Slide 1
Trust in the Cloud
Sam Curry, Chief Technical Officer (GTM), RSA, the Security Division of EMC
© Copyright 2011 EMC Corporation. All rights reserved.
Slide 2
Trust in the Cloud: Proof Not Promises
Organizations around the world have high hopes for the cloud’s ability to transform IT infrastructures, applications, and information management. They truly believe it can revolutionize business.
But before they can trust that the cloud is safe for real business, they need a secure foundation of dynamic controls and trustworthy measurement.
Slide 3
Challenges for Trust in the Cloud
• Sustaining compliance in an environment with numerous and complex requirements
• Enabling business growth and evolving eGRC needs
• Resource constraints
• Improving operational and IT effectiveness
• Acquiring skills, knowledge and expertise
Slide 4
Increasing Compliance Requirements
“We made it through SOX, then PCI. But I’m faced with more and more regulations. We need a more efficient way to manage compliance with multiple regulations and standards.”
Regulation: PCI DSS; SOX; State, Federal & International Privacy Mandates
Forecast calls for more regulation.
Slide 5
Negative Consequences of Inadequate GRC
• Lack of consensus leading to underfunded initiatives
• Attrition and missed deadlines
• Higher implementation costs and solution performance issues
• Reduced operational effectiveness with inefficient workflows and processes
• Potential for failed audits and assessments
Slide 6
Implications of Challenges
• Security and compliance concerns stall the adoption of virtualization
• Missing opportunity for “better than physical” security
• CISOs need to manage security and compliance across virtual and physical IT
Slide 7
eGRC Strategy Can Help
• Achieve consensus
• Business process automation
• Clear priorities
• ROI
Slide 8
Business Impact without eGRC
• Compliance initiatives are tackled as individual projects
• Managers struggle to prioritize resources to mitigate risks and deficiencies based on risk exposure
• Compliance data scattered across multiple silos
• Resources are wasted manually collecting and re-assembling data rather than analyzing the impact of the data on the business
• Business is assessed multiple times for the same requirements
Slide 9
Business Outcomes
Business Impacts:
• Compliance initiatives are tackled as individual projects
• Managers struggle to prioritize threats by their potential impact to the business
• Compliance data scattered across multiple silos
• Policy exceptions go untracked and pose risk to the business
• Compliance reporting is stored in spreadsheets and represents one point in time
Solution Outcomes:
• Transparency and accountability: knowing the status of exceptions and unresolved issues
• Threats are identified and remediation actions are easily prioritized and tracked
• Partnerships and consistency across business silos
• Isolated data is transformed into sustainable processes
• Ask once, answer many: reduction or elimination of redundant assessments
Themes: Visibility, Collaboration, Accountability, Automation, Efficiency
Slide 10
Enabling the Cycle of Risk and Compliance
• Document your control framework and identify risks
• Consolidate and visualize compliance efforts
• Prioritize deficiencies and risks
• Remediate findings and manage exceptions
Slide 11
Enabling GRC
Slide 12
The Case for eGRC Strategy Planning
eGRC Strategy Planning aligns requirements across organizational functions with different and sometimes competing or conflicting priorities.
Functions shown: Applications, Information, Infrastructure, Databases, Operations, Personnel, Procedures, Workflow Management, Business (Finance & Legal), IT & Technology, Laws, Regulations, Business Optimization
Slide 13
Bringing in the Business Context
eGRC facilitates the processes, information, technology and people required to recognize the context that enables business decisions.
Figure labels: Business Drivers; Operational Infrastructure; Business Domains (Legal, IT, Finance, Operations)
Elements shown: Applications, Databases, Devices, Workstations, Vendors, Information, Customers, Regulations, Business Objectives, Threats, Laws
Slide 14
Success Metrics
“Where before we managed work in two or three places, with RSA Archer you have one place to manage all of your work. People are completing assessments and mitigating risks, not focusing on administrative tasks.”
• Time to prepare monthly reporting
• Time to demonstrate compliance with new regulations
• Number of regulatory requirements met
• Number of closed findings
• Decreasing risk of regulatory audit fines
Slide 15
Achieving Trust
Right Information, Right People, Trusted Infrastructure
Slide 16
Realizing This Goal Has Become Exponentially Harder
• Information grows
• Access points proliferate
• Risks multiply
• Infrastructure evolves
Slide 17
The Result?
A dangerous void of trust has opened up, standing squarely between organizations and their ability to reap the cloud’s well documented benefits.
Slide 18
What’s Needed: Proof
For: Auditors, Regulators, Management
Slide 19
Facets of Multi-Tenancy
The trusted multi-tenancy model is built on the following six foundational elements:
• Secure separation
• Service assurance
• Security and compliance
• Availability and data protection
• Tenant management and control
• Service provider management and control
Slide 20
Solving the Trust Equation
Slide 21
Inspect and Monitor…
Slide 22
Using the CSA Domains
Cloud Security Alliance’s 13 domains of focus for cloud computing (the domain list of the CSA Security Guidance v2.1):
• Cloud Architecture
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
• Traditional Security, Business Continuity, and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
Assessing Service Provider Compliance
Slide 23
In Fact…
The cloud presents opportunities to strengthen information security and streamline compliance beyond anything we’ve ever seen before.
Slide 24
Virtualization Transforms Control & Visibility
Slide 25
Policies, Regulations, Best Practices: Built-in and Automated
Slide 26
What’s Needed
• Synergy of expertise: We’ve integrated our domain expertise to see what others don’t see and to create new value.
• Power of virtualization: Our deep insight into the virtual layer greatly enhances the visibility and control possible in the cloud.
• Proof through verification: Our services and solutions are focused on providing proof, not promises.
Slide 27
Visibility Across Physical & Virtual Environments
Layers shown (top to bottom): Regulations, standards; Generalized security controls; VMware-specific security controls; VMware cloud infrastructure (Virtualization Ecosystem)
RSA enVision: Automated assessment; Configuration State; Security Events
Cloud Security Alliance Questions and Policies
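The slide 9 outcome “Ask once, answer many” and the slide 27 stack (regulations and standards, generalized controls, platform-specific controls, configuration state) describe a mapping that can be made concrete. What follows is an added example, not code from the deck, from RSA enVision or from RSA Archer: a small Python mapper in which every platform check runs once per host and its result answers every requirement that cites it, and failing checks are ranked by how many requirements they block (the prioritization of deficiencies from slide 10). All regulation and requirement identifiers (PCI-like/R1, SOX-like/S1, Privacy-like/P1 and P2), control names (CTRL-LOG, CTRL-ADMIN, CTRL-SEP), check names and the configuration keys in the snapshot are constructed for illustration and are not real regulatory citations or hypervisor settings.

```python
"""Added example (not from the RSA/EMC deck): a three-layer compliance mapper.

Regulation requirements cite generalized controls; each control is evidenced
by platform-specific checks run over a configuration snapshot. Every check
runs once per host and its result answers every requirement that cites it
("ask once, answer many"); failing checks are ranked by the number of
requirements they block. All identifiers and config keys are constructed
for illustration, not real regulatory citations or hypervisor settings.
"""
from typing import Callable, Dict, List, Tuple

# Constructed configuration snapshot (keys are illustrative, not real settings).
SNAPSHOT = {
    "esx-01": {"syslog_target": "udp://siem.example.internal:514", "ssh_enabled": True,
               "lockdown_mode": True,
               "vms": {"web-1": {"portgroup": "dmz"}, "db-1": {"portgroup": "internal"}}},
    "esx-02": {"syslog_target": "", "ssh_enabled": False, "lockdown_mode": True,
               "vms": {"db-2": {"portgroup": "internal"}}},
}

# Layer 3: platform-specific checks, each a predicate over one host's config.
CHECKS: Dict[str, Callable[[dict], bool]] = {
    "host_syslog_forwarding": lambda h: bool(h["syslog_target"]),
    "host_ssh_disabled": lambda h: not h["ssh_enabled"],
    "host_lockdown_mode": lambda h: h["lockdown_mode"],
    # secure separation: database VMs must not sit on the DMZ port group
    "db_vm_not_in_dmz": lambda h: all(
        vm["portgroup"] != "dmz" for name, vm in h["vms"].items() if name.startswith("db-")),
}

# Layer 2: generalized controls -> checks that evidence them.
CONTROLS = {
    "CTRL-LOG": ["host_syslog_forwarding"],
    "CTRL-ADMIN": ["host_ssh_disabled", "host_lockdown_mode"],
    "CTRL-SEP": ["db_vm_not_in_dmz"],
}

# Layer 1: regulation -> requirement -> generalized controls (ids are made up).
REGULATIONS = {
    "PCI-like": {"R1": ["CTRL-LOG"], "R2": ["CTRL-ADMIN", "CTRL-SEP"]},
    "SOX-like": {"S1": ["CTRL-LOG"]},
    "Privacy-like": {"P1": ["CTRL-SEP"], "P2": ["CTRL-LOG"]},
}


def run_checks(snapshot: dict) -> Dict[Tuple[str, str], bool]:
    """Evaluate every check exactly once per host: {(check, host): passed}."""
    return {(name, host): fn(cfg)
            for name, fn in CHECKS.items() for host, cfg in snapshot.items()}


def control_failures(results: Dict[Tuple[str, str], bool]) -> Dict[str, Dict[str, List[str]]]:
    """Per control, the failing checks and the hosts they failed on (empty = satisfied)."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for ctrl, checks in CONTROLS.items():
        out[ctrl] = {}
        for c in checks:
            hosts = sorted(h for (n, h), ok in results.items() if n == c and not ok)
            if hosts:
                out[ctrl][c] = hosts
    return out


def assess(snapshot: dict) -> dict:
    """Roll check results up to controls, then to every requirement citing them."""
    results = run_checks(snapshot)
    failures = control_failures(results)
    report = {reg: {req: all(not failures[c] for c in ctrls) for req, ctrls in reqs.items()}
              for reg, reqs in REGULATIONS.items()}
    # requirement->check answers produced, versus distinct checks actually run
    references = sum(len(CONTROLS[c]) for reqs in REGULATIONS.values()
                     for ctrls in reqs.values() for c in ctrls)
    return {"results": results, "failures": failures, "report": report,
            "references_answered": references, "unique_checks": len(CHECKS)}


def remediation_priority(assessment: dict) -> List[Tuple[str, List[str]]]:
    """Rank failing checks by the number of requirements they block (most first)."""
    blocked: Dict[str, set] = {}
    for reg, reqs in REGULATIONS.items():
        for req, ctrls in reqs.items():
            for ctrl in ctrls:
                for check in assessment["failures"][ctrl]:
                    blocked.setdefault(check, set()).add(f"{reg}:{req}")
    return sorted(((c, sorted(r)) for c, r in blocked.items()),
                  key=lambda x: (-len(x[1]), x[0]))


if __name__ == "__main__":
    a = assess(SNAPSHOT)
    for reg, reqs in a["report"].items():
        print(reg, {r: "PASS" if ok else "FAIL" for r, ok in reqs.items()})
    print(f'{a["references_answered"]} requirement answers from {a["unique_checks"]} checks')
    print("fix first:", remediation_priority(a))
```

With the constructed snapshot, the missing syslog target on esx-02 fails CTRL-LOG and therefore three requirements across three frameworks, while SSH left enabled on esx-01 fails only one; the ranking puts the syslog fix first. The seven requirement-level answers come from four checks, each run once per host, which is the point of “ask once, answer many”.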
Slide 28
Achieving that Goal Securely Means…
Slide 29
Identities, Infrastructure, Information
Security & Compliance Delivered Within an Ecosystem of Trust
Slide 30
Slide 31
THANK YOU