SOARING THROUGH THE CLOUDS IT S A BREEZE

Transcription

1 Securing your data from here to the Cloud SOARING THROUGH THE CLOUDS IT S A BREEZE Mary Siero, CISSP, CISM, CRISC msiero@innovativeitlv.com Terry A. Tobias, CRISC, CCP ttobias@innovativeitlv.com

2 Security

3 The only thing we have to fear is fear itself Franklin Delano Roosevelt March 4, 1933 Sheep Mountain Range, Las Vegas, Nevada

4 You ve always had the power! The secret lies in the controls built into the contract

5 Cloud Elevates Certain Risks Insider threats Visibility into hiring practices More people with access Regulatory and/or compliance Aggregation and inference breaches Collateral target for hackers Remnant data disposal Data seizure

6 Risks Vary Based On: Cloud service model SaaS business application IaaS online processing/storage capacity PaaS developers Existing IT operations and processes Classification of data being moved to cloud Compliance requirements

7

8 Start By Looking At The Differences Anywhere, anytime, anyplace, any device access Resource pools Processing power Storage Connectivity (bandwidth) Administration Virtual technologies Multi-tenancy Sharing of applications

9 Managing the Differences : Cloud vs. On-Premise Data Operational Processes Joint Tenancy Jurisdictional Access Control Security Transparency Litigation Breaches

10 Data Control over data Ownership Use limitations Location transparency Access and privileges Protection Remanence Maintains integrity

11 Data (cont d) Metadata Provisions upon contract termination Erasure Return Format Costs

12 Operational Processes System and Data Backups Tape rotation and destruction Mirroring Virtualization management Data erasure Asset management Retirement

13 Joint Tenancy Co-mingled data Compartmentalization Inter-tenant traffic flows Association Rules Data retention Sub-tenant security rules and configuration Encryption key management Process to prevent use of same key

14 Jurisdictional Data location transparency Trans-border data flows Legal and regulatory implications are magnified Disclosure requests vs. privacy laws Violate the law or lose the lawsuit? Whose choice?

15 Access Control Client control of identity and access management Client employees, contractors, and third parties Cloud services provider Contractors and subcontractors Default Deny All philosophy Management of temporary client access What vetting is done

16 Security Transparency Compliance and periodic re-evaluation of industry standards ISO 2700X, NIST, PCI??? Security policies and procedures Accretion of privileges or changes to continued access Compliance Testing Annual Risk Assessment Auditing Auditor qualification Ability to conduct own periodic audits

17 Litigation Response capability to legal processes Litigation Holds ediscovery May include metadata Disclosure without contamination Expert testimony Seizure order notification and compliance Laws may be in contradiction or not aligned with technical capability of cloud service provider

18 Breaches Incident response Notification Containment strategies Record protection for forensic audit/analysis Allow you to conduct own forensic assessment Access defenses available Breach notification Significant trans-border issue Indemnification

19 In Conclusion Security is not the issue. risk is! Mitigate your risk by understanding your options Select a partner for a Cloud Provider Understand the Cloud environment or hire someone who does Manage your risk with a good contract

20 References ISACA IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, 2011 Cloud Computing Management Audit/Assurance Program, 2010 Cloud Security Alliance (CSA) Achieving Security Assurance and Compliance in the Cloud, 2011 CSA Cloud Controls Matrix R1.1 FINAL, April 2010 Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, Dec 2009 Information & Security Privacy News Knocking on the Cloud s Door- Obligations of CSPs to Maintain the Privacy of Information Entrusted to Them, Yakov Ginzburg, Winter 2011 V2 I1 Cloud Computing Customers Bill of Rights, David Navetta, Winter 2011 V2 I1 Data Integrity and Evidence in the Cloud, Scott Blackmer, Winter 2011 V2 I1 Book Extract: Information Security and Privacy A Practical Guide for Global Executives, Lawyers and Technologists, Thomas Shaw, Spring 2011 V2 I2

21 Questions?