Presentation Slides - 2011

Internet and Web Applications

3 Nov 2013 (3 years and 8 months ago)

The Cloud: Risks, Rewards and Realities

Cloud Security: Commonly Overlooked Considerations

Matt Stamper, CISA
Vice President of Managed & Professional Services
matt.stamper@redit.com
858.836.0224

About redIT

redIT supports the global IT community with private, customizable cloud services and data centers in the southwestern U.S. and Latin America. redIT enables its clients to focus resources on what drives their competitive advantage, not the distractions of owning and managing IT. Through collaboration with clients such as Oracle, McDonalds, Bloomberg, and Carl Zeiss, among others, redIT customizes an IT strategy that's scalable for the long term, delivering lower total cost of ownership.

For more information, please visit www.redIT.com.

Public Cloud Services Providers (CSPs) as Targets

Large, well-known public clouds are the hackers' dream come true.

- What type of target does my CSP present to the hacking community?
- Has my CSP been hacked before?
- What type of security is used by my CSP?
- How often is my provider the target of DDoS attacks?
- How effectively are these mitigated?
- Are there prominent targets (e.g. other clients) receiving similar services from my CSP? How well do you know your neighbors?
- Has my CSP's IP space been blacklisted?

Laws, Regulations & Standards

Governance standards for cloud security are in their infancy. Good security controls and IT operations best practices, however, still apply. Organizations should know what data / information is loaded into the cloud. Organizations face a variety of regulations, laws, and standards that may influence their adoption of cloud-based services.

How will regulations impact my organization's ability to use cloud services?

- California's SB1386
- Nevada's SB-227
- Massachusetts Privacy Law (201 CMR 17)
- PCI-DSS
- Sarbanes-Oxley
- HIPAA/HITECH
- European Privacy Standards

Data Classification

A cornerstone to developing a control environment to mitigate security risks is to have data appropriately classified.

- Will the CSP provide services that transmit, process, or store personally-identifiable information (PII) or personal-health information (PHI)?
- Will the CSP provide services that contain or store credit card information? Cardholder data includes:
  - Primary account number
  - Expiration date
  - Name on the card
  - CCV / CVV2
  - Magnetic stripe
- Will human resource / employment records be part of the data used in the cloud?
- Will sensitive data such as intellectual property be loaded to the cloud?
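The classification questions on this slide only help if they are asked of the data itself before it leaves for the CSP. The following is an added example, not part of the original deck and not redIT's tooling: a pre-upload classifier that labels records with the data classes the slide names (cardholder data, PII, PHI, HR records) and then checks the labels against the attestations the chosen CSP holds. The field names, attestation names, and sample records are constructed for the example; the Luhn check keeps 16-digit order references from being mistaken for primary account numbers, and CVV / track data is refused outright because PCI DSS does not permit storing that sensitive authentication data after authorization.

```python
import re

# Regexes for the data types the slide calls out (constructed for this example).
PAN_RE = re.compile(r"\b\d{13,19}\b")                  # candidate card numbers, separators removed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US social security number
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
EXPIRY_RE = re.compile(r"\b(0[1-9]|1[0-2])/(\d{2}|\d{4})\b")  # MM/YY or MM/YYYY

# Field names classified by name alone (hypothetical schema, not a real standard).
SAD_FIELDS = {"cvv", "cvv2", "ccv", "track_data", "magstripe"}  # sensitive authentication data
PII_FIELDS = {"ssn", "date_of_birth", "home_address"}
PHI_FIELDS = {"diagnosis", "icd10", "mrn"}
HR_FIELDS = {"salary", "performance_review"}

# Attestation a CSP must hold before a record carrying this label may be uploaded
# (attestation names are placeholders chosen for the example).
REQUIRED_ATTESTATION = {
    "CARDHOLDER_DATA": "PCI-DSS",
    "PHI": "HIPAA",
    "PII": "PRIVACY",        # coverage for breach-notification laws such as SB1386
    "HR_RECORDS": "PRIVACY",
}

# Constructed sample records; none of the values are real people or cards.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "note": "order confirmed"},
    {"id": 2, "name": "Bob Example", "card_number": "4111 1111 1111 1111", "card_exp": "09/27", "cvv2": "123"},
    {"id": 3, "name": "Carol Example", "order_ref": "1234567890123456"},
    {"employee_id": "E-77", "ssn": "123-45-6789", "salary": "95000", "diagnosis": "none"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a plausible card number, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers in text, ignoring spaces/hyphens between digits."""
    compact = re.sub(r"(?<=\d)[ -](?=\d)", "", text)
    return [m.group() for m in PAN_RE.finditer(compact) if luhn_ok(m.group())]


def classify_record(record: dict) -> set:
    """Label one record with every data class found in its field names or values."""
    labels = set()
    for key, value in record.items():
        k, text = key.lower(), str(value)
        if k in SAD_FIELDS:
            labels.update({"SENSITIVE_AUTH_DATA", "CARDHOLDER_DATA"})
        if find_pans(text) or ("exp" in k and EXPIRY_RE.search(text)):
            labels.add("CARDHOLDER_DATA")
        if k in PII_FIELDS or SSN_RE.search(text) or EMAIL_RE.search(text):
            labels.add("PII")
        if k in PHI_FIELDS:
            labels.add("PHI")
        if k in HR_FIELDS:
            labels.add("HR_RECORDS")
    return labels


def upload_decision(labels: set, csp_attestations: set) -> tuple:
    """Return (allowed, missing_attestations) for a record with these labels."""
    if "SENSITIVE_AUTH_DATA" in labels:
        # CVV / track data may not be stored at all, whatever the CSP attests to.
        return False, ["SENSITIVE_AUTH_DATA must be stripped before upload"]
    needed = {REQUIRED_ATTESTATION[l] for l in labels if l in REQUIRED_ATTESTATION}
    missing = sorted(needed - set(csp_attestations))
    return not missing, missing


def scan(records: list, csp_attestations: set) -> list:
    """Classify every record and decide whether it may leave for the CSP."""
    report = []
    for rec in records:
        labels = classify_record(rec)
        allowed, missing = upload_decision(labels, csp_attestations)
        report.append((rec.get("id") or rec.get("employee_id"), sorted(labels), allowed, missing))
    return report


if __name__ == "__main__":
    # A CSP that holds a SOC 2 report and privacy coverage, but no PCI DSS or HIPAA attestation.
    for row in scan(SAMPLE_RECORDS, {"SOC2", "PRIVACY"}):
        print(row)
```

Run against the constructed CSP attestation set, the scan lets the e-mail-only record and the plain order record through, refuses the card record because CVV2 is present, and holds the HR record back until the provider can show HIPAA coverage for the diagnosis field. The same structure extends to the intellectual-property question on the slide by adding a field-name set and a matching attestation.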

























Data Location

Where data physically resides is important given certain regulatory requirements and jurisdictional nuances to data management.

Data-in-Motion (DIM)
- How is data protected as it migrates to/from the cloud?
- How is data extracted from a CSP?
- How is data protected within the cloud as it migrates between virtual machines and shared storage arrays?

Data-at-Rest (DAR)
- How is data protected in cloud-storage environments?
- What levels of encryption are being employed?
- Who is managing the encryption keys?
- Is data encrypted when it is backed up to tape or other media?

Audits & Certifications

Public clouds, by definition, involve services provided by third parties. This necessitates audits of the CSP's controls, procedures, and operations.

- What audits has our CSP completed?
- What certifications has our CSP achieved?
- How meaningful are these audits and certifications to my organization's control requirements?
- Have the service provider's controls been mapped to our internal controls? Are there gaps that need to be filled by mitigating controls? What control framework is used by the CSP? Does your auditor recognize this framework?
- How willing is my provider to disclose the status of their audits (e.g. exceptions, scope, etc.) and the extent of their certifications?

Legal / Contract

Economies of scale and perceived cost reductions involved in leveraging cloud services may be surpassed by the increased costs of specialized contract negotiations.

- Custom terms & conditions
- Custom Service Level Agreements (SLAs)
  - Recovery-time objectives (RTOs)
  - Recovery-point objectives (RPOs)
  - Response times to service requests
  - Escrow covenants
  - Notification requirements
- Required audits / certifications / personnel
- Jurisdictional requirements / data locality
- Are there particular elements to the provider's AUP or contract that will impact my organization's IT operations?

Moving Forward…

Organizations should understand:

- What type of data they deploy to the cloud,
- The regulatory environment that controls the handling of this data,
- The legal nuances of using cloud services; and
- The skills required to manage a third-party provider.

Matt Stamper, CISA
Vice President of Managed & Professional Services
matt.stamper@redit.com
858.836.0224

Thank You