Slide 1: Risk Management and Cloud Security
Rodney A. Walsh, CGEIT, CRISC // Director of IT Risk Services
Paco Diaz // Senior Consultant II
CACUBO (Central Association of College & University Business Officers), Kansas City Winter Workshop, April 8, 2014
Slide 2: Agenda
(Footer on every slide: Risk Management & Cloud Security, February 19, 2014)
- Define the cloud ecosystem
- Business use of cloud services
- Cloud service risks
- Governance of the cloud: critical policies, procedures & controls
- Third-party management considerations for the cloud
Slide 3: Define the Cloud Ecosystem (section)
Slide 4: Define the Cloud Ecosystem
Cloud Computing: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Source: NIST Special Publication 800-145, The NIST Definition of Cloud Computing (http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf)
Slide 6: Define the Cloud Ecosystem: Essential Characteristics
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

Slide 7: Define the Cloud Ecosystem: Service Models
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
Slide 8: Define the Cloud Ecosystem
Figure: provider logos grouped by service model (SaaS, PaaS, IaaS); recoverable names: Apps for Business, Adobe Creative Cloud.
Slide 9: Define the Cloud Ecosystem: Deployment Models
- Private cloud
- Community cloud
- Public cloud
- Hybrid cloud

Slide 10: Define the Cloud Ecosystem: Private Cloud
- Provisioned for a single organization
- May exist on or off site
- May be managed by the organization or outsourced
Slide 11: Define the Cloud Ecosystem: Community Cloud
- Provisioned for exclusive use by a specific community
- May be managed by one or more of the community organizations
- May be managed by a community organization or outsourced

Slide 12: Define the Cloud Ecosystem: Public Cloud
- Provisioned for the general public
- Exists on the premises of the cloud provider
- May be owned, managed & operated by a business, academic or government organization, or a combination
Slide 13: Define the Cloud Ecosystem: Hybrid Cloud
- Combination of two or more distinct cloud infrastructures
- Combines characteristics of private, public & community clouds
Slide 14: Just Imagine
Source: 2011 Digital Universe Study: Extracting Value from Chaos
- It would take over 132 billion 64GB iPads to hold all of the world’s electronic data by 2015.
- Placed end to end, that many 64GB iPads would go around the world over 790 times.
- You could build two stacks of that many 64GB iPads that would reach the moon, and a 3rd stack that would be 129,606 miles high.
- That many 64GB iPads would cost $92.76 trillion.
Slide 15: Business Use of Cloud Services (section)

Slide 16: Business Use of Cloud Services
“By 2016, the average personal cloud will synchronize and orchestrate at least six different device types.” Gartner, Predicts 2013: Cloud Computing Becomes an Integral Part of IT.
Issue #3: Developing a campus-wide cloud strategy. EDUCAUSE “Top 10 IT Issues”, 2013.
Slide 17: Business Use of Cloud Services: Financial Savings
- Equipment
- Personnel
- Infrastructure
- Space & utilities
- Reduced obsolescence
- Reduced capital expenditures
- Reduced implementation costs

Slide 18: Business Use of Cloud Services: Increased Flexibility
- Rapid deployment
- Ability to add or reduce capacity
- On-demand provisioning
- Disaster recovery
- Business expansion (across town or across the globe)

Slide 19: Business Use of Cloud Services: Streamlined Business Development
- Focus on innovation & research
- Reduced effort on management, maintenance & support
- Simplified entry into or exit from business initiatives
- Increased access to technical expertise
Slide 20: Business Use of Cloud Services
“Slow transition to the Clouds continues.” Kenneth C. Green, Campus Computing Project, EDUCAUSE Annual Conference, 10/17/2013.

Slide 21: Business Use of Cloud Services: Why So Slow?
- Absence of provider offerings
- Can’t visualize moving to the Cloud
- Want to retain command, control & computing
- Let others make the journey first
Slide 22: Cloud Service Risks (section)

Slide 23: Cloud Service Risks

Slide 24: Cloud Service Risks: Security
- Physical access to infrastructure, systems & data
- Physical location of systems & data
- Logical access to the network, OS, applications & databases
- Network & data segregation

Slide 25: Cloud Service Risks: Availability
- Cloud provider service interruptions
- Data location/availability for restoration
- Network/connectivity interruptions
- Failure of the provider to adhere to SLAs
- Service provider disaster recovery
Slide 26: Cloud Service Risks: Processing Integrity
- Adherence to change management procedures
- Incident management
- Failure of the provider to adhere to SLAs
  - Timeliness
  - Accuracy
  - Authorization
  - Completeness

Slide 27: Cloud Service Risks: Confidentiality
- Commingling of data & other assets
- Unauthorized access to sensitive or trade secret information
- Privacy
- International laws affecting service provider location
- Regulatory compliance/legal liability
- Breach & incident management
Slide 28: Governance of the Cloud: Critical Policies, Procedures & Controls (section)

Slide 29: Governance of the Cloud: Governance Risk Management Tools
Slide 30: Governance Risk Management Tools: Information Security
- Data life cycle
- Data classification
- Formal policies & procedures

Slide 31: Governance Risk Management Tools: Metrics
- Objectives
- Define metrics
- Periodic assessment & review
Slide 32: Governance Risk Management Tools: SLAs
- Access to data
- Appropriate controls
- Management, counsel, IT & business owners involved

Slide 33: Governance Risk Management Tools: Data Flow Analysis
- Understand the life cycle
- Develop data-flow schematics
- Policies to review/update data flow documentation

Slide 34: Governance Risk Management Tools: Managing Computing Risk
- App & tech inventory
- In conjunction with data flow analysis
- Address each layer of cloud “stack” risk

Slide 35: Governance Risk Management Tools: Audit & Compliance
- Regulatory implications
- Use risk assessment tools and control frameworks
- Assess control maturity
- Vendor management

Slide 36: Governance Risk Management Tools: Control Frameworks (NIST, COBIT, CSA)
- CIS Security Metrics v1.0.0
- Cloud Security Alliance
- NIST SP 800-146
- NIST SP 500-293
Slide 37: Governance of the Cloud: Procedures/Tools Links
NIST Guidance
- http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
- http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf
Cloud Security Alliance (CSA)
- https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
- https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3/
Information Systems Audit and Control Association (ISACA)
- http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Cloud-Computing-Management-Audit-Assurance-Program.aspx
The Center for Internet Security (CIS)
- https://benchmarks.cisecurity.org/tools2/metrics/CIS_Security_Metrics_v1.1.0.pdf
Slide 38: Third-Party Management Considerations for the Cloud (section)

Slide 39: Third-Party Management
Use of the cloud:
- Transfers risk
- Reduces control
- Requires new control considerations
  - Service-level management
  - Third-party management
Slide 40: Third-Party Management: What Can You Do?
- Define service levels for financial reporting systems
- Create a framework to manage service level agreements
  - KPIs
  - A designated individual responsible for monitoring & reporting service level performance
- Organization vendor management policy for the selection of outsourced services
  - Determines that, before selection, potential third parties are qualified on 1) capability to deliver the service and 2) a review of their financial viability

Slide 41: Third-Party Management: What Can You Do?
- Third-party service contracts address risks, security controls & procedures for information systems
- Procedures ensure that a formal contract is defined & agreed upon for all third-party services before work is initiated, including definition of internal control requirements & acceptance of the organization’s policies & procedures
- A regular review of security, availability & processing integrity is performed for service-level agreements & related contracts with third-party service providers
Slide 42: Service Organization Control Reports (SOC 1 / SOC 2 / SOC 3)
- Purpose: SOC 1 reports on controls relevant to user entities’ ICFR (1); SOC 2 and SOC 3 report on controls related to compliance & operations.
- Use of report: SOC 1 restricted (2); SOC 2 restricted (3); SOC 3 general use.
- Report detail: SOC 1 and SOC 2 include testing detail; SOC 3 contains no testing detail.
- AICPA interpretive guidance: SOC 1: SSAE 16 & AICPA Guide; SOC 2: AT 101, Trust Services Principles & AICPA Guide; SOC 3: AT 101 & Trust Services Principles.
Notes:
(1) Internal Control Over Financial Reporting
(2) Service organization management, users, users’ auditor
(3) Service organization management, users, knowledgeable parties
Slide 43: Risk Management and Cloud Security
Rodney A. Walsh, CGEIT, CRISC, Director of IT Risk Services
Paco Diaz, CISA, Senior Consultant II
Thank You