1. Cyber Security in Real-Time Systems
CSIRS
David Spinks - Chairman
February 2011
2. Quote by: Sun Tzu
As Sun Tzu, the military theoretician and strategist extraordinaire of
ancient China, wrote in his seminal work "The Art of War", "The skilful
leader subdues the enemy's troops without any fighting; he captures their
cities without laying siege to them; he overthrows their kingdom without
lengthy operations in the field."
Lush
Stuxnet
LSE
NYSE
E-Trading
RBS ATM
4. Cloud (IAAS) Pressures
Instant now, any time, anywhere
Limitless Continued cost reduction
Flexibility beyond Outsourcing
Secure IT Utility Services
Managed Services
Limitless Volumes Up and Down
8. Into the (Cloud) Future with hp
[Diagram: Sourcing Models. Labels: Services Ecosystem, Systems Integration, Technology Island, Advanced Agility, Cloud, Enterprise Cloud Services, Utility, Automated Services, Managed, Hosting, Traditional, Configured, Services]
9. So what are the security hot buttons?
Robust acceptable pan-client Information Security policies and procedures.
One single independent assurance certificate - no, your auditors will not be allowed access.
Identity and access management - need to get this working anyway!
Business continuity and IT DR - acceptance of standard RTO and RPO.
Encryption (key management) will be a client responsibility - this issue is related to IdM!
Flexibility in contracts - and please kill off the “old school” purchasing and contracts departments!
11. Cloud Computing Security Assessment Process Flow
Step 1 (Week 1): Review InfoSec Program Documentation
Step 2 (Week 2): Interview Subject Matter Experts (SME)
Step 3 (Week 2): Inspect Infrastructure & Controls
Step 4 (Week 2): Complete Security/Continuity Checklists
Step 5 (Week 2): Cloud Computing Readiness Workshop
Step 6 (Week 3): Analyze Data & Determine Gaps
Steps 7-9 (Week 4): Cloud Computing Security Roadmap Workshop; Create Service Improvement Plan (SIP); Create Remediation Roadmap
April 20th, 2010 - v1. Confidential & Proprietary Information of Hewlett-Packard Company
12. Conclusions
Adoption of Cloud - lessons learnt not available
Implementation experiences limited
Security and risk management methods immature
Best practice evolving but gaps exist still
Views of regulators and auditors still not clear
Legal and regulatory issues (e-Discovery - jury is still out!)
Watch this space ....
13. Finally
LinkedIn CSIRS: http://www.linkedin.com/groupRegistration?gid=3623430
David.spinks@hp.com
http://www.cloudsecurityalliance.org/
http://www.hp.com/hpinfo/newsroom/press/2009/090331xa.html
Q and A