Jirasek Consulting Services
Classification: Public 1
Supporting Business Agility
Cloud governance: Examples from trenches
Cloud and Mobile Compliance Summit
Vladimir Jirasek
Jirasek Consulting Services
&
Research Director, Cloud Security Alliance, UK chapter
Agenda
• What is Cloud Governance
• Tips and Tricks
• Bad examples
• Good examples
Governance is:
• … the act of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists of either a separate process or part of decision-making or leadership processes
SOURCE: Wikipedia
http://en.wikipedia.org/wiki/Governance
Applied to Cloud
• Setting company policy for Cloud computing
• Risk-based decision on which Cloud provider, if any, to engage
• Assigning responsibilities for enforcing and monitoring policy compliance
• Setting corrective actions for non-compliance
Cloud governance::Policy
• Cloud is typically adopted by
a) IT directors – managed relatively consistently and mostly [I|P]aaS
b) Business managers – less governance; typically SaaS
• Policy should state: It is a policy of …. to manage the usage of external Cloud computing services, taking into account risks to business processes and legal and regulatory compliance when using external Cloud services. The CIO is responsible for creating and communicating the external Cloud computing strategy and standards.
Cloud standard structure
• General statements
– Governance requirements for Cloud
– Enterprise architecture ready for Cloud, with Cloud services able to plug in (IAM, SIEM, data architecture, forensics)
– Discovery of Cloud service use
• Before a Cloud project
– Cloud service to comply with data classification
– Encrypt all sensitive data in the Cloud
– Identity and Access Management (AAA) linked to the Cloud service
• During a Cloud project
– Due diligence to be performed
– Do not forget the “right to audit”
– Know the locations of PII
– Assess availability (SLA and DR) of the Cloud provider
– Assess the Cloud provider’s security controls
– Assess the potential for forensic investigation by the company’s own team
• Running a Cloud service
– Limit use of live data for development and testing
– Monitor the cloud provider’s security controls
– Link the company’s SIEM with the Cloud provider and monitor for incidents
• Moving out of the Cloud
– Data cleansing
– Data portability
POOR EXAMPLES
Trust and do not verify
• Large manufacturer and very large software company
• SaaS
• No change to legal terms and conditions allowed -> increased risk of non-compliance
• Decision to go ahead anyway
• Tip: The bigger the provider, the less flexibility on contracts. Shopping around is not always possible.
Did you erase my data?
• Large media company “outsourced” CRM to an SA company
• Standard contract conditions
• Little assurance that the data has been deleted when the contract ends -> a security expert spent a week in SA “assessing”
• Tip: Negotiate the “exit” before signing the contract. Seek details on how the data is erased.
I have 1TB of CSV files, now what?
• Customer uses a well-known CRM in the Cloud
• SaaS designed to immerse clients into a well-defined, bespoke CRM
• No known data model
• Export of data only as CSV
• Tip: Portability is key in SaaS applications. Think about leaving the Cloud provider upfront. How will you take your data?
I take this rack “please”!
• Law enforcement has been slower to adapt to the principles of Cloud computing
• Small cloud providers are more vulnerable to having hardware seized, rather than law enforcement using imaging/forensic techniques
• SaaS is generally more affected
• Tip: Use reputable and strong cloud providers who have developed a good relationship with law enforcement (ask upfront).
GOOD EXAMPLE
Scaling up/down development
• Large manufacturing and service company
• Requirement to support development needs with seasonal demands – an ideal case for [I|P]aaS
• Security team approached up-front to perform a review
• “Live” data not uploaded to the provider before on-site sanitising
Summary
• Have a Cloud policy/standard and update the risk management classification
• Engage with the Procurement and Finance teams – gatekeepers for any contracts and credit card spend
• Discover usage of Cloud services
• Prepare your enterprise architecture to plug Cloud services into IAM, SIEM and key management
• Think about the Cloud exit upfront
• Do not fear the Cloud – it is another form of outsourcing!
Contact
• Vladimir Jirasek
• vladimir@jirasekconsulting.com
• www.jirasekconsulting.com
• @vjirasek
• About.me/Jirasek

Cloud governance is not hard