Copyright 2011 EMC Corporation. All rights reserved.

How risky is the Cloud?

Is Cloud worth it? YES!

Cloud adds the concept of Supply Chain

Cloud Computing Definition
National Institute of Standards and Technology (NIST Special Publication 800-145 (Draft)):
- Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
- Rapidly provisioned and released with minimal management effort or service provider interaction
- Composed of 5 essential characteristics, 3 service models, and 4 deployment models
Source: http://www.nist.gov/itl/csd/cloud-020111.cfm

Cloud Computing: 5 Essential Characteristics
- On-demand tenant self-service model for provisioning computing capabilities (server time, network storage, etc.)
- Broad network access, with capabilities available over the network and accessible by standard mechanisms and mobile platforms
- Resource pooling through dynamically assigned physical and virtual capabilities, delivered in a multi-tenant, location-independent model
- Rapid elasticity of provisioned resources, adjusted automatically or manually in line with service level flexibility and needs
- Measured service to monitor, control and report on transparent resource optimization

Cloud Computing: 3 Service Models
- Software as a Service (SaaS): capability made available to the tenant (or consumer) to use the provider's applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces. Examples: Salesforce.com, Dropbox, Box.net, Google Docs, WebEx
- Platform as a Service (PaaS): capability made available to the tenant to deploy tenant-owned (created or acquired) applications using programming languages and tools supported by the provider. Examples: Microsoft Azure, Amazon Web Services, Bungee Connect
- Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS): capability made available to the tenant to provision processing, storage, networks or other fundamental computing resources to host and run the tenant's applications. Examples: Rackspace, Terremark (Verizon), Savvis, AT&T

Cloud Computing Deployment Models

|               | (1) PRIVATE                 | (2) COMMUNITY                               | (3) PUBLIC                            |
|---------------|-----------------------------|---------------------------------------------|---------------------------------------|
| ACCESSIBILITY | Single Organization         | Shared with Common Interests / Requirements | General Public / Large Industry Group |
| MANAGEMENT    | Organization or Third Party | Organization or Third Party                 | Cloud Provider                        |
| HOST          | On or Off Premise           | On or Off Premise                           | On or Off Premise                     |

(4) HYBRID

What should we do?
- Embrace and accept this rapid change for Corporate IT and weigh the business benefits and risks.
- Adopt and integrate guidance and toolkits for improved Governance, Risk & Compliance.

And some more Numbers (Source: Gartner)
- Worldwide Cloud Services Market to reach $148.8 billion in 2014
- $58.6 billion in 2009
- $68.3 billion in 2010
- Spending to reach $112 billion within 5 years
Sector by Sector adoption: Financial Services, Manufacturing, Communications and High Tech, Public Sector

Adoption by Region (Source: Gartner)
[Bar chart: adoption percentage (vertical axis 0% to 70%) in 2010 and 2014 for USA, Western Europe, Japan, Other]

Chains are only as strong as the weakest link. GRC ensures the integrity of the chain.

EU Concerns: Cloud Computing Strategy (DIGIT-IPM)
Questions to be answered:
- Legal Framework
- Technical and Commercial Fundamentals
- The Market

Top Five Barriers to Cloud Adoption (Source: CIO Magazine)
- Security
- Openness
- Portability
- Reliability
- Integration
http://www.zdnet.co.uk/videos/view/online-business/experts-highlight-barriers-to-cloudadoption-260682411/

Cloud Computing Security: Largest Barrier to Adoption

Barriers Become Opportunity
Functional areas: Finance & Business Operations; Legal & Corporate Compliance; Information Technology; Security
Stakeholders: VP, Enterprise Risk Mgt; Lines of Business VPs; VP, Risk Mgt/Compliance; CFO; VP, Internal Audit; VP, Legal and Compliance; Chief Information Officer; Chief Legal Counsel; Chief Compliance Officer; VP, IT Risk Mgt/Compliance; VP, Applications; VP, BCM/DR; VP, Infrastructure; Chief Information Security Officer (CISO); Director, Security Ops
- Management and audit needs dashboards and analytics that increase visibility, improve decision making, and manage risk within appetites
- Legal and compliance needs automated discovery, policy and risk analysis, and alignment of policies with business and legal imperatives
- IT operations needs continuous, automated, consolidated assessments that translate business appetite for risk into IT thresholds
- Security needs to integrate information risk analysis with IT and the business, leveraging security metrics and assessment for IT and enterprise risk
- Drive accountability into the day-to-day operating fabric
- Prioritize and scope risk assessments
- Understand discoverable information risks, processes and assets in context
- Leverage a common, traceable system of record
- Streamline policy and assessments across all IT assets
- Protect information according to its importance and criticality to the business
- Drive down costs, improve accuracy and improve efficiencies

Why do we need Standards?
- Use of available technical expertise, enhanced trade
- Common metrics for service level expectations
- Essential to the cloud supply chain
- Open global markets
- Required by legal and accounting professions
- Increased automation

GRC Automation
[Diagram: GRC Dashboards (Goals, Objectives, Assessments, Measures and Metrics) serving Finance & Business Operations, Legal & Compliance, Information Technology and Security; built on layers for Business Processes, Policies, SLAs, Guidelines, Reports, Incidents; Risk Control Frameworks, Standards & Libraries; Service Provider Control Validation; and Evidence, Transactional Data, KPIs, Events, Operational/business/legal Environment; spanning Service Provider and Enterprise, with Transparency and Traceability as the vertical axes]

GRC Automation Standards
[Diagram: the GRC Automation diagram from the previous slide with standards overlaid. Alongside Risk Control Frameworks, Standards & Libraries: ISO 27000, NIST 800-53, GRC-XML (OCEG), CSA, IFAC, ITIL, eTOM, IETF, COSO. Alongside Evidence, Transactional Data, KPIs, Events, Operational/business/legal Environment: ITU-T CYBEX, NIST SCAP+, CIM, DMTF]

International Standards driving Cloud Trust
Frameworks and Guidance to provide transparency via automation:
- International Telecommunications Union (ITU-T) Study Group 17, Question 4, Cyber Security Exchange (CYBEX): pulls together techniques and protocols to enable continuous monitoring and incident coordination
- International Standards Organization (ISO) 27000, SC 27, JTC 1: security standards framework and ISMS guidance; risk assessment process
- Internet Engineering Task Force (IETF): protocols to enable secure exchange of information, such as incidents
- Cloud Security Alliance (CSA): developing guidance and a set of cloud-specific controls; work in process of integration into international standards bodies
- National Institute of Standards and Technology (NIST): Security Content Automation Protocol (SCAP), plus standards developed jointly by MITRE and NIST, also in ITU CYBEX
- Open Compliance and Ethics Group (OCEG): GRC-XML, used to format reports that include risk information and rules
- International Federation of Accountants (IFAC): develops international standards on ethics, auditing and assurance, education, and public sector accounting

Current State of GRC-enabled Cloud Trust
Cloud Security Alliance (CSA) initiatives: manual, moving toward automation
- Consensus Assessment Initiative: lightweight common assessment criteria; 148 questions to assess the security of a cloud provider
- Cloud Control Matrix: 98 cloud-specific controls developed with CSA guidance, bridging regulatory governance and practical compliance
- Cloud Audit: provides a namespace to assist with automation of audit and assessment, similar to the audit world's concept of continuous audits

Semantic Technologies, Cloud Rules Matrix and the Cloud

Cloud Computing and Intelligent Data Centers
- Quality of Service
- Service Level Management
- Rule-based service configuration
- Nested Multi-Tier Security
- Automated GRC
- LegalRuleML and SLAs
- Software Agents as Cloud Services
- Ontologies
- Rules

Cloud Computing and Intelligent Data Centers
- Common vocabulary for federated systems on the Cloud
- Semantic Heterogeneity
- Interoperability/Portability
- Self-sustaining Data Centers
- Dynamic deployment of resources
- Interactive Service Providers-Consumers
- Audits
- Policy-based Multi-Tenancy

Conclusions

Thank You! Questions?