Whitepaper

Security in the Cloud:
Mitigating Risk Outside
Enterprise Boundaries
INTRODUCTION

Traditionally, sensitive data and applications have been deployed, managed, and accessed within the trusted
boundaries established by IT. Those boundaries are now bending in response to business and customer demand.
Endpoints are now a mix of corporate and user-owned devices. Applications and data are hosted on both
enterprise and third party servers, available over private, partner, and public networks. They’re housed in both
enterprise and third party data centers.

These changes bring about significant business value, enhancing agility, mobility, and collaboration while
reducing upfront capital expenditures. But they also present a new challenge: IT no longer controls all the assets,
yet is still accountable for ensuring security and compliance.




        How do you assess the risks associated with moving to the cloud and third party resources?
        How do you identify gaps in corporate security policies and compliance requirements?
        What additional security measures are required, and who is accountable?




This whitepaper will outline the benefits and risks associated with moving to the cloud, and provide a
framework for working with vendors to mitigate those risks.




SHIFT TO THE CLOUD: BENDING BOUNDARIES


The most obvious way to secure digital assets is to lock them down behind
network and application firewalls in one’s own building. But organizations
are heading in the opposite direction, bending boundaries to harness the
business benefits of moving to the cloud.


For both SMB and Enterprise businesses, Morgan Stanley predicts
workloads in virtualized or private cloud environments to nearly double
from 2011 through 2013. SaaS workloads as a percentage of total
workloads are also expected to more than double in that time period.[1]

There are clear business benefits to moving to the cloud, including the opportunity to reduce upfront capital expenditures, scale up
or down based on business needs, improve service with SLA guarantees, and support workforce collaboration and mobility.


In many cases business users have driven these changes, maneuvering around IT to gain direct access to SaaS applications. The use of
mobile and BYOD (Bring Your Own Device) creates additional risk, as more and more consumer-owned devices are used to access
corporate data and applications in the cloud. According to a 2011 ISACA “Shopping on the Job” Survey, nearly one-third of consumers
say that they plan to do more shopping than last year using their work-supplied or BYOD device (32%), increasing the risk of malware
and other security threats being introduced to the larger organization through personal use of corporate assets.[2]

     “Today, scalability and cost are seen as the primary drivers for cloud usage, while agility and innovation are quickly
     emerging as a key factor for adoption”
     Future of Cloud Computing Survey (GigaOM, Northbridge Venture Partners, 451 Group).

So IT organizations are now faced with devices they don’t own, accessing data over networks they don’t administer, running on
infrastructure in data centers they don’t host. But rather than fighting the trend, IT organizations are embracing the cloud, both for
business benefit and to ensure consistency in areas such as service levels and security.



SECURING THE CLOUD: CONTRACT-IT-IN VS. BUILD-IT-IN

     “Rather than investing time and resources in establishing a strong in-house security program, IT organizations now
     need to shift their attention to building a trusted relationship with their cloud vendors.”

How do you manage security and compliance when you don't host the assets? The very transfer of control of enterprise assets
from in-house platforms to the virtual world, coinciding with a widening net of regulatory requirements and security threats,
means redefining how you select and manage vendor relationships. You can’t simply select a cloud vendor based on their ability
to support your outsourced data or application requirements. You need to be able to trust that cloud vendor, and ensure that
they can support your requirements with respect to security and compliance. Your reputation and your ability to service your
user and customer base are in their hands. This is even more critical in industries subject to regulation, such as healthcare
(HIPAA), financial services (GLBA), retail (PCI),

Today, the standard of security for third party providers largely remains the humble firewall, augmented by web-
application and application-aware firewalls that guard against OWASP (Open Web Application Security Project) Top
10 and other known vulnerability exploits. But still, these are provincial in view rather than part of an overall strategy.
There are also a variety of point solutions, but no seamless strategy for securing front-end applications or back-end
data in a consistent, policy-driven manner. An array of certifications is no guarantee, because they focus on
compliance rather than true security.


So with the business pushing for a move to outsourcing, how do you ensure that your risk, in terms of both security and
compliance, is covered? IT organizations need to take a new approach: contract it in rather than build it in.
Historically, IT organizations have invested in security, compliance, and business continuity by developing the business
justification, obtaining buy-in, and executing against a strategy. In a cloud scenario, the emphasis shifts to the vendor.
That means assessing and defining your vendors’ ability to guarantee service levels, provide transparency where required,
and provide vital security services to support your organization’s requirements. It also means being clearly aligned on
roles and responsibilities.


Many organizations are already taking a proactive approach to ensuring the security of outsourced services.
According to a survey of IT organizations by the Aberdeen Group called "Security and Cloud Best Practices", almost half are
asking their cloud service providers to implement strong security practices.[3]


ASSESSING YOUR RISK


What should you expect of your cloud provider? This depends on the data and applications you are outsourcing, and
the compliance requirements and security policies that apply to your organization. If the expectation is that you will
safeguard sensitive data such as that related to credit cards, patient data, privacy, or financial transactions, then you
need to have that same expectation for your cloud partners.

There is obviously no such thing as risk-free. If transactions are being executed over shared resources, the strategy
should be to determine the level of your risk and to either mitigate, transfer, avoid, or accept that risk. Some
compliance bodies use the term “compensating controls,” i.e. there is a known window of vulnerability, and these are the
solutions and procedures put in place to account for that.

Risk is the likelihood of a threat exploiting a vulnerability to produce harm to an asset. It is contextual, and driven by
the intersection of assets, threats, and vulnerabilities.

        When identifying and prioritizing risks, considerations include:

        What are the gaps, in terms of corporate, compliance, and security policies?
        What are the possible consequences of a breach, in terms of customer impact, employee impact, penalties, public relations, or
        share price?
        Various regulations require protection of data, which often translates into encryption. What do your outside auditors require in terms
        of that encryption? AES 192? AES 256? Triple DES?
        Are you hosting data and/or applications for another party, and if so, what are their expectations and requirements?
        How strong do your password policies need to be?
        What periodic reviews, internal audits, or reporting must be conducted to ascertain the current security posture relative to the risk?


In the end your organization is responsible to your users for securing all the pieces you have assembled for executing
transactions and securing the data that result from those transactions; it’s critical that you work closely with your
vendors as part of your attendant infrastructure.



TEN KEY ELEMENTS OF CLOUD SECURITY

What should you ask your cloud provider?
Once you’ve selected a short list of vendors and assessed your risk, what should you ask your cloud provider to
ensure that they can support you effectively? While your selection criteria and contract requirements may vary, the
following questions provide a starting point for ensuring that requirements and responsibilities are clearly
understood by both parties.




      Security Requirements:
      Will your provider work with you to understand your security and business requirements?
      When selecting a vendor, make sure they are willing to tailor and integrate a security solution with your
      cloud service, rather than providing a “one-size-fits-all” solution. Roles and responsibilities should be
      clearly defined and the delineation of responsibilities should align with your organization’s needs.

      Third Party Certifications:
      Does the vendor employ independent and verifiable audits?
      The provider should have achieved key certifications, such as SSAE 16 (formerly SAS 70),
      demonstrating their commitment to maintaining a secure, controlled environment for your data and
      applications. Ask the vendor if they are subject to periodic validation of their security infrastructure, and
      if they regularly conduct penetration and other testing to achieve certification or validation.

      Service Level Agreements (SLA):
      What is included in the vendor’s SLA?
      The vendor’s SLA should include the guarantees required for the applications and data they will be
      hosting, based on risk assessment, as described earlier in this whitepaper.

      Reliability/Business Continuity:
      How does the vendor ensure uptime, throughput, and other requirements as defined in the SLA?
      Ask the vendor about the procedures they have in place for backup and disaster recovery, and how
      often those processes are validated and tested.


      Maintenance:
      Does the vendor conduct regular maintenance, patching, and upgrades?
      The vendor may offer tiered service options, as well as additional integrated security services such as
      periodic vulnerability scanning.







    VM-Specific Security:
    Does the vendor configure security in multi-tenant virtual networks?
    If you will be sharing servers with their other customers, ask the vendor how separation is ensured, so
    that no data or access is shared. This can be established in several ways depending on your
    requirements, for example by creating private network segments or by installing virtual or physical
    firewalls.

    Secure Access:
    How does the provider verify the credentials of users and determine their level of access? Are the
    endpoint machines accessing the vendor secured?
    It’s important to discuss how, where, and from what devices applications and data will be accessed,
    and in some cases your vendor may offer endpoint security or asset management in addition to cloud
    services.

    Data Security:
    What controls are in place to protect data in production, in transit, and in backup?
    Your requirements may vary based on the sensitivity of the data and regulatory environment. In that
    context, ask your provider how sensitive data will be protected (such as through encryption or
    firewalls), who will have access to the data, and what measures they have in place to protect against
    data loss in the event of a disaster.

    Visibility:
    Does your provider offer visibility into the security of the hosted service?
    Review the tools the vendor provides to give you control over the services they will be providing, and
    ensure that they can support any reporting required for audits or compliance.

    Physical Security:
    Does the vendor follow best practices in securing their data center facilities?
    Security controls should include badge-protected facilities, 24x7 cameras, and most importantly, a
    policy on separation of duties and physical access to servers for their personnel. If you are subject to
    regulatory requirements pertaining to “data jurisdiction”, verify the physical location of servers.




SUMMARY

It’s no longer a question of whether you should move to the cloud, as the evolution is already well underway, and
there are clear business advantages to outsourcing. The question is, can you move to the cloud, and still maintain
control of IT security and ensure compliance? The answer is yes, but the approach for mitigating risk is different.
Rather than investing time and resources in establishing a strong in-house security program, IT organizations now
need to shift their attention to building a trusted relationship with their cloud vendors.

Assess risk and gaps in the context of application/data security requirements, compliance requirements, and
enterprise security policies. Incorporate the ability for vendors to support your security requirements into your
vendor selection process. Ask the right questions and establish an SLA to ensure that both you and the vendor
are clearly aligned on requirements, roles, and responsibilities. Last and most importantly, make it a priority to
establish a trusted, long-term partnership with your vendors, as communication and alignment on business goals is
critical to long term success.

ABOUT EARTHLINK BUSINESS

EarthLink is a leading IT services, network and communications provider to more than 150,000 businesses. With a
comprehensive security portfolio, CISSP® & CISA-certified professionals, SSAE 16 compliant data centers, and
over 3,000 deployments across industries including financial services, healthcare, retail, energy, transportation,
and government, EarthLink enables businesses of all sizes to mitigate risk as they move to the cloud.

Our security services integrate with our cloud hosting and IP voice and data services, and include application
penetration testing, information security, business continuity and disaster recovery, asset management, monitoring,
content filtering, firewall, intrusion detection/intrusion prevention (IDS/IPS), laptop security, and secure remote
access.

To learn more about how EarthLink can help your organization to mitigate risk, email
getinfo@earthlinkbusiness.com, call 1-877-355-1501, or visit www.earthlinkbusiness.com.




References:

1. “Cloud Computing Takes Off”, Morgan Stanley Research, May 23, 2011
   (http://www.morganstanley.com/views/perspectives/cloud_computing.pdf)

2. 2011 ISACA Shopping on the Job Survey, prepared by the Ketchum Global Research Network, November 2011
   (http://www.isaca.org/online-shopping-risk)

3. “Security and Cloud Best Practices”, Derek Brink, Aberdeen Group, July 2011




 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
 
Hybrid & Multi-cloud Environment.pdf
Hybrid & Multi-cloud Environment.pdfHybrid & Multi-cloud Environment.pdf
Hybrid & Multi-cloud Environment.pdf
 
Cloud Computing - A future prerogative
Cloud Computing - A future prerogativeCloud Computing - A future prerogative
Cloud Computing - A future prerogative
 
10 Tips for CIOs - Data Security in the Cloud
10 Tips for CIOs - Data Security in the Cloud10 Tips for CIOs - Data Security in the Cloud
10 Tips for CIOs - Data Security in the Cloud
 
10 Tips for CIOS Data Security in the Cloud
10 Tips for CIOS Data Security in the Cloud10 Tips for CIOS Data Security in the Cloud
10 Tips for CIOS Data Security in the Cloud
 
4aa5-6541enw
4aa5-6541enw4aa5-6541enw
4aa5-6541enw
 
The Secure Path to Value in the Cloud by Denny Heaberlin
The Secure Path to Value in the Cloud by Denny HeaberlinThe Secure Path to Value in the Cloud by Denny Heaberlin
The Secure Path to Value in the Cloud by Denny Heaberlin
 
Top 10 Cloud Trends for 2017
Top 10 Cloud Trends for 2017Top 10 Cloud Trends for 2017
Top 10 Cloud Trends for 2017
 

Mehr von drewz lin

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013drewz lin
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2drewz lin
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21drewz lin
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansendrewz lin
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsdrewz lin
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentationdrewz lin
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowaspdrewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usadrewz lin
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013drewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架drewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈drewz lin
 

Mehr von drewz lin (20)

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
 

Asset 1 security-in-the-cloud

  • 1. Whitepaper Security in the Cloud: Mitigating Risk Outside Enterprise Boundaries
  • 2. INTRODUCTION

    Traditionally, sensitive data and applications have been deployed, managed, and accessed within the trusted boundaries established by IT. Those boundaries are now bending in response to business and customer demand. Endpoints are now a mix of corporate and user-owned devices. Applications and data are hosted on both enterprise and third party servers, available over private, partner, and public networks. They’re housed in both enterprise and third party data centers.

    These changes bring about significant business value, enhancing agility, mobility, and collaboration while reducing upfront capital expenditures. But they also present a new challenge: IT no longer controls all the assets, yet is still accountable for ensuring security and compliance.

    - How do you assess the risks associated with moving to the cloud and third party resources?
    - How do you identify gaps in corporate security policies and compliance requirements?
    - What additional security measures are required, and who is accountable?

    This whitepaper will outline the benefits and risks associated with moving to the cloud, and provide a framework for working with vendors to mitigate those risks.
  • 3. SHIFT TO THE CLOUD: BENDING BOUNDARIES

    The most obvious way to secure digital assets is to lock them down behind network and application firewalls in one’s own building. But organizations are heading in the opposite direction, bending boundaries to harness the business benefits of moving to the cloud.

    For both SMB and Enterprise businesses, Morgan Stanley predicts workloads in virtualized or private cloud environments to nearly double from 2011 through 2013. SaaS workloads as percentage of total workloads are also expected to more than double in that time period.[1] There are clear business benefits to moving to the cloud, including the opportunity to reduce upfront capital expenditures, scale up or down based on business needs, improve service with SLA guarantees, and support workforce collaboration and mobility.

    “Today, scalability and cost are seen as the primary drivers for cloud usage, while agility and innovation are quickly emerging as a key factor for adoption”
    Future of Cloud Computing Survey (GigaOM, Northbridge Venture Partners, 451 Group).

    In many cases business users have driven these changes, maneuvering around IT to gain direct access to SaaS applications. The use of mobile and BYOD (Bring Your Own Device) creates additional risk, as more and more consumer-owned devices are used to access corporate data and applications in the cloud. According to a 2011 ISACA “Shopping on the Job” Survey, nearly one-third of consumers say that they plan to do more shopping than last year using their work-supplied or BYOD device (32%), increasing the risk of malware and other security threats being introduced to the larger organization through personal use of corporate assets.[2]

    So IT organizations are now faced with devices they don’t own, accessing data over networks they don’t administer, running on infrastructure in data centers they don’t host. But rather than fighting the trend, IT organizations are embracing the cloud, both for business benefit and to ensure consistency in areas such as service levels and security.

    SECURING THE CLOUD: CONTRACT-IT-IN VS. BUILD-IT-IN

    How do you manage security and compliance when you don't host the assets?

    Rather than investing time and resources in establishing a strong in-house security program, IT organizations now need to shift their attention to building a trusted relationship with their cloud vendors.

    The very transfer of control of enterprise assets from in-house platforms to the virtual world, coinciding with a widening net of regulatory requirements and security threats means redefining how you select and manage vendor relationships. You can’t simply select a cloud vendor based on their ability to support your outsourced data or application requirements. You need to be able to trust that cloud vendor, and ensure that they can support your requirements with respect to security and compliance. Your reputation and your ability to service your user and customer base are in their hands. This is even more critical in industries subject to regulation, such as healthcare (HIPAA), financial services (GLBA), retail (PCI),
  • 4. Today, the standard of security for third party providers largely remains the humble firewall, augmented by web-application and application-aware firewalls that guard against OWASP (Open Web Application Security Project) Top 10 and other known vulnerability exploits. But still, these are provincial in view rather than part of an overall strategy. There are also a variety of point solutions, but no seamless strategy for securing front-end applications or back-end data in a consistent, policy-driven manner. An array of certifications is no guarantee, because they focus on compliance rather than true security.

    So with the business pushing for a move to outsourcing, how do you ensure that your risk, in terms of both security and compliance, is covered?

    IT organizations need to take a new approach: contract it in rather than build it in. Historically, IT organizations have invested in security, compliance, and business continuity by developing the business justification, obtaining buy-in, and executing against a strategy. In a cloud scenario, the emphasis shifts to the vendor. That is, assessing and defining your vendors’ ability to guarantee service levels, provide transparency where required, and provide vital security services to support your organization’s requirements. It also means being clearly aligned on roles and responsibilities.

    Many organizations are already taking a proactive approach to ensuring the security of outsourced services. According to a survey of IT organizations by the Aberdeen Group called "Security and Cloud Best practices", almost half are asking their cloud service providers to implement strong security practices.[3]

    ASSESSING YOUR RISK

    What should you expect of your cloud provider?

    This depends on the data and applications you are outsourcing, and the compliance requirements and security policies that apply to your organization. If the expectation is that you will safeguard sensitive data such as that related to credit cards, patient data, privacy, or financial transactions, then you need to have that same expectation for your cloud partners.

    There is obviously no such thing as risk-free. If transactions are being executed over shared resources, the strategy should be to determine the level of your risk and to either mitigate, transfer, avoid, or accept that risk. Some compliance bodies use the term “compensating controls,” i.e. there is a known window of vulnerability, and these are the solutions and procedures put in place to account for that.

    Risk is the likelihood of a threat exploiting a vulnerability to produce harm to an asset. It is contextual, and driven by the intersection of assets, threats, and vulnerabilities. When identifying and prioritizing risks, considerations include:

    - What are the gaps, in terms of corporate, compliance, and security policies?
    - What are the possible consequences of a breach, in terms of customer impact, employee impact, penalties, public relations, or share price?
    - Various regulations require protection of data, which often translates into encryption. What do your outside auditors require in terms of that encryption? AES 192? AES 256? Triple DES?
    - Are you hosting data and/or applications for another party, and if so, what are their expectations and requirements?
    - How strong do your password policies need to be?
    - What periodic reviews, internal audits, or reporting must be conducted to ascertain the current security posture relative to the risk?

    In the end your organization is responsible to your users for securing all the pieces you have assembled for executing transactions and securing the data that result from those transactions; it’s critical that you work closely with your vendors as part of your attendant infrastructure.
  • 5. TEN KEY ELEMENTS OF CLOUD SECURITY

    What should you ask your cloud provider?

    Once you’ve selected a short list of vendors and assessed your risk, what should you ask your cloud provider to ensure that they can support you effectively? While your selection criteria and contract requirements may vary, the following questions provide a starting point for ensuring that requirements and responsibilities are clearly understood by both parties.

    - Security Requirements: Will your provider work with you to understand your security and business requirements? When selecting a vendor, make sure they are willing to tailor and integrate a security solution with your cloud service, rather than providing a “one-size-fits-all” solution. Roles and responsibilities should be clearly defined and the delineation of responsibilities should align with your organization’s needs.
    - Third Party Certifications: Does the vendor employ independent and verifiable audits? The provider should have achieved key certifications, such as SSAE 16 (formerly SAS 70), demonstrating their commitment to maintaining a secure, controlled environment for your data and applications. Ask the vendor if they are subject to periodic validation of their security infrastructure, and if they regularly conduct penetration and other testing to achieve certification or validation.
    - Service Level Agreements (SLA): What is included in the vendor’s SLA? The vendor’s SLA should include the guarantees required for the applications and data they will be hosting, based on risk assessment, as described earlier in this whitepaper.
    - Reliability/Business Continuity: How does the vendor ensure uptime, throughput, and other requirements as defined in the SLA? Ask the vendor about the procedures they have in place for backup and disaster recovery, and how often those processes are validated and tested.
    - Maintenance: Does the vendor conduct regular maintenance, patching, and upgrades? The vendor may offer tiered service options, as well as additional integrated security services such as periodic vulnerability scanning.
  • 6. TEN KEY ELEMENTS OF CLOUD SECURITY (continued)

    - VM-Specific Security: Does the vendor configure security in multi-tenant virtual networks? If you will be sharing servers with their other customers, ask the vendor how separation is ensured, so that no data or access is shared. This can be established in several ways depending on your requirements, for example by creating private network segments or by installing virtual or physical firewalls.
    - Secure Access: How does the provider verify the credentials of users and determine their level of access? Are the endpoint machines accessing the vendor secured? It’s important to discuss how, where, and from what devices applications and data will be accessed, and in some cases your vendor may offer endpoint security or asset management in addition to cloud services.
    - Data Security: What controls are in place to protect data in production, in transit, and in backup? Your requirements may vary based on the sensitivity of the data and regulatory environment. In that context, ask your provider how sensitive data will be protected (such as through encryption or firewalls), who will have access to the data, and what measures they have in place to protect against data loss in the event of a disaster.
    - Visibility: Does your provider offer visibility into the security of the hosted service? Review the tools the vendor provides to give you control over the services they will be providing, and ensure that they can support any reporting requirements required for audits or compliance.
    - Physical Security: Does the vendor follow best practices in securing their data center facilities? Security controls should include badge-protected facilities, 24x7 cameras, and most importantly, a policy on separation of duties and physical access to servers for their personnel. If you are subject to regulatory requirements pertaining to “data jurisdiction”, verify the physical location of servers.
  • 7. SUMMARY

    It’s no longer a question of whether you should move to the cloud, as the evolution is already well underway, and there are clear business advantages to outsourcing. The question is, can you move to the cloud, and still maintain control of IT security and ensure compliance? The answer is yes, but the approach for mitigating risk is different. Rather than investing time and resources in establishing a strong in-house security program, IT organizations now need to shift their attention to building a trusted relationship with their cloud vendors.

    - Assess risk and gaps in the context of application/data security requirements, compliance requirements, and enterprise security policies.
    - Incorporate the ability for vendors to support your security requirements into your vendor selection process.
    - Ask the right questions and establish an SLA to ensure that both you and the vendor are clearly aligned on requirements, roles, and responsibilities.
    - Last and most importantly, make it a priority to establish a trusted, long-term partnership with your vendors, as communication and alignment on business goals is critical to long term success.

    ABOUT EARTHLINK BUSINESS

    EarthLink is a leading IT services, network and communications provider to more than 150,000 businesses. With a comprehensive security portfolio, CISSP® & CISA-certified professionals, SSAE 16 compliant data centers, and over 3,000 deployments across industries including financial services, healthcare, retail, energy, transportation, and government, EarthLink enables businesses of all sizes to mitigate risk as they move to the cloud. Our security services integrate with our cloud hosting and IP voice and data services, and include application penetration testing, information security, business continuity and disaster recovery, asset management, monitoring, content filtering, firewall, intrusion detection/intrusion prevention (IDS/IPS), laptop security, and secure remote access.

    To learn more about how EarthLink can help your organization to mitigate risk, email getinfo@earthlinkbusiness.com, call 1-877-355-1501, or visit www.earthlinkbusiness.com.
  • 8. References:

    1. “Cloud Computing Takes Off”, Morgan Stanley Research, May 23, 2011 (http://www.morganstanley.com/views/perspectives/cloud_computing.pdf)
    2. 2011 ISACA Shopping on the Job Survey, Prepared by the Ketchum Global Research Network, November 2011 (www.isaca.org/online-shopping-risk)
    3. “Security and Cloud Best Practices”, Derek Brink, Aberdeen Group, July 2011