INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE


INTRODUCTION

AGENDA
1. Overview of Cloud Services
2. Cloud Computing Compliance Framework
3. Cloud Adoption and Enhancing Compliance Posture in the Cloud
4. Real-World Experiences: Benefits
5. Real-World Experiences: Challenges
6. Q&A

OVERVIEW OF CLOUD SERVICES

CLOUD SERVICE MODELS
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)


CLOUD DEPLOYMENT MODELS
- Public
- Private
- Hybrid
- Community

CLOUD COMPUTING COMPLIANCE FRAMEWORK

COMPLIANCE OVERVIEW

TERMINOLOGY AND CONCEPTS
- Financial reporting impact (ICOFR: Internal Controls Over Financial Reporting)
- Control objectives / trust principles / criteria / standards / management system standards / annexes / frameworks
- Certification / attestation / audit / benchmarking assessments (consulting reports)
- Type 1 vs Type 2 for SOC reports
- Backward looking / point in time / forward looking
- Accounting standards: US / international (SSAE / AT vs ISAE)
- Shelf life: generally annual; annual / 2-year cycle / 3-year cycle
- Restricted use / restricted distribution / unrestricted

UNDERSTANDING COMPLIANCE NEEDS
Cloud service customer:
- Know customer / contractual requirements
- Know cloud service provider commitments
Cloud service provider:
- Know customer / contractual requirements
- Know market need

GENERAL CONTROL ASSESSMENTS
- SOC 1
- SOC 2
- CSA STAR Program Level 2
- ISO 27001 / 27017

INDUSTRY SPECIFIC ASSESSMENTS (industry: compliance options)
- Healthcare: HIPAA / HITECH, HITRUST
- Federal: FedRAMP, NIST, FISMA
- Payment card transactions: PCI DSS
- Privacy / PII: ISO 27018, Privacy Shield

CLOUD ADOPTION AND ENHANCING COMPLIANCE POSTURE IN THE CLOUD

CLOUD OPERATIONAL CONSIDERATIONS
- Traditional security infrastructure
- Business continuity / disaster recovery operations: disaster recovery vs. high availability
- Access and identity: the nuts and bolts of connecting internal user stores with the external provider, and access to internal information by the external provider

CLOUD OPERATIONAL CONSIDERATIONS
- Incident management: coordination and escalation with the external provider
- Encryption management (if applicable): key management and scalable encryption requirements
- Technical infrastructure: virtualization, connectivity, bandwidth, performance, etc.

UNDERSTANDING RESPONSIBILITY
- Outsourcing may not extend to compliance
- Ensure clear SLAs (and continuous monitoring of them)
- Target comprehensive coverage
- Anticipate

UNDERSTANDING RESPONSIBILITY - IAAS
Controls environment (layers: application, data, operating system, hardware, network, facility)
Customer:
- Application usage and user provisioning
- Application security
- Database security
- Operating system configuration
Provider:
- Hardware provisioning and management
- Network management
- Facilities management

UNDERSTANDING RESPONSIBILITY - PAAS
Controls environment (layers: application, data, operating system, hardware, network, facility)
Customer:
- Application usage and user provisioning
- Application development, deployment and security
- Database management and security
Provider:
- Operating system configuration and provisioning
- Hardware management
- Network management
- Facilities management

UNDERSTANDING RESPONSIBILITY - SAAS
Controls environment (layers: application, data, operating system, hardware, network, facility)
Customer:
- Application usage and user provisioning
Provider:
- Application development, management and security
- Database management and security
- Operating system configuration
- Hardware management
- Network management
- Facilities management

CLOUD COMPUTING EXAMPLE: RASCI MODEL
- R: Responsible ("the doer")
- A: Accountable ("the buck stops here")
- S: Supported ("the helper")
- C: Consulted ("in the loop")
- I: Informed ("notify me")

BEFORE cloud provider (infrastructure layer: customer roles / cloud provider roles)
- External Network & Security: R A S C I / (none)
- Applications: Configuration & Patching: R A S C I / (none)
- Internal Network & Security: R A S C I / (none)
- Operating System: Updates & Patching: R A S C I / (none)
- VMware: R A S C I / (none)
- Computing Hardware - "Bare Metal": R A S C I / (none)

AFTER cloud provider (infrastructure layer: customer roles / cloud provider roles)
- External Network & Security: R A C I / R A S C I
- Applications: Configuration and Patching: R A C I / R A S C I
- Internal Network & Security: I / R A S C I
- Operating System: Updates & Patching: I / R A S C I
- VMware: I / R A S C I
- Computing Hardware - "Bare Metal": I / R A S C I

KNOW WHERE THE DATA IS
- Customers and providers may have external obligations
- National / regional / local data management requirements
- Can data be moved without customer consent?
- Who can view it (subcontractors / offshore)?
- Safeguarding for discovery

TAKE YOUR TIME
- Adoption is a process
- Management commitment
- Defined goals and stated objectives
- Involve all interested parties, especially information technology / information security

REAL-WORLD EXPERIENCES: BENEFITS

BENEFITS OF CLOUD COMPUTING
- Eliminates single points of failure
- Risk transfer to the cloud service provider
- Allows for the use of third-party expertise

BENEFITS OF CLOUD COMPUTING
- Time savings (varies by cloud model)
- Allows the organization to concentrate on core competencies
- Enhanced availability and continuity

REAL-WORLD EXPERIENCES: CHALLENGES

CHALLENGES OF CLOUD COMPUTING
- Relinquishing control: reduced control of data as more responsibility shifts to third parties.
- Meeting regulations: regulations govern the way data must be protected. The cloud service provider may not be heavily regulated, but its customers may be. As their trusted supplier, a customer's requirements flow down to the cloud service provider, meaning the cloud must have proper controls.

CHALLENGES OF CLOUD COMPUTING
- Business interoperability: today's clouds must be able to communicate with each other and offer data portability.
- Convenience vs. security: using the cloud, we want both convenient access and secure data protection, creating a difficult balancing act.
- Management reporting: to meet many of today's regulations, the ability to report where data is and how it is protected is essential.

CHALLENGES OF CLOUD COMPUTING
- Data integration and transfer: we must find a way to transfer data into the cloud that is both safe and cost-effective.
- Due diligence: allow for a full assessment of cloud service provider prospects, applicable to the model chosen, and understand the boundaries of responsibility.

Q&A

THANK YOU!