Campus Cloud Security Shared Assessments Jon Allen, Baylor University and Nick Lewis, Internet2 April 2016

Agenda Current State Existing Solutions Somewhere to Start Questions

Current state Campuses are rapidly adopting cloud services and deploying software systems Assessing the risk for cloud services and software systems as quickly as possible Developing vendor risk mgmt programs Developing enterprise risk mgmt programs Evolving information security programs as quickly as possible Too much to do to effectively do it all!

What problem are you trying to solve? How to as easily and quickly as reasonably possible share work done at one campus with other campuses Freeing up time to dedicate back to critical information security functions Create a forum/space to share and find existing shared assessments Build on the existing higher education information security community sharing

Example Graduate Admissions wants to use Slate for applications Add to risk assessment list to address ASAP Could e-mail various security lists to see if anyone has used or assessed it Could check external vendor, or NET+, to see if it has been assessed Work with dept on assessment and contract Potentially spend significant amount of time and slow down dept requestor

We’re not proposing…. Replacing your information security risk assessment programs Replace existing communities Approve the security of a cloud service or software Replace NET+ program

Existing Solutions? Existing vendor management programs Existing commercial service providers like 3PAS, Skyhigh Registry, and others Community service providers like Shared Assessments, CSA CSTAR, and others NET+ program On this slide, go over why each won’t work

Potential Challenges Intent is not for “approval”, but to help a campus save some time in managing their third party vendors and service providers Could provide insight into security operations on a campus Providing access control to just higher ed Materials can’t be under NDA How to incorporate into your information security programs

What Assessment Questionnaire? Existing security questionnaires CSA’s Consensus Assessments Initiative Questionnaire Google’s Vendor Security Assessment Questionnaire NIST 800-53v4, ISO27001, and many others Develop something new – NO!

Potential Solutions Does this need to be more than just some metadata and a pointer to a report? Trying for low maintenance, but high value (also free) Can this be done in existing community activities? Email list, Box folder, Internet2 forum, wiki, other?

Somewhere to start Start with an Internet2 Working Group Start with mailing list - shared-security-assessments@internet2.edu  Figure out if Box folder, Internet2 Forum, or Mailing list would meet the need Do we want to have a conference call? Develop a usage document explaining how to use, metadata required, and disclaimer Announce!

Questions for you Do you want to help get this started? Is this of interest of you and your teams? Would you actually use it? Would you be willing to share your assessments? Do you want to help get this started?

Questions for us? If you have any questions, please contact: Jon Allen, CISSP, EnCE Assistant Vice President & CISO Jon_Allen@baylor.edu Nick Lewis, Internet2 NET+ Program Manager, Security and Identity nlewis@internet2.edu

Campus Cloud Security Shared Assessments Please remember to fill out your session evaluation! It’s all Nick’s fault if this sucks!