It's easy to say "No" to cloud computing, but then again, "Why not?"
This is the slide deck presented at the ISACA China Hong Kong Chapter AsiaCACS 2015.
14. Insecure?
The truth is that data and systems residing in public or private clouds are as secure as you make them.
Typically, cloud-based systems can be more secure than existing internal systems if you do the upfront work required.
15. Barriers
• Perceived loss of control
• Lack of clarity around responsibilities, liabilities and accountability
• Lack of transparency / clarity in SLA / interoperability / awareness and expertise
16. Cloud …
• is not New
• is not a Fad
• is more Cost Effective
• is Secure *
19. Risks and Security Concerns: Service and contractual risks
• Vendor lock-in: few tools, procedures or standard formats are available for data and service portability
• Poor SLA: the service level affects confidentiality and availability
• 3rd party access to data: the need to protect intellectual property, trade secrets and personal data, and to comply with regulations / laws in different geographical regions
• Poor DR plan: business continuity and disaster recovery plans must be well documented and tested
20. Risks and Security Concerns: Technology risks
• Integration / bandwidth: how to integrate the in-house systems with the cloud? Is high speed bandwidth ready?
• Encryption and identity management: speedy encryption / decryption – in transit, at rest, destruction; identity management
• Testing and monitoring: the provider may not allow you to do a thorough pen test or audit; are there good monitoring tools available?
• Resource allocation: overbooking, underbooking; handling of DoS attacks; payment cap
21. Questions To Ask …
• When and where to use the cloud – the business case
• SLO (and then SLA): availability, reliability, accessibility, performance and security
• Along with what best practices: people, processes, change management etc.
• Along with what technologies, services, vendors: servers, storage, network, software etc.
22. Bear In Mind …
Even though you are outsourcing some of your infrastructure to the cloud, you are not outsourcing to the vendor the …
• Risk,
• Accountability and
• Compliance obligations
Find the right Cloud Services Provider – qualified, and compliant with security standards
23. Are Security Standards the answer?
ISO 27001, 27002, 27017, 27018, 29100
SSAE 16, HIPAA, FedRAMP, FISMA, PCI-DSS
24. Standards Development / Setting Organizations (SDO / SSO) – Alphabet Soup
DMTF = Distributed Management Task Force
ENISA = European Network and Information Security Agency
ETSI = European Telecommunications Standards Institute
IEC = International Electrotechnical Commission
IEEE = Institute of Electrical and Electronics Engineers
INCITS = International Committee for Information Technology Standards
ISO = International Organization for Standardization
ITU-T = International Telecommunication Union – Telecom
NIST = National Institute of Standards and Technology
OASIS = Organization for the Advancement of Structured Information Standards
SNIA = Storage Networking Industry Association
TCG = Trusted Computing Group
25. SDO / SSO Relationships – Alphabet and Spaghetti Soup (relationship diagram)
28. Get Help from Professionals
• Companies and individuals with certifications
• An objective measurement of a professional's knowledge and skills in Security, Governance and Cloud technology
• Committing the effort and resources to obtain certification indicates the seriousness of prospective companies and individuals
30. Take Away Messages
• Cloud is real and here to stay
• Take ownership and responsibility
• Review your current setup and the Cloud Services Provider against guidelines
• Focus on the SLO and SLA
• Ask for expert help from service providers and professional organizations
31. To Cloud or Not To Cloud?
mail@michaelyung.com