Abstract image of a woman sitting on books and studying on a laptop

Legal And Regulatory Issues Cloud Computing...V2.0

David Spinks, profile picture
David Spinks

The document provides an overview of 11 domains related to security in cloud computing. It summarizes recommendations for governance, risk management, compliance, auditing, information lifecycle management, portability and interoperability, traditional security practices, data center operations, incident response, application security, and encryption in cloud environments. The document emphasizes the importance of thorough risk analysis, contractual agreements, ongoing assessment and monitoring when adopting cloud services.

1 of 34
David Spinks Status and Experience of Security and “The Cloud” (legal and regulatory)
Introduction- Who am I and what do I do?:
Security is a perceived and possibly real barrier
The Cloud Defined:
 
http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
Domain 1: Cloud Computing Architectural Framework This domain, the Cloud Computing Architectural Framework, provides a conceptual framework for the rest of the Cloud Security Alliance’s guidance. The contents of this domain focus on a description of Cloud Computing that is specifically tailored to the unique perspective of IT network and security professionals. The following three sections define this perspective in terms of:
 
Domain 2: Governance and Enterprise Risk Management Effective governance and enterprise risk management in Cloud Computing environments follows from well-developed information security governance processes, as part of the organization’s overall corporate governance obligations of due care. Well-developed information security governance processes should result in information security management programs that are scalable with the business, repeatable across the organization, measurable, sustainable, defensible, continually improving, and cost-effective on an ongoing basis. Governance Recommendations A portion of the cost savings obtained by Cloud Computing services must be invested into increased scrutiny of the security capabilities of the provider , application of security controls, and ongoing detailed assessments and audits , to ensure requirements are continuously met. Enterprise Risk Management Recommendations As with any new business process, it’s important to follow best practices for risk management. The practices should be proportionate to your particular usages of cloud services, which may range from innocuous and transient data processing up through mission critical business processes dealing with highly sensitive information . A full discussion of enterprise risk management and information risk management is beyond the scope of this guidance, but here are some cloud-specific recommendations you can incorporate into your existing risk management processes. Information Risk Management Recommendations Information Risk Management is the act of aligning exposure to risk and capability of managing it with the risk tolerance of the data owner. In this manner, it is the primary means of decision support for information technology resources designed to protect the confidentiality, integrity, and availability of information assets. Third Party Management Recommendations Customers should view cloud services and security as supply chain security issues . This means examining and assessing the provider’s supply chain (service provider relationships and dependencies), to the extent possible. This also means examining the provider’s own third party management .
Domain 3: Legal and Electronic Discovery Cloud Computing creates new dynamics in the relationship between an organization and its information, involving the presence of a third party: the cloud provider. This creates new challenges in understanding how laws apply to a wide variety of information management scenarios. 1 ½ Pages! Knowing where the cloud service provider will host the data is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data. Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination, and the transition of data custodianship are components of the duty of care required of a cloud services client. Very little actually on eDiscovery!
Domain 4: Compliance and Audit With Cloud Computing developing as a viable and cost effective means to outsource entire systems or even entire business processes, maintaining compliance with your security policy and the various regulatory and legislative requirements to which your organization is subject can become more difficult to achieve and even harder to demonstrate to auditors and assessors 2 pages of recommendations mostly to undertake analysis! Auditor Qualification and Selection . In many cases the organization has no say in selecting auditors or security assessors. If an organization does have selection input, it is highly advisable to pick a “cloud aware” auditor since many might not be familiar with cloud and virtualization challenges. Asking their familiarity with the IaaS, PaaS, and SaaS nomenclature is a good starting point. Cloud Provider’s SAS 70 Type II. Providers should have this audit statement at a minimum, as it will provide a recognizable point of reference for auditors and assessors. Since a SAS 70 Type II audit only assures that controls are implemented as documented, it is equally important to understand the scope of the SAS 70 audit, and whether these controls meet your requirements. Cloud Provider’s ISO/IEC 27001/27002 Roadmap . Cloud providers seeking to provide mission critical services should embrace the ISO/IEC 27001 standard for information security management systems. If the provider has not achieved ISO/IEC 27001 certification, they should demonstrate alignment with ISO 27002 practices. ISO/IEC 27001/27002 Scoping . The Cloud Security Alliance is issuing an industry call to action to align cloud providers behind the ISO/IEC 27001 certification, to assure that scoping does not omit critical certification criteria
Domain 5: Information Lifecycle Management One of the primary goals of information security is to protect the fundamental data that powers our systems and applications. As we transition to Cloud Computing, our traditional methods of securing data are challenged by cloud-based architectures. Elasticity, multi-tenancy, new physical and logical architectures, and abstracted controls require new data security strategies. With many cloud deployments we are also transferring data to external — or even public — environments, in ways that would have been unthinkable only a few years ago. 6+ Pages!
Domain 6: Portability and Interoperability Organizations must approach the cloud with the understanding that they may have to change providers in the future. Portability and interoperability must be considered up front as part of the risk management and security assurance of any cloud program. Large cloud providers can offer geographic redundancy in the cloud, hopefully enabling high availability with a single provider. Nonetheless, it’s advisable to do basic business continuity planning, to help minimize the impact of a worst-case scenario. Various companies will in the future suddenly find themselves with urgent needs to switch cloud providers for varying reasons, including: 3 pages! Most Outsourced clients do not fully appreciate Exit Planning
Domain 7: Traditional Security, Business Continuity, and Disaster Recovery The body of knowledge accrued within traditional physical security, business continuity planning and disaster recovery remains quite relevant to Cloud Computing. The rapid pace of change and lack of transparency within Cloud Computing requires that traditional security, Business Continuity Planning (BCP) and Disaster Recovery (DR) professionals be continuously engaged in vetting and monitoring your chosen cloud providers. Our challenge is to collaborate on risk identification, recognize interdependencies, integrate, and leverage resources in a dynamic and forceful way. Cloud Computing and its accompanying infrastructure assist to diminish certain security issues, but may increase others and can never eliminate the need for security. While major shifts in business and technology continue, traditional security principles remain. Red Hot Issue but Outside the scope of this presentation!
Domain 8: Data Centre Operations The number of Cloud Computing providers continues to increase as business and consumer IT services move to the cloud. There has been similar growth in data centres to fuel Cloud Computing service offerings. Cloud providers of all types and sizes, including well known technology leaders and thousands of start-ups and emerging growth companies, are making major investments in this promising new approach to IT service delivery. Many HP clients have reached the end of their ability to meet demands for effective Data Centre space … Green agenda… Physical secure space power and cooling… Compliance (PCI-DSS) …
Domain 9: Incident Response, Notification, and Remediation The nature of Cloud Computing makes it more difficult to determine who to contact in case of a security incident, data breach, or other event that requires investigation and reaction. Standard security incident response mechanisms can be used with modifications to accommodate the changes required by shared reporting responsibilities. This domain provides guidance on how to handle these incidents.
Domain 10: Application Security Cloud environments — by virtue of their flexibility, openness, and often public availability — challenge many fundamental assumptions about application security. Some of these assumptions are well understood; however many are not. This section is intended to document how Cloud Computing influences security over the lifetime of an application — from design to operations to ultimate decommissioning. This guidance is for all stakeholders — including application designers, security professionals, operations personnel, and technical management — on how to best mitigate risk and manage assurance within Cloud Computing applications. Big issue regarding version control, patch management and access control for SaaS – out of scope for this presentation.
Domain 11: Encryption and Key Management Cloud customers and providers need to guard against data loss and theft. Today, encryption of personal and enterprise data is strongly recommended, and in some cases mandated by laws and regulations around the world. Cloud customers want their providers to encrypt their data to ensure that it is protected no matter where the data is physically located. Likewise, the cloud provider needs to protect its customers’ sensitive data. One step at a time please … if data actually today needs to be encrypted then may be you should reconsider Cloud?
Domain 12: Identity and Access Management Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today. While an enterprise may be able to leverage several Cloud Computing services without a good identity and access management strategy, in the long run extending an organization’s identity services into the cloud is a necessary precursor towards strategic use of on-demand computing services. Supporting today’s aggressive adoption of an admittedly immature cloud ecosystem requires an honest assessment of an organization’s readiness to conduct cloud-based Identity and Access Management (IAM), as well as understanding the capabilities of that organization’s Cloud Computing providers. Essential if your organisation has not already got IdM sorted then may be the cloud is not for you! The implementation of Two Factor Authentication – Single Sign On – SSPRs – RBAC is almost “a must” prior to any serious exploration into the Cloud!
Lessons Learnt from Cloud Computing Projects: Real experience and best practice is still emerging Attention is being paid to technical and strategic … Maturity of organisations to adapt Policies and procedures is often very low If you are already not involved in 2 nd or 3 rd generation outsourcing then the Cloud will present a significant challenge
Challenges Include: Understanding leveraged models? How IT can be managed in a multi-vendor Outsource? Contractual service issues? Creating a win/win … Buying a service ….
More Specific Detailed Issues : Rights of audit – mostly none! Access rights – mostly none! Specification of SAS 70 II controls – mostly none! Capacity engineering break points and charges! Business Continuity – very little and no transparency or visibility! Compliance with existing Security Policies, Procedures and standards NO! You will find you only get these with an Outsource rather than a Cloud model…
 
 
 
 
 
 
 
 
 
 
 
Questions :

More Related Content

PDF
Deploying Confluent Platform for Production
confluent
 
PPTX
DC UNIT 1 cs 3551 DISTRIBUTED COMPUTING.pptx
NusrathFarheen1
 
PPTX
Database , 4 Data Integration
Ali Usman
 
PPTX
Cs6703 grid and cloud computing unit 3
RMK ENGINEERING COLLEGE, CHENNAI
 
PPT
Chapter 6-Consistency and Replication.ppt
sirajmohammed35
 
PDF
Capacity Planning Your Kafka Cluster | Jason Bell, Digitalis
HostedbyConfluent
 
PPTX
Dynamic Rule-based Real-time Market Data Alerts
Flink Forward
 
PDF
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023]
Chris Bingham
 
Deploying Confluent Platform for Production
confluent
 
DC UNIT 1 cs 3551 DISTRIBUTED COMPUTING.pptx
NusrathFarheen1
 
Database , 4 Data Integration
Ali Usman
 
Cs6703 grid and cloud computing unit 3
RMK ENGINEERING COLLEGE, CHENNAI
 
Chapter 6-Consistency and Replication.ppt
sirajmohammed35
 
Capacity Planning Your Kafka Cluster | Jason Bell, Digitalis
HostedbyConfluent
 
Dynamic Rule-based Real-time Market Data Alerts
Flink Forward
 
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023]
Chris Bingham
 

What's hot(20)

PDF
High Level Solution Document for VDI Project
Shahab Al Yamin Chawdhury
 
PDF
Streaming Event Time Partitioning with Apache Flink and Apache Iceberg - Juli...
Flink Forward
 
PPTX
Hyper-Converged Infrastructure: Concepts
Nick Scuola
 
PDF
Downscaling: The Achilles heel of Autoscaling Apache Spark Clusters
Databricks
 
PPTX
Hadoop File system (HDFS)
Prashant Gupta
 
PDF
Parallel and Distributed Computing Chapter 10
AbdullahMunir32
 
PDF
2. Stream Ciphers
Sam Bowne
 
PDF
The Future of Data Science and Machine Learning at Scale: A Look at MLflow, D...
Databricks
 
PDF
Microsoft Cloud Adoption Framework
ssuserdb85d71
 
PPTX
The Heartbleed Attack
Shreyas Kothari
 
PPTX
Introduction to cryptography part2-final
Taymoor Nazmy
 
PPTX
Architecting Snowflake for High Concurrency and High Performance
SamanthaBerlant
 
PPTX
Cloudsim & Green Cloud
Neda Maleki
 
PPT
HadoooIO.ppt
Sheba41
 
PPTX
The Top 5 Apache Kafka Use Cases and Architectures in 2022
Kai Wähner
 
PPTX
Key Management and Distribution
Syed Bahadur Shah
 
PDF
Messaging queue - Kafka
Mayank Bansal
 
PDF
Data Catalog in Denodo Platform 7.0: Creating a Data Marketplace with Data Vi...
Denodo
 
PDF
CDC Stream Processing With Apache Flink With Timo Walther | Current 2022
HostedbyConfluent
 
ODP
Distributed operating system(os)
Dinesh Modak
 
High Level Solution Document for VDI Project
Shahab Al Yamin Chawdhury
 
Streaming Event Time Partitioning with Apache Flink and Apache Iceberg - Juli...
Flink Forward
 
Hyper-Converged Infrastructure: Concepts
Nick Scuola
 
Downscaling: The Achilles heel of Autoscaling Apache Spark Clusters
Databricks
 
Hadoop File system (HDFS)
Prashant Gupta
 
Parallel and Distributed Computing Chapter 10
AbdullahMunir32
 
2. Stream Ciphers
Sam Bowne
 
The Future of Data Science and Machine Learning at Scale: A Look at MLflow, D...
Databricks
 
Microsoft Cloud Adoption Framework
ssuserdb85d71
 
The Heartbleed Attack
Shreyas Kothari
 
Introduction to cryptography part2-final
Taymoor Nazmy
 
Architecting Snowflake for High Concurrency and High Performance
SamanthaBerlant
 
Cloudsim & Green Cloud
Neda Maleki
 
HadoooIO.ppt
Sheba41
 
The Top 5 Apache Kafka Use Cases and Architectures in 2022
Kai Wähner
 
Key Management and Distribution
Syed Bahadur Shah
 
Messaging queue - Kafka
Mayank Bansal
 
Data Catalog in Denodo Platform 7.0: Creating a Data Marketplace with Data Vi...
Denodo
 
CDC Stream Processing With Apache Flink With Timo Walther | Current 2022
HostedbyConfluent
 
Distributed operating system(os)
Dinesh Modak
 

Similar to Legal And Regulatory Issues Cloud Computing...V2.0(20)

PDF
Strategies for assessing cloud security
Arun Gopinath
 
PDF
Strategies for assessing cloud security
IBM India Smarter Computing
 
PDF
Ast 0064255 strategies-for_assessing_cloud_security
Accenture
 
PDF
Cloud Security
Pyingkodi Maran
 
PDF
How Secure Is Cloud
William Lam
 
PPTX
The Cloud Computing Contract Playbook: Contracting for Cloud Services
This account is closed
 
PDF
Frans van Leuven - The security aspects of Cloud Services
VNU Exhibitions Europe
 
PDF
Cloud Security
Pyingkodi Maran
 
PDF
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
Shah Sheikh
 
PPTX
Cloud computing Risk management
Padma Jella
 
PDF
Migrating to Cloud? 5 motivations and 10 key security architecture considerat...
Yew Weisin
 
PDF
Cloud computing security issues and challenges
Kresimir Popovic
 
PDF
The Art of Cloud Auditing - ISACA ID
Eryk Budi Pratama
 
PDF
It auditing to assure a secure cloud computing
ingenioustech
 
PDF
Cloud: Should I Stay or Should I Go?
Marcelo Martins
 
ODP
Securing The Cloud
george.james
 
PDF
IBM Point of View: Security and Cloud Computing
IBM India Smarter Computing
 
PDF
IBM Point of view -- Security and Cloud Computing (Tivoli)
IBM India Smarter Computing
 
PDF
The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30
This account is closed
 
PDF
Lecture27 cc-security2
Ankit Gupta
 
Strategies for assessing cloud security
Arun Gopinath
 
Strategies for assessing cloud security
IBM India Smarter Computing
 
Ast 0064255 strategies-for_assessing_cloud_security
Accenture
 
Cloud Security
Pyingkodi Maran
 
How Secure Is Cloud
William Lam
 
The Cloud Computing Contract Playbook: Contracting for Cloud Services
This account is closed
 
Frans van Leuven - The security aspects of Cloud Services
VNU Exhibitions Europe
 
Cloud Security
Pyingkodi Maran
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
Shah Sheikh
 
Cloud computing Risk management
Padma Jella
 
Migrating to Cloud? 5 motivations and 10 key security architecture considerat...
Yew Weisin
 
Cloud computing security issues and challenges
Kresimir Popovic
 
The Art of Cloud Auditing - ISACA ID
Eryk Budi Pratama
 
It auditing to assure a secure cloud computing
ingenioustech
 
Cloud: Should I Stay or Should I Go?
Marcelo Martins
 
Securing The Cloud
george.james
 
IBM Point of View: Security and Cloud Computing
IBM India Smarter Computing
 
IBM Point of view -- Security and Cloud Computing (Tivoli)
IBM India Smarter Computing
 
The Cloud Computing Contract Playbook - Contracting for Cloud Services, Sept. 30
This account is closed
 
Lecture27 cc-security2
Ankit Gupta
 

More from David Spinks(7)

PDF
Cyber Security Threats to Industrial Control Systems
David Spinks
 
PDF
CSIRS ICS BCS 2.2
David Spinks
 
PDF
Cyber response to insider threats 3.1
David Spinks
 
PDF
Cyber response to insider threats 3.1
David Spinks
 
PDF
Csirs Trabsport Security September 2011 V 3.6
David Spinks
 
PPTX
Cloud Security And Cyber Security Legal And Regulatory Hp Version V 2.1
David Spinks
 
PPT
Operational Risk V2.1
David Spinks
 
Cyber Security Threats to Industrial Control Systems
David Spinks
 
CSIRS ICS BCS 2.2
David Spinks
 
Cyber response to insider threats 3.1
David Spinks
 
Cyber response to insider threats 3.1
David Spinks
 
Csirs Trabsport Security September 2011 V 3.6
David Spinks
 
Cloud Security And Cyber Security Legal And Regulatory Hp Version V 2.1
David Spinks
 
Operational Risk V2.1
David Spinks
 

Legal And Regulatory Issues Cloud Computing...V2.0

  • 1.
    David Spinks Statusand Experience of Security and “The Cloud” (legal and regulatory)
  • 2.
    Introduction- Who amI and what do I do?:
  • 3.
    Security is aperceived and possibly real barrier
  • 4.
  • 5.
  • 6.
  • 7.
    Domain 1: CloudComputing Architectural Framework This domain, the Cloud Computing Architectural Framework, provides a conceptual framework for the rest of the Cloud Security Alliance’s guidance. The contents of this domain focus on a description of Cloud Computing that is specifically tailored to the unique perspective of IT network and security professionals. The following three sections define this perspective in terms of:
  • 8.
  • 9.
    Domain 2: Governanceand Enterprise Risk Management Effective governance and enterprise risk management in Cloud Computing environments follows from well-developed information security governance processes, as part of the organization’s overall corporate governance obligations of due care. Well-developed information security governance processes should result in information security management programs that are scalable with the business, repeatable across the organization, measurable, sustainable, defensible, continually improving, and cost-effective on an ongoing basis. Governance Recommendations A portion of the cost savings obtained by Cloud Computing services must be invested into increased scrutiny of the security capabilities of the provider , application of security controls, and ongoing detailed assessments and audits , to ensure requirements are continuously met. Enterprise Risk Management Recommendations As with any new business process, it’s important to follow best practices for risk management. The practices should be proportionate to your particular usages of cloud services, which may range from innocuous and transient data processing up through mission critical business processes dealing with highly sensitive information . A full discussion of enterprise risk management and information risk management is beyond the scope of this guidance, but here are some cloud-specific recommendations you can incorporate into your existing risk management processes. Information Risk Management Recommendations Information Risk Management is the act of aligning exposure to risk and capability of managing it with the risk tolerance of the data owner. In this manner, it is the primary means of decision support for information technology resources designed to protect the confidentiality, integrity, and availability of information assets. Third Party Management Recommendations Customers should view cloud services and security as supply chain security issues . This means examining and assessing the provider’s supply chain (service provider relationships and dependencies), to the extent possible. This also means examining the provider’s own third party management .
  • 10.
    Domain 3: Legaland Electronic Discovery Cloud Computing creates new dynamics in the relationship between an organization and its information, involving the presence of a third party: the cloud provider. This creates new challenges in understanding how laws apply to a wide variety of information management scenarios. 1 ½ Pages! Knowing where the cloud service provider will host the data is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data. Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination, and the transition of data custodianship are components of the duty of care required of a cloud services client. Very little actually on eDiscovery!
  • 11.
    Domain 4: Complianceand Audit With Cloud Computing developing as a viable and cost effective means to outsource entire systems or even entire business processes, maintaining compliance with your security policy and the various regulatory and legislative requirements to which your organization is subject can become more difficult to achieve and even harder to demonstrate to auditors and assessors 2 pages of recommendations mostly to undertake analysis! Auditor Qualification and Selection . In many cases the organization has no say in selecting auditors or security assessors. If an organization does have selection input, it is highly advisable to pick a “cloud aware” auditor since many might not be familiar with cloud and virtualization challenges. Asking their familiarity with the IaaS, PaaS, and SaaS nomenclature is a good starting point. Cloud Provider’s SAS 70 Type II. Providers should have this audit statement at a minimum, as it will provide a recognizable point of reference for auditors and assessors. Since a SAS 70 Type II audit only assures that controls are implemented as documented, it is equally important to understand the scope of the SAS 70 audit, and whether these controls meet your requirements. Cloud Provider’s ISO/IEC 27001/27002 Roadmap . Cloud providers seeking to provide mission critical services should embrace the ISO/IEC 27001 standard for information security management systems. If the provider has not achieved ISO/IEC 27001 certification, they should demonstrate alignment with ISO 27002 practices. ISO/IEC 27001/27002 Scoping . The Cloud Security Alliance is issuing an industry call to action to align cloud providers behind the ISO/IEC 27001 certification, to assure that scoping does not omit critical certification criteria
  • 12.
    Domain 5: InformationLifecycle Management One of the primary goals of information security is to protect the fundamental data that powers our systems and applications. As we transition to Cloud Computing, our traditional methods of securing data are challenged by cloud-based architectures. Elasticity, multi-tenancy, new physical and logical architectures, and abstracted controls require new data security strategies. With many cloud deployments we are also transferring data to external — or even public — environments, in ways that would have been unthinkable only a few years ago. 6+ Pages!
  • 13.
    Domain 6: Portabilityand Interoperability Organizations must approach the cloud with the understanding that they may have to change providers in the future. Portability and interoperability must be considered up front as part of the risk management and security assurance of any cloud program. Large cloud providers can offer geographic redundancy in the cloud, hopefully enabling high availability with a single provider. Nonetheless, it’s advisable to do basic business continuity planning, to help minimize the impact of a worst-case scenario. Various companies will in the future suddenly find themselves with urgent needs to switch cloud providers for varying reasons, including: 3 pages! Most Outsourced clients do not fully appreciate Exit Planning
  • 14.
    Domain 7: TraditionalSecurity, Business Continuity, and Disaster Recovery The body of knowledge accrued within traditional physical security, business continuity planning and disaster recovery remains quite relevant to Cloud Computing. The rapid pace of change and lack of transparency within Cloud Computing requires that traditional security, Business Continuity Planning (BCP) and Disaster Recovery (DR) professionals be continuously engaged in vetting and monitoring your chosen cloud providers. Our challenge is to collaborate on risk identification, recognize interdependencies, integrate, and leverage resources in a dynamic and forceful way. Cloud Computing and its accompanying infrastructure assist to diminish certain security issues, but may increase others and can never eliminate the need for security. While major shifts in business and technology continue, traditional security principles remain. Red Hot Issue but Outside the scope of this presentation!
  • 15.
    Domain 8: DataCentre Operations The number of Cloud Computing providers continues to increase as business and consumer IT services move to the cloud. There has been similar growth in data centres to fuel Cloud Computing service offerings. Cloud providers of all types and sizes, including well known technology leaders and thousands of start-ups and emerging growth companies, are making major investments in this promising new approach to IT service delivery. Many HP clients have reached the end of their ability to meet demands for effective Data Centre space … Green agenda… Physical secure space power and cooling… Compliance (PCI-DSS) …
  • 16.
    Domain 9: IncidentResponse, Notification, and Remediation The nature of Cloud Computing makes it more difficult to determine who to contact in case of a security incident, data breach, or other event that requires investigation and reaction. Standard security incident response mechanisms can be used with modifications to accommodate the changes required by shared reporting responsibilities. This domain provides guidance on how to handle these incidents.
  • 17.
    Domain 10: ApplicationSecurity Cloud environments — by virtue of their flexibility, openness, and often public availability — challenge many fundamental assumptions about application security. Some of these assumptions are well understood; however many are not. This section is intended to document how Cloud Computing influences security over the lifetime of an application — from design to operations to ultimate decommissioning. This guidance is for all stakeholders — including application designers, security professionals, operations personnel, and technical management — on how to best mitigate risk and manage assurance within Cloud Computing applications. Big issue regarding version control, patch management and access control for SaaS – out of scope for this presentation.
  • 18.
    Domain 11: Encryptionand Key Management Cloud customers and providers need to guard against data loss and theft. Today, encryption of personal and enterprise data is strongly recommended, and in some cases mandated by laws and regulations around the world. Cloud customers want their providers to encrypt their data to ensure that it is protected no matter where the data is physically located. Likewise, the cloud provider needs to protect its customers’ sensitive data. One step at a time please … if data actually today needs to be encrypted then may be you should reconsider Cloud?
  • 19.
    Domain 12: Identityand Access Management Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today. While an enterprise may be able to leverage several Cloud Computing services without a good identity and access management strategy, in the long run extending an organization’s identity services into the cloud is a necessary precursor towards strategic use of on-demand computing services. Supporting today’s aggressive adoption of an admittedly immature cloud ecosystem requires an honest assessment of an organization’s readiness to conduct cloud-based Identity and Access Management (IAM), as well as understanding the capabilities of that organization’s Cloud Computing providers. Essential if your organisation has not already got IdM sorted then may be the cloud is not for you! The implementation of Two Factor Authentication – Single Sign On – SSPRs – RBAC is almost “a must” prior to any serious exploration into the Cloud!
  • 20.
    Lessons Learnt fromCloud Computing Projects: Real experience and best practice is still emerging Attention is being paid to technical and strategic … Maturity of organisations to adapt Policies and procedures is often very low If you are already not involved in 2 nd or 3 rd generation outsourcing then the Cloud will present a significant challenge
  • 21.
    Challenges Include: Understandingleveraged models? How IT can be managed in a multi-vendor Outsource? Contractual service issues? Creating a win/win … Buying a service ….
  • 22.
    More Specific DetailedIssues : Rights of audit – mostly none! Access rights – mostly none! Specification of SAS 70 II controls – mostly none! Capacity engineering break points and charges! Business Continuity – very little and no transparency or visibility! Compliance with existing Security Policies, Procedures and standards NO! You will find you only get these with an Outsource rather than a Cloud model…
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.