    Industry

    Heterogeneous Platforms

    Windows/Linux/UNIX/Android/Mac OS X

    Palm/BlackBerry/OS X

  • 8/18

    GRID/CLOUD COMPUTING: ISSUES CONT.

    Privacy

    Data

    Ownership

    Flows

    Incident Response

    Data Breach Notification

  • 9/18

    GRID/CLOUD COMPUTING: ISSUES CONT.

    Operations

    Single-Point-of-Failure

    "Steve, the Internet is down, I am going home"

    Peripherals

    "How do I print?"

    Vendor Over-Commitment

    Bandwidth

    Storage Scalability

    Data Recovery

    Vendor Portability/Interoperability

    Open Standards

  • 10/18

    GRID/CLOUD COMPUTING: DRIVING BODIES

    Groups/Associations

    Cloud Security Alliance (CSA)

    CSA Guide

    Domains: Cloud Architecture, Governance & ERM, Legal, Electronic Discovery, Compliance & Audit, Information Lifecycle Management, Portability & Interoperability, Physical Security & BC/DR, Data Center Operations, Incident Response & Notification, Application Security, Encryption & Key Management, Identity & Access Management, Storage, Virtualization.

    ISACA

    OWASP

  • 11/18

    GRID/CLOUD COMPUTING: SUGGESTIONS

    Adoption

    Standardization

  • 12/18

    GRID/CLOUD COMPUTING: ADOPTION

    Let Requirements Dictate Adoption

    Remote Access

    Sales & Marketing

    Non-Proprietary, Public Data

    Embrace Grid/Cloud Computing Iteratively: Non-essential to Essential

    Non-Proprietary to Proprietary

    Public to Confidential

    Data Center, then Client Software

    For Once, Let Vendors Dictate

    Worldwide Adoption is Inevitable

    EHR/PHR

    Collaboration/Email/Portals

    Document Management, Process/Project Management

  • 13/18

    GRID/CLOUD COMPUTING: ADOPTION CONT.

    For Proprietary Applications/Systems

    Deploy Internally-Built Apps Before Embracing IaaS/PaaS

    Walk Before You Run

    Embrace Private or Hybrid Clouds Before Public Clouds

    Especially for Confidential Data

    Peripherals

    Use a Virtual Print Server

    Ex. ThinPrint

  • 14/18

    GRID/CLOUD COMPUTING: STANDARDIZATION

    Security

    Best of Breed Standards

    FISMA/NIST

    ISO

    HHS/CCHIT/HITRUST

    Privacy

    Parse Logical Instances

    Group Systems Based on Privacy/Security Requirements

    Industry

    Function

    Geographic Area

  • 15/18

    GRID/CLOUD COMPUTING: STANDARDIZATION

    Operations

    Single-Point-of-Failure

    Cached File Drives

    Egnyte Local Cloud

    Most Organizations Have Redundant DataCom; How About Your Service Providers/Vendors?

    Best of Breed Standards

    FISMA/NIST

    ISO

    HHS/CCHIT/HITRUST

    SAS-70 Type II

  • 16/18

    GRID/CLOUD COMPUTING: CSA SUGGESTIONS

    IaaS

    Deploy applications in run-time in a way that is abstracted from the machine image.

    PaaS

    Use careful application development techniques to minimize potential lock-in with the vendor.

    SaaS

    Perform data extraction processes and back up data independent of the vendor.

    CSA: http://www.cloudsecurityalliance.org/ http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
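    The SaaS suggestion on this slide (extract and back up data independent of the vendor) as an added example; this is not code from the deck or from the CSA guide. Each exported record is written to its own file, a manifest records the SHA-256 digest of every file, and the manifest is authenticated with an HMAC whose key is kept off the vendor platform. Verification then reports an altered record and a rewritten manifest as distinct findings. The sample records, the key, the file layout and the function names are all constructed for this example; a real export would come from the provider's export API.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List

# Constructed sample export; a real one would come from the vendor's export API.
SAMPLE_RECORDS = [
    {"id": "doc-001", "title": "Q3 budget", "body": "draft figures"},
    {"id": "doc-002", "title": "Vendor contract", "body": "signed 2009-08-06"},
]


def _sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_mac(files: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON of the digest table, so the table cannot be rewritten without the key."""
    body = json.dumps(files, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def write_backup(records: List[dict], dest: str, key: bytes) -> str:
    """Write one JSON file per record plus MANIFEST.json; returns the manifest path."""
    os.makedirs(dest, exist_ok=True)
    files: Dict[str, str] = {}
    for rec in records:
        name = f"{rec['id']}.json"
        path = os.path.join(dest, name)
        with open(path, "w", encoding="utf-8") as f:
            json.dump(rec, f, sort_keys=True)
        files[name] = _sha256_file(path)
    manifest_path = os.path.join(dest, "MANIFEST.json")
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump({"files": files, "hmac": _manifest_mac(files, key)}, f, sort_keys=True)
    return manifest_path


def verify_backup(dest: str, key: bytes) -> List[str]:
    """Return the list of findings (manifest forgery, missing files, digest mismatches); empty means intact."""
    problems: List[str] = []
    with open(os.path.join(dest, "MANIFEST.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    # Authenticate the digest table before trusting any digest in it.
    if not hmac.compare_digest(_manifest_mac(manifest["files"], key), manifest["hmac"]):
        problems.append("manifest HMAC mismatch")
    for name, digest in sorted(manifest["files"].items()):
        path = os.path.join(dest, name)
        if not os.path.exists(path):
            problems.append(f"missing {name}")
        elif _sha256_file(path) != digest:
            problems.append(f"digest mismatch for {name}")
    return problems


def run_demo() -> Dict[str, List[str]]:
    """Write a backup, verify it, then replay two tampering cases; returns the findings per case."""
    key = b"example-manifest-key-kept-off-the-vendor-platform"  # hypothetical key for the example
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as dest:
        write_backup(SAMPLE_RECORDS, dest, key)
        results["intact"] = verify_backup(dest, key)

        # Case 1: a record is altered after export, so its digest no longer matches the manifest.
        with open(os.path.join(dest, "doc-002.json"), "a", encoding="utf-8") as f:
            f.write("\n")
        results["record_tampered"] = verify_backup(dest, key)

        # Case 2: the digest table is rewritten to match the altered file, but without the key
        # the old HMAC has to be kept, so the manifest itself now fails verification.
        manifest_path = os.path.join(dest, "MANIFEST.json")
        with open(manifest_path, encoding="utf-8") as f:
            manifest = json.load(f)
        manifest["files"]["doc-002.json"] = _sha256_file(os.path.join(dest, "doc-002.json"))
        with open(manifest_path, "w", encoding="utf-8") as f:
            json.dump(manifest, f, sort_keys=True)
        results["manifest_rewritten"] = verify_backup(dest, key)
    return results


if __name__ == "__main__":
    for case, findings in run_demo().items():
        print(case, "->", findings or "intact")
```

    The HMAC is what separates this from a plain checksum list: whoever can rewrite an exported file can usually rewrite a checksum stored beside it, but cannot produce a fresh authenticator without the key, so a restore test should verify the manifest first and only then trust the digests in it.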

  • 17/18

    GRID/CLOUD COMPUTING: REAL WORLD

    Twitter

    Uses Google Docs, and an employee using a weak password led to a data breach of their online data.

    Lessons

    Password Standards

    Segregation of Duties

    City of L.A.

    Announced plans to move all e-mail and records retention processes for city-based services onto the grid (Google).

    Lessons

    Privacy/Compliance

    Project Management/Change Management/Vendor Management
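    The "Password Standards" lesson from the Twitter case on this slide, as an added example that is not part of the deck: a password-standard check that enforces a minimum length and an entropy floor, rejects passwords containing the username, and screens candidates against a breached-password corpus using the 5-character SHA-1 prefix range pattern (the k-anonymity lookup used by Have I Been Pwned's Pwned Passwords API). The corpus, the thresholds and the function names are constructed for the example and do not describe Twitter's or Google's controls.

```python
import hashlib
import math
import re
from typing import List

# Constructed for this example: SHA-1 digests of a handful of "breached" passwords.
# A real deployment would query a breach corpus, not ship a hard-coded set.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1", "letmein", "twitter2009", "qwerty123")
}

# Hypothetical policy thresholds, chosen for the example.
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 50.0


def estimate_entropy_bits(password: str) -> float:
    """Rough brute-force strength: length * log2(size of the character classes used)."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def is_breached(password: str, corpus=_BREACHED_SHA1) -> bool:
    """Range lookup by 5-hex-char SHA-1 prefix: only the prefix would leave the caller,
    and the full digest is matched locally against the returned suffixes."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Stand-in for the range response: every suffix in the corpus under this prefix.
    suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in suffixes


def check_password(password: str, username: str = "") -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS:g} bits")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password):
        problems.append("appears in a breached-password corpus")
    return problems


if __name__ == "__main__":
    for pw in ("password", "Password1", "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw) or "OK")
```

    The breach check is the part worth copying: a composition rule alone passes "Password1", which is exactly the kind of guessable credential the slide's lesson is about, while the corpus lookup rejects it regardless of its character mix.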

  • 18/18

    GRID/CLOUD COMPUTING: QUESTIONS

    ?