Cloud Computing Risks & Reality Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com
What is Cloud Security
The quality or state of being secure: free from danger, with risk minimized, and protected from adversaries.
A successful cloud implementation should have multiple layers of security in place:
- Physical security
- Personal security
- Operations security
- Communications security
- Network security
Cloud Business Governance
Organizations need a set of capabilities that are essential to implementing and managing cloud services effectively, including the following:
- Demand Management
- Relationship Management
- Data Security Management
- Application Lifecycle Management
- Risk & Compliance Management
Compliance Requirements
Data regulatory compliance requirements:
- Freedom of Information and Protection of Privacy Act (FIPPA/MFIPPA), Ontario, revised February 2012
- Personal Health Information Protection Act (PHIPA), Ontario, 2004
- Personal Information Protection and Electronic Documents Act (PIPEDA), Canadian federal government
- Payment Card Industry Data Security Standard (PCI DSS 3.0)
- Accessibility for Ontarians with Disabilities Act, 2005 (AODA)
Data Security
Data types:
- Personal Health Information (PHI)
- Personally Identifiable Information (PII)
- Credit Card Data (PCI)
Senior management is accountable for data and information security and privacy.
Privacy by Design
Business and IT Working Together
- Risk Management
- Legal
- Audit
- Compliance
- Privacy
- Business Continuity
- Quality Control
- Facilities
- Human Resources
- Information, IT and Physical Security
- Emergency Management
To the Cloud: What to think about
How to Choose a Provider
Choose a provider you can trust, with people you trust in key positions.
Ask people in your network about their successful and unsuccessful relationships.
Learn how the providers behaved when things went wrong. (They are all great when things are going well.)
Learn how the provider responded when their customer was wrong or made a mistake.
The last two will likely tell you much more than what is in the service agreement.
Review audit and compliance reporting: ISO 27001, SSAE 16, SOC 1, SOC 2, SOC 3, PCI DSS.
Questions
- What do the terms "continuity" and "recovery" mean?
- What constitutes a breach?
- How long should it take to restore service?
- What options do you have if it is taking too long? Can you go somewhere else? Who gets to decide whether you can exit? How is "too long" defined?
- Can you have your data back? In what form and format? When can you have it? How will it be delivered?
Questions and More Questions
- What happens to your data, software, and systems if the provider becomes insolvent or subject to prosecution?
- What happens to your data if you don't pay your provider? Who owns your information and your systems then?
- Can your provider shut you down and/or permanently delete your data if you withhold payment?
- If you are thinking that is not a possibility: could it happen in the event of a dispute related to billing or service?
Exit Strategy?
If you fail to plan, you plan to fail! Have an exit strategy. More than that, understand what would cause you to execute it.
- How long can something be down (or slow) before it impacts your business?
- How long will it take to implement even a temporary exit?
- How will the provider help?
- How can you return to the provider's service (should you decide to) once the problem has been resolved?
- Who gets to decide whether you return?
Know What You Need
Know what you want: it is important to do that second-order thinking ahead of time.
Know what you need: it may be different from what you want.
Read and know what is in the service agreement.
Know how to engage: it is not only about the negotiation and the remedies. Someone needs to be familiar with how to identify a breach or issue and how to engage the provider for assistance.
Know what to do both in cases where the provider has an issue and in cases where the customer has caused the problem.
Never Make Assumptions
Do not assume the service provider will think of everything. It all goes back to knowing what you need.
Cloud Service Providers and their Data Centres
Cloud Data Centres
Where your data is makes a difference. Yes, your data in a cloud does have a location (or many locations).
As a Canadian public or private corporation, once your data leaves Canadian soil it is also governed by the laws and regulations of the country in which it resides.
Each organization must understand the risks and implications associated with its data storage location.
You are subject to the jurisdiction your data is stored in and every jurisdiction it passes through.
Cloud Data Centres
One way or another, your cloud data is in a data centre, and what affects the data centre affects you.
The data centre can be affected by two kinds of factors:
- Natural: floods, earthquakes, tornadoes, drought and fire, storms, snow, etc.
- Human: riots, political protest, sports events
Cloud Data Centres
- Are your data centres geographically clustered?
- Can one event take out all of your cloud servers and their data paths?
- Is the data centre on a fault line?
Cloud Data Centres: Bottom Line
Every question you would ask about the physical location of data, hardware and applications on your own servers, you must also ask about your cloud-based servers.
You cannot outsource responsibility.
Even when you ask all the right questions
Case Study #1: Hosted Website
Scenario:
- Platform as a Service vendor
- ISO 27001 certification
- Applications and data
- Client service level agreement in place, covering intrusion detection, log monitoring, vulnerability management and system patch management
Case Study #1: Hosted Website
Findings:
- Interviewed the service provider about its security controls
- The data centre had recently been acquired by a large service provider with ISO 27001 compliance
- The service level agreement did not match reality:
  - No intrusion detection
  - No log monitoring
  - No vulnerability management
  - No system patch management
  - No change management
Case Study #2: EMR Implementation
Scenario:
- Tender for a cloud-based Electronic Medical Record (EMR) system
- Security requirements included: Threat Risk Assessment, Privacy Impact Assessment
- Contractual obligations: privacy breach handling, return of data, data residency required in the native country
Case Study #2: EMR Implementation
Findings:
- The lowest-bid cloud-based EMR vendor was awarded the tender
- The awarded cloud vendor executed the contract
- Privacy Impact Assessment performed
- Threat Risk Assessment performed
- The cloud EMR vendor was found to be in breach of contract: data residency was outside the native country
- Still in negotiations
Case Study #3: Network System Integration
Scenario:
- Review of network architecture, infrastructure, systems and services
- Network design created over 10 years ago
- Implementation of point solutions: WiFi, various SaaS applications, various legacy systems, payment system, VLANs, IP security cameras, Corporate
Case Study #3: Network System Integration
Findings:
- No separation of networks, systems, applications and infrastructure based on data sets and compliance requirements
- No password changes, because of complex application integration
- LDAP authentication in clear text
- No network infrastructure/security strategy
- No business process and application integration strategy
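The clear-text LDAP finding in Case Study #3 is the kind of thing you confirm from a packet capture rather than from the vendor's word. The Python below is an added example, not material from the presentation: it parses the BER-encoded LDAPMessage/BindRequest defined in RFC 4511 and flags any bind that carries a password in the clear (a simple bind with a non-empty password, or a SASL PLAIN bind). The DNs, passwords and payload bytes in SAMPLE_CAPTURE are constructed for the demo; a real check would feed in the TCP payloads captured on port 389 (LDAPS on 636, or a session after StartTLS, is encrypted and will simply not parse as a bind).

```python
"""Added example: flag LDAP binds that send the password in the clear.

Parses BER-encoded LDAPMessage/BindRequest (RFC 4511) from raw TCP payloads.
Sample messages below are constructed for the demo, not captured anywhere.
"""
from typing import List, Optional, Tuple

# BER tags used by an LDAP BindRequest
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0] OCTET STRING
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3] SaslCredentials


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV (only used to build the constructed sample traffic)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


def inspect_ldap_bind(msg: bytes) -> Optional[dict]:
    """Return details of a BindRequest, or None if msg is not a well-formed one."""
    try:
        tag, body, _ = read_tlv(msg, 0)
        if tag != TAG_SEQUENCE:
            return None
        tag, mid, pos = read_tlv(body, 0)
        if tag != TAG_INTEGER:
            return None
        tag, op, _ = read_tlv(body, pos)
        if tag != TAG_BIND_REQUEST:
            return None                    # search, modify, unbind, ...
        _, version, pos = read_tlv(op, 0)
        _, name, pos = read_tlv(op, pos)
        auth_tag, auth, _ = read_tlv(op, pos)
        mech = b""
        if auth_tag == TAG_AUTH_SASL:      # SaslCredentials ::= SEQUENCE { mechanism, ... }
            _, mech, _ = read_tlv(auth, 0)
    except (IndexError, ValueError):
        return None

    info = {
        "message_id": int.from_bytes(mid, "big"),
        "version": version[0] if version else 0,
        "name": name.decode("utf-8", "replace"),
        "cleartext_password": False,
    }
    if auth_tag == TAG_AUTH_SIMPLE:
        info["auth"] = "simple"
        # Non-empty simple password is the finding; an empty one is an anonymous bind.
        info["cleartext_password"] = len(auth) > 0
        info["password"] = auth.decode("utf-8", "replace")
    elif auth_tag == TAG_AUTH_SASL:
        info["auth"] = "sasl/" + mech.decode("ascii", "replace")
        # SASL PLAIN (RFC 4616) also ships the password unprotected without TLS.
        info["cleartext_password"] = mech.upper() == b"PLAIN"
    else:
        info["auth"] = "unknown"
    return info


def find_cleartext_binds(payloads: List[bytes]) -> List[dict]:
    """Scan TCP payloads (one LDAPMessage each) and return the offending binds."""
    hits = []
    for payload in payloads:
        info = inspect_ldap_bind(payload)
        if info and info["cleartext_password"]:
            hits.append(info)
    return hits


def build_bind(message_id: int, dn: str, auth: bytes) -> bytes:
    """Wrap an already-encoded AuthenticationChoice into a full LDAPMessage."""
    op = encode_tlv(TAG_INTEGER, b"\x03") + encode_tlv(TAG_OCTET_STRING, dn.encode()) + auth
    return encode_tlv(TAG_SEQUENCE,
                      encode_tlv(TAG_INTEGER, bytes([message_id]))
                      + encode_tlv(TAG_BIND_REQUEST, op))


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    return build_bind(message_id, dn, encode_tlv(TAG_AUTH_SIMPLE, password.encode()))


def build_sasl_bind(message_id: int, dn: str, mechanism: str, creds: bytes) -> bytes:
    sasl = encode_tlv(TAG_OCTET_STRING, mechanism.encode()) + encode_tlv(TAG_OCTET_STRING, creds)
    return build_bind(message_id, dn, encode_tlv(TAG_AUTH_SASL, sasl))


# Constructed sample "capture" of port-389 payloads (hypothetical DN and secret).
SAMPLE_CAPTURE = [
    build_simple_bind(1, "cn=webapp,ou=svc,dc=example,dc=com", "Winter2014!"),
    build_sasl_bind(2, "", "GSSAPI", b"<kerberos-token>"),   # protected, not flagged
    build_simple_bind(3, "", ""),                            # anonymous bind
    b"\x30\x05\x02\x01\x04\x42\x00",                         # UnbindRequest, not a bind
]

if __name__ == "__main__":
    for hit in find_cleartext_binds(SAMPLE_CAPTURE):
        print(f"msg {hit['message_id']}: {hit['auth']} bind as {hit['name']!r} "
              f"sent the password in the clear")
```

The parser deliberately distinguishes a simple bind with an empty password (anonymous, nothing leaks) from one with a real password, and treats SASL GSSAPI or DIGEST-MD5 binds as protected while still flagging SASL PLAIN; those are the cases that a grep for "bindRequest" in a capture would get wrong. The fix for the finding itself is to require LDAPS or StartTLS on the directory and to reject simple binds over unencrypted connections, after which this check should return nothing.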
Questions