Cloud Computing: A European Perspective. Rolf von Roessing CISA, CGEIT, CISM International Vice President, ISACA

Similar documents
STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

COBIT and Cybersecurity. Rolf von Roessing CISA, CGEIT, CISM

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

IT Attestation in the Cloud Era

The NIS Directive and Cybersecurity in

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

Altius IT Policy Collection Compliance and Standards Matrix

CCISO Blueprint v1. EC-Council

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

WELCOME ISO/IEC 27001:2017 Information Briefing

How to ensure control and security when moving to SaaS/cloud applications

A Global Look at IT Audit Best Practices

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

ENISA EU Threat Landscape

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

COMPLIANCE IN THE CLOUD

The Role of the Data Protection Officer

BHConsulting. Your trusted cybersecurity partner

EU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017

IT risks and controls

Cyber Risks in the Boardroom Conference

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

ECSA Assessment Report

NIS Standardisation ENISA view

Altius IT Policy Collection Compliance and Standards Matrix

How to avoid storms in the cloud. The Australian experience and global trends

Public vs private cloud for regulated entities

Internet of Things Toolkit for Small and Medium Businesses

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

ISO Professional Services Guide to Implementation and Certification AND

CLOUD COMPUTING. The Old Ways Are New Again. Jeff Rowland, Vice President, USAA IT/Security Audit Services. Public Information

How to Establish Security & Privacy Due Diligence in the Cloud

Data Security Standards

Securing Data in the Cloud: Point of View

Choosing a Secure Cloud Service Provider

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Next Generation Policy & Compliance

Data Protection and GDPR

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Oracle Buys Automated Applications Controls Leader LogicalApps

La certificazione ISO27001

European Union Agency for Network and Information Security

CNH Industrial Privacy Policy. This Privacy Policy relates to our use of any personal information you provide to us.

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Moving to computing are auditors ready for the security challenges? Albert Otete CPA CISA ISACA Uganda Workshop

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Protecting your data. EY s approach to data privacy and information security

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

Welcome & Introductions

GDPR: A QUICK OVERVIEW

Copyright 2011 EMC Corporation. All rights reserved.

Cloud Computing, SaaS and Outsourcing

How will cyber risk management affect tomorrow's business?

Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Cyber Security. Activities of an national insurance association based on the example of VVO

Mitigating Risks with Cloud Computing Dan Reis

locuz.com SOC Services

Data Security: Public Contracts and the Cloud

EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

Version 1/2018. GDPR Processor Security Controls

Information Security Management Systems Standards ISO/IEC Global Opportunity for the Business Community

Managing SaaS risks for cloud customers

2017 RIMS CYBER SURVEY

ISACA Cincinnati Chapter March Meeting

Security Operations & Analytics Services

Towards a European Cloud Computing Strategy

SCCE ECEI 2014 EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS. Monica Salgado JANINE REGAN CIPP/E

Risk Management in Electronic Banking: Concepts and Best Practices

BHConsulting. Your trusted cybersecurity partner

City, University of London Institutional Repository. This version of the publication may differ from the final published version.

Securing Your Secured Data

Conducting a data flow mapping exercise under the GDPR. Presented by: Alan Calder, founder and executive chairman, IT Governance 4 October 2017

Cyber Security Incident Response Fighting Fire with Fire

Securing Europe's Information Society

Current Cloud Certification Challenges Ahead and Proposed Solutions

Auditing the Cloud. Paul Engle CISA, CIA

CLOUD COMPUTING READINESS CHECKLIST

Cybersecurity The Evolving Landscape

ISACA January 2016 Cybersecurity Snapshot US Results. Number of respondents (n) = 862

Canada Life Cyber Security Statement 2018

แนวทางการพ ฒนา Information Security Professional ในประเทศไทย

Critical Information Infrastructure Protection Law

In Accountable IoT We Trust

Security and resilience in Information Society: the European approach

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Cyber Security Strategy

AFC Compliance Careers

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Mapping PCI DSS v2.0 With COBIT 4.1 By Pritam Bankar, CISA, CISM, and Sharad Verma

Business Technology Briefing: Fear of Flying, And How You Can Overcome It

COURSE BROCHURE CISA TRAINING

Directive on security of network and information systems (NIS): State of Play

Transcription:

Cloud Computing: A European Perspective Rolf von Roessing CISA, CGEIT, CISM International Vice President, ISACA

Overview Cloud Universe Definitions Cloud Risks in Europe Governance, Risk and Compliance (GRC) Issues European Union Perspective Research Agenda GRC Recommendations Regulatory Initiatives Selected National Approaches in the EU Conclusions and Outlook

Cloud Computing A European Perspective CLOUD UNIVERSE - DEFINITIONS

The Cloud Universe Source: Jericho Forum

Cloud Cube Dimensions and Layers Internal vs. External delineate the physical boundaries of the cloud under review Proprietary vs. Open determine ownership of technology, services, interfaces and other components Perimeterised vs. De-Perimeterised trace your corporate boundaries (structural / logical), for instance DMZ / firewalling: may be wider than physical Layer(s) at which the cloud exists Process, Software (SaaS), Platform (PaaS), Infrastructure (IaaS) Insourced vs. Outsourced control of resources, contracts Source: based on Cloud Cube Model (Jericho)

Social Networks as Part of the Cloud Social Networks have rapidly become an area of concern throughout Europe therefore included in this presentation Practical areas of concern: Facebook controversy, employment / recruitment practices, GPS-based tracking of minors etc. Typically external, de-perimeterised, outsourced Process or software layer, sometimes platform layer Social networks are user-centric: they tunnel through the corporate paradigm Link between social network users and their corporate background is organisational, not technical Corporate use of social networks must be bottom-up (by definition) Social networks are encapsulated by a Privacy boundary that is drawn around the individual user Network operators have introduced far-reaching terms and conditions that may be in breach of European privacy regulations

User, Corporation, and Social Network Cloudy Social Network Privacy Boundary Corporate Boundary

Cloud Computing A European Perspective CLOUD RISKS IN EUROPE

Key Risks in Cloud Computing User privileges access, bypassing the border etc. Regulatory compliance key internal controls, financial controls etc. Data location physical and logical Data segregation data at rest, data flow, encryption etc. Availability and DR capacity and recovery capabilities, dimensioning of platforms and infrastructure, etc. Audit and investigative support logging, audit trails, evidence, chain of custody etc. Long-term viability what to do about 10 yr retention (or longer) Source: Gartner

More Key Risks Contracting risk SLA design, strategic dependencies, exit scenarios, etc. User privacy risk protective rights may be prohibitive to audit AND regulators, ie contradictory points of law (also consider employee duty of care) Reputational and societal risk Process as a Service, and social networks, evoke spontaeous phenomena such as virtual flash mobs etc. Reverse user privacy risk targeted identity theft, defamatory activity, libel / slander, stalking etc. (also consider employer duty of care)

Strategic European Risks Sourcing dependency (lock-in): technical dominance of non- EU commercial providers Cross-border: loss of control over data and infrastructure situated outside the Union Cyber crime: decentralised attack and crime vectors from outside the Union Data availability: service and platform continuity for critical infrastructures Alignment: integration of clouds with existing GRC provisions across the member states

Cloud Computing A European Perspective GOVERNANCE, RISK AND COMPLIANCE (GRC) ISSUES

GRC Issues Transparency Security Traditional security audit strategies, BMIS, ISO etc. Consider both perspectives on privacy risk Privacy Compliance Contract / Certification Cross- Border General contractual basis, including third party attestation etc.

GRC Issues Transparency: Structure, Quality of Service, suppliers and supply chains, liability Security: Outlying services, degree of control, alignment with corporate and national ISMS, critical infrastructures Privacy: EU and national laws, safe harbor, binding corporate rules (BCR), data location issues, encryption and archival Compliance: adjusting cloud GRC to internal corporate compliance provisions, eg SOx, operational risk etc. Cross-border: multiple suppliers / vendors, agile data, data mappings, data management, binding corporate rules Contract / Certification: rights to audit, contractual language vs technology, existing certifications (eg ISO 27001), existing regulatory reports

Cloud Computing A European Perspective EUROPEAN UNION PERSPECTIVE

Research Agenda EU Framework Programme 7 (FP7): The Future of Cloud Computing, Report (2010) January 2010 Symposium, including an interesting EU / Japan comparative perspective 2011 FP7 Work Programme under way European Network Information Security Agency (ENISA): Official EU agency conducting surveys and research in cloud computing, specifically security Cloud Computing Security Risk Assessment (2009) Cloud Computing Small and Medium sized Enterprise (SME) Report (2009)

GRC Recommendations Governance: growing number of informal calls for better governance (from industry) since 2009 See for instance Helmbrecht (2010), further Proceedings of Octopus Conference (2010) Risk: growing risk and some notable incidents See for instance EU Parliamentary Resolution (June 2010) Compliance: heterogeneous approaches across EU: ENISA: Cloud Computing Information Assurance Framework (2009) France: national federation of clouds (?) Germany: generic regulatory approach, privacy-driven Emergence of a growing consultancy sector, many vendorcentric recommendations

Regulatory Initiatives Most regulatory activity is indirect Provisions such as SOx, 8th EU Directive (EuroSOx), Privacy laws etc. influence cloud computing Employment practices are a significant driver that is shaping public cloud security While there appears to be a common goal to regulate, this is difficult across 27 member states Best practice / self-regulation vs. Codification Several sectors (eg Finance, Health) are subject to more stringent regulation

Cloud Computing A European Perspective SELECTED NATIONAL APPROACHES IN THE EU

Example: France Planned national infrastructure (federation of clouds) Independence vis a vis US / international cloud structures National agencies or institutions Substantial budget allocated French plans are widely seen as difficult to implement It is not clear if any national structure will be competitive in the international arena

Example: Germany Two National Plans: Critical Infrastructures, including some strategic clouds Standardisation, specifically BSI 100 series, across all federal agencies Close alignment with State Privacy Officers Adaptation of national privacy laws Alignment with EU initiatives on critical infrastructures and security

Cloud Computing A European Perspective CONCLUSIONS AND OUTLOOK

Conclusions Cloud computing is a dominant theme throughout the EU There is a defined research agenda at Union level, both in the technical and in the societal fields Best practices are forming, but this will require some more work At this point, there is no definitive regulation or definitive governance over cloud computing Many GRC issues persist, sometimes addressed by nongovernmental bodies or Union agencies National thinking on cloud GRC is still heterogeneous

Outlook Regulatory initiatives at EU level may start in the near future Internationally recognised frameworks such as COBIT and BMIS are applicable Standardisation and best practice are slowly converging New challenges are arising from privacy and social networks, as the latter are becoming a mass movement At national and Union levels, individual (personal) protection in public clouds is an important issue Corporate and national protection of critical infrastructures are extended to cloud computing Cyber crime grows in importance, particularly at the corporate and industry sector level

Background Materials The sources quoted and some important background materials are supplied together with this presentation All sources quoted represent the opinion of the respective author(s)

Thank you very much indeed for your kind attention. Your questions and comments are highly appreciated. Rolf can be contacted at: Forfa AG Holding Andhauser Str. 62 8572 Berg / Thurgau Switzerland rvr@scmltd.com Skype: rvrscm

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback