1 / 23

How to Gain Comfort in Losing Control to the Cloud

How to Gain Comfort in Losing Control to the Cloud. Randolph Barr CSO - Qualys, Inc SourceBoston , 23. April 2010. At a Glance. NIST Definition Cloud Challenge Cloud Concern Added Security Concerns Security Transition Is Cloud ready for you Available Resources Where to start.

margo
Download Presentation

How to Gain Comfort in Losing Control to the Cloud

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to GainComfort in LosingControl to the Cloud Randolph Barr CSO - Qualys, Inc SourceBoston, 23. April 2010

  2. At a Glance • NIST Definition • Cloud Challenge • Cloud Concern • Added Security Concerns • Security Transition • Is Cloud ready for you • Available Resources • Where to start

  3. NIST Definition Cloud http://csrc.nist.gov/groups/SNS/cloud-computing/

  4. Cloud Challenge

  5. “In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.” -- Information Week http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319

  6. Cloud Security Incident “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.” • Make Shift Data Center • Perimeter Security • Incident Response • Product Security • Features • Interpretation • Sold as a premium feature • Attackers are ignoring the front door • Current Anti-Virus Solutions are not working • Patching sometimes is not enough • You might be playing in the big leagues • http://googleblog.blogspot.com/2010/01/new-approach-to-china.html • http://www.qualys.com/aurora

  7. Added Security Concerns • Business Unit bypass IT and Security • Individuals using cloud • How can IT / Security get in front of decisions to use cloud • Must do a better job managing risk

  8. Cloud Security Shift • Customer Options • Security is a business enabler • Raise cloud user comfort • Provide transparency • Collaboration • Focus on business and not security • Business disabler • Cloud Provider knows how to implement security • Not transparent

  9. Security Transition • Lessons Learned • Customer Concerns • Security Questionnaires • Response to questions varied • Increased of questionnaires • Request of evidence

  10. Staffing/ Resources Security Budgets Questionnaires Follow up Reviews Customer Reviews External and Internal Reviews Regulatory Compliance Critical Challenges for Cloud Security Reduce Confusion Security Program

  11. Enterprise CIO Strategies — IT Security Needs to be Aligned • Link Business and IT strategies and plans • Deliver projects and enable business growth • Cloud Computing • Web 2.0 • Virtulization (February 2010)

  12. Is Cloud Ready for You • Determine business need • Will the Cloud Provider be around • What data will be stored • Where will it be stored • What is your classification and control requirements for that data

  13. Is Cloud Ready for You • What controls does the provider implement • Who is responsible for security • Are there third party validations • Right to Audit • Process for removing data • Incident Response • How often do you need to review?

  14. Resources Available to Cloud Users • Cloud Security Alliance • CSA Guide (guide your approach internal legal / business UNIT) also recommendations for users and providers • Top Threats to Cloud Security (underwritten by HP) • ENISA • Security Benefits of Cloud and Risks • Make recommendations on risks and maximize the benefits

  15. Resources Available to Cloud Users • Shared Assessments • Target Data Tracker • Self Information Gathering (SIG) – Level I, Level II • AUP • Business Continuity Questions, Privacy Questions, Other tools • Jericho Forum • Cloud Cube Model • Self-Assessment

  16. What Will Be Stored • Know your provider • Ask them what data is required to be stored • Verify with your internal business team

  17. Where Will it be Stored • Request for their locations • Validate that all locations are accounted for • Request they describe the types of controls in place

  18. How to Verify • Target your questionnaire • Questions should clearly identify internal versus production questions • No and N/A should have comments section completed

  19. Assessment www.jerichoforum.org/SAS_Guide.pdf

  20. Other Options • Security Questionnaires • OnSite Review • ISO 27002 • SAS-70 Type II • ISAE 3402 • SysTrust • PCI • Third Party Penetration Test • Emerging Cloud Certifications / Assessments

  21. Moving Forward • Provider security maturing • Continuous Assessment • Transparency • Vendor Cooperation • Collaboration • Community

  22. Available to Cloud Users • Qualys • http://www.qualys.com/products/qg_suite/malware_detection/ • http://www.qualys.com/aurora • Cloud Security Alliance • http://www.cloudsecurityalliance.org/ • JERICHO Forum • http://www.opengroup.org/jericho/ • Shared Assessments • http://www.sharedassessments.org/ • ISAE 3402 • http://www.ifac.org/MediaCenter/?q=node/view/687

  23. Thank you rbarr@qualys.com

More Related