Lions and Tigers and Cloud, Oh My! The Truth Behind Cloud Security and Risks Presentation Transcript

  • 1. Lions and Tigers and Cloud, Oh My! The Truth Behind Cloud Security and Risks
    What Are the Opportunities for the Cloud?
    Sallie Mae / Ariba
    © 2012 Ariba, Inc. All rights reserved.
  • 2. Lions and Tigers and Cloud, Oh My! The Truth Behind Cloud Security and Risks
    The single biggest concern of CIOs about moving to the Cloud is security. Paradoxically, it is not a huge issue for Chief Security Officers. Find out why not in this informative session and receive a Cloud security checklist.
  • 3. Our Speakers
    – Jerry Archer, CISSP, Senior Vice President and Chief Security Officer, Sallie Mae
    – Elton Hay, Chief Information Security Officer and Chief Privacy Officer, Ariba
  • 4. Lions and Tigers and Cloud, Oh My! The Truth Behind Cloud Security and Risks
    Or: What Are the Opportunities for the Cloud?
    Jerry Archer, Senior Vice President & Chief Security Officer, Sallie Mae
  • 5. Some Context
    • What is Cloud [Computing]? Primarily an economic model
      – NIST: “cloud computing … ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources …”
      – Elastic, on-demand, multi-tenancy, metered
      – Available in three service models: infrastructure as a service, platform as a service, software as a service
      – And in four deployment models: private, community, public and hybrid
    • Cloud Security
      Security in the cloud
      – A robust GRC stack for cloud services
      – Realistic expectations and ramifications
      – Transparency (contractually, digitally)
      – Much greater reliance on third-party attestation (flow down) and certifications (SOC-1, CSA-STAR, Trusted Cloud, etc.)
      – Hyper-application security, self-protecting, monitoring, etc. (DARPA, DISA foundational research)
      Security from the cloud
      – New services to address weaknesses in primarily end-point security
      – Multiple service models (fully cloud based, partially cloud based)
      – Dramatic improvement in security capability based on ubiquity and inexpensive computing capability
      Regulation and industry standards for cloud providers
      – CSA STAR, FFIEC, NIST Standards, NSTAC, ITU, ISO, et al.
  • 6. Securing Sallie Mae Clouds
    • A strategic focus for Corporate Security
      – Active participation in Cloud Standards
      – Work closely with our vendors to develop extensible cloud capability
    • As a cloud consumer
      – Cloud Security contractual addendum
      – Reliance on third-party attestation
      – Annual security and risk assessments
      – Where possible, extending our systems and processes into the cloud
    • As a cloud provider
      – Numerous SOC-1s
      – Numerous AUPs
      – Regulatory requirements for FISMA, PCI, FFIEC, SEC, FINRA …
  • 7. Sallie Mae in the Cloud
    • Myriad of service and deployment models
      – SaaS, hybrid model (private, community)
      – SaaS, community
      – SaaS, public
      – PaaS, private
    • As a Cloud provider
      – SaaS – Bank lender servicing, community
      – SaaS – ED servicing, private
      – SaaS – UII state 529 plans, community
  • 8. Is the Cloud Right for You?
    • Evaluate assets that will be in the cloud
      – Assess confidentiality, integrity and availability for the asset
    • Map assets to cloud deployment models
      – Private, public, community, hybrid
    • Evaluate service providers
      – Can risks be appropriately mitigated?
      – Can regulatory requirements be met?
    • Map data flow
      – Assess exposure points
    • Make a rational risk-based decision
    Condensed from: CSA Guidance v3.0, https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
  • 9. Cloud Threats
    • Abuse and Nefarious Use of Cloud Computing
    • Insecure Application Programming Interfaces
    • Malicious Insiders
    • Shared Technology Vulnerabilities
    • Data Loss/Leakage
    • Account, Service and Traffic Hijacking
    • Unknown Risk Profile
  • 10. Future Initiatives
    • End-point security
    • Automated cloud service provider engagement (self-service, feeds directly into SIEM, GRC tool, vulnerability scanning)
    • Automated/self-service tools, functionality, and APIs as a provider
      – GRC, IPS, SIEM, Identity and Access Management
  • 11. Lions and Tigers and Cloud, Oh My! The Truth Behind Cloud Security and Risks
    How Providers like Ariba Ensure Security
    Elton Hay, Chief Information Security Officer and Chief Privacy Officer, Ariba
  • 12. Agenda
    • Background
    • Ariba Privacy/Security Framework
    • Building Trust with Ariba
    • Trends
    • trust.ariba.com
  • 13. Ariba Privacy/Security Framework
  • 14. Building Trust with Ariba
    • Semi-annual WebTrust Seal of Assurance since 2001
      – Covers Security, Confidentiality, Processing Integrity, and Availability Principles
    • SSAE 16 – SOC 1 and SOC 2 Type II reports for transparency (formerly SAS 70) since 2009
    • PCI DSS Level 1 Service Provider since 2008
    • US Dept. of Commerce Safe Harbor since 2009
    • Vulnerability Scans and Penetration Tests
      – Monthly PCI scans, pen tests of each release
    • trust.ariba.com
    • Background Check Program
    • Security Awareness Program
      – Certification upon hire
      – Annual re-certification
  • 15. Trends
    • Greater transparency
      – Ariba SOC 1 and SOC 2 Type II reports
    • Deeper dives on 3rd party / sub-service provider assurance
      – Extensive Vendor Oversight program
      – Equinix SOC 1 Type II report
    • Customer-performed vulnerability scans
      – Ariba investment in third-party penetration tests
    • EU Commission on Data Protection
      – Initiated program to comply by January 2014
    • Cloud Security Alliance growth
      – Ariba membership
      – Hosted Silicon Valley Chapter
  • 16. trust.ariba.com
  • 17. trust.ariba.com – Cloud Status
  • 18. trust.ariba.com – Policies
  • 19. Questions and Answers
    • Contact Information: Elton Hay, CISO/CPO, ehay@ariba.com
  • 20. Share This Session … NOW … from your mobile!
    • All presentations are posted:
      – Guidebook mobile app – search the Apple or Android app store for Guidebook
      – Enter code “collabor8”
      – Or at Slideshare.net/Ariba
    • Share via email or social media
    **Come back soon – we are syncing #AribaLIVE audio and video interviews to the presentations**