• No results found

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week"

Copied!
37
0
0

Loading.... (view fulltext now)

Download now ( 37 Page )

Full text

(1)

Cloud Security Panel:

Real World GRC Experiences

(2)

Children’s Healthcare of Atlanta

Agenda

• Introductions

• Recap: Overview of Cloud Computing and Why Auditors Should Care

• Reference Materials • Panel/Questions

(3)

Introductions

• Grady Boggs, CISSP

Technical Specialist, Security & Identity Microsoft Corporation

• Reid Eastburn, CISA, CRISC, CISM, HISP (Moderator) Vice President, Information Assurance and Security The Experts

• Stoddard Manikin, CISM, CISSP

Director, Information Systems Security Children’s Healthcare of Atlanta

(4)

Children’s Healthcare of Atlanta

Overview of Cloud Computing

• The use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet)

• Extension of client-server model • Cloud computing, big data,

consumerization of IT (BYOD), and virtualization

– Cloud computing adoption is one of the biggest IT trends.

(5)
(6)

Children’s Healthcare of Atlanta

Microsoft’s Cloud Environment

(7)

Why Auditors Should Care

• Risk typically stays “insourced”

• Organizations, and individuals, are outsourcing critical applications and data

• 24x7 pervasive availability also means your data is accessible to malicious users all day every day

• Multi-tenant architectures can result in unintended consequences, i.e., data mixing

• Cloud service providers may not share same goals (profitability vs. implementing controls)

(8)

Children’s Healthcare of Atlanta

Survey Data

• 51% of respondents, believe stormy weather can interfere with cloud computing.

• 54% of respondents claim to never use cloud computing.

• 97% are actually using cloud services today via

online shopping, banking, social networking and file sharing.

8

(9)

Adoption Risk and Rewards

BENE

FITS

privacy security

reliability scalability

increased agility flexibility

(10)

Children’s Healthcare of Atlanta

Provider is your Partner

(11)

Reference Materials

• Cloud Security Alliance (CSA) – GRC Stack

– https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-grc-stack.php

• CSA –Security Guidance for Critical Areas of Focus in Cloud Computing

– https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

• CSA Security, Trust, and Assurance Registry

– https://cloudsecurityalliance.org/star

• Microsoft Global Foundation Services – http://www.globalfoundationservices.com/

(12)
(13)
(14)

Children’s Healthcare of Atlanta

(15)

Security Maturity and Cloud Providers

• Trust us, we use a firewall • We’ll be happy to fill out

your questionnaire

• Download a copy of our 3rd party assessment

(16)

Children’s Healthcare of Atlanta

GRC and Cloud Computing

16

(17)

The GRC Stack Framework

(18)

Children’s Healthcare of Atlanta

GRC Examples in Cloud Computing

• Governance

– Jurisdiction for contractual enforcement – Data governance

– Transparency • Compliance

– ASP should follow a methodology (plan, do, check, act)

– At end of the day, compliance can't be fully outsourced

– Cloud provider's capabilities and controls must be integrated into your overall compliance program

18

• Risk

(19)

An Approach to Evaluate Cloud Providers

• Leverage the Cloud Security Alliance (CSA) GRC Stack – Cloud Controls Matrix

– Consensus Assessments Initiative – Cloud Audit

– CloudTrust Protocol

• Designed to support cloud consumers and cloud providers • Prepared to capture value from the cloud as well as

support compliance and control within the cloud • Also review the Security, Trust, and

Assurance Registry (CSA STAR)

(20)

Children’s Healthcare of Atlanta

Leveraging the CSA GRC Pack

20

(21)

Example: Cloud Controls Matrix (CCM)

(22)

Children’s Healthcare of Atlanta

Closing Thoughts/Summary

• Concentrate on GRC as a foundational component of your organization’s cloud strategy

• Demand commitment to standards (CSA Cloud Controls Matrix) and transparency (CSA STAR)

• Encourage your cloud computing buyers and legal teams to require stipulations like “right to audit” • Build familiarity with your vertical industry's

compliance needs

• Integrate your cloud provider's capabilities and controls into your overall compliance program

(23)

Technical Specialist, Security & Identity Directory of Security

(24)
(25)
(26)

BE NEFIT S privacy security reliability scalability increased agility flexibility

Reduced costs CON

CER

(27)

CLOUD PROVIDER SaaS PaaS IaaS RESPONSIBILITY: Data classification

Application level controls

Client and end point protection

Network controls Physical security

Identity and access management Host security

(28)

Global Foundation Services

Microsoft’s

Cloud Environment

Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Consumer and Small Business Services Enterprise Services Third-party Hosted Services Security Global Network Operations Data Centers

(29)

Compliance Framework

CERTIFICATION AND ATTESTATIONS

CONTROLS FRAMEWORK

• Identify and integrate • Regulatory requirements • Customer requirements • Assess and remediate

• Eliminate or mitigate gaps in control design

PREDICTABLE AUDIT SCHEDULE

• Test effectiveness and assess risk • Attain certifications and attestations • Improve and optimize

• Examine root cause of non-compliance • Track until fully remediated

INDUSTRY STANDARDS AND REGULATIONS

• Sarbanes-Oxley • PCI-DSS • HIPAA, etc • ISO/IEC 27001:2005 • EU Model Clauses • FISMA/NIST 800-53

• ISO / IEC 27001:2005 certification

• SSAE 16/ISAE 3402 SOC 1

• AT 101 SOC 2 and 3

• PCI DSS certification

• FISMA certification and accreditation

(30)

Know the value of your data and processes and the security and

compliance obligations you need to meet Consider the ability of vendors to

accommodate changing security and compliance requirements

Ensure a clear understanding of security and compliance roles and responsibilities for delivered services

Ensure data and services can be brought back in house if necessary

Consult guidance from organizations such as the Cloud Security Alliance

Require that the provider has attained third-party certifications and audits, e.g. ISO/IEC 27001:2005

(31)
(32)
(33)

CCM control Description DG-01 Data Governance - Ownership / Stewardship

All data shall be designated with

stewardship with assigned responsibilities defined, documented and communicated.

DG-02 Data Governance - Classification

Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of

(34)

Where are you now? Where will you be?

(35)
(36)
(37)

References

Download now ( PDF - 37 Page - 2.66 MB )

Related documents

Quantifying the Quality of Web Authentication Mechanisms A Usability Perspective

Environmental factors were not considered when the quality coefficient was calculated in the previous section, and this weakens the measure as a determinant of its efficacy within the

North East London Cancer Research Network. Annual Report

Our key objectives and priorities for the year have been to maintain a balanced portfolio across all tumour sites and modalities and in particular to increase recruitment

Engagement, Search Goals and Conversion - The Different M-Commerce Path to Conversion

In this research, using detailed event log-files of an online jewelry retailer, we analyze user engagement and navigation behaviors on both platforms, model search goals and their

Privileged Identity Management in the Cloud Scalable Security Practices for Cloud Providers

Deployment Models Service Models Essential Characteristics Common Characteristics Private Cloud Public Cloud Community Cloud Hybrid Clouds Software as a Service

Impact of vegetation die-off on spatial flow patterns over a tidal marsh

This study quantified for the first time the effects o f large-scale (4 ha) artificial vegetation removal, as proxy o f die-off, on the spatial flow patterns

Journal of Internet Banking and Commerce

Using information systems in Jordanian banks seems to be vital to the success of today’s banking systems in Jordan. Understanding how IS operates to improve banks

Comparing Evaporative Sources of Terrestrial Precipitation and Their Extremes in MERRA Using Relative Entropy

Comparing Evaporative Sources of Terrestrial Precipitation and Their Extremes in MERRA Using Relative Entropy..

Brochure WellServices 12p A4 PROOF

Through Expro’s other services lines, including wireline (braided line, e-line and slickline) services and cased hole logging, we deliver the full spectrum of services required