CLOUD COMPUTING. The Old Ways Are New Again. Jeff Rowland, Vice President, USAA IT/Security Audit Services. Public Information

Transcription

1 CLOUD COMPUTING The Old Ways Are New Again Jeff Rowland, Vice President, USAA IT/Security Audit Services Public Information

2 Who We Are Our Mission The mission of the association is to facilitate the financial security of its members, associates, and their families through provision of a full range of highly competitive financial products and services; in so doing, USAA seeks to be the provider of choice for the military community. Our Brand Promise GOING ABOVE FOR THOSE WHO HAVE GONE BEYOND Our Brand Pillars Our Core Values Service Loyalty Honesty Integrity Shared Military Values Financial Strength & Wisdom Passionate Member Advocacy As of Oct Public Information 2

3 Disclaimers The contents of this presentation do not necessarily reflect any approach used by USAA. The contents of this presentation reflect my opinions only, and not necessarily those of my employer. Following the steps outlined herein does not guarantee any particular outcome, express or implied. Public Information 3

4 Learning Objectives Background Understand how companies used Technology Service Providers (TSPs) before the internet, and the risks we had to mitigate. Cloud today Understand how the use of TSPs have changed, and how that impacts the current risk environment. Parallels Understand how the risks of today parallel those we used to face. Strategies Strategies others have utilized that can be applied to help mitigate today s risks. Public Information 4

5 Why is it important to understand the background? Those who don t know history are destined to repeat it. by Edmund Burke ( ) Learning Objective: Background Public Information 5

6 IT Opportunities and Risks Companies in the News? Learning Objective: Background Public Information 6

7 The rise of the Machines Good old days Business processes were generally supported by IT 1970s - Dumb terminals IT - primarily used for data storage and managing large volumes of information Frequent manual interfaces between IT and business areas Mainframe based technology Early cloud concepts (i.e. VM o/s, RJE) 1980s Personal Computers 3270 emulators DOS, Lotus 123, WordPerfect 1990s Internet Dialup Primary risks we had to manage? IT Change Management (Dev, Test, Prod) Access Controls Disaster Recovery Key Point! Source: Wikipedia, History of IBM Magnetic Disk Drives Learning Objective: Background Public Information 7

8 Some early Technology Service Providers (TSPs) IBM International Business Machines DEC Digital Equipment Corporation EDS Electronic Data Systems (Acquired by HP) Perot Systems (Acquired by Dell) ACS Affiliated Computer Services Learning Objective: Background Public Information 8

9 Current Industry Trends Every two days, we create more information than we did from the dawn of civilization up until * Speed of change (Faster / Better/ Cheaper) Social Media Work anywhere, anytime (i.e. BYOD) Active / Active Cloud Computing Decisions Decisions Public -vs.- Private? Software as a Service (SaaS)? Infrastructure as a Service (IaaS)? Platform as a Services (PaaS)? Primary risks we have to manage? IT Change Management (Dev, Test, Prod) Access Controls Disaster Recovery So why is this hard? Learning Objective: Cloud Today * Source: Eric Schmidt (Google CEO from ) Public Information 9

10 Information Technology Availability Who would have thought a dropped anchor would cut a telecom cable? (Middle East 2008, Africa 2012) Big Data BYOD Bring Your Own Device Cloud computing If you run with dogs, you ll get fleas Model Risk Social Media Regulatory Oversight Third party Reliance Coding Data Emerging Risks Learning Objective: Cloud Today Public Information 10

11 What concerns would have been so pre-internet? Emerging Risks Black Hat Attendee Survey From Black Hat USA 2015 Learning Objective: Parallels Public Information 11

12 Cloud Controls Matrix (CCM) 16 Control Domains Based on established standards (e.g. ISO, NIST, COBIT, ISA, FFIEC, FedRAMP) Application & Interface Security Data Security & Information Lifecycle Management Human Resources Audit Assurance & Compliance Datacenter Security Identity & Access Management Business Continuity Management & Operational Resilience Encryption & Key Management Infrastructure & Virtualization Security Change Control & Configuration Management Governance and Risk Management Interoperability & Portability Source: Cloud Security Alliance New Mobile Security Security Incident Management, E- Discovery & Cloud Forensics Supply Chain Management, Transparency and Accountability Threat and Vulnerability Management Learning Objective: Parallels Public Information 12

13 IT Opportunities and Risks Companies in the News? Learning Objective: Strategies Public Information 13

14 Contract Lifecycle Operational Factors Business Objectives Stakeholders Cloud Risk Management Cloud Drivers & Risks Board of Directors Management / Process Owners Investors Regulators Cloud Providers Customers Growth Ease of Use / Convenience Security Cost Containment / Competitive Edge Contract Financial Compliance & Legal Information Security Business Continuity Data/ Transaction Integrity Reputation Geopolitical & Regulatory Strategic Plan, Evaluate, Select Contract Initiation Manage & Monitor (Ongoing) Exit Strategy Learning Objective: Strategies Public Information 14

15 Control Strategies Key Considerations (Not all inclusive) Control Reqmt Access Mgmt Data Classification Data at Rest Data in Flight Encryption & Key Mgmt Software Dev 4 th Party + Mgmt Logs / DLP Breach Notification??????? Supplier Due-Diligence Change Mgmt??????? BC / DR??????? Company/Stakeholder Risk Tolerance Learning Objective: Strategies Public Information 15

16 5 Essential elements of your Cloud strategy Know yourself Know your partner(s) Trust, but Verify Know the risks Have an Exit Strategy Learning Objective: Strategies Public Information 16

17 Questions? Public Information 17

18 Public Information