How to Gain Comfort in Losing Control to the Cloud Randolph Barr CSO - Qualys, Inc SourceBoston, 23. April 2010

At a Glance  NIST Definition  Cloud Challenge  Cloud Concern  Added Security Concerns  Security Transition  Is Cloud ready for you  Available Resources  Where to start

NIST Definition Cloud

4 Cloud Challenge

“In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.” -- Information Week

Cloud Security Incident  Make Shift Data Center  Perimeter Security  Incident Response  Product Security  Features  Interpretation  Sold as a premium feature “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.” Attackers are ignoring the front door Current Anti-Virus Solutions are not working Patching sometimes is not enough You might be playing in the big leagues

Added Security Concerns  Business Unit bypass IT and Security  Individuals using cloud  How can IT / Security get in front of decisions to use cloud  Must do a better job managing risk

Cloud Security Shift  Customer Options  Security is a business enabler  Raise cloud user comfort  Provide transparency  Collaboration  Focus on business and not security  Business disabler  Cloud Provider knows how to implement security  Not transparent

Security Transition  Lessons Learned  Customer Concerns  Security Questionnaires  Response to questions varied  Increased of questionnaires  Request of evidence

Critical Challenges for Cloud Security Security Program Questionna ires Follow up Reviews Regulatory Compliance Customer Reviews External and Internal Reviews 10 Security Budgets Staffing/ Resources Reduce Confusion

Enterprise CIO Strategies — IT Security Needs to be Aligned 11 (February 2010) Link Business and IT strategies and plans Deliver projects and enable business growth Cloud Computing Web 2.0 Virtulization

Is Cloud Ready for You  Determine business need  Will the Cloud Provider be around  What data will be stored  Where will it be stored  What is your classification and control requirements for that data

Is Cloud Ready for You  What controls does the provider implement  Who is responsible for security  Are there third party validations  Right to Audit  Process for removing data  Incident Response  How often do you need to review?

Resources Available to Cloud Users  Cloud Security Alliance  CSA Guide (guide your approach internal legal / business UNIT) also recommendations for users and providers  Top Threats to Cloud Security (underwritten by HP)  ENISA  Security Benefits of Cloud and Risks  Make recommendations on risks and maximize the benefits

Resources Available to Cloud Users  Shared Assessments  Target Data Tracker  Self Information Gathering (SIG) – Level I, Level II  AUP  Business Continuity Questions, Privacy Questions, Other tools  Jericho Forum  Cloud Cube Model  Self-Assessment

What Will Be Stored  Know your provider  Ask them what data is required to be stored  Verify with your internal business team

Where Will it be Stored  Request for their locations  Validate that all locations are accounted for  Request they describe the types of controls in place

How to Verify  Target your questionnaire  Questions should clearly identify internal versus production questions  No and N/A should have comments section completed

Assessment

Other Options  Security Questionnaires  OnSite Review  ISO  SAS-70 Type II  ISAE 3402  SysTrust  PCI  Third Party Penetration Test  Emerging Cloud Certifications / Assessments

Moving Forward  Provider security maturing  Continuous Assessment  Transparency  Vendor Cooperation  Collaboration  Community

Available to Cloud Users  Qualys    Cloud Security Alliance   JERICHO Forum   Shared Assessments   ISAE 3402 

Thank you