How to Establish Security & Privacy Due Diligence in the Cloud
Presentation: Cloud Computing Expo 2015, Santa Clara, California
Maria C. Horton, CISSP, ISSMP, Cloud Essentials, IAM
CEO, EmeSec Incorporated
November 5, 2015
Objectives
Attendees will discuss cloud due diligence from the perspective of:
- A driver of security & privacy requirements for cloud data governance
- The implications of continuous monitoring and compliance
- Adapting data loss prevention and incident response activities
Due Diligence: Why the Emphasis?
- In business negotiations, it is the information needed to assess risk accurately
- In compliance, it describes the degree of effort required by law or industry standard
- In civil law, it is the reasonable care taken to avoid harm
- For cloud services (IaaS, PaaS, and SaaS), both the Cloud Service Provider and the Cloud Customer have obligations in the business, compliance and legal realms
to the Era of Cyber Liability
Wyndham vs. Federal Trade Commission (FTC)
- Federal appeals court decision gives authority to the FTC without clear regulations
- Likely more lawsuits related to inadequate policies/practices or recurrent issues
- The FTC has limited interest in clear regulations, because clear rules reduce its ability to police, fine and re-define "inadequate"
Data Breach Costs
- Total cost is $3.8 million, a 23% increase since 2013
- Per-record cost is $154, also up
- Source: IBM/Ponemon Institute 2015 Annual Study
Cyber Insurance
- The number of conferences and articles suggests that cyber liability (and its costs) are here to stay
Due Diligence Framework
Begins with business and functional requirements:
- Governance: roles and responsibilities; monitoring/reporting
- Risk tolerance: exposure, control, risk
- CSP strategy and SLAs: technical, operational, and management security processes
- Technology: standards-based, proven
Due Diligence in Action
- Ask questions, see demonstrations
- Conduct evaluation(s): technical vendor assessment, certifications (FedRAMP, ISO 27k), site tour
- Negotiate terms: service level agreements (SLAs)
- Validate, validate, validate: continuous monitoring, and not just technically!
Sample Questions
- Are there specific set-up fees?
- What are the user authentication methods for our solution?
- What are the geolocation boundaries for the data?
- How are incidents and breaches reported?
- How often are third-party audits conducted?
- Are there any termination fees?
Due Diligence for Value & Protection: Leveraging FedRAMP
- The Federal Risk and Authorization Management Program (FedRAMP) provides a foundation of uniform security standards
- Establishes continuous monitoring requirements
- Identifies externally vetted providers: Cloud Service Providers and 3PAOs
- Can be interpreted as an underwriter's seal of approval
Privacy Due Diligence
- Do you know where your data resides in the cloud?
- Do you have ownership rights?
- Preparing for US-EU convergence
- Adapting incident response: cloud notifications, negotiated SLAs, accounting for forensics
- Changing responsibilities and accountabilities
- Wait, watch and worry?
Benefits of a Due Diligence Approach
- Limits liability
- Builds trust with customers and users
- Proactive approach to security and regulatory compliance
- You can't delegate accountability!
Find What's Right
- Be pragmatic: demonstrate reasonableness
- Build cyber resilience
- Consider a virtual compliance officer
- Power of simplicity
Thank you for your time!
Continue the discussion:
Twitter: @EmeSec
Twitter: @mariahorton
Phone: 703.429.4492/4491
Email: info@emesec.net