Cloud Computing Risks today…
Marc Vael, International Vice-President, Chair of the Cloud Computing Task Force
Industrial transformation
When was the term used for the first time? 26th of October 1997
Who hyped all this?
“What's interesting [now] is that there is an emergent new model, and you all are here because you are part of that new model. I don't think people have really understood how big this opportunity really is. It starts with the premise that the data services and architecture should be on servers. We call it cloud computing – they should be in a "cloud" somewhere. And that if you have the right kind of browser or the right kind of access, it doesn't matter whether you have a PC or a Mac or a mobile phone or a BlackBerry or what have you – or new devices still to be developed – you can get access to the cloud.”
Mr. Eric Schmidt, Chairman & CEO Google, Search Engine Strategies Conference, 9th of August 2006
http://www.google.com/press/podium/ses2006.html
http://www.nist.gov/itl/cloud/
http://www.isaca.org/cloud/
http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
Cloud Computing: Lessons learned... thus far
Definition
Cloud computing = a model for enabling convenient, on-demand broad network access to a shared pool of configurable computing resources that can be rapidly provisioned & released with minimal management effort or service provider interaction, and with automatic measuring, controlling & optimization.
5 characteristics, 3 service models, 4 deployment models.
NIST, Definition of Cloud Computing, October 2009
Definition: 5 essential characteristics
1. On-demand self-service.
2. Broad network access. Accessible via different platforms.
3. Resource pooling. Multi-tenant model. Location independence: the consumer has no control over or knowledge of the location of resources, but may be able to specify location at a higher level of abstraction.
4. Rapid & elastic provisioning (add & withdraw). Capabilities appear to be unlimited and can be purchased in any quantity at any time.
5. Automatically measured, controlled, optimized service.
Considerations in 3 Cloud Computing Service Models
ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010
• Marketing packaging is becoming important…
Considerations in 4 Cloud Computing Deployment Models
ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010
Cloud Computing: Lessons learned... thus far
Analyzing Cloud Computing
CLOUD ROI in practice
TANGIBLE BENEFITS
• Cost reduction (OPEX)
• Enhanced productivity
• Optimized resource utilization
• Improved security
• Improved compliance
• Access to skills & capabilities
• On-demand scalability
• Agility (time to market)
• Improved customer satisfaction
• Higher reliability (DRP)
• Better performance and uptime
INTANGIBLE BENEFITS
• Avoiding missed business opportunities
• Focus on core business
• Higher employee satisfaction (mobile)
• Boosting innovation
• Real-time collaboration
• Risk transfer to CSP
UPFRONT COSTS
• Technical readiness (bandwidth)
• Implementation / transition
• Integration in-house/cloud
• Configuration / customization
• Training
• Organisational change
RECURRING COSTS
• Subscription fees
• Change management
• Vendor management (SLA)
• Cloud coordination
• End-user support & administration
• Risk mitigation
• Downsize/upsize costs
TERMINATION COSTS
• Revert to on-premises or transfer to another CSP
• Penalties, data export, knowledge, documents
CLOUD ROI suggestions
• Focus quickly on the optimal cloud solution: start with an initial/baseline model and iteratively identify the one best suited to the enterprise's needs.
• Make an "apples to apples" comparison: evaluate a comparable set of costs for the as-is and to-be alternatives, i.e. make a fair comparison between two solutions that are potentially very different. Measuring monetary values in a consistent manner increases ROI accuracy and reliability.
• Stay within the enterprise's risk tolerance: perform a risk assessment of the as-is and to-be options to ensure that the solutions being compared are within the enterprise's risk tolerance and that the costs of mitigating unacceptable risk are factored into the calculations. Knowing the enterprise's risk appetite before calculations begin is a must.
Cloud Computing: Lessons learned... thus far
Risk always exists! (whether or not it is detected / recognised by the organisation).
Cloud Computing: Lessons learned... thus far
Never outsource what you do not manage properly today! You always remain accountable!
15 basic “lessons learned”:
1. Psychological impact
2. IT governance model
3. Integration with internal/external IT systems
4. Network connectivity / bandwidth
5. Data location
6. Shared tenancy
7. Vendor lock-in
8. Service provider stability, reliability and viability
9. Service portability / customization
10. Legal & regulatory compliance requirements (including licensing, contractual arrangements, record protection for forensic audit)
11. Information security management (including IAM and logging)
12. Incident response & crisis management
13. Business Continuity Management & Disaster Recovery Planning
14. Data ownership, lifecycle, archiving & removal
15. (Right to) audit (pentest, screening, monitoring, …)
Policy & Organizational risks
1. Provider Lock in*
2. Loss of Governance*
3. Compliance challenges*
4. Loss of business reputation due to co-tenant activities
5. Cloud service termination/failure
6. Cloud provider acquisition
7. Supply Chain failure
8. SLA challenges
Legal risks
1. Data protection risks*
2. Risks from changes in jurisdiction
3. Licensing risks
4. Subpoena & e-discovery
Corporate governance: ERM = COSO
• Transparency: providers must prove effective & robust security controls, assuring consumers that all information is properly secured (C-I-A).
- How much transparency is enough / too much?
- Which employees (of the provider) have access to consumer information?
- Is Segregation of Duties (SoD) between provider employees maintained?
- How are different consumers' information segregated?
- What controls are in place to prevent, detect and react to security breaches?
- What investigations, examinations and audits (physical & virtual) are allowed by the provider?
• Privacy: providers must prove privacy controls are in place and demonstrate the ability to prevent, detect and react to security breaches in a timely manner.
- Information & reporting lines of communication need to be in place & agreed on.
- Communication channels should be tested periodically.
• Trans-border information flow: physical location of the information.
- Physical location dictates jurisdiction and legal obligation.
- National laws govern personally identifiable information (PII).
- What is allowed in one country can be a violation in another.
Technical risks
1. Isolation failure*
2. Malicious insider at cloud provider*
3. Management interface compromise*
4. Insecure/ineffective data deletion*
5. Malicious scans
6. Resource exhaustion
7. Intercepting data in transit
8. Data leakage
9. DDoS
10. Loss of encryption keys
11. Compromise of the service engine
12. Conflicts between consumer procedures and cloud provider procedures
Effective Cloud Risk Communication
• Expectation: strategy, policies, procedures, awareness, …
• Capability: risk management process maturity
• Status: risk profile, KRIs, loss data, …
• Certification: providers need to provide independent assurance to consumers that they are doing the “right” things.
Cloud Computing: Lessons learned... thus far
Cloud Computing Audit program
• Planning & scoping the audit
• Cloud governance
– Governance & Enterprise Risk Management
– Legal & Electronic Discovery
– Compliance & Audit
– Portability & Interoperability
• Cloud operations
– Incident Response, Notification & Remediation
– Application Security
– Data Security & Integrity
– Identity & Access Management
– Virtualization
Cloud Computing Conclusions
Your cloud computing solution is as strong … as its weakest link.
www.isaca.org/cloud
www.isaca.org/cobit
http://www.enisa.europa.eu/
http://www.enisa.europa.eu/activities/Resilience-and-CIIP/networks-and-services-resilience/cloud-computing
References: Relevant Cloud Computing websites
• www.cloudsecurityalliance.org/
• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing
• csrc.nist.gov/groups/SNS/cloud-computing/
• opencloudconsortium.org/
• www.opencloudmanifesto.org/
• www.cloud-standards.org/wiki/
• en.wikipedia.org/wiki/Cloud_computing
• searchcloudcomputing.techtarget.com/
• cloudsecurity.org/
• www.cloudaudit.org/
• www.isaca.org/cloud
Contact information
Marc Vael, International Vice-President, Chairman of the Cloud Computing Task Force
http://www.isaca.org/cloud
marc@vael.net
http://www.linkedin.com/in/marcvael
@marcvael
14 General Cloud Computing Security Advantages
1. Data fragmentation & dispersal
2. Dedicated security team
3. Greater investment in security infrastructure
4. Fault tolerance & reliability
5. Greater resiliency
6. Hypervisor protection against network attacks
7. Access to pre-accredited clouds
8. Simplification of compliance analysis
9. Data held by an unbiased party (cloud vendor assertion)
10. Low-cost disaster recovery & data storage solutions
11. On-demand security controls
12. Real-time detection of system tampering
13. Rapid re-constitution of services
14. Advanced honeynet capabilities
14 Specific Cloud Computing Security Challenges
1. Migrating PII & sensitive data to the cloud
– EU Data Protection Directive & U.S. Safe Harbor program
– Exposure of data to foreign governments & data subpoenas
– Data retention & records management issues
– Privacy Impact Assessments (PIA)
2. Identity & Access Management
3. Multi-tenancy
4. Logging & monitoring
5. Data ownership / custodianship
6. Quality of Service guarantees
8. Attracting hackers (high-value target)
9. Security of virtual OS in the cloud
10. BCP / DRP
11. Data encryption & key management
– Encrypting access to the cloud resource control interface
– Encrypting administrative access to OS instances
– Encrypting access to applications
– Encrypting application data at rest
12. Public cloud vs. internal cloud security
13. Lack of public SaaS version control
14. Using SLAs to obtain cloud security
– Suggested requirements for cloud SLAs

Weitere ähnliche Inhalte

Was ist angesagt?

Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak
 
Cloud Computing Risk Management (Multi Venue)
Cloud Computing Risk Management (Multi Venue)Cloud Computing Risk Management (Multi Venue)
Cloud Computing Risk Management (Multi Venue)
Brian K. Dickard
 

Was ist angesagt? (20)

CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
 
How to ensure Business Continuity in the Cloud
How to ensure Business Continuity in the CloudHow to ensure Business Continuity in the Cloud
How to ensure Business Continuity in the Cloud
 
Cloud security: Accelerating cloud adoption
Cloud security: Accelerating cloud adoption Cloud security: Accelerating cloud adoption
Cloud security: Accelerating cloud adoption
 
bishu pdf1
bishu pdf1bishu pdf1
bishu pdf1
 
Privacy Issues In Cloud Computing
Privacy Issues In Cloud ComputingPrivacy Issues In Cloud Computing
Privacy Issues In Cloud Computing
 
Get your house on order
Get your house on orderGet your house on order
Get your house on order
 
Cloud computing 2012
Cloud computing 2012Cloud computing 2012
Cloud computing 2012
 
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
 
Iia 2012 Spring Conference Philly V Final
Iia 2012 Spring Conference Philly V FinalIia 2012 Spring Conference Philly V Final
Iia 2012 Spring Conference Philly V Final
 
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
 
Big Data (security Issue)
Big Data (security Issue)Big Data (security Issue)
Big Data (security Issue)
 
Cloud Computing Risk Management (Multi Venue)
Cloud Computing Risk Management (Multi Venue)Cloud Computing Risk Management (Multi Venue)
Cloud Computing Risk Management (Multi Venue)
 
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMMCloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
 
Data protection in cloud computing - Data Protection Conference 2011
Data protection in cloud computing - Data Protection Conference 2011Data protection in cloud computing - Data Protection Conference 2011
Data protection in cloud computing - Data Protection Conference 2011
 
Host your Cloud – Netmagic Solutions
Host your Cloud – Netmagic SolutionsHost your Cloud – Netmagic Solutions
Host your Cloud – Netmagic Solutions
 
CFO Summit Series - Cloud Computing
CFO Summit Series - Cloud ComputingCFO Summit Series - Cloud Computing
CFO Summit Series - Cloud Computing
 
Cloud Computing security issues
Cloud Computing security issuesCloud Computing security issues
Cloud Computing security issues
 
Solve Big Data Security Issues
Solve Big Data Security IssuesSolve Big Data Security Issues
Solve Big Data Security Issues
 
Ohm2013 cloud security 101 slideshare
Ohm2013 cloud security 101 slideshareOhm2013 cloud security 101 slideshare
Ohm2013 cloud security 101 slideshare
 
IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011
 

Ähnlich wie ISACA Cloud Computing Risks

Dr. Michael Valivullah, NASS/USDA - Cloud Computing
Dr. Michael Valivullah, NASS/USDA - Cloud ComputingDr. Michael Valivullah, NASS/USDA - Cloud Computing
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
ikanow
 
Securing Apps & Data in the Cloud by Spyders & Netskope
Securing Apps & Data in the Cloud by Spyders & NetskopeSecuring Apps & Data in the Cloud by Spyders & Netskope
Securing Apps & Data in the Cloud by Spyders & Netskope
Ahmad Abdalla
 
Unit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav AcharyaUnit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav Acharya
AchSulav
 
Unit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav AcharyaUnit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav Acharya
AchSulav
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
patmisasi
 

Ähnlich wie ISACA Cloud Computing Risks (20)

Cloud security lessons learned and audit
Cloud security lessons learned and auditCloud security lessons learned and audit
Cloud security lessons learned and audit
 
Tech equity - Cloud presentation
Tech equity - Cloud presentationTech equity - Cloud presentation
Tech equity - Cloud presentation
 
Preventing Cloud Data Breaches.pdf
Preventing Cloud Data Breaches.pdfPreventing Cloud Data Breaches.pdf
Preventing Cloud Data Breaches.pdf
 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
 
Securing The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdfSecuring The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdf
 
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
Dr. Michael Valivullah, NASS/USDA - Cloud ComputingDr. Michael Valivullah, NASS/USDA - Cloud Computing
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
EMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the CloudEMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the Cloud
 
Securing Apps & Data in the Cloud by Spyders & Netskope
Securing Apps & Data in the Cloud by Spyders & NetskopeSecuring Apps & Data in the Cloud by Spyders & Netskope
Securing Apps & Data in the Cloud by Spyders & Netskope
 
Unit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav AcharyaUnit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav Acharya
 
Unit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav AcharyaUnit 9 Technological trends in Information Technology By Sulav Acharya
Unit 9 Technological trends in Information Technology By Sulav Acharya
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
 
Building Cloud capability for startups
Building Cloud capability for startupsBuilding Cloud capability for startups
Building Cloud capability for startups
 
Insurtech, Cloud and Cybersecurity - Chartered Insurance Institute
Insurtech, Cloud and Cybersecurity -  Chartered Insurance InstituteInsurtech, Cloud and Cybersecurity -  Chartered Insurance Institute
Insurtech, Cloud and Cybersecurity - Chartered Insurance Institute
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud security
 
Celera Networks on Cloud Computing
Celera Networks on Cloud Computing Celera Networks on Cloud Computing
Celera Networks on Cloud Computing
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
 
RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...
RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...
RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpoint
 

Mehr von Marc Vael

Mehr von Marc Vael (20)

How secure are chat and webconf tools
How secure are chat and webconf toolsHow secure are chat and webconf tools
How secure are chat and webconf tools
 
my experience as ciso
my experience as cisomy experience as ciso
my experience as ciso
 
Advantages of privacy by design in IoE
Advantages of privacy by design in IoEAdvantages of privacy by design in IoE
Advantages of privacy by design in IoE
 
Cybersecurity governance existing frameworks (nov 2015)
Cybersecurity governance existing frameworks (nov 2015)Cybersecurity governance existing frameworks (nov 2015)
Cybersecurity governance existing frameworks (nov 2015)
 
Cybersecurity nexus vision
Cybersecurity nexus visionCybersecurity nexus vision
Cybersecurity nexus vision
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholders
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditing
 
ISACA Internet of Things open forum presentation
ISACA Internet of Things open forum presentationISACA Internet of Things open forum presentation
ISACA Internet of Things open forum presentation
 
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
 
The value of big data analytics
The value of big data analyticsThe value of big data analytics
The value of big data analytics
 
Social media risks and controls
Social media risks and controlsSocial media risks and controls
Social media risks and controls
 
The view of auditor on cybercrime
The view of auditor on cybercrimeThe view of auditor on cybercrime
The view of auditor on cybercrime
 
ISACA Mobile Payments Forum presentation
ISACA Mobile Payments Forum presentationISACA Mobile Payments Forum presentation
ISACA Mobile Payments Forum presentation
 
Belgian Data Protection Commission's new audit programme
Belgian Data Protection Commission's new audit programmeBelgian Data Protection Commission's new audit programme
Belgian Data Protection Commission's new audit programme
 
Information security awareness (sept 2012) bis handout
Information security awareness (sept 2012) bis handoutInformation security awareness (sept 2012) bis handout
Information security awareness (sept 2012) bis handout
 
ISACA smart security for smart devices
ISACA smart security for smart devicesISACA smart security for smart devices
ISACA smart security for smart devices
 
Securing big data (july 2012)
Securing big data (july 2012)Securing big data (july 2012)
Securing big data (july 2012)
 
Valuendo cyberwar and security (jan 2012) handout
Valuendo cyberwar and security (jan 2012) handoutValuendo cyberwar and security (jan 2012) handout
Valuendo cyberwar and security (jan 2012) handout
 
How to handle multilayered IT security today
How to handle multilayered IT security todayHow to handle multilayered IT security today
How to handle multilayered IT security today
 
ISACA Belgium CERT view 2011
ISACA Belgium CERT view 2011ISACA Belgium CERT view 2011
ISACA Belgium CERT view 2011
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Kürzlich hochgeladen (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

ISACA Cloud Computing Risks

  • 1. Cloud Computing Risks today… Marc Vael International Vice-President Chair of the Cloud Computing Task Force
  • 2.
  • 4.
  • 5.
  • 6. When was the term used for the first time? 26th of October 1997
  • 7. Who hyped all this? “What's interesting [now] is that there is an emergent new model, and you all are here because you are part of that new model. I don't think people have really understood how big this opportunity really is. It starts with the premise that the data services and architecture should be on servers. We call it cloud computing – they should be in a "cloud" somewhere. And that if you have the right kind of browser or the right kind of access, it doesn't matter whether you have a PC or a Mac or a mobile phone or a BlackBerry or what have you – or new devices still to be developed – you can get access to the cloud.” Mr. Eric Schmidt, Chairman & CEO Google Search Engine Strategies Conference 
 9th of August 2006 http://www.google.com/press/podium/ses2006.html
  • 8.
  • 13.
  • 14. Definition Cloud computing = 
 model for enabling convenient, on-demand broad network access to a shared pool of configurable computing resources that can be rapidly provisioned & released with minimal management effort or service provider interaction and with automatic measuring, controlling & optimization. 5 characteristics 3 service models 4 deployment models NIST, Definition of Cloud Computing, October 2009
  • 15. Definition: 5 essential characteristics. 1. On-demand self-service.
  • 16. Definition: 5 essential characteristics. 2. Broad network access: accessible via different platforms.
  • 17. Definition: 5 essential characteristics. 3. Resource pooling: multi-tenant model. Location independence: the consumer has no control / knowledge over the location of resources but may be able to specify location at a higher level of abstraction.
  • 18. Definition: 5 essential characteristics. 4. Rapid & elastic provisioning (add & withdraw): capabilities appear to be unlimited and can be purchased in any quantity at any time.
  • 19. Definition: 5 essential characteristics. 5. Automatically measured, controlled, optimized service.
  • 21. Considerations in 3 Cloud Computing Service Models (ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010)
  • 22. Considerations in 3 Cloud Computing Service Models: marketing packaging is becoming important…
  • 24. Considerations in 4 Cloud Computing Deployment Models (ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010)
  • 28. CLOUD ROI in practice
  • 29. TANGIBLE BENEFITS
    • Cost Reduction (OPEX)
    • Enhanced productivity
    • Optimized resource utilization
    • Improved security
    • Improved compliance
    • Access to skills & capabilities
    • On-demand scalability
    • Agility (time to market)
    • Improved customer satisfaction
    • Higher reliability (DRP)
    • Better performance and uptime
    INTANGIBLE BENEFITS
    • Avoiding missed business opportunities
    • Focus on core business
    • Higher employee satisfaction (mobile)
    • Boosting innovation
    • Real-time collaboration
    • Risk transfer to CSP
  • 30. UPFRONT COSTS
    • Technical readiness (bandwidth)
    • Implementation / Transition
    • Integration inhouse-cloud
    • Configuration/Customization
    • Training
    • Organisational change
    RECURRING COSTS
    • Subscription fees
    • Change management
    • Vendor management (SLA)
    • Cloud coordination
    • End-user support & administration
    • Risk mitigation
    • Downsize/Upsize costs
    TERMINATION COSTS
    • Revert to on-premises or transfer to other CSP
    • Penalties, Data export, Knowledge, Documents
  • 32. CLOUD ROI suggestions
    • Focus quickly on the optimal cloud solution: start with an initial/baseline model and iteratively identify the one best suited to the enterprise’s needs.
    • Make an “apples to apples” comparison: evaluate a comparable set of costs for the as-is & to-be alternatives, i.e. make a fair comparison between 2 solutions that are potentially very different. Measuring monetary values in a consistent manner increases ROI accuracy and reliability.
    • Stay within the enterprise’s risk tolerance: perform a risk assessment of the as-is & to-be options to ensure that the solutions being compared are within the enterprise’s risk tolerance and that the costs of mitigating unacceptable risk are factored into the calculations. Knowing the enterprise’s risk appetite before calculations begin is a must.
  • 39. Risk always exists! (whether or not it is detected / recognised by the organisation).
  • 53. Never outsource what you do not manage properly today! You always remain accountable!
  • 61. 15 basic “lessons learned”:
    1. Psychological impact
    2. IT governance model
    3. Integration with internal/external IT systems
    4. Network connectivity / bandwidth
    5. Data location
    6. Shared tenancy
    7. Vendor lock-in
    8. Service Provider stability, reliability and viability
    9. Service portability / customization
    10. Legal & regulatory compliance requirements (including licensing, contractual arrangements, record protection for forensic audit)
    11. Information security management (including IAM and logging)
    12. Incident response & crisis management
    13. Business Continuity Mgt & Disaster Recovery Planning
    14. Data ownership, lifecycle, archiving & removal
    15. (Right to) Audit (pentest, screening, monitoring, …)
  • 64. Policy & Organizational risks
    1. Provider Lock-in*
    2. Loss of Governance*
    3. Compliance challenges*
    4. Loss of business reputation due to co-tenant activities
    5. Cloud service termination/failure
    6. Cloud provider acquisition
    7. Supply Chain failure
    8. SLA challenges
  • 68. Legal risks
    1. Data protection risks*
    2. Risks from changes in jurisdiction
    3. Licensing risks
    4. Subpoena & e-discovery
  • 69. Corporate governance: ERM = COSO; organisational structure.
  • 72. Transparency: providers must prove effective & robust security controls, assuring consumers all info is properly secured (C-I-A).
    – How much transparency is enough/too much?
    – Which employees (of the provider) have access to consumer information?
    – Is Segregation of Duties (SoD) between provider employees maintained?
    – How are different consumers’ information segregated?
    – What controls are in place to prevent, detect and react to security breaches?
    – What investigations, examinations and audits (physical & virtual) are allowed by the provider?
  • 73. Privacy: providers must prove privacy controls are in place + demonstrate the ability to prevent, detect and react to security breaches in a timely manner.
    – Information & reporting lines of communication need to be in place & agreed on.
    – Communication channels should be tested periodically.
  • 74. Trans-border information flow: physical location of the information.
    – Physical location dictates jurisdiction and legal obligation.
    – National laws governing personally identifiable information (PII).
    – What is allowed in one country can be a violation in another.
  • 76. Technical risks
    1. Isolation failure*
    2. Malicious insider at cloud provider*
    3. Management interface compromise*
    4. Insecure/ineffective data deletion*
    5. Malicious scans
    6. Resource exhaustion
    7. Intercepting data in transit
    8. Data leakage
    9. DDoS
    10. Loss of encryption keys
    11. Compromise of service engine
    12. Conflicts between consumer procedures and cloud procedures
  • 81. Certification: providers need to provide independent assurance to consumers that they are doing the “right” things.
  • 87. Cloud Computing Audit program
    • Planning & Scoping the Audit
    • Cloud Governance
      – Governance & Enterprise Risk Management
      – Legal & Electronic Discovery
      – Compliance & Audit
      – Portability & Interoperability
    • Cloud Operations
      – Incident Response, Notification & Remediation
      – Application Security
      – Data Security & Integrity
      – Identity & Access Management
      – Virtualization
  • 92. Your cloud computing solution is as strong … as its weakest link.
  • 98. References: Relevant Cloud Computing websites
    • www.cloudsecurityalliance.org/
    • http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing
    • csrc.nist.gov/groups/SNS/cloud-computing/
    • opencloudconsortium.org/
    • www.opencloudmanifesto.org/
    • www.cloud-standards.org/wiki/
    • en.wikipedia.org/wiki/Cloud_computing
    • searchcloudcomputing.techtarget.com/
    • cloudsecurity.org/
    • www.cloudaudit.org/
    • www.isaca.org/cloud
  • 99. Marc Vael, International Vice-President, Chairman of the Cloud Computing Task Force, http://www.isaca.org/cloud. Contact information: marc@vael.net, http://www.linkedin.com/in/marcvael, @marcvael
  • 101. 14 General Cloud Computing Security Advantages
    1. Data Fragmentation & Dispersal
    2. Dedicated Security Team
    3. Greater Investment in Security Infrastructure
    4. Fault Tolerance & Reliability
    5. Greater Resiliency
    6. Hypervisor Protection against Network Attacks
    7. Access to Pre-Accredited Clouds
    8. Simplification of Compliance Analysis
    9. Data held by unbiased party (cloud vendor assertion)
    10. Low-Cost Disaster Recovery & Data Storage Solutions
    11. On-Demand Security Controls
    12. Real-Time Detection of System Tampering
    13. Rapid Re-constitution of Services
    14. Advanced Honeynet Capabilities
  • 102. 14 Specific Cloud Computing Security Challenges
    1. Migrating PII & sensitive data to the cloud
      – EU Data Protection Directive & U.S. Safe Harbor program
      – Exposure of data to foreign government & data subpoenas
      – Data retention & records management issues
      – Privacy Impact Assessments (PIA)
    2. Identity & Access Management
    3. Multi-tenancy
    4. Logging & Monitoring
    5. Data ownership / custodianship
    6. Quality of Service guarantees
  • 103. 14 Specific Cloud Computing Security Challenges (continued)
    8. Attracting hackers (high value target)
    9. Security of virtual OS in the cloud
    10. BCP / DRP
    11. Data encryption & key management
      – Encrypting access to cloud resource control interface
      – Encrypting administrative access to OS instances
      – Encrypting access to applications
      – Encrypting application data at rest
    12. Public cloud vs. Internal cloud security
    13. Lack of public SaaS version control
    14. Using SLAs to obtain cloud security
      – Suggested requirements for cloud SLAs
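Two of the technical risks on slide 76 (insecure/ineffective data deletion, loss of encryption keys) and item 11 on slide 103 (data encryption & key management, encrypting application data at rest) come down to one design decision: who holds the keys. The Go program below is an added example, not part of the deck or of ISACA's material. It shows envelope encryption with the standard library's AES-256-GCM: every stored object gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stays in a consumer-controlled store, and the provider only ever receives the wrapped DEK plus the ciphertext. The `KeyStore` type, its method names and the `kek-...` ids are assumptions made for illustration (a stand-in for an HSM or on-premises KMS), not any provider's API; the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyUnavailable: the KEK is gone, so ciphertext the provider still holds is unreadable.
var ErrKeyUnavailable = errors.New("KEK unavailable: object is unrecoverable")

// EncryptedObject is all the provider ever stores; no field lets it or a co-tenant read the data.
type EncryptedObject struct {
	KEKID      string // id of the consumer-held KEK the DEK is wrapped under
	WrappedDEK []byte // per-object data key, AES-256-GCM encrypted under the KEK
	Ciphertext []byte // object data, AES-256-GCM encrypted under the DEK
}

// KeyStore is a hypothetical stand-in for the consumer's own HSM/KMS outside the provider (not a real API).
type KeyStore map[string][]byte

// randomBytes draws from the system CSPRNG; a broken RNG has no safe fallback, so it is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// AddKEK generates a fresh 256-bit key-encryption key under the given id.
func (ks KeyStore) AddKEK(id string) { ks[id] = randomBytes(32) }

// Destroy deletes a KEK (crypto-shredding): every object wrapped under it becomes unreadable, whatever copies the provider keeps.
func (ks KeyStore) Destroy(id string) { delete(ks, id) }

// aead builds AES-256-GCM; keys are always 32 bytes here, so a bad length is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// encryptAEAD encrypts with AES-GCM under a fresh random nonce, which it prepends.
func encryptAEAD(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// decryptAEAD reverses encryptAEAD; any change to the stored bytes fails the GCM tag.
func decryptAEAD(key, data []byte) ([]byte, error) {
	gcm := aead(key)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// Encrypt makes a fresh DEK, encrypts the object under it and wraps the DEK under the named KEK; the plaintext DEK never leaves this function.
func (ks KeyStore) Encrypt(kekID string, plaintext []byte) (*EncryptedObject, error) {
	kek, ok := ks[kekID]
	if !ok {
		return nil, ErrKeyUnavailable
	}
	dek := randomBytes(32)
	return &EncryptedObject{
		KEKID:      kekID,
		WrappedDEK: encryptAEAD(kek, dek),
		Ciphertext: encryptAEAD(dek, plaintext),
	}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object.
func (ks KeyStore) Decrypt(obj *EncryptedObject) ([]byte, error) {
	kek, ok := ks[obj.KEKID]
	if !ok {
		return nil, ErrKeyUnavailable
	}
	dek, err := decryptAEAD(kek, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return decryptAEAD(dek, obj.Ciphertext)
}

func main() {
	ks := KeyStore{}
	ks.AddKEK("kek-2024") // constructed key id for the demo
	obj, _ := ks.Encrypt("kek-2024", []byte("constructed sample record"))
	ks.Destroy("kek-2024")
	_, err := ks.Decrypt(obj)
	fmt.Println("after crypto-shredding:", err) // KEK unavailable: object is unrecoverable
}
```

Destroying a KEK makes every object wrapped under it unreadable regardless of how many copies, snapshots or backups the provider retains, which is the only deletion a consumer can verify from outside the provider (slide 76, risk 4). The same property is why risk 10, loss of encryption keys, is total data loss: KEK backup and escrow under the consumer's own control are the matching control. Because the GCM tag covers the stored bytes, a modified or corrupted object fails to decrypt instead of yielding silent garbage, and an unknown key id is reported as an error rather than a crash.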