Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Gain Comfort in Losing Control to the Cloud Randolph Barr CSO - Qualys, Inc SourceBoston, 23. April 2010.

Published byLewis Johnson Modified over 9 years ago

Similar presentations

Presentation on theme: "How to Gain Comfort in Losing Control to the Cloud Randolph Barr CSO - Qualys, Inc SourceBoston, 23. April 2010."— Presentation transcript:

1 How to Gain Comfort in Losing Control to the Cloud Randolph Barr CSO - Qualys, Inc SourceBoston, 23. April 2010

2 At a Glance  NIST Definition  Cloud Challenge  Cloud Concern  Added Security Concerns  Security Transition  Is Cloud ready for you  Available Resources  Where to start

3 NIST Definition Cloud http://csrc.nist.gov/groups/SNS/cloud-computing/

4 4 Cloud Challenge

5 “In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.” -- Information Week http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319

6 Cloud Security Incident  Make Shift Data Center  Perimeter Security  Incident Response  Product Security  Features  Interpretation  Sold as a premium feature “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.” Attackers are ignoring the front door Current Anti-Virus Solutions are not working Patching sometimes is not enough You might be playing in the big leagues http://googleblog.blogspot.com/2010/01/new-approach-to-china.html http://www.qualys.com/aurora

7 Added Security Concerns  Business Unit bypass IT and Security  Individuals using cloud  How can IT / Security get in front of decisions to use cloud  Must do a better job managing risk

8 Cloud Security Shift  Customer Options  Security is a business enabler  Raise cloud user comfort  Provide transparency  Collaboration  Focus on business and not security  Business disabler  Cloud Provider knows how to implement security  Not transparent

9 Security Transition  Lessons Learned  Customer Concerns  Security Questionnaires  Response to questions varied  Increased of questionnaires  Request of evidence

10 Critical Challenges for Cloud Security Security Program Questionna ires Follow up Reviews Regulatory Compliance Customer Reviews External and Internal Reviews 10 Security Budgets Staffing/ Resources Reduce Confusion

11 Enterprise CIO Strategies — IT Security Needs to be Aligned 11 (February 2010) Link Business and IT strategies and plans Deliver projects and enable business growth Cloud Computing Web 2.0 Virtulization

12 Is Cloud Ready for You  Determine business need  Will the Cloud Provider be around  What data will be stored  Where will it be stored  What is your classification and control requirements for that data

13 Is Cloud Ready for You  What controls does the provider implement  Who is responsible for security  Are there third party validations  Right to Audit  Process for removing data  Incident Response  How often do you need to review?

14 Resources Available to Cloud Users  Cloud Security Alliance  CSA Guide (guide your approach internal legal / business UNIT) also recommendations for users and providers  Top Threats to Cloud Security (underwritten by HP)  ENISA  Security Benefits of Cloud and Risks  Make recommendations on risks and maximize the benefits

15 Resources Available to Cloud Users  Shared Assessments  Target Data Tracker  Self Information Gathering (SIG) – Level I, Level II  AUP  Business Continuity Questions, Privacy Questions, Other tools  Jericho Forum  Cloud Cube Model  Self-Assessment

16 What Will Be Stored  Know your provider  Ask them what data is required to be stored  Verify with your internal business team

17 Where Will it be Stored  Request for their locations  Validate that all locations are accounted for  Request they describe the types of controls in place

18 How to Verify  Target your questionnaire  Questions should clearly identify internal versus production questions  No and N/A should have comments section completed

19 Assessment www.jerichoforum.org/SAS_Guide.pdf

20 Other Options  Security Questionnaires  OnSite Review  ISO 27002  SAS-70 Type II  ISAE 3402  SysTrust  PCI  Third Party Penetration Test  Emerging Cloud Certifications / Assessments

21 Moving Forward  Provider security maturing  Continuous Assessment  Transparency  Vendor Cooperation  Collaboration  Community

22 Available to Cloud Users  Qualys  http://www.qualys.com/products/qg_suite/malware_detection/ http://www.qualys.com/products/qg_suite/malware_detection/  http://www.qualys.com/aurora http://www.qualys.com/aurora  Cloud Security Alliance  http://www.cloudsecurityalliance.org/ http://www.cloudsecurityalliance.org/  JERICHO Forum  http://www.opengroup.org/jericho/ http://www.opengroup.org/jericho/  Shared Assessments  http://www.sharedassessments.org/ http://www.sharedassessments.org/  ISAE 3402  http://www.ifac.org/MediaCenter/?q=node/view/687 http://www.ifac.org/MediaCenter/?q=node/view/687

23 Thank you rbarr@qualys.com

Download ppt "How to Gain Comfort in Losing Control to the Cloud Randolph Barr CSO - Qualys, Inc SourceBoston, 23. April 2010."

Similar presentations

Cloud Computing - clearing the fog Rob Gear 8 th December 2009.

Cloud Computing - clearing the fog Rob Gear 8 th December 2009.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Phone: (919) 573-6132 Fax: (919) 677-8470 21CFR Part 11 FDA Public Meeting Comments Presented by: M. Rita.

Phone: (919) Fax: (919) CFR Part 11 FDA Public Meeting Comments Presented by: M. Rita.
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Page 1 Business Architecture – From Business Strategy to the Alignment of IT Rich Waller An Insurance Industry Case Study April 15, 2009.

Page 1 Business Architecture – From Business Strategy to the Alignment of IT Rich Waller An Insurance Industry Case Study April 15, 2009.
Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.

Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.
Malware Response Infrastructure Planning and Design Published: February 2011 Updated: November 2011.

Malware Response Infrastructure Planning and Design Published: February 2011 Updated: November 2011.
Dr. Julian Lo Consulting Director ITIL v3 Expert

Dr. Julian Lo Consulting Director ITIL v3 Expert
Security Controls – What Works

Security Controls – What Works
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
Enterprise Risk Management and Business Continuity Planning Mark Carey, CPA, CISA President 866.335.2736 x8431

Enterprise Risk Management and Business Continuity Planning Mark Carey, CPA, CISA President x8431
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.

1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.
© 2010 RightNow Technologies, Inc. ASU – CABIT – Privacy Day Privacy in the Cloud Ben Nelson CISO, RightNow Technologies.

© 2010 RightNow Technologies, Inc. ASU – CABIT – Privacy Day Privacy in the Cloud Ben Nelson CISO, RightNow Technologies.
No one questions that Microsoft can write great software. Customers want to know if we can be innovative, scalable, reliable in the cloud. (1996) 450M+

No one questions that Microsoft can write great software. Customers want to know if we can be innovative, scalable, reliable in the cloud. (1996) 450M+
Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:

Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:

Similar presentations

Ads by Google