Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC

Academic year: 2021

(1)

Sandra Liepkalns, CRISC

[email protected]

(2)

The quality or state of being secure – to be free from danger & minimize risk

• To be protected from adversaries

• A successful Cloud implementation should have multiple layers of security in place:

– Physical security

– Personal security

– Operations security

– Communications security

– Network security

(3)

Organizations need a set of capabilities that are essential when effectively implementing and managing cloud services. These include the following:

• Demand Management

• Relationship Management

• Data Security Management

• Application Lifecycle Management

• Risk & Compliance Management

(4)

Data Regulatory Compliance Requirements

• General Data Protection Regulation (EU GDPR)

– Privacy By Design

• Personal Data Protection Law, Latvia

• Freedom of Information Law, Latvia

• Payment Card Industry (PCI DSS 3.0)

• In addition, each Country has its own legal and regulatory compliance requirements

(5)

Data Types

• Personal Health Information (PHI)

• Personally Identifiable Information (PII)

• Credit Card Data (PCI)

Data Security

(8)

• Risk Management

• Legal

• Audit

• Compliance

• Privacy

• Business Continuity

• Quality Control

• Facilities

• Human Resources

• Information, IT and Physical Security

• Emergency Management

(9)

To the Cloud…

(10)

• Choose a provider you can trust and people you trust in key positions.

• Ask people in your network about their successful and unsuccessful relationships.

• Learn how the providers behaved when things went wrong. (They are all great when things are going well.)

• Learn how the provider responded when their customer was wrong or made a mistake.

• The last two will likely tell you much more than what is in their service agreement.

• Review Audit Compliance Reporting

– ISO 27001, SSAE 16, SOC-1, SOC-2, SOC-2, PCI-DSS

(11)

• What do the terms "continuity" and "recovery" mean?

• What constitutes a breach?

• How long should it take to restore service?

• What options do you have if it is taking too long?

• Can you go somewhere else?

• Who gets to decide whether you can exit?

• How is "too long" defined?

• Can you have your data back? In what form and format?

• When can you have it? How will it be delivered?

(12)

• And what happens to your data, software, and systems if the provider becomes insolvent or subject to prosecution?

• What happens to your data if you don't pay your provider?

• Who owns your information and your systems then?

• Can your provider shut you down and/or permanently delete your data if you withhold payment?

• If you are thinking that is not a possibility... could it happen in the event you are having a dispute related to billing or service?

(13)

• If you fail to plan, you plan to fail!

• Have an exit strategy.

• More than that, understand what would cause you to execute it.

– How long can something be down (or slow...) before it impacts your business?

– How long will it take to implement even a temporary exit?

– How will the provider help?

– How can you return to the provider's service (should you decide to) once the problem has been resolved?

(14)

• Know what you want

– It is important to perform that second order thinking ahead of time.

• Know what you need

– It may be different than what you want

• Read & know what is in the service agreement

• Know how to engage

– It is not only about the negotiation and the remedies

– Someone needs to be familiar with how to identify a breach or issue, and how to engage the provider for assistance

– Know what to do both in cases where the provider has an issue, as well as those cases where the customer has caused a problem

(15)

Never Make Assumptions

Do not assume the service provider will think of everything

(16)

Cloud Service Providers

and

(17)

• Where your data is makes a difference

– Yes, your data in a cloud does have a location (or many locations)

• As a Canadian Public or Private Corporation, once your Data leaves Canadian soil, it is governed by the Laws and Regulations of the Country that it resides in.

• Each organization must understand the risks and implications associated with their data storage location.

You are subject to the jurisdiction your data is in and passing through

(18)

• One way or another your “Cloud” data is in a Data Centre

• What Affects the Data Centre affects You

• The Data Centre can be Affected by Two Factors:

– Natural Factors: Floods, Earthquakes, Tornadoes, Drought and Fire, Storms, Snow, etc.

– Human Factor: Riots, Political Protest, Sports Events

(19)

• Are your data centres geographically clustered?

• Can one event take all of your cloud servers and their data paths out?

• Is it on a fault line?

(21)

Bottom Line…

Every question you would ask about the physical location of data, hardware and Apps on your own server…

You must ask about your CLOUD based servers.

You Cannot Outsource Responsibility

(23)

Scenario

• Platform as a Service – Vendor

– ISO 27001 Certification

• Applications and Data – Client

• Service Level Agreement in Place

– Intrusion Detection

– Log Monitoring

– Vulnerability Management

– System Patch Management

(24)

Findings

• Interviewed the Service Provider for Security Controls

• Data Centre was recently acquired by a large service provider with ISO 27001 Compliance

• Service Level Agreement was not reality

– No Intrusion Detection

– No Log Monitoring

– No Vulnerability Management

– No System Patch Management

– No Change Management

(25)

Case Study #2

Scenario

• Tender for Cloud Based Electronic Medical Record (EMR) System

• Included Security Requirements

– Threat Risk Assessment

– Privacy Impact Assessment

• Contractual Obligations

– Privacy Breach

– Return of Data

• Data Residency required in Native Country

(26)

Case Study #2

Findings

• Lowest Bid Cloud based EMR Vendor Awarded Tender

• Awarded Cloud Vendor Executed Contract

• Privacy Impact Assessment Performed

• Threat Risk Assessment Performed

• Cloud EMR Vendor found to be in Breach of Contract

– Data residency outside of Native Country

• Still in Negotiations

(27)

Case Study #3

Scenario

• Review of Network Architecture, Infrastructure, Systems and Services

• Network Design Created over 10 Years ago

• Implementation of Point Solutions

– WiFi, Various SaaS Applications, Various Legacy Systems, Payment System, VLANs, IP Security Cameras, Corporate

(28)

Case Study #3

Findings

• No Separation of Networks, Systems, Applications and Infrastructure based on data sets and compliance requirements

• No Password Changes Due to Complex Application Integration

• LDAP Authentication in Clear Text

• No Network Infrastructure/Security Strategy

• No Business Process and Application Integration Strategy

(29)
