Paul Woods, Chair, ISNorthEast (@paulw_pm). MITIGATION: Ensuring we procure cloud services taking into account the risks involved.

Presentation transcript:

Paul Woods, Chair, ISNorthEast, @paulw_pm
MITIGATION: Ensuring we procure cloud services taking into account the risks involved
@neict #ESB16

What are you buying? Making sense of “aaS”

Caveat Emptor
Central Government has a ‘cloud first’ policy. G-Cloud is a procurement option; ALL other procurement routes are available.
The cloud first policy says to use commercially available systems instead of custom-built systems, to save costs.
G-Cloud is a series of framework agreements with suppliers, from which public sector organisations can buy services without needing to run a full tender or competitive procurement process.
CCS (Crown Commercial Services) does not assure services; we have to.
You must take the supplier’s agreed Ts & Cs.
There is a maximum contract duration (think about your exit strategy).

Before you start
Know your business requirements.
Understand your risk appetite and your information / application.
Think about your exit strategy.
Talk to colleagues in IG, IA, IS and any third-party data controllers.
Understand the information/application: are YOU the data controller, or are you processing someone else’s data?
In cloud-based systems you need to know how to get YOUR information into the system, and out of the system once the contract has come to an end.

Talk to colleagues from IG, IA and IS
Determine which cloud security principles are important and what implementation options are acceptable to manage risks to your organisation’s information. You need to be able to score / exclude cloud providers that don’t meet your requirements.

Talk to colleagues from IG, IA and IS
Include investigations of how the principles are implemented in your award questions. Evaluate the responses with colleagues from IG, IA and IS.

Cloud Security Principles
Let’s look at HMG’s 14 Cloud Security Principles:
Principle 1: Data in transit protection
Principle 2: Asset protection and resilience
Principle 3: Separation between consumers
Principle 4: Governance framework
Principle 5: Operational security
Principle 6: Personnel security
Principle 7: Secure development
Principle 8: Supply chain security
Principle 9: Secure consumer management
Principle 10: Identity and authentication
Principle 11: External interface protection
Principle 12: Secure service administration
Principle 13: Audit information provision to consumers
Principle 14: Secure use of the service by the consumer

Cloud Security Principles
Principle 1: How is data protected in transit?
- Between you and the cloud provider
- Across the cloud provider’s systems
- Where any APIs are exposed
- Network protection
- Encryption
Principle 2: How is your data, and the assets storing or processing it, protected against physical tampering, loss, damage or seizure?
- Physical location and legal jurisdiction
- Data centre security
- Data at rest protection
- Data sanitisation
- Equipment disposal
- Physical resilience and availability
Principle 3: How is separation put in place between your data/application and others’?
- Public, private or community cloud?
- Is the underlying infrastructure IaaS, and how does that impact on separation risks?
- Who are you sharing with? What level of sharing is acceptable? Shared server / rack / cage / data centre

Cloud Security Principles
Principle 4: What is the cloud provider’s security governance framework?
- Is a board member responsible for security?
- Have key security policies been developed, and are they in place?
- Are security risks managed as part of the organisation’s risk reporting mechanisms?
- What legal and regulatory frameworks apply, and how does the cloud provider ensure compliance?
Principle 5: What processes and procedures are in place to ensure the operational security of the service?
- Configuration and change management
- Vulnerability management
- Protective monitoring
- Incident management
- Patching policies and procedures
Principle 6: What staff security screening and education has the cloud provider put in place?
- Does the nature of your data / application dictate any special screening needs?
- Does the cloud provider screen staff that can access your data, and how?
- What regular training is in place?

Cloud Security Principles
Principle 7: What measures has the cloud supplier designed into their service to identify and mitigate threats to their security?
- Is continual development in place in response to threat evolution?
- Is development in line with industry good practice on design, coding, testing and deployment?
- Are configuration management processes in place?
Principle 8: How does the cloud supplier ensure its supply chain doesn’t compromise any of the security principles it has put in place?
- Which third parties provide which services to the cloud provider?
- Do any of these have access to your data?
- How does the cloud provider manage their conformance with its security requirements?
- How does the cloud provider verify that any hardware and software they use is genuine and has not been tampered with?

Cloud Security Principles
Principle 9: What tools does the cloud provider give you access to so you can manage your service securely?
Principle 10: How does the cloud provider ensure access to service interfaces is constrained to authorised and authenticated individuals?
- What authentication is in place?
- How are unauthorised people denied access to your application / data?

Cloud Security Principles
Principle 11: Has the cloud provider identified all external or less trusted interfaces to its services and taken appropriate actions to protect them?
- Are interfaces documented?
- What penetration testing regime is in place?
Principle 12: How has the cloud provider ensured that its services are administered securely?
- Are more stringent controls applied to who can administer the cloud provider’s systems and what data they can access?
- Is your data/application segregated and administered separately? At what level? e.g. private cloud
- Can the service be managed from devices used for normal business use? (high risk)
- Are the services being managed offsite, from various locations?

Cloud Security Principles
Principle 13: Does the cloud provider give you access to audit records so you can monitor access to your service and the data in it?
- What information is available? How can you access it? In what format? What is the retention period?
- Is it suitable for investigating misuse or incidents?
- Do you need a copy of the logs at your site? What is the risk of log tampering?
Principle 14: What measures has the cloud provider taken to help end users (employees/citizens) use the service responsibly and not create security risks?
- Especially relevant for IaaS and PaaS
- What configuration options are available?
- Is access restricted to devices you own and manage? (think PSN)
- What end user education is available / recommended?

Other Considerations
- What are the guaranteed availability levels of the cloud system, if any?
- When will patching/updating of the system be carried out?
- What business continuity provisions has the cloud provider put in place?
- What security and business continuity testing regimes has the cloud provider put in place?
- What security and business continuity accreditations / certifications does the cloud provider have?
Availability: 99.9% = 8.76 hrs of downtime per year, 99.99% = 0.87 hrs per year; uptime etc.
BC: what happens if a data centre is unavailable?

Other Considerations
- What connectivity does the cloud provider have in place?
- What connectivity do you have in place?
- What browsers and/or devices does the cloud service support?
- Is there an ongoing application compatibility issue?
- What additional mitigations could you apply?
- What residual risks are there?
- The EU General Data Protection Regulation.
Connectivity: can it cope with the traffic? Is it resilient?
Browsers and/or devices supported: manufacturer / product / version.
Ongoing application compatibility issues: the current browser and the previous one, for example; IE11 and previous versions.
There will be lots of others that need to be taken into consideration.

https://www.gov.uk/government/collections/cloud-security-guidance