Driving Cloud Governance and Avoiding Cloud Chaos


Key Takeaways
- What is Cloud Chaos?
- Why Do You Need Cloud Governance?

Intro: Timothy P. McAliley, timothy.mcaliley@microsoft.com
Microsoft Premier Field Engineer, SQL Server, Washington, DC
CISA, CISM, CISSP, ITIL V3, MCSA, MCSE, MCITP, MCTS, MCT, PMP

Agenda
- Cloud Primer
- What are the Challenges?
- What are the Risks?
- Practices to Mitigate Risk
- Resources

Cloud Primer

Cloud Primer
Spot Quiz: What document provides key recommendations for defining cloud computing?
Answer: NIST Special Publication 800-145, The NIST Definition of Cloud Computing

Cloud Primer
What is in NIST SP 800-145, The NIST Definition of Cloud Computing?
Essential Characteristics:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

Cloud Primer
What is in NIST SP 800-145, The NIST Definition of Cloud Computing?
Service Models:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)

Cloud Primer

Cloud Primer
What is in NIST SP 800-145, The NIST Definition of Cloud Computing?
Deployment Models:
- Private Cloud
- Community Cloud
- Public Cloud
- Hybrid Cloud

What Is Microsoft Azure?

What Are The Challenges?

What Are The Challenges?
Forrester estimates that for every cloud initiative tracked centrally by IT shops today, there are three to six initiatives that are not tracked. Flexibility, or pay-as-you-go, enables a business unit to increase capacity or request additional services with a simple call. But there is a downside: this flexibility could also result in the bypassing of expense authorization, change control processes, information protection controls and other oversight processes.
Source: Staten, James; "What are Enterprises Really Doing in the Cloud?", The Forrester Blog, 25 October 2011, http://blogs.forrester.com/james_staten/11-10-25-what_are_enterprises_really_doing_in_the_cloud

What Are The Challenges?
Challenges presented by the Essential Characteristics of Cloud Computing:
- On-demand self-service (users/organizations can spin up resources)
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service (cost control)

What Are The Challenges?
Challenges presented by Cloud Computing Service Models:
- SaaS
- PaaS
- IaaS (virtual servers, storage, network interfaces, data transfers)

What Are The Challenges?
Challenges presented by Cloud Computing Deployment Models:
- Private Cloud (usually owned by an organization)
- Community Cloud
- Public Cloud (IaaS: virtual servers, storage, network interfaces, data transfers)
- Hybrid Cloud (data egress/transfers)

What Are The Challenges?
Controlling resources, services and data:
- Users can self-provision resources; they are no longer required to interact with storage, network, server admins, IA, etc.
- Cost overruns for overutilization of cloud resources
- Organizational Awareness
- Individual Awareness
- Resource Sprawl / Cloud Sprawl
- Cloud Service Provider (CSP) Accountability/Response
- Rate/Pace of Change, Change Tracking

What Are The Risks?

What Are The Risks?
- Organizational Risks
- Individual Risks

What Are The Risks?
Organizational Risks:
- Failure to properly plan and assess
- Cloud Sprawl / Service Mapping
- Data Loss / Data Exposure
- Lack of insight/alerting on competitive architectures/services
- Individuals' ability to quickly provision resources
- Work/Culture/Skill Sets

What Are The Risks?
Individual Risks:
- Rogue / Competitive Architecture
- Theft of Data
- Duplication of proprietary systems/configurations
- Cost
- Lack of Accountability

Practices to Mitigate Risk

Practices to Mitigate Risk
Organizational Risk:
- Organizational Readiness Assessment (Do you need to go into the cloud?)
- Assess/Adopt a Compliance/Risk Assessment Framework
  - Cloud Security Alliance
  - Cloud Service Provider Compliance Guidance
- Have clear policies for individual and group resource provisioning
- Have charge-back/consumption metering in place
- Tiered resource access for metering/throttling
- Group/Individual resource throttling
- Compliance Requirements; example for the Public Sector: Federal Risk and Authorization Management Program (FedRAMP)

Practices to Mitigate Risk
Organizational Risk:
- Clear Service Level Agreements (SLAs) with CSPs
- Review the CSP Compliance Center
  - Data ownership and data protection
  - Services ownership
  - Access ownership
  - Response time
  - Monitoring level
- Is there a broad organizational regulation/accreditation (FedRAMP)?

Practices to Mitigate Risk
Individual Risk (this is a tough one, no clear answer):
- Clear policies and restrictions in place
- Non-Disclosure/Non-Compete Agreements
- User education and awareness
- Consumption Limits/Monitoring (only effective if the user is leveraging organizational resources)

Practices to Mitigate Risk
- Leverage automation for provisioning resources, change tracking and monitoring
- Have clear, top-down RACI assignments (responsible, accountable, consulted, informed)
- Tools for assessing cloud-based risk / governance establishment:
  - FedRAMP: "The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services"
  - Cloud Security Alliance: Consensus Assessments Initiative Questionnaire v3.0.1, Cloud Controls Matrix v3.0.1
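The two practice slides above recommend charge-back/consumption metering, group-level throttling, and automation for change tracking and monitoring. The following is an added example, not code from the presentation or from Microsoft, showing what such a governance check looks like as a script: it runs over a constructed resource inventory (the resource ids, tags, costs, the centrally tracked set and the cost-center budgets are all made up for the example), flags resources that bypassed central tracking or lack owner/cost-center tags (the sprawl the Forrester quote describes), meters monthly spend per cost center, and names the cost centers whose new provisioning should be throttled because they exceeded their allocation.

```python
"""Cloud governance check over a constructed resource inventory (added example).

Implements three of the mitigations discussed on the slides:
  1. sprawl detection: resources not in the centrally tracked inventory,
     or missing the tags that make charge-back possible;
  2. consumption metering: monthly spend rolled up per cost center;
  3. group throttling: cost centers over budget are flagged so that further
     self-service provisioning for them can be held for review.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Tags every resource must carry so that it can be charged back to a group.
REQUIRED_TAGS = ("owner", "cost_center")


@dataclass(frozen=True)
class Resource:
    resource_id: str
    kind: str              # e.g. "vm", "storage", "database"
    monthly_cost: float    # projected monthly cost in currency units
    tags: dict = field(default_factory=dict)


# Constructed sample inventory (hypothetical ids, costs and tags).
INVENTORY = [
    Resource("vm-001", "vm", 140.0, {"owner": "alice", "cost_center": "finance"}),
    Resource("vm-002", "vm", 310.0, {"owner": "bob", "cost_center": "marketing"}),
    Resource("st-001", "storage", 45.0, {"cost_center": "marketing"}),   # no owner tag
    Resource("db-001", "database", 520.0, {}),                            # untagged
    Resource("vm-003", "vm", 260.0, {"owner": "carol", "cost_center": "marketing"}),
]

# Resources that went through central change control (constructed).
TRACKED = {"vm-001", "vm-002", "st-001"}

# Monthly charge-back allocation per cost center (constructed).
BUDGETS = {"finance": 500.0, "marketing": 500.0}


def find_untracked(inventory, tracked):
    """Resources provisioned outside the centrally tracked inventory."""
    return [r for r in inventory if r.resource_id not in tracked]


def find_missing_tags(inventory, required=REQUIRED_TAGS):
    """Map of resource id -> list of required tags it lacks (only offenders)."""
    missing = {}
    for r in inventory:
        absent = [t for t in required if t not in r.tags]
        if absent:
            missing[r.resource_id] = absent
    return missing


def meter_by_cost_center(inventory):
    """Roll monthly cost up per cost center; untagged spend goes to UNALLOCATED."""
    totals = defaultdict(float)
    for r in inventory:
        totals[r.tags.get("cost_center", "UNALLOCATED")] += r.monthly_cost
    return dict(totals)


def over_budget(inventory, budgets):
    """Cost centers whose metered spend exceeds their allocation, with the overage."""
    totals = meter_by_cost_center(inventory)
    return {
        cc: round(spend - budgets[cc], 2)
        for cc, spend in totals.items()
        if cc in budgets and spend > budgets[cc]
    }


def governance_report(inventory, tracked, budgets):
    """Single report a governance job could emit on each run."""
    exceeded = over_budget(inventory, budgets)
    return {
        "untracked": sorted(r.resource_id for r in find_untracked(inventory, tracked)),
        "missing_tags": find_missing_tags(inventory),
        "spend": meter_by_cost_center(inventory),
        "over_budget": exceeded,
        # Groups whose further self-service provisioning should be held for review.
        "throttle": sorted(exceeded),
    }


if __name__ == "__main__":
    for key, value in governance_report(INVENTORY, TRACKED, BUDGETS).items():
        print(f"{key}: {value}")
```

Run as a scheduled job against a real inventory export, the "untracked" and "missing_tags" lists are the change-tracking signal, the "spend" roll-up is the charge-back input, and the "throttle" list is what a provisioning workflow would consult before approving new requests for a group.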

Practices to Mitigate Risk
Ask the Right Questions. ISACA, Cloud Governance: Questions Boards of Directors Need to Ask:
- Do management teams have a plan for cloud computing? Have they weighed value and opportunity costs?
- How do current cloud plans support the enterprise's mission?
- Have executive teams systematically evaluated organizational readiness?
- Have management teams considered what existing investments might be lost in their cloud planning?
- Do management teams have strategies to measure and track the value of cloud return vs. risk?
Source: http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/cloud-governance-questions-boards-of-directors-need-to-ask.aspx

Resources

Resources
- NIST Special Publication 800-145, The NIST Definition of Cloud Computing: http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
- ISACA Cloud Computing Knowledge: http://www.isaca.org/groups/professional-english/cloud-computing/pages/overview.aspx
- CSA: https://cloudsecurityalliance.org
- FedRAMP: http://www.fedramp.gov

Resources
- Microsoft Azure Compliance Portal: http://azure.microsoft.com/en-us/support/trust-center/compliance/
- Amazon Web Services Compliance Portal: http://aws.amazon.com/compliance/
- IBM Compliance: http://www.ibm.com/cloud-computing/us/en/security.html

Summary
- Cloud Primer
- What are the Challenges?
- What are the Risks?
- Practices to Mitigate Risk
- Resources

Thank You!!
Make sure to check out the Special Seminar on SQL Server Security, April 14-15, GMU Arlington Campus: http://www.isaca-washdc.org/