TRANSCRIPT
2011-November, ISACA Valencia - V Congress
The Perfect Storm: Threats and Risks in the Cloud
Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
Security Strategist & Evangelist, Quest Software
ISACA's Guidance & Practices Committee Member
Topics in play (word cloud):
Right to Audit
Privacy
User Access
Emerging Architectures
Identity
Surety
Trust
Isolation
Traceability
Competitive Advantage
Web Services
Evidence gathering
Data Location
Compliance
Confidence
Web 2.0
Metrics
Workflow
Virtualization
Dispute resolution
Incident handling
Data Segregation
Recovery
Resilience
Forensics
Maturity Models
Number 1 on every analyst's list of '10 strategic technologies'
The biggest evolution in technology, with a potential impact comparable to the birth of the Internet
‘Unless you’ve been under a rock recently, you’ve probably heard Cloud Computing as the next revolution in IT’ - CFO Magazine
What is Cloud?
A pay-as-you-go model for using applications, development platforms and/or IT infrastructure (SaaS, PaaS, IaaS)
Corporate mandates
Manage risk: manage operational and business risk
• Compliance
• Asset protection
• Continuity Management
Manage cost: better CAPEX and OPEX management
• Optimize resources
• Automate processes
Align IT investments: align investments with corporate objectives
• IT Portfolio Management
• Value Management
• Process Management
Improve service: optimal value by providing effective and efficient services
• Service Availability
• Service Management
Cloud Benefits
• Optimized use of infrastructure
• Cost savings
• Dynamic scalability
• Optimized software development lifecycle
• Reduced deployment time
Cloud Challenges
• Data location
• Shared infrastructure
• Transparency on policies and procedures
• Ownership of data
• Proprietary APIs and vendor lock-in
• Information protection for forensic analysis
• Identity and Access Management
• Legal requirements
• Data deletion on SaaS or PaaS
Cloud Adoption
Reasons for not using Cloud (chart; values recovered from the slide):
• Security concerns: 79%
• Manageability: 12%
• Cost: 9%
Source: ISACA – Global Status Report on the Governance of Enterprise IT (GEIT) - 2011
Priorities (chart; values recovered from the slide):
• Security: 59%
• Management: 27%
• Monitoring: 17%
• Availability: 7%
Sources: IBM survey 2010, Ponemon Institute, CA Technologies, ISACA, ENISA, CSA
Cloud domains (from the CSA guidance)
Cloud Architecture
Governing in the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
Operating in the Cloud:
• Security, Business Continuity and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
Key Cloud Security problems (from CSA Top Threats Research)
• Trust: lack of provider transparency; impacts Governance, Risk & Compliance
• Data: leakage, loss, or storage in an unfriendly geography
• Insecure Cloud software
• Malicious use of Cloud services
• Account/Service hijacking
• Malicious insiders
• Cloud-specific attacks
10 questions to ask the Cloud provider
1. How is identity and access managed in the Cloud?
2. Where will my data be geographically located?
3. How securely is my data handled?
4. How is access by privileged users controlled?
5. How is data protected against privileged user abuse?
6. What levels of isolation are supported?
7. How is my data protected in virtual environments?
8. How are the systems protected against Internet threats?
9. How are activities monitored and logged?
10. What kind of information security certification do you have?
THANK YOU / GRACIAS
Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
Security Strategist & Evangelist, Quest Software