Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC


Sandra Liepkalns, CRISC (sandra.liepkalns@netrus.com)

What is Cloud Security?
The quality or state of being secure: to be free from danger and minimize risk; to be protected from adversaries.
A successful cloud implementation should have multiple layers of security in place:
- Physical security
- Personal security
- Operations security
- Communications security
- Network security

Cloud Business Governance
Organizations need a set of capabilities that are essential to effectively implementing and managing cloud services, including:
- Demand Management
- Relationship Management
- Data Security Management
- Application Lifecycle Management
- Risk & Compliance Management

Compliance Requirements
Data regulatory compliance requirements:
- Freedom of Information and Protection of Privacy Act (FIPPA/MFIPPA), Ontario, revised February 2012
- Personal Health Information Protection Act (PHIPA), Ontario, 2004
- Personal Information Protection and Electronic Documents Act (PIPEDA), Canadian federal government
- Payment Card Industry Data Security Standard (PCI DSS 3.0)
- Accessibility for Ontarians with Disabilities Act, 2005 (AODA)

Data Security
Data types:
- Personal Health Information (PHI)
- Personally Identifiable Information (PII)
- Credit Card Data (PCI)
Senior management is accountable for data and information security and privacy.

Privacy by Design

Business and IT Working Together
- Risk Management
- Legal
- Audit
- Compliance
- Privacy
- Business Continuity
- Quality Control
- Facilities
- Human Resources
- Information, IT and Physical Security
- Emergency Management

To the Cloud: What to Think About

How to Choose a Provider
Choose a provider you can trust, and people you trust in key positions. Ask people in your network about their successful and unsuccessful relationships. Learn how the providers behaved when things went wrong (they are all great when things are going well). Learn how the provider responded when their customer was wrong or made a mistake. The last two will likely tell you much more than what is in their service agreement.
Review audit compliance reporting: ISO 27001, SSAE 16, SOC 1, SOC 2, SOC 3, PCI DSS.

Questions
- What do the terms "continuity" and "recovery" mean?
- What constitutes a breach?
- How long should it take to restore service?
- What options do you have if it is taking too long? Can you go somewhere else?
- Who gets to decide whether you can exit? How is "too long" defined?
- Can you have your data back? In what form and format? When can you have it? How will it be delivered?

Questions and More Questions
- What happens to your data, software, and systems if the provider becomes insolvent or subject to prosecution?
- What happens to your data if you don't pay your provider? Who owns your information and your systems then?
- Can your provider shut you down and/or permanently delete your data if you withhold payment?
- If you are thinking that is not a possibility, could it happen in the event you are having a dispute related to billing or service?

Exit Strategy?
If you fail to plan, you plan to fail! Have an exit strategy. More than that, understand what would cause you to execute it.
- How long can something be down (or slow) before it impacts your business?
- How long will it take to implement even a temporary exit?
- How will the provider help?
- How can you return to the provider's service (should you decide to) once the problem has been resolved?
- Who gets to decide whether you return?

Know What You Need
- Know what you want: it is important to perform that second-order thinking ahead of time.
- Know what you need: it may be different from what you want.
- Read and know what is in the service agreement.
- Know how to engage: it is not only about the negotiation and the remedies. Someone needs to be familiar with how to identify a breach or issue, and how to engage the provider for assistance.
- Know what to do both in cases where the provider has an issue and in those cases where the customer has caused a problem.

Never Make Assumptions
Do not assume the service provider will think of everything. It all goes back to knowing what you need.

Cloud Service Providers and their Data Centres

Cloud Data Centres
Where your data is makes a difference. Yes, your data in a cloud does have a location (or many locations).
As a Canadian public or private corporation, once your data leaves Canadian soil it is governed by the laws and regulations of the country in which it resides. Each organization must understand the risks and implications associated with its data storage location. You are subject to the jurisdiction your data is in and passing through.

Cloud Data Centres
One way or another, your cloud data is in a data centre. What affects the data centre affects you.
The data centre can be affected by two kinds of factors:
- Natural factors: floods, earthquakes, tornadoes, drought and fire, storms, snow, etc.
- Human factors: riots, political protest, sports events

Cloud Data Centres
- Are your data centres geographically clustered?
- Can one event take all of your cloud servers and their data paths out?
- Is it on a fault line?

Cloud Data Centres

Cloud Data Centres: Bottom Line
Every question you would ask about the physical location of data, hardware and apps on your own server, you must ask about your cloud-based servers. You cannot outsource responsibility.

Even when you ask all the right questions...

Case Study #1: Hosted Website. Scenario
- Platform as a Service vendor
- ISO 27001 certification
- Applications and data
- Client service level agreement in place
- Intrusion detection
- Log monitoring
- Vulnerability management
- System patch management

Case Study #1: Hosted Website. Findings
- Interviewed the service provider about security controls
- Data centre was recently acquired by a large service provider with ISO 27001 compliance
- Service level agreement was not reality:
  - No intrusion detection
  - No log monitoring
  - No vulnerability management
  - No system patch management
  - No change management

Case Study #2: EMR Implementation. Scenario
- Tender for a cloud-based Electronic Medical Record (EMR) system
- Included security requirements
- Threat risk assessment
- Privacy impact assessment
- Contractual obligations: privacy breach, return of data, data residency required in native country

Case Study #2: EMR Implementation. Findings
- Lowest-bid cloud-based EMR vendor awarded tender
- Awarded cloud vendor executed contract
- Privacy impact assessment performed
- Threat risk assessment performed
- Cloud EMR vendor found to be in breach of contract: data residency outside of native country
- Still in negotiations

Case Study #3: Network System Integration. Scenario
- Review of network architecture, infrastructure, systems and services
- Network design created over 10 years ago
- Implementation of point solutions: WiFi, various SaaS applications, various legacy systems, payment system, VLANs, IP security cameras, corporate

Case Study #3: Network System Integration. Findings
- No separation of networks, systems, applications and infrastructure based on data sets and compliance requirements
- No password changes, due to complex application integration
- LDAP authentication in clear text
- No network infrastructure/security strategy
- No business process and application integration strategy
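The "LDAP authentication in clear text" finding in Case Study #3 is one a reviewer can confirm from a packet capture rather than from an interview. The following is an added example, not part of the presentation and not the reviewed organization's code: a small Python detector that decodes just enough of the BER encoding of an LDAP BindRequest (RFC 4511) to tell a simple bind, where the password travels as a plain OCTET STRING, from a SASL bind, and flags simple binds with a non-empty password on connections that never negotiated TLS. The hosts, the bind messages and the flow records are constructed for the example; in practice the records would be reassembled TCP payloads handed over by a capture tool or sensor.

```python
"""Detector for LDAP simple binds sent over connections without TLS.
Added example (not from the presentation). Hand-decodes enough BER of an
RFC 4511 BindRequest to see which authentication choice the client used.
All hosts, messages and flow records below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BER tags used by LDAPMessage / BindRequest
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # [0] simple: password as OCTET STRING
TAG_AUTH_SASL = 0xA3      # [3] sasl: SEQUENCE { mechanism, credentials OPTIONAL }


def _encode_tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one tag-length-value with a definite (short or long form) length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_bytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _wrap_bind(message_id: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }."""
    return _encode_tlv(TAG_SEQUENCE,
                       _encode_tlv(TAG_INTEGER, bytes([message_id])) + _encode_tlv(TAG_BIND_REQUEST, op))


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Construct a BindRequest with simple authentication (sample traffic only)."""
    return _wrap_bind(message_id, _encode_tlv(TAG_INTEGER, bytes([3]))            # LDAP version 3
                      + _encode_tlv(TAG_OCTET_STRING, dn.encode())                # bind DN
                      + _encode_tlv(TAG_AUTH_SIMPLE, password.encode()))          # cleartext password


def build_sasl_bind(message_id: int, dn: str, mechanism: str) -> bytes:
    """Construct a BindRequest using a SASL mechanism such as GSSAPI (sample traffic only)."""
    sasl = _encode_tlv(TAG_OCTET_STRING, mechanism.encode())   # credentials omitted
    return _wrap_bind(message_id, _encode_tlv(TAG_INTEGER, bytes([3]))
                      + _encode_tlv(TAG_OCTET_STRING, dn.encode())
                      + _encode_tlv(TAG_AUTH_SASL, sasl))


@dataclass
class BindInfo:
    message_id: int
    version: int
    name: str
    method: str               # "simple" or "sasl"
    secret: Optional[str]     # the password; present only for simple binds


def parse_bind_request(data: bytes) -> Optional[BindInfo]:
    """Return BindInfo if data is an LDAPMessage carrying a BindRequest, else None."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != TAG_SEQUENCE:
            return None
        tag, mid, pos = _read_tlv(msg, 0)
        if tag != TAG_INTEGER:
            return None
        tag, op, _ = _read_tlv(msg, pos)
        if tag != TAG_BIND_REQUEST:
            return None
        _, ver, pos = _read_tlv(op, 0)
        _, name, pos = _read_tlv(op, pos)
        auth_tag, auth, _ = _read_tlv(op, pos)
    except IndexError:        # truncated or non-LDAP payload
        return None
    common = (int.from_bytes(mid, "big"), int.from_bytes(ver, "big"), name.decode(errors="replace"))
    if auth_tag == TAG_AUTH_SIMPLE:
        return BindInfo(*common, "simple", auth.decode(errors="replace"))
    if auth_tag == TAG_AUTH_SASL:
        return BindInfo(*common, "sasl", None)
    return None


@dataclass
class FlowRecord:
    """One client-to-server LDAP message as a sensor might hand it over (constructed)."""
    client: str
    server: str
    dst_port: int
    tls: bool        # True once the connection negotiated TLS (LDAPS or StartTLS)
    payload: bytes


def flag_cleartext_binds(records: List[FlowRecord]) -> List[str]:
    """Report simple binds carrying a password on a connection without TLS.
    An empty simple password is an anonymous/unauthenticated bind (RFC 4513) and
    leaks nothing, so it is skipped; SASL binds are left to the mechanism's own protection."""
    findings = []
    for r in records:
        if r.tls:
            continue                          # payload is ciphertext; nothing to inspect
        info = parse_bind_request(r.payload)
        if info and info.method == "simple" and info.secret:
            findings.append(f"{r.client} -> {r.server}:{r.dst_port} simple bind as "
                            f"'{info.name}' with cleartext password (msg {info.message_id})")
    return findings


def sample_findings() -> List[str]:
    """Run the detector over constructed traffic: one offending bind, three benign records."""
    server = "10.0.0.5"   # constructed directory server address
    records = [
        FlowRecord("10.0.1.25", server, 389, False,
                   build_simple_bind(1, "cn=svc-app,ou=services,dc=example,dc=com", "Secret123")),
        FlowRecord("10.0.1.30", server, 389, False, build_sasl_bind(2, "", "GSSAPI")),
        FlowRecord("10.0.1.31", server, 389, False, build_simple_bind(3, "", "")),
        FlowRecord("10.0.1.40", server, 636, True, b"\x17\x03\x03\x00\x20" + bytes(32)),  # opaque TLS record
    ]
    return flag_cleartext_binds(records)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

The point the detector makes is that the exposure is a property of the transport, not of the bind operation: a simple bind over LDAPS or after StartTLS is invisible to it (and to anyone else on the path), while the same bind on plain port 389 hands the service account password to whoever can see the segment, which is exactly the condition the flat, unsegmented network in Case Study #3 creates. Remediation is therefore to require TLS (or a SASL mechanism that protects credentials) on the directory side and to rotate any account that has been binding in clear, not merely to reconfigure clients.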

Questions