1. Your Data Center Boundaries Don’t Exist Anymore!
Joram Borenstein (CISSP, CISA)
Director, Compliance & Risk Management
RSA, The Security Division of EMC
© Copyright 2012 EMC Corporation. All rights reserved. 1
2. Agenda
Boundaries don’t exist … let me prove it to you!
A Cautionary Tale: What This Presentation is NOT About
Proof-Points (aka “Critical Issues in Oversight & Compliance”)
OK, So What’s Going On Here?
Real-Life Best Practices to Mitigate These Challenges
Conclusion: Open Questions
4. Boundaries: In Our Personal Lives
6. Boundaries: Employees’ Access to Cloud
– Amazon
– VMware
– Google
– salesforce.com
– Mozy
– Dropbox
– Facebook
– Evernote
– … and others
7. What This Presentation Is NOT About
8. What This Presentation is NOT About
Using Virtualization for new-fangled Data Center tricks
New Product Announcements
How to re-architect your Data Center
It is about
– Compliance
– Auditing
– Adjustments in organizational culture
9. Data Center Compliance Challenges
Visibility
– Lack of visibility into servers, storage or network infrastructure
Automation
– Difficult to validate technical control measurement
Audit
– No centralized record keeping as an audit trail
Virtualization
– New abstraction layers complicate compliance validation
11. Proof: Press & Analyst Community #s
“Morgan Stanley estimates the percentage of IT departments using the public cloud to rise from 28% in 2011 to 51% by 2014.”
– (April 2012, source: http://www.marketwatch.com/story/mozy-expanding-cloud-footprint-within-enterprise-2012-04-10 )
“More Than One-Third of IT Budgets Now Spent on Cloud”
– (April 2012, source: http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgets-now-spent-on-cloud-survey/ based on IDG Enterprise Cloud Computing Study (Jan 2012))
“55% ... are using cloud in some capacity today”
– (Feb 2012, source: http://www.thedatachain.com/news/2012/2/mid_size_businesses_lead_the_way_in_cloud_adoption )
12. Proof: Start-Up Funding
No boundaries lead to … lots of concern (risk scenarios)
Thesis: basic security building blocks for clouds
Sample Companies
– CloudSwitch (now VRZN/TRMK)
– enStratus
– Vaultive
– PerspecSys
– Co3Sys
– salesforce.com (acquiring Navajo Systems)
– Gazzang
– High Cloud Security
– Many others …
Some of these are simple email encryption gateway vendors
Some assist with migration from legacy on-premises (OP) environments to cloud
13. Proof: An Increasing # of Certifications…
AICPA (American Institute of Certified Public Accountants)
AT 101 = Attest Engagements (the attestation standard under which SOC 2 and SOC 3 reports are issued)
3 new reporting designations (“Service Organization Control (SOC) reports”)
– SOC 1: controls at the service organization relevant to customers’ financial reporting
– SOC 2: controls relevant to security, availability, processing integrity, confidentiality and privacy; restricted-distribution report
– SOC 3: same criteria as SOC 2, but a general-use summary report
FYI … SOC 1 (issued under SSAE 16) replaced SAS 70 in the US in 2011; ISAE 3402 is the international equivalent
14. Certifications: General Questions
(Slide graphic: SOC 1? SOC 2? SOC 3? Type 1? Type 2?)
What does my business do?
Who are my customers?
What are they buying from me?
What sort of customer information do/will I have?
What guarantees/confidence do my customers need from my company?
What certifications do my competitors have?
What IT certifications do my financial auditors recommend I get?
Do I have an IT auditor? Should I? I thought this was only for regulated data such as cardholder data (PCI DSS) and PHI (HIPAA)?
OK, so I chose a SOC 1 … now do I need a Type 1 or a Type 2?
– Type 1 reports on the design of controls at a point in time; Type 2 also tests their operating effectiveness over a period
15. Certifications: Data Center–Specific Questions
Am I prepared as an organization to go through an IT audit?
– Do I have a consistent set of controls in place?
Can I get my DC provider to answer IT audit questions?
– What does my contract allow?
Does my DC provider have its own certifications?
– Which one(s)?
– Do they suffice?
What is my DC architecture?
– Is it still applicable?
– Is the IT Auditor going to understand it? Agree with it? Allow it?
16. OK, So What’s Going On Here?
17. Do Your Own People Understand These Issues?
“In-The-Trenches” personnel
– Can they articulate the changes?
Your Sales Force
– Are they aware of how to talk with customers?
– Of how contracts might need to change?
Your Legal Department
– Are they aware of new privacy legislation?
– Are they aware of new compliance needs?
Senior Management
– Do they understand the risks?
– Can they articulate a vision to customers, partners, and employees?
Your HR Team
– “7/10 think their IT departments need to expand their skills to keep up with cloud trends.”
– (April 2012, source: http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgets-now-spent-on-cloud-survey/ based on IDG Enterprise Cloud Computing Study (Jan 2012))
18. What Are the Compliance Implications?
Industrial
– Consortia
– Standards groups
Governmental
– Within your own country
– In other countries you do business in
Internal
– Audit
– Compliance
19. What Are the Regulatory Issues?
Forbidding certain countries
Scoping audits
Virtualization
– … makes audit scoping more complicated for most people
“Elastic” environments
Shared equipment
20. What Are the Governance Issues?
Are we prepared?
Do we understand the implications?
Do our existing models still work?
Do we include our service providers within our governance model?
21. Real-Life Best Practices to Mitigate These Challenges
22. Real-Life Best Practices to Mitigate These Challenges
1. Educate EVERYONE
2. Re-assess contractual agreements with Service Providers
3. Keep Track of Certifications
4. Keep Track of New Legislation
5. Pick a set of controls which are adaptive
23. #1: Educate Everyone
Yes … this takes time
Yes … people won’t understand you at first
Especially the executives!!
– Helps with budget ($)
– Helps when escalations occur
– Just plain helps to provide transparency
The Legal Team is your friend
Why Is This Important?
– You will need these people!
– Decisions across functions will be impacted by these realities
– These teams will eventually have to adjust
24. #2: Re-Assess Contracts
With Whom?
– Data Center providers
– Service providers
– Customers
Why?
– You have new risks to consider!
– Contractual language may no longer be applicable
– SLAs take on new meaning in new contexts
– You (might) need new protections
25. #3: Keep Track of New Certifications
What do your customers want?
What does your Internal Audit Team demand?
What do your IT Auditors recommend?
What do your financial auditors recommend?
What are you committed to contractually?
26. #4: Keep Track of New Legislation
Cloud-related legislation is appearing in many places
Here’s one recent example
European Commission (Jan 2012)
Revising the EU’s 1995 Data Protection Directive
“ ... the transfer of data to third countries has become an
important factor in daily life. There are no borders online
and cloud computing means data may be sent from Berlin
to be processed in Boston and stored in Bangalore.”
(source: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm)
27. #5: Pick a Control Set(s)
Which adapts as your needs change
Which has industry support
Which makes sense for your organization
Which your customers will respect & support
Keep track of new sets coming out
– e.g. HITRUST in the US is not only for healthcare
Re-visit alternative control set(s) regularly
Consider layering them on top of one another
28. Conclusion: Open Questions
29. Conclusion:
There are emerging best practices that will help in managing the “data center without boundaries”
– An effective strategy based on governance, controls and visibility is
essential.
There are still lots of open questions
– What impact will regulatory changes have?
– How do you articulate your vision of the data center without boundaries?
Get involved
– Participate in working groups from consortia and others
– Attend events such as these to hear about new revelations and innovations
– Comment on privacy legislation
30. Provide Feedback & Win!
125 attendees will receive $100 iTunes gift cards. To enter the raffle, simply complete:
– 5 session surveys
– The conference survey
Download the EMC World Conference App to learn more: emcworld.com/app