Lions and Tigers and Cloud, Oh My! The Truth Behind Cloud Security and Risks
- 1. Lions and Tigers and Cloud, Oh My!
The Truth Behind Cloud Security and Risks
Accenture
Ariba
© 2012 Ariba, Inc. All rights reserved.
- 2. Lions and Tigers and Cloud, Oh My!
The Truth Behind Cloud Security and Risks
The single biggest concern of CIOs around going to the Cloud is security. Paradoxically, it is not a
huge issue for Chief Security Officers. Find out why not in this informative session and receive a
Cloud security checklist.
- 3. Our Speakers
Torben Lundgren
IT Director - Procurement and F&A BPOs
Accenture
Jason Brown
Dir, Solutions Management – Data and Security Policies
Ariba
- 4. Cloud vs Data Security?
Considerations as seen through the lens of supplying services to Financial Services in Europe
Torben Lundgren
IT Director
Accenture Procurement BPO
- 5. Introduction to Cloud
• Every service provider - internal or external – seeks the optimal way to service their clients
• Increasingly, cloud based services become that optimum – for different reasons:
Easy and dynamic scaling
Short lead-times to establish
Metered, on-demand
Lower cost
• However: many service providers still experience push-back from their clients
• Clients still have concerns – especially around security and data privacy:
The perception that Cloud is fundamentally different and less secure is still common
Cloud is often presented exclusively as low-cost, which risks making the “Cheap & Cheerful” reputation stick
• We will focus here on the differences seen from the client perspective and less on the technology
perspective
At the technological level, there are significant differences between types of tools, services, and organization
- 6. The different shades of Cloud?
• What is cloud?
A way to provide services over the network where an established capability and capacity can be shared
Reducing lead time for the individual client
On-demand – only pay for consumption and not (fully) for surplus capacity
For the client, the requirements for Cloud are the same as they would be for a conventional service – here Cloud primarily becomes a
financial model
….. But note: when in operation, the governance models are different
• What can be delivered as Cloud?
Cloud is available in three service models: from basic Infrastructure-as-a-Service (IaaS), through Platform-as-a-Service (PaaS), which adds
middleware and other platform services, to full-fledged Software-as-a-Service (SaaS)
The difference is how high in the service stack the service is sharable – a non-shared application can e.g. be put on top of IaaS or
PaaS – of course only giving Cloud benefits for the part which is shared
• What degree of sharing with other clients is required in Cloud?
The deployment model can allow a higher or lower degree of sharing between clients (Public or Community)
Or be specific to one client (Private) or a mix (Hybrid)
Cloud will normally always be multi-tenant, but in Private the “tenants” are different application services typically serving the same
client
This can be used to accommodate Information Assets with special requirements
- 7. Cloud compared to other services?
• What is similar between Security for Cloud and Conventional services?
The security areas are identical – and the requirements almost the same
All Computing Service Security Models must comprise:
– Data Center, Physical, and Network Security
– Data / Storage & Server / OS Security
– API and Middleware Security
– Application Security including Access Control, Penetration testing
– Protection of the traffic between Service and End-user
• Some elements of Security for Cloud are different due to the shared nature:
The risk picture is different due to the risk of crossover between services on the same Cloud:
– Shared technological vulnerabilities
– Insecure APIs
– The potential population of malicious insiders increases
– Risk of Data Leakage / Data Contamination
The Governance models differ:
– Cloud often offers less client transparency and influence
– More reliant on third party attestation and certifications
The Security requirements are higher – especially for:
– Data / Storage, Application security
– Monitoring and malware protection must be tighter
- 8. Service Compliance Framework?
• The Service Compliance Framework does not differ much between Cloud and Conventional
Differences are mostly in the mapping from the Security Control Model to the Service Delivery Model, due to the
service organization
Governance and e.g. audit access can vary => requirements for the Service Contract structure are likely to be
different
Graphics borrowed from: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
- 9. European FS clients
- What trends do we see in their Cloud requirements?
• In general, we see a strong push for Cloud Services across all our clients
• But there are differences in their requirements and approach
• Some of the differences come from legislation in the European Union; other
trends seem more closely related to industry or culture:
Data privacy:
– While there are many similarities between the data privacy requirements in Europe and the USA, the EU Data Privacy Model
Clauses lock the service provider in, while Safe Harbor can be exited
– This impacts the contractual requirements of a European client
Choice of Deployment Model – European FS clients go for Private / Hybrid to a higher degree
– Risk of Data Loss / Leakage seems to be what significantly influences this choice
– Governance and reliance on third party certifiers also play a role
Uptake of Cloud Service Models:
– The uptake of SaaS in the USA is much stronger than in Europe
– A higher proportion of European FS clients focus on IaaS and PaaS and less on SaaS compared to their NA counterparts
– Very likely related to the division of the European market into several languages as well as legal/traditional
requirements – just not the same type of large market with uniform requirements
– Consequently, there is less demand for single-service cloud offerings – still!
- 10. I think I want Cloud!
– how do I avoid the pitfalls?
• Do ALL of what you would do for a conventional service:
(many very similar frameworks are available – the steps below reflect https://cloudsecurityalliance.org)
Identify your Information Assets; these are normally Data and Application/Function/Process
Evaluate the sensitivity of your Information Assets => Confidentiality, Integrity, and Availability requirements
Determine your Compliance (incl. Jurisdiction), SLA, and BCP requirements
Evaluate your potential Providers, their Service Models, and Locations
Map potential data flows between locations, and determine risk exposure points
• Decide whether Cloud is available and applicable – if yes: continue
Determine the correct deployment model for your Information Assets:
– Private / Community / Public .... or Hybrid
Determine if you go for full-stack SaaS, PaaS, or IaaS hosting services only
The advantage of PaaS / IaaS is that you can customise more of the Application Security layer
– The drawback is that you become responsible for defining, implementing, and planning security for everything above where the
Cloud Provider's service stops
Define / modify your Security Control, Risk Mitigation, and Governance Framework
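As an added illustration of the checklist above (example code, not Accenture's or Ariba's own tooling), the following Python models its steps: assets with a confidentiality rating and permitted jurisdictions, provider locations, data flows between them, the chosen deployment model, and which of the slide-7 security layers the client still owns under each service model. The layer split in PROVIDER_COVERS and all sample assets, locations and flows are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Security layers every computing service must cover (slide 7), bottom-up.
LAYERS = ["datacenter_physical_network", "data_storage_server_os",
          "api_middleware", "application", "end_user_traffic"]
# Assumption for this example: number of layers the provider covers per
# service model; the client owns every layer above that point (slide 10).
PROVIDER_COVERS = {"IaaS": 1, "PaaS": 3, "SaaS": 4}

@dataclass
class Asset:
    name: str
    confidentiality: int    # 1 (low) .. 3 (high): the C of the CIA rating
    jurisdictions: set      # jurisdictions where the data may reside
    location: str           # provider location hosting the asset
    deployment: str         # Private / Community / Public / Hybrid

def client_owned_layers(service_model):
    """Layers the client must secure itself under a given service model."""
    return LAYERS[PROVIDER_COVERS[service_model]:]

def exposure_points(assets, flows, location_jurisdiction):
    """Risk exposure points: high-confidentiality assets on a shared
    deployment model, and hosting or data flows outside permitted
    jurisdictions. flows are (asset, source_location, target_location)."""
    findings = []
    by_name = {a.name: a for a in assets}
    for a in assets:
        if a.confidentiality == 3 and a.deployment in ("Public", "Community"):
            findings.append(f"{a.name}: high confidentiality on {a.deployment} cloud")
        if location_jurisdiction[a.location] not in a.jurisdictions:
            findings.append(f"{a.name}: hosted in {a.location}, outside permitted jurisdictions")
    for asset_name, src, dst in flows:
        if location_jurisdiction[dst] not in by_name[asset_name].jurisdictions:
            findings.append(f"{asset_name}: flow {src}->{dst} leaves permitted jurisdictions")
    return findings

# Constructed sample input: an EU financial-services client.
LOCATION_JURISDICTION = {"Frankfurt": "EU", "Dublin": "EU", "Virginia": "US"}
ASSETS = [
    Asset("card_transactions", 3, {"EU"}, "Frankfurt", "Private"),
    Asset("supplier_catalog", 1, {"EU", "US"}, "Virginia", "Public"),
    Asset("payroll_records", 3, {"EU"}, "Dublin", "Public"),
]
FLOWS = [("card_transactions", "Frankfurt", "Virginia"),   # backup copy to a US region
         ("supplier_catalog", "Virginia", "Dublin")]

def sample_findings():
    return exposure_points(ASSETS, FLOWS, LOCATION_JURISDICTION)
```

Running sample_findings() flags the payroll records placed on a Public deployment and the card-transaction backup flow that leaves the EU, while the low-sensitivity catalog passes.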
- 11. Summary
• From a requirement, assessment, and SLA perspective, conventional and cloud
based services are very similar for the clients
• The potential for great security (or appalling security!) is very much the same
• There are differences in security considerations and in some security
requirements, and there are specific information assets where it must be considered
whether Cloud Computing is the optimal service form
Where to go for more information on Cloud Security:
• Cloud Security Alliance has done a great job in promoting best practices and
providing good guidelines for Cloud Computing Security:
www.cloudsecurityalliance.org
• Websites of Service Providers in the industry are also rich sources of information
- 12. Questions and Answers
• Contact Information:
Torben Lundgren,
torben.lundgren@accenture.com
or via LinkedIn:
http://uk.linkedin.com/in/torbenlundgren
- 13. Lions and Tigers and Cloud, Oh My!
The Truth Behind Cloud Security and Risks
Ariba Security in the Cloud
Jason Brown
Dir, Solutions Management - Data and Security Policies
- 14. Agenda
• Background
• Ariba Privacy/Security Framework
• Building Trust with Ariba
• Trends
• trust.ariba.com
- 16. Building Trust with Ariba
• Semi-annual WebTrust Seal of Assurance since 2001
Covers Security, Confidentiality, Processing Integrity, and Availability Principles
• SSAE 16 (formerly SAS70) - SOC 1 and SOC 2 Type II reports for transparency since 2009
• PCI DSS Level 1 Service Provider since 2008
• US Dept. of Commerce Safe Harbor since 2009
• Vulnerability Scans and Penetration Tests
Monthly PCI Scans, Pen Tests of each release
• trust.ariba.com
• Background Check Program
• Security Awareness Program
Certification upon hire
Annual re-certification
- 17. Trends
• Greater Transparency
Ariba SOC 1 and SOC 2 Type II reports
• Deeper dives on 3rd party / sub-service provider assurance
Extensive Vendor Oversight program
Equinix SOC 1 Type II report
• Customer performed vulnerability scans
Ariba investment in third party penetration tests
• EU Commission on Data Protection
Initiated program to comply by January 2014
• Cloud Security Alliance growth
Ariba membership
Hosted Silicon Valley Chapter
- 21. Questions and Answers
• Contact Information:
Jason Brown
JasonBrown@ariba.com
- 22. Share This Session…NOW…from your mobile!
• All presentations are posted:
Guidebook mobile app
– Search Apple or Android app store
for Guidebook
– Enter code “collabor8”
Or at Slideshare.net/Ariba
• Share via email or social media
**Come back soon – we are syncing #AribaLIVE
audio and video interviews to
the presentations**