1. Lions and Tigers and Cloud, Oh My! The Truth Behind Cloud Security and Risks
Accenture / Ariba
© 2012 Ariba, Inc. All rights reserved.
2. Lions and Tigers and Cloud, Oh My! The Truth Behind Cloud Security and Risks
The single biggest concern CIOs have about moving to the Cloud is security. Paradoxically, it is not a major issue for Chief Security Officers. Find out why not in this informative session and receive a Cloud security checklist.
3. Our Speakers
• Torben Lundgren, IT Director – Procurement and F&A BPOs, Accenture
• Jason Brown, Dir., Solutions Management – Data and Security Policies, Ariba
4. Cloud vs Data Security? Considerations as seen through the lens of supplying services to Financial Services in Europe
Torben Lundgren, IT Director, Accenture Procurement BPO
5. Introduction to Cloud
• Every service provider, internal or external, seeks the optimal way to serve its clients
• Increasingly, cloud-based services become that optimum, for different reasons:
  – Easy and dynamic scaling
  – Short lead times to establish
  – Metered, on-demand
  – Lower cost
• However, many service providers still experience push-back from their clients
• Clients still have concerns, especially around security and data privacy:
  – The perception that Cloud is fundamentally different and less secure is still common
  – Cloud is often presented exclusively as low-cost, which risks making the "Cheap & Cheerful" reputation stick
• We will focus here on the differences seen from the client perspective and less on the technology perspective
  – At the technological level, there are significant differences in the types of tools, services, and organization
6. The different shades of Cloud?
• What is cloud?
  – A way to provide services over the network where an established capability and capacity can be shared
  – Reducing lead time for the individual client
  – On-demand: only pay for consumption and not (fully) for surplus capacity
  – For the client, the requirements for Cloud are the same as they would be for a conventional service; here Cloud primarily becomes a financial model. But note: once in operation, the governance models are different
• What can be delivered as Cloud?
  – Cloud is available in three service models, from basic Infrastructure-as-a-Service (IaaS), including the middleware and other platform services in Platform-as-a-Service (PaaS), to full-fledged Software-as-a-Service (SaaS)
  – The difference is how high in the service stack the service is shareable; a non-shared application can e.g. be put on top of IaaS or PaaS, of course only giving Cloud benefits for the part which is shared
• Which degree of sharing with other clients is required in Cloud?
  – The deployment model can allow a higher or lower degree of sharing between clients (Public or Community), be specific to one client (Private), or a mix (Hybrid)
  – Cloud will normally always be multi-tenant, but in Private the "tenants" are different application services typically serving the same client
  – This can be used to accommodate Information Assets with special requirements
7. Cloud compared to other services?
• What is similar between security for Cloud and conventional services?
  – The security areas are identical, and the requirements almost the same
  – All Computing Service Security Models must comprise:
    – Data Center, Physical, and Network Security
    – Data / Storage & Server / OS Security
    – API and Middleware Security
    – Application Security including Access Control, Penetration testing
    – Protection of the traffic between Service and End-user
• Some elements of security for Cloud are different due to the shared nature:
  – The risk picture is different due to the risk of crossover between services on the same Cloud:
    – Shared technological vulnerabilities
    – Insecure APIs
    – The potential population of malicious insiders increases
    – Risk of Data Leakage / Data Contamination
  – The governance models differ:
    – Cloud often offers less client transparency and influence
    – More reliant on third-party attestation and certifications
  – The security requirements are higher, especially for:
    – Data / Storage, Application security
    – Monitoring and malware protection, which must be tighter
8. Service Compliance Framework?
• The Service Compliance Framework does not differ a lot between Cloud and Conventional
  – Differences are mostly in the mapping from the Security Control Model to the Service Delivery Model, due to the service organization
  – Governance and e.g. audit access can vary => requirements for the Service Contract structure are likely to be different
Graphics borrowed from: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
9. European FS clients: what trends do we see in their Cloud requirements?
• In general, we see a strong push for Cloud Services across all our clients
• But there are differences in their requirements and approach
• Some of the differences come from legislation in the European Union; other trends seem more closely related to industry or culture:
  – Data privacy:
    – While there are many similarities between the data privacy requirements in Europe and the USA, the EU Data Privacy Model Clauses lock the service provider in, while Safe Harbor can be exited
    – This impacts the contractual requirements of a European client
  – Choice of Deployment Model: European FS clients go for Private / Hybrid to a higher degree
    – Risk of Data Loss / Leakage seems to be what significantly influences this choice
    – Governance and reliance on third-party certifiers also play a role
  – Uptake of Cloud Service Models:
    – The uptake of SaaS in the USA is much stronger compared to Europe
    – A higher proportion of European FS clients focus on IaaS and PaaS and less on SaaS compared to their NA counterparts
    – Very likely related to the division of the European market into several languages as well as legal/traditional requirements: just not the same type of large market with uniform requirements
    – Consequently, there is less demand for single-service cloud offerings - still!
10. I think I want Cloud! How do I avoid the pitfalls?
• Do ALL of what you would do for a conventional service (many very similar frameworks are available; the below reflects https://cloudsecurityalliance.org):
  – Identify your Information Assets; these are normally Data and Application/Function/Process
  – Evaluate the sensitivity of your Information Assets => Confidentiality, Integrity, and Availability requirements
  – Determine your Compliance (incl. Jurisdiction), SLA, and BCP requirements
  – Evaluate your potential Providers, their Service Models, and Locations
  – Map potential data flows between locations, and determine risk exposure points
• Decide whether Cloud is available and applicable. If yes, continue:
  – Determine the correct deployment model for your Information Assets: Private / Community / Public .... or Hybrid
  – Determine whether you go for a full-stack SaaS, or PaaS or IaaS hosting services only
    – The advantage of PaaS / IaaS is that you can customise more of the Application Security layer
    – The drawback is that you become responsible for defining, implementing, and planning security for everything above where the Cloud Provider's service stops
  – Define / modify your Security Control, Risk Mitigation, and Governance Framework
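An added example, not part of this deck, that turns the checklist above into a small runnable assessment: each Information Asset carries CIA ratings and permitted jurisdictions, each candidate Provider a service model and locations, and the code maps exposure points and the security layers the client keeps responsibility for. The layer list is the one from slide 7; the per-service-model coverage split, the 1..3 CIA scale, the sensitivity threshold and the sample assets and providers are constructed assumptions.

```python
from dataclasses import dataclass

# Security areas named on slide 7, ordered from the bottom of the stack up.
LAYERS = (
    "Data Center, Physical, and Network Security",
    "Data / Storage & Server / OS Security",
    "API and Middleware Security",
    "Application Security incl. Access Control and Penetration testing",
    "Protection of traffic between Service and End-user",
)
# Hypothetical split (assumption, not a published mapping): how many layers,
# counted from the bottom, each service model's provider covers.
PROVIDER_COVERS = {"IaaS": 2, "PaaS": 3, "SaaS": 4}

@dataclass(frozen=True)
class Asset:
    name: str
    cia: tuple                # (confidentiality, integrity, availability), 1..3
    jurisdictions: frozenset  # where this asset's data is allowed to reside

@dataclass(frozen=True)
class Provider:
    name: str
    service_model: str
    locations: frozenset      # where the provider may store or process data

def client_responsibilities(service_model):
    """Layers the client must define, implement and plan security for."""
    return list(LAYERS[PROVIDER_COVERS[service_model]:])

def exposure_points(asset, provider):
    """Provider locations that fall outside the asset's permitted jurisdictions."""
    return sorted(provider.locations - asset.jurisdictions)

def assess(asset, provider):
    """Run the checklist: map data flows first, then pick a deployment model."""
    exposures = exposure_points(asset, provider)
    if exposures:
        return {"applicable": False, "exposures": exposures}
    # Highest-sensitivity assets stay off shared tenancy; the threshold of 3
    # is a constructed policy choice for this example.
    deployment = "Private / Hybrid" if max(asset.cia) == 3 else "Public / Community"
    return {"applicable": True, "deployment": deployment,
            "client_owns": client_responsibilities(provider.service_model)}

# Constructed sample input: an EU client's customer records and two providers.
RECORDS = Asset("customer records", (3, 2, 2), frozenset({"EU"}))
EU_SAAS = Provider("eu-saas", "SaaS", frozenset({"EU"}))
GLOBAL_IAAS = Provider("global-iaas", "IaaS", frozenset({"EU", "US"}))
```

Running `assess(RECORDS, GLOBAL_IAAS)` flags "US" as an exposure point and stops, while `assess(RECORDS, EU_SAAS)` recommends Private / Hybrid and leaves only end-user traffic protection with the client.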
11. Summary
• From a requirements, assessment, and SLA perspective, conventional and cloud-based services are very similar for the clients
• The potential for great security (or appalling security!) is very much the same
• There are differences in security considerations and in some security requirements, and there are specific information assets where it must be considered whether Cloud Computing is the optimal service form
Where to go for more information on Cloud Security:
• The Cloud Security Alliance has done a great job in promoting best practices and providing good guidelines for Cloud Computing Security: www.cloudsecurityalliance.org
• Websites of Service Providers in the industry are also rich sources of information
12. Questions and Answers
• Contact Information: Torben Lundgren, email@example.com or via LinkedIn: http://uk.linkedin.com/in/torbenlundgren
13. Lions and Tigers and Cloud, Oh My! The Truth Behind Cloud Security and Risks
Ariba Security in the Cloud
Jason Brown, Dir., Solutions Management – Data and Security Policies
14. Agenda
• Background
• Ariba Privacy/Security Framework
• Building Trust with Ariba
• Trends
• trust.ariba.com
15. Ariba Privacy/Security Framework
16. Building Trust with Ariba
• Semi-annual WebTrust Seal of Assurance since 2001
  – Covers Security, Confidentiality, Processing Integrity, and Availability Principles
• SSAE 16 SOC 1 and SOC 2 Type II reports for transparency (formerly SAS 70) since 2009
• PCI DSS Level 1 Service Provider since 2008
• US Dept. of Commerce Safe Harbor since 2009
• Vulnerability Scans and Penetration Tests
  – Monthly PCI scans, pen tests of each release
• trust.ariba.com
• Background Check Program
• Security Awareness Program
  – Certification upon hire
  – Annual re-certification
17. Trends
• Greater transparency
  – Ariba SOC 1 and SOC 2 Type II reports
• Deeper dives on 3rd-party / sub-service provider assurance
  – Extensive Vendor Oversight program
  – Equinix SOC 1 Type II report
• Customer-performed vulnerability scans
  – Ariba investment in third-party penetration tests
• EU Commission on Data Protection
  – Initiated program to comply by January 2014
• Cloud Security Alliance growth
  – Ariba membership
  – Hosted Silicon Valley Chapter
18. trust.ariba.com
19. trust.ariba.com – Cloud Status
20. trust.ariba.com – Policies
21. Questions and Answers
• Contact Information: Jason Brown, JasonBrown@ariba.com
22. Share This Session… NOW… from your mobile!
• All presentations are posted:
  – Guidebook mobile app: search the Apple or Android app store for Guidebook and enter code "collabor8"
  – Or at Slideshare.net/Ariba
• Share via email or social media
**Come back soon: we are syncing #AribaLIVE audio and video interviews to the presentations**