INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Transcription

1

2 INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

3 INTRODUCTION

4 AGENDA 01. Overview of Cloud Services 02. Cloud Computing Compliance Framework 03. Cloud Adoption and Enhancing Compliance Posture in the Cloud 04. Real-World Experiences Benefits 05. Real-World Experiences Challenges 06. Q&A

5 OVERVIEW OF CLOUD SERVICES

6 CLOUD SERVICE MODELS Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS)

7 CLOUD SERVICE MODELS

8 CLOUD SERVICE MODELS

9 CLOUD DEPLOYMENT MODELS Public Private Hybrid Community

10 CLOUD COMPUTING COMPLIANCE FRAMEWORK

11 COMPLIANCE OVERVIEW

12 TERMINOLOGY AND CONCEPTS Financial reporting impact (ICOFR Internal Controls Over Financial Reporting) Control Objectives / Trust Principles / Criteria / Standards / Management System Standards /Annexes / Frameworks Certification / Attestation / Audit / Benchmarking Assessments (Consulting Reports) Type 1 vs Type 2 for SOC Reports Backward looking / Point in Time / Forward Looking Accounting Standards - US / International - SSAE / AT vs ISAE Shelf Life Generally Annual Annual / 2 Year Cycle / 3 Year Cycle Restricted use / Restricted Distribution / Unrestricted

13 UNDERSTANDING COMPLIANCE NEEDS Cloud Service Customer Know customer / contractual requirements Know cloud service provider commitments Cloud Service Provider Know customer / contractual requirements Know market need

14 GENERAL CONTROL ASSESSMENTS SOC 1 SOC 2 CSA STAR Program Level 2 ISO / 27017

15 INDUSTRY SPECIFIC ASSESSMENTS Healthcare Federal Industry Payment Card Transactions Privacy / PII Compliance Options HIPAA / HITECH, HITRUST FedRAMP, NIST, FISMA PCI DSS ISO 27018, Privacy Shield

16 CLOUD ADOPTION AND ENHANCING COMPLIANCE POSTURE IN THE CLOUD

17 CLOUD OPERATIONAL CONSIDERATION Traditional security infrastructure Business continuity/ disaster recovery operations Disaster Recovery v. High Availability Access and identity Nuts and bolts of connecting internal user stores with external provider / access to internal information by external provider

18 CLOUD OPERATIONAL CONSIDERATIONS Incident management Coordination and escalation with external provider Encryption management (if applicable) Key management and scalable encryption requirements Technical infrastructure Virtualization, connectivity, bandwidth, performance, etc.

19 UNDERSTANDING RESPONSIBILITY Outsourcing may not extend to compliance Ensure clear SLAs (and continuous monitoring of them) Target comprehensive coverage Anticipate

20 UNDERSTANDING RESPONSIBILITY - IAAS Controls Environment Customer: Application usage and user provisioning. Application security Database security Operating system configuration Provider: Hardware provisioning and management Network management Facilities management Application Data Operating System Hardware Network Facility

21 UNDERSTANDING RESPONSIBILITY - PAAS Controls Environment Customer: Application usage and user provisioning. Application development, deployment and security Database management and security Application Data Provider: Operating system configuration and provisioning Hardware management Network management Facilities management Operating System Hardware Network Facility

22 UNDERSTANDING RESPONSIBILITY - SAAS Controls Environment Customer: Application usage and user provisioning. Provider: Application, development, management and security Database management and security Operating system configuration Hardware management Network management Facilities management Application Data Operating System Hardware Network Facility

23 CLOUD COMPUTING EXAMPLE RASCI MODEL R Responsible "The doer" A Accountable "The buck stops here" S Supported "The Helper" C Consulted "In the loop" I Informed "Notify me" BEFORE Cloud Provider Infrastructure Layer Customer Cloud Provider External Network & Security R A S C I Applications: Configuration & Patching R A S C I Internal Network & Security R A S C I Operating System: Updates & Patching R A S C I Vmware R A S C I Computing Hardware - "Bare Metal" R A S C I AFTER Cloud Provider Infrastructure Layer Customer Cloud Provider External Network & Security R A C I R A S C I Applications: Configuration and Patching R A C I R A S C I Internal Network & Security I R A S C I Operating System: Updates & Patching I R A S C I Vmware I R A S C I Computing Hardware - "Bare Metal" I R A S C I

24 KNOW WHERE THE DATA IS Customers and providers may have external obligations National / Regional / Local data management requirements Can data be moved without customer consent Who can view it (subcontractors / offshore) Safeguarding for discovery

25 TAKE YOUR TIME Adoption is a process Management commitment Defined goals and stated objectives Involve all interested parties, especially information technology / information security

26 REAL-WORLD EXPERIENCES BENEFITS

27 BENEFITS OF CLOUD COMPUTING Eliminates single points of failure Risk transfer to the cloud service provider Allows for the use of third party expertise

28 BENEFITS OF CLOUD COMPUTING Time savings (varies by cloud model) Allows organization to concentrate on core competencies Enhanced availability and continuity

29 REAL-WORLD EXPERIENCES CHALLENGES

30 CHALLENGES OF CLOUD COMPUTING Relinquishing Control Reduced control of data as more responsibility shifts to third parties. Meeting Regulations Regulations govern the way data must be protected. The cloud service provider may not be heavily regulated but the customers may be. As their trust supplier, a customer s requirements flow down to the cloud service provider, meaning the cloud must have proper controls.

31 CHALLENGES OF CLOUD COMPUTING Business Interoperability Today s clouds must be able to communicate with each other and offer data portability. Convenience vs. Security Using the cloud, we want both convenient access and secure data protection, creating a difficult balancing act. Management Reporting To meet many of today s regulations, the ability to report where data is and how it is protected is essential.

32 CHALLENGES OF CLOUD COMPUTING Data Integration and Transfer We must find a way to transfer data into the cloud in a way that is both safe and cost effective. Due diligence Allow for a full assessment of cloud service provider prospects, applicable to the model chosen and understanding the boundaries of responsibility

33 Q&A

34 THANK YOU!