ciso-platform-annual-summit-2013-Mitigating the security risks of cloud service v2

•

0 gefällt mir•373 views

Presented by Wayne Tufek at CISO Platform Annual Summit, 2013. Wayne Tufek is currently the IT Security and Risk Manager at the University of Melbourne. His career spans over 17 years as an active hands on practitioner of information security and technology risk management. He has worked in the public sector, Big 4, financial services, consumer products and education sectors.

Technologie Business

CISO PLATFORM ANNUAL SUMMIT

Mitigating the Security Risks
of Cloud Service Adoption

Wayne Tufek
CISO Platform Annual Summit
November 15-16
Hyatt Regency
Mumbai

AGENDA
•
•
•
•
•
•
•

Introductions
Overview
What is the Cloud?
What are the Risks?
A Process
Summary
Questions

Overview
• What is this presentation about?
• What won’t be covered?

What is the Cloud?

• “A scalable, multi-tenant, multiplatform, multi-network method
of delivering information
technology services.”
• Why the Cloud?

What are the Risks?
•
•
•
•
•
•

Data security
Network availability
Cloud provider viability
Security incident handling
Business continuity
Legal or regulatory compliance

What are the Risks?
• Risk transparency
• Risk management and control
responsibilities between the Cloud
Service Provider (CSP) and the
customer vary according to the cloud
model

What are the Risks?

Source: Gartner (March 2013)

Process – Who are the
Players?
•
•
•
•
•
•

Data owner
IT Department
Project team (if one exists)
Legal
Vendor management
CSP

Process
1. Confirm the data
2. Engage the data
owner
3. Understand process
4. Other considerations
5. Assess risk

6. Evaluate the CSP
7. Assess risk
8. Negotiate the contract
9. Assess risk
10.Monitor and assess
risk

Process – Start With the Data
•
•
•
•
•

Identify the CSP
Identify exactly what the data is
Understand the business process(es)
Engage with the data owner
Perform a risk assessment

Process – How Critical is the
Data?
• Consider the business value of the
process vs. the importance of the
information

Source: Gartner 2013

Process – Other
Considerations
• Integrations/web services
• Support and maintenance processes
• Development/test and production?
– Data masking requirements

Process – How Critical is the
Data?
• Does moving to the Cloud still make
sense?
• Does the proposed business process
need to change?
• Assess the risk

Process – Assess the CSP
• Ask questions about the controls in
place
• Cloud security control guidance
–
–
–
–
–

Cloud Security Alliance (CSA) and STAR
Defence Signals Directorate (DSD)
Common Assurance Maturity Model (CAMM)
The Shared Assessments Program
The European Network and Information Security
Agency

Process – Assess the CSP
• Is the CSP independently assessed?
–
–
–
–

ISO 27001
ISO 27017 and 27018 (Draft)
PCI DSS
SSAE 16 (SOC 1, 2 and 3) –> replaced SAS 70

Assess the CSP
• Understand the controls in place
–
–
–
–

Ask questions
Review documentation
Conduct interviews
Site visit

• Assess the risk

Process – Review the
Contract
• Contractual considerations
–
–
–
–

List controls and processes
Include regular formal third party assessments
Gartner (G00247574)
Gartner (G00211616)

Process – Review the
Contract
• Service Level Agreements
– Define RTO and RPO
– Immediate notification of a security breach
– Increase liability limits

• Assess the risk

Process - Monitor
• Results of security assessments
• Vendor management function
• Assess the risk

Summary
1. Confirm the data
6. Evaluate the CSP
2. Engage the data
7. Assess risk
owner
8. Negotiate the contract
3. Understand process 9. Assess risk
4. Other considerations 10.Monitor and assess
5. Assess risk
risk

Contact
• wtufek@unimelb.edu.au
• LinkedIn
• http://www.linkedin.com/pub/wayne-tufek/0/338/312

Weitere ähnliche Inhalte

Ähnlich wie ciso-platform-annual-summit-2013-Mitigating the security risks of cloud service v2

Time to re think our security process

Ulf Mattsson

Biznet GIO National Seminar on Digital Forensics

Yusuf Hadiwinata Sutandar

Supporting your CMMC initiatives with Sumo Logic

CloudHesive

Global Cybersecurity Blockchain Group

Maeva Ghonda

Clint Harder, Vice President of Product Strategy for TDS HMS presents on "Cloud Services and Enterprise IT Applications: Are They a Match?". Clint Harder takes you through key decision points in selecting cloud services for enterprise applications. This presentation was given at the Enterprise Cloud Summit on October 16, 2012 - presented by VISI. Learn more about enterprise cloud computing at http://www.reliacloud.com.

Moving Enterprise Applications to the Cloud

VISI

The Cloud Controls Matrix (CCM) is an industry accepted set of principles and guidelines that can be leveraged to assess services, products, and your own security posture in the cloud. The framework is based on security requirements and criteria from research conducted by the Cloud Security Alliance (CSA). Learn about the architectural elements of the framework, its impact on international standards, and how it maps to over 30 other industry regulations.

Introduction to the CSA Cloud Controls Matrix

John Yeoh

Standards for protection of data on storage device are emerging from both the...

CMG - The Digital Transformation Association

Security Architecture Best Practices for SaaS Applications

Techcello

Don’t Just Trust Cloud Providers - How To Audit Cloud Providers

Michael Davis

Webinar presentation September 20, 2016. This deck introduces the CSCC’s deliverable, Cloud Security Standards: What to Expect and What to Negotiate V2.0, which was updated in August 2016 to reflect the latest developments in cloud security standards. The presentation is an overview of the various security standards, frameworks, and certifications that exist for cloud computing. This information will help cloud customers understand and distinguish between the different types of security standards that exist and assess the security standards support of their cloud service providers. Read the CSCC's deliverable here: http://www.cloud-council.org/deliverables/cloud-security-standards-what-to-expect-and-what-to-negotiate.htm

Cloud Security Standards: What to Expect and What to Negotiate V2.0

Cloud Standards Customer Council

Webinar presentation: November 17, 2016 Subject matter experts from the CSCC present an overview of the security standards, frameworks, and certifications that exist for cloud computing. We also discuss privacy considerations in light of new regulations (e.g., EU’s General Data Protection Regulation (GDPR)). This presentation helps cloud customers understand and distinguish between the different types of security standards that exist and assess the security standards support of their cloud service providers. Read the CSCC's deliverable, Cloud Security Standards: What to Expect and What to Negotiate: http://www.cloud-council.org/deliverables/cloud-security-standards-what-to-expect-and-what-to-negotiate.htm

Latest Developments in Cloud Security Standards and Privacy

Cloud Standards Customer Council

Cloud services and it security

East Midlands Cyber Security Forum

Security architecture best practices for saas applications

kanimozhin

gkkCloudtechnologyassociate(cta)day 2

Anne Starr

What the auditor need to know about cloud computing

Moshe Ferber

When weighing options for increasing enterprise computing capabilities or seeking ways to improve IT operational efficiency, the prevailing method is to integrate an external IT services vendor, commonly referred to as a cloud service provider (CSP). There is a high probability that audit clients will engage this CSP service to manage their IT needs. Learn how to cope with the audit and risk assessment challenges related to this emerging technology trend in this key session. •Understanding the various Cloud Service Levels and Implementation Types •Identifying Compliance, Service Level Agreement and other Important Duties each party must perform •Understand the Complexities of Auditing internal controls, data security, privacy and performancerelated to cloud •Mitigating the underlying Business Risks associated with adopting a cloud-based IT model

Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...

Alan Yau Ti Dun

At first sight, the development of "hardware" products hardly differs from that of IoT devices. Here you can see the methodology of IoT product development based on an IoT framework by Daniel Elizalde. It’s a convenient and simple model that estimates expenses and potential income, evaluates the technological complexity and at the same time is easily understood by the client. Made by notAnotherOne

Decision Matrix for IoT Product Development

Alexey Pyshkin

Data breaches are on the rise. The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk. There is a shift in cybersecurity investment and IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. PCI DSS 3.2 is out with an important update on data discovery and requirements to detect security control failures. In this webinar, cybersecurity expert Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.

How the latest trends in data security can help your data protection strategy...

Ulf Mattsson

ISO 27017 – What are the Business Advantages of Cloud Security?

Alvin Integrated Services [AIS]

What's Next : A Trillion Event Logs, A Million Security Threat

Alan Yau Ti Dun

Ähnlich wie ciso-platform-annual-summit-2013-Mitigating the security risks of cloud service v2 (20)

Time to re think our security process

Biznet GIO National Seminar on Digital Forensics

Supporting your CMMC initiatives with Sumo Logic

Global Cybersecurity Blockchain Group

Moving Enterprise Applications to the Cloud

Introduction to the CSA Cloud Controls Matrix

Standards for protection of data on storage device are emerging from both the...

Security Architecture Best Practices for SaaS Applications

Don’t Just Trust Cloud Providers - How To Audit Cloud Providers

Cloud Security Standards: What to Expect and What to Negotiate V2.0

Latest Developments in Cloud Security Standards and Privacy

Cloud services and it security

Security architecture best practices for saas applications

gkkCloudtechnologyassociate(cta)day 2

What the auditor need to know about cloud computing

Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...

Decision Matrix for IoT Product Development

How the latest trends in data security can help your data protection strategy...

ISO 27017 – What are the Business Advantages of Cloud Security?

What's Next : A Trillion Event Logs, A Million Security Threat

Mehr von Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs

Priyanka Aash

Verizon Breach Investigation Report (VBIR).pdf

Priyanka Aash

Top 10 Security Risks .pptx.pdf

Priyanka Aash

Simplifying data privacy and protection.pdf

Priyanka Aash

Generative AI and Security (1).pptx.pdf

Priyanka Aash

EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf

Priyanka Aash

DPDP Act 2023.pdf

Priyanka Aash

Cyber Truths_Are you Prepared version 1.1.pptx.pdf

Priyanka Aash

Cyber Crisis Management.pdf

Priyanka Aash

CISOPlatform journey.pptx.pdf

Priyanka Aash

Chennai Chapter.pptx.pdf

Priyanka Aash

Cloud attack vectors_Moshe.pdf

Priyanka Aash

Stories From The Web 3 Battlefield

Priyanka Aash

Lessons Learned From Ransomware Attacks

Priyanka Aash

Emerging New Threats And Top CISO Priorities In 2022 (Chennai)

Priyanka Aash

Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)

Priyanka Aash

Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)

Priyanka Aash

Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud

Cloud Security: Limitations of Cloud Security Groups and Flow Logs

Priyanka Aash

Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.

Cyber Security Governance

Priyanka Aash

The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.

Ethical Hacking

Priyanka Aash

Mehr von Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs

Verizon Breach Investigation Report (VBIR).pdf

Top 10 Security Risks .pptx.pdf

Simplifying data privacy and protection.pdf

Generative AI and Security (1).pptx.pdf

EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf

DPDP Act 2023.pdf

Cyber Truths_Are you Prepared version 1.1.pptx.pdf

Cyber Crisis Management.pdf

CISOPlatform journey.pptx.pdf

Chennai Chapter.pptx.pdf

Cloud attack vectors_Moshe.pdf

Stories From The Web 3 Battlefield

Lessons Learned From Ransomware Attacks

Emerging New Threats And Top CISO Priorities In 2022 (Chennai)

Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)

Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)

Cloud Security: Limitations of Cloud Security Groups and Flow Logs

Cyber Security Governance

Ethical Hacking

Kürzlich hochgeladen

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

How to convert PDF to text with Nanonets

naman860154

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

In an era where artificial intelligence (AI) stands at the forefront of business innovation, Information Architecture (IA) is at the core of functionality. See “There’s No AI Without IA” – (from 2016 but even more relevant today) Understanding and leveraging how Information Architecture (IA) supports AI synergies between knowledge engineering and prompt engineering is critical for senior leaders looking to successfully deploy AI for internal and externally facing knowledge processes. This webinar be a high-level overview of the methodologies that can elevate AI-driven knowledge processes supporting both employees and customers. Core Insights Include: Strategic Knowledge Engineering: Delve into how structuring AI's knowledge base is required to prevent hallucinations, enable contextual retrieval of accurate information. This will include discussion of gold standard libraries of use cases support testing various LLMs and structures and configurations of knowledge base. Precision in Prompt Engineering: Learn the art of crafting prompts that direct AI to deliver targeted, relevant responses, thereby optimizing customer experiences and business outcomes. Unified Approach for Enhanced AI Performance: Explore the intersection of knowledge and prompt engineering to develop AI systems that are not only more responsive but also aligned with overarching business strategies. Guiding Principles for Implementation: Equip yourself with best practices, ethical guidelines, and strategic considerations for embedding these technologies into your business ecosystem effectively. This webinar is designed to empower business and technology leaders with the knowledge to harness the full potential of AI, ensuring their organizations not only keep pace with digital transformation but lead the charge. Join us to map a roadmap to fully leverage Information Architecture (IA) and AI chart a course towards a future where AI is a key pillar of strategic innovation and business success.

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Earley Information Science

Histor y of HAM Radio presentation slide

vu2urc

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Friends Colony Women Seeking Men

Delhi Call girls

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Kürzlich hochgeladen (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

How to Troubleshoot Apps for the Modern Connected Worker

Boost PC performance: How more available memory can improve productivity

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

How to convert PDF to text with Nanonets

Data Cloud, More than a CDP by Matt Robison

GenAI Risks & Security Meetup 01052024.pdf

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Histor y of HAM Radio presentation slide

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

08448380779 Call Girls In Friends Colony Women Seeking Men

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Powerful Google developer tools for immediate impact! (2023-24 C)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

What Are The Drone Anti-jamming Systems Technology?

presentation ICT roal in 21st century education

ciso-platform-annual-summit-2013-Mitigating the security risks of cloud service v2

1. CISO PLATFORM ANNUAL SUMMIT Mitigating the Security Risks of Cloud Service Adoption Wayne Tufek CISO Platform Annual Summit November 15-16 Hyatt Regency Mumbai

2. AGENDA • • • • • • • Introductions Overview What is the Cloud? What are the Risks? A Process Summary Questions

3. Overview • What is this presentation about? • What won’t be covered?

4. What is the Cloud? • “A scalable, multi-tenant, multiplatform, multi-network method of delivering information technology services.” • Why the Cloud?

5. What are the Risks? • • • • • • Data security Network availability Cloud provider viability Security incident handling Business continuity Legal or regulatory compliance

6. What are the Risks? • Risk transparency • Risk management and control responsibilities between the Cloud Service Provider (CSP) and the customer vary according to the cloud model

7. What are the Risks? Source: Gartner (March 2013)

8. Process – Who are the Players? • • • • • • Data owner IT Department Project team (if one exists) Legal Vendor management CSP

9. Process 1. Confirm the data 2. Engage the data owner 3. Understand process 4. Other considerations 5. Assess risk 6. Evaluate the CSP 7. Assess risk 8. Negotiate the contract 9. Assess risk 10.Monitor and assess risk

10. Process – Start With the Data • • • • • Identify the CSP Identify exactly what the data is Understand the business process(es) Engage with the data owner Perform a risk assessment

11. Process – How Critical is the Data? • Consider the business value of the process vs. the importance of the information Source: Gartner 2013

12. Process – Other Considerations • Integrations/web services • Support and maintenance processes • Development/test and production? – Data masking requirements

13. Process – How Critical is the Data? • Does moving to the Cloud still make sense? • Does the proposed business process need to change? • Assess the risk

14. Process – Assess the CSP • Ask questions about the controls in place • Cloud security control guidance – – – – – Cloud Security Alliance (CSA) and STAR Defence Signals Directorate (DSD) Common Assurance Maturity Model (CAMM) The Shared Assessments Program The European Network and Information Security Agency

15. Process – Assess the CSP • Is the CSP independently assessed? – – – – ISO 27001 ISO 27017 and 27018 (Draft) PCI DSS SSAE 16 (SOC 1, 2 and 3) –> replaced SAS 70

16. Assess the CSP • Understand the controls in place – – – – Ask questions Review documentation Conduct interviews Site visit • Assess the risk

17. Process – Review the Contract • Contractual considerations – – – – List controls and processes Include regular formal third party assessments Gartner (G00247574) Gartner (G00211616)

18. Process – Review the Contract • Service Level Agreements – Define RTO and RPO – Immediate notification of a security breach – Increase liability limits • Assess the risk

19. Process - Monitor • Results of security assessments • Vendor management function • Assess the risk

20. Summary 1. Confirm the data 6. Evaluate the CSP 2. Engage the data 7. Assess risk owner 8. Negotiate the contract 3. Understand process 9. Assess risk 4. Other considerations 10.Monitor and assess 5. Assess risk risk

21. Questions?

22. Contact • wtufek@unimelb.edu.au • LinkedIn • http://www.linkedin.com/pub/wayne-tufek/0/338/312

ciso-platform-annual-summit-2013-Mitigating the security risks of cloud service v2

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie ciso-platform-annual-summit-2013-Mitigating the security risks of cloud service v2

Ähnlich wie ciso-platform-annual-summit-2013-Mitigating the security risks of cloud service v2 (20)

Mehr von Priyanka Aash

Mehr von Priyanka Aash (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

ciso-platform-annual-summit-2013-Mitigating the security risks of cloud service v2