#watitis2015 CAN I DO THAT IN THE CLOUD? Jason Testart.


1 #watitis2015 watitis.uwaterloo.ca @watitisconf CAN I DO THAT IN THE CLOUD? Jason Testart

2 CAN YOU DO THAT IN THE CLOUD?

3 Yes.

4 This is really about RISK

5 WHAT IS RISK?
  “Risk” means the chance of occurrence of an event or trend that will have a negative impact on operations or fulfillment of objectives at the institutional, academic unit and/or academic support unit levels.

6 RISK (VERB) ACCORDING TO GOOGLE
  expose (someone or something valued) to danger, harm, or loss.

7 RISKS TO INFORMATION
  Confidentiality: unintentional disclosure
  Integrity: unintentional modification
  Availability: unintentional loss of access
  Let’s not forget Compliance.
  Don’t forget it’s about HARM.

8 RISK FACTORS
  RISK
    LIKELIHOOD
    IMPACT

9 RISK FACTORS
  RISK
    LIKELIHOOD (technical factors): Threat, Vulnerability, Exposure
    IMPACT (business factors): Scope, Value, Cost of Recovery

10 IMPACT FACTORS (WHAT’S THE DEGREE OF HARM?)
  Scope: number of records; number of areas of the University
  Value: e-mail addresses? Grades? Health information?
  Cost of Recovery: people time? Restore from backups? Costs from outage?

11 LIKELIHOOD FACTORS (TECHNICAL CONSIDERATIONS)
  Threats
  Vulnerabilities (Exposures)
  Let’s consider some contexts…

12 LIKELIHOOD FACTORS (PAPER RECORDS)
  Threats: mostly physical; Mother Nature
  Vulnerabilities: flammable; process issues
  Exposures: handling issues

13 LIKELIHOOD FACTORS (DESKTOP COMPUTER)
  Threats: bad “actors”; time; Mother Nature
  Vulnerabilities: low quality hardware; software
  Exposures: on-line; low physical security measures, generally

14 WHO ARE BAD “ACTORS”?
  Hacktivists (Anonymous)
  Cybercriminals (West African fraudsters; Eastern European organized crime)
  Foreign States

15 LIKELIHOOD FACTORS (ENTERPRISE DATA)
  Threats: bad “actors”; human error (many hands); inappropriate use (vs intent of collection); Mother Nature
  Vulnerabilities: change management process (lack of?); software; hardware
  Exposures: on-line

16 HOW DOES CLOUD CHANGE THINGS?
  Threats: generally the same; people who aren’t on your payroll
  Vulnerabilities: UNKNOWN
  Exposures: UNKNOWN

17 KNOWN UNKNOWNS, AND UNKNOWN UNKNOWNS!

18 FIRST, WHAT IS “THE CLOUD”?
  Service offerings: IaaS, PaaS, SaaS
  SaaS is what we see most often
  Many SaaS offerings depend on IaaS or PaaS offerings

19 FOCUS ON THE DATA, NOT THE TECHNOLOGY
  Lifecycle: collection; use (including integration); destruction
  Quality: authoritative data?
  Don’t forget about C – I – A

20 HOW DO WE MANAGE CLOUD RISK?
  Due diligence before contract is signed.
  Consider R = L x I
  Think about C – I – A
  Impact considerations: how important is the data/service to you, your clients, and the institution?
  Likelihood considerations: ask questions. What questions to ask?

21 YOU ARE NOT ALONE
  PSIA is a first attempt at a tool to manage risk
  Privacy Officer helps with privacy elements (mostly impact factors)
  Information Security Services helps with security elements (mostly likelihood factors)
  Even with lack of PSIA, can still do due diligence

22 (no transcript text on this slide)

23 EXPERIENCES SO FAR
  You can have data in the USA
  Size and maturity of provider
  Contractual relationships
  SaaS stacked on IaaS
  PCI DSS and E-Commerce
  NDAs for information
  SAML support: a good move!

24 METHODOLOGY
  Calculate Impact
  Calculate Likelihood
  Determine Risk!
  Simple Methodology
  Binary Risk Analysis (see example)
  OWASP Risk Rating Methodology

25 EXAMPLE RISK TABLE
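The following worked example is added here and is not from the presentation. It scores the likelihood factors of slide 9 (threat, vulnerability, exposure) and the impact factors of slide 10 (scope, value, cost of recovery) on the 0-9 scale, averages them, and maps the averages through the level thresholds and overall-severity matrix of the OWASP Risk Rating Methodology cited on slide 24; it also carries the simple R = L x I product from slide 20. The two scenarios and their scores are constructed for illustration, and the function and constant names are the example's own.

```python
"""Risk rating over the presentation's factors (added example, not the talk's own tool)."""

# Likelihood factors (slide 9, technical factors) and impact factors
# (slide 10, business factors). Each is scored 0-9, as in the OWASP
# Risk Rating Methodology.
LIKELIHOOD_FACTORS = ("threat", "vulnerability", "exposure")
IMPACT_FACTORS = ("scope", "value", "cost_of_recovery")


def level(score: float) -> str:
    """OWASP level thresholds for an averaged 0-9 factor score."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall-severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",   ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def average_score(ratings: dict, factors: tuple) -> float:
    """Check that every factor is present and rated 0-9, then average them."""
    missing = set(factors) - ratings.keys()
    if missing:
        raise ValueError(f"missing factor ratings: {sorted(missing)}")
    for name in factors:
        if not 0 <= ratings[name] <= 9:
            raise ValueError(f"{name} must be rated 0-9, got {ratings[name]}")
    return sum(ratings[name] for name in factors) / len(factors)


def rate_risk(likelihood: dict, impact: dict) -> dict:
    """Average each side, bucket it, and combine via the severity matrix."""
    l_score = average_score(likelihood, LIKELIHOOD_FACTORS)
    i_score = average_score(impact, IMPACT_FACTORS)
    l_level, i_level = level(l_score), level(i_score)
    return {
        "likelihood": l_score,
        "impact": i_score,
        "likelihood_level": l_level,
        "impact_level": i_level,
        "r_equals_l_times_i": l_score * i_score,  # slide 20's simple R = L x I
        "severity": SEVERITY[(l_level, i_level)],
    }


# Constructed scenarios (not from the presentation); scores are illustrative.
SCENARIOS = {
    "Grade book at a small SaaS provider": (
        {"threat": 6, "vulnerability": 5, "exposure": 7},
        {"scope": 7, "value": 8, "cost_of_recovery": 3},
    ),
    "Public events calendar on IaaS": (
        {"threat": 6, "vulnerability": 3, "exposure": 6},
        {"scope": 2, "value": 1, "cost_of_recovery": 1},
    ),
}


def risk_table(scenarios=SCENARIOS) -> list:
    """Rows of (name, L level, I level, L x I, severity), the shape of a risk table."""
    rows = []
    for name, (likelihood, impact) in scenarios.items():
        r = rate_risk(likelihood, impact)
        rows.append((name, r["likelihood_level"], r["impact_level"],
                     round(r["r_equals_l_times_i"], 1), r["severity"]))
    return rows


if __name__ == "__main__":
    for row in risk_table():
        print("{:<40} L={:<6} I={:<6} LxI={:<5} -> {}".format(*row))
```

Scoring the grade book high on both sides lands it at Critical, while the public calendar, whose impact is low even though its likelihood is similar, comes out as Low; the product column shows why the bucketed matrix is easier to defend in a committee than a bare number like 6.7.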

26 EVOLVING OUR RISK MANAGEMENT APPROACH
  Other risks
    Information management risks: appropriate use? Can we get our data if we terminate agreement?
    Change management?
    BCP/DR?
  Policy 8 shortcomings
    Classifications are for Confidentiality; what about Integrity? Availability?
    Need a link to risk management
    Need a formal definition of who makes risk management decisions (consistent with Policy 11)

27 watitis.uwaterloo.ca @watitisconf THANK YOU!
