Practical tips for securing your cloud – James Turner, IBRS Advisor, August 2012

Building a smarter planet

Warning: this presentation has a lot of pictures of clouds.

Practical tips for securing your cloud – agenda
Defining the cloud
What IBRS clients are asking & what the experts say
Four interesting areas of risk
Summary
A glimpse of the future
Questions

Defining cloud
The most widely accepted definition of cloud comes from the National Institute of Standards and Technology (NIST):
1. On-demand self-service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Pay-per-use measured service
I'm talking about SaaS.
Morning Glory clouds – Gulf of Carpentaria. Source: NASA. Credit: Mick Petroff

What IBRS clients are asking & what the experts say
Review our SaaS contracts for technical risks
– Defence Signals Directorate (DSD): availability of data and business functionality; protecting data from unauthorised access; and handling security incidents.
– Australian Government Information Management Office (AGIMO): liability; performance management; ending the arrangement.
– National Archives of Australia

Four SaaS vendor contract reviews
Findings – there are 4 core areas of risk in these vendor MSAs:
1. Light on specifics
2. Heavy on indemnity
3. Default customer referencing
4. Flimsy data portability

Light on specifics
"Will protect customer data in a manner consistent with general industry standards reasonably applicable."
"Will use commercially reasonable efforts to make the purchased services available 24 hours a day, 7 days a week."
Impact: nothing to hold them to!
Light and wispy cirrus clouds

Heavy on indemnity
They will not be held liable for any loss of data, or revenue, or profits.
Service credits, if available, are like eating lettuce
– You expend more energy chewing than you get from the consumption
Impact: nothing to hold them to!
– (and look at how well that worked in the software industry!)

Customer reference by default
"Customer agrees to work with Marketing Department to produce a news release to Customer's use of the Service."
Risks of being outed as a customer:
– "kick me"
– Collateral damage
– Target-rich environment
– Economy of effort for attackers
Impact: what has this done to your risk profile?

Flimsy data portability
Only 1 of the 4 mentioned a format
Proprietary data formats help create lock-in
One source of truth?
Migrating to another vendor?
– Who owns the metadata?
– Can you access security logs?
Impact: vendor lock-in, paying for migration, rivals being sold your work
Storm front over Phillip Island, Nov 11. Source: ABC.net.au

Conclusion: Practical tips for securing your cloud
Understand the risks
– Create a list of the technical risks
– War-game different scenarios, attacks, or failures
– Walk these through with business stakeholders
Contract management
– Involved vs. committed?
– Be biased toward vendors who commit to standards
– Note: take-it-or-leave-it contracts are positively viewed by some
Asperatus cloud, New Zealand, undated photo. Source: National Geographic

An interconnected world leads to exponential complexity and unforeseen interdependencies!

Questions?

References
Cloud Computing Security Considerations, Defence Signals Directorate (Australian Department of Defence), April 2011.
Better Practice Guide: Negotiating the cloud – legal issues in cloud computing agreements, Australian Government Information Management Office, February 2012.
A Checklist for Records Management and the Cloud, National Archives of Australia, 2011.
IBRS research:
– "The Next Perfect IT Storm: The Red Shift, Utility Computing", IBRS, April 2008.
– "Cloud computing, you may need a parachute", IBRS, April 2009.
– "Legal considerations that apply in cloud computing", IBRS, May 2009.
– "Cloud computing and the law - data considerations", IBRS, June 2009.
– "Cloud computing and the law - business implication", IBRS, July 2009.
– "A legal checklist before taking off into the cloud", IBRS, August 2009.
– "APRA offers timely advice against losing your head in the cloud", IBRS, November 2010.
– "Two tests to evaluate Cloud economics", IBRS, March 2011.
– "A matrix for cloud computing risk analysis", IBRS, October 2011.
– "Cloud security - the real risks", IBRS, January 2012.
– "How do you catch a cloud and pin it down? Part 1", IBRS, May 2012.
– "How do you catch a cloud and pin it down? Part 2", IBRS, July 2012.