Calming the storm


Published on 2013-07-02
Published in: Education, Technology
  • Total number of slides: 38. Duration: ~50 minutes.
English: Thank you. <name>, thank you. It is wonderful to be here. I'm so glad to see all of you. It is great to have the opportunity to bring together so many minds, experiences and diverse backgrounds so we can share ideas and learn from one another.
Portuguese (translated): Thank you. <name>, thank you. It is a delight to be here with you. I am very happy to see you. It is a great privilege to have the opportunity to bring together so many minds, experiences and diverse professions so that we can share ideas and learn from one another.
Spanish (translated): the same greeting as the Portuguese.
  • Presentation summary: Cloud computing is viewed by many information security professionals as a major threat to their IT environment. How great a threat? One on a level commonly associated with natural disasters such as tornados, hurricanes, typhoons, tsunamis, etc. It is important that IT professionals be given alternatives and ways to calm the storm. In this session, a three-tiered convergence and integration model consisting of Integrated Secure Cloud Services, Information Security, and Service Management will be discussed. Join us in an exploratory journey that will enable you to calm the coming storm.
Notes: Photo Credit [Accessed: June 10, 2013]
  • My name is Quinn Shamblin. I am the Executive Director of Information Security at Boston University and work with EXIN from time to time, developing course and exam material. The original concept for this presentation was developed by my good friend and mentor Kevin McLaughlin. He and I met over a decade ago at Procter & Gamble and have worked together off and on ever since. Kevin is now in charge of Global Security Operations, Identity Management and Global Incident Response at Whirlpool, and I serve in the role of CISO at Boston University, although we don't use that title.
Notes: Photo Credit [Accessed: June 10, 2013]
  • Boston University is a very highly ranked research university comprised of 16 colleges, including a medical school and a number of programs ranked in the top 10 in the U.S. Whirlpool is one of the most well-known names in consumer home appliances in the world. A small note: throughout this presentation I provide information collected from reports or online sources. Links for the source material are provided in the notes section of each slide in this presentation.
Notes: Boston University has over 33,000 undergraduate and graduate students from more than 140 countries, 10,000 faculty and staff, 16 schools and colleges, and 250 fields of study; our two campuses are always humming, always in high gear. Whirlpool Corporation is a leader of the $120 billion global home appliance industry; its appliances are marketed in nearly every country around the world. Photo Credit [Accessed: June 10, 2013]
  • Let me tell you a story. A few years ago, my wife and I were visiting her sister and her sister's family. We decided to go sailing in a small sailboat they own. It was only April, but it was a beautiful sunny day: a few clouds on the horizon, but a nice, warming sun and a gentle, steady breeze. We got the boat ready to sail, loaded into it and pushed off. It was me, my wife, her sister, her 8-year-old niece, and her sister's husband. We had a beautiful, steady breeze filling our sails and started a nice run out into the lake. We were having such a good time that we didn't notice the line of clouds at the horizon had darkened and picked up speed until they were almost on top of us. Suddenly, our sail started luffing (flapping around), and that nice steady breeze picked up into a wind and started shifting around, blowing generally back to shore but gusting in from all directions. The sun was blotted out, and the boat started to heel over toward the water. Now, we were out quite a ways; we did have a small electric motor on board designed to get us into and out of the dock, but that was it as far as alternative forms of power. We wanted to get in out of the storm quickly, so we kept the sail up and tried to anticipate the wind well enough, and adjust quickly enough, to get into shore without being swamped. But it was so unpredictable, and the water was getting so choppy, that soon waves were splashing right up to the edge of the boat… and then over the edge of the boat, dousing my wife, her sister and niece. Up until that point, all the adults on the boat had been trying to keep things upbeat for the benefit of the 8-year-old, despite getting more and more nervous as the weather got worse and worse. But once that wave broke over the boat, splashing everyone including that little girl, I could see real panic in the eyes of her mother. We instantly shifted tactics.
Even though it was going to take a lot longer to get into shore, we dropped the sail, redistributed the weight to get the boat more balanced and made our way to shore using just the little electric motor. It was slower, but safer. A tactic to calm the panic. This is a perfect analogy for the situation that many IT and information security professionals find themselves in right now. In the eyes of many IT and security practitioners, a storm has been building and is getting bigger and more uncontrollable each day. That panic, that feeling of lack of control, makes people want to ignore it or, at a very minimum, to take an extremely slow and conservative tack. Hopefully by the end of this presentation you will come to realize that things are not so bad as they may seem, that there are standards and best practices out there to help guide us, and that companies like EXIN are working to provide the information and training to help calm the storm.
Notes: Photo Credit [Accessed: June 10, 2013]
  • Today we are going to take a look at that storm and explore: some of the attitudes that make people fear cloud computing; the standards and best-practice frameworks that can guide us through these challenges; how they help us understand that the cloud is actually an enabler; considerations when analyzing a cloud service; and how you can build the expertise required to take advantage of the incredible opportunities out there.
Notes: Photo Credit [Accessed: June 10, 2013]
  • When business people consider cloud services, they tend to look mostly at what that service is doing. It is IT that often helps them understand that the full value proposition needs to consider not only what the service does, but how it does so: does the service offer acceptable levels of availability, capacity, continuity and security? Unsurprisingly, security and reliability are usually listed as the main reasons organizations are reluctant to turn to cloud-based IT services. It is often our risk officers that are most against the cloud. But this situation is nothing new. We saw the same thing when we left the mainframe; security and IT had similar concerns. From a security perspective, every time we go through a major technology shift, existing security models get broken, new threats emerge, and new security models and technologies are developed to meet those threats. Cloud technologies are simply the latest round of this cycle. It is important to understand that most of the fears of cloud computing are coming from IT and from your security and risk managers…
Notes: Source for the list of fears shown on the slide [Accessed: June 10, 2013]
  • …The business itself sees things very differently. They see benefits and opportunities in leveraging cloud computing and are very interested in capitalizing on those opportunities. IT was once so highly technical that business people were not generally able to understand it. This left the business somewhat at the mercy of what their IT people told them. IT was—and in many cases still is—perceived as arrogant and obstructionist. Cloud services are changing that. Modern services are easy to understand and can be set up any time, from anywhere, by anyone. The general level of technical sophistication is increasing. Business people are understanding more of their options, and the relationship between the business and IT is changing. If IT does not provide the capability that a business person is looking for, that person now has real options to go make it happen all on their own, leveraging cloud services and completely cutting out local IT. Many in the industry are predicting a trend away from having local IT organizations at all. In the future, you will not be an IT person; you will be a business person that happens to work with technology. In such a world—and this is the important point—your main focus will be how to deliver business goals… by exploiting available technology. Business focus, not technical focus. That is how it will be… that is how it should be today.
  • More and more capability is being hosted in the cloud. Companies commonly use the cloud for functions such as application hosting, e-mail and messaging, and data storage. Spending on cloud computing is forecast by Gartner to grow 18.5% this year, reaching $130.7 billion worldwide. Technology growth is exponential. Let's think about the implications of technological growth for a moment…
  • Technologists often like to quote Moore's law to say that technology doubles every 18 months. Acclaimed global futurist and best-selling author Jack Uldrich illustrates the implications of this in a powerful way. Imagine a lily pad on a lake, and every day the number of lily pads doubles. On day one, you have 1; on day two, 2; on day three, 4; on day four, 8; and so on. Imagine the lake is large enough that on day 30 the lily pads will cover the entire surface of the lake. What percentage of the lake do the lily pads cover on day 20? … 0.1%
Notes: Sources – Moore's law; Intel executive David House
  • Visionaries like the creator of Netflix, Reed Hastings, understand the power of exponential growth. Reed Hastings understood in 1998 that the cost of storage space would continue to drop, allowing for cheaper entertainment media. He leveraged that idea to start his mail-order DVD rental business, which has resulted in the complete demise of the brick-and-mortar movie rental industry in many countries around the world. Later, he saw the same trend in Internet bandwidth and again understood the implications. In 2007, he launched his streaming media service, which has changed the way that many people around the world consume media and is a real threat to the existing business models of the cable providers. I personally have not had a cable account since 2007.
  • We are hearing a lot about copyright infringement and illegal file sharing in the news these days. This is a perfect case study showing that if you provide a service to customers in the way that the customers demand, they will use your service. But if you don't, they will find ways around you to do what they want to do. Customers demanded the ability to watch what they wanted to watch, whenever they wanted, but the media industry ignored them. So the customers just solved the problem themselves, creating vast peer-to-peer file sharing networks to provide for themselves the service that the media industry didn't feel like providing, and the industry lost millions. It may have technically been illegal, but customers didn't care. They saw it as artificially illegal; it didn't make sense to them: they could watch the content for free if they did so on their TV, so why should they not be able to do so via file sharing? If we don't provide our customers with the capability of doing what they want to do, they will find a way around us. That is what happened to the media industry, and they have been losing millions for years. But in May of 2011, Netflix surpassed BitTorrent to become the largest consumer of bandwidth in North America. For media companies who are paying attention, this clearly shows that for customers the issue was not cost. They were not primarily driven by wanting it for free. They wanted the convenience. They wanted to watch what they want to watch, when they want to watch it, not when the media company wants to spoon-feed it to them, and not so saturated with commercials as to be disruptive. Netflix supplied that. By understanding the implications of Moore's law, Reed Hastings has changed the face of the world. Until Netflix, iTunes, Amazon, etc. provided a legal way for customers to do so, customers solved the problem themselves, cutting out the companies. When a legal way was presented, customers by and large were happy to use it. So think about the lily pads.
Think about what it means that computing capabilities double every 18 months. Now ask yourself about cloud computing: What day are we on? Are we on day 20? Day 10? Day 5? …or Day 1? Do you think we have any real option to go back?
  • Having just talked about one revolution being enabled by the cloud, I would now suggest that for most of us in this room, cloud computing is evolution, not revolution. There are companies like Netflix that are absolutely doing revolutionary things, things that change how the world works, or developing entirely new business models that were not possible before the cloud; however, this is not the case for most of us. Most of us are moving existing business models, processes and services to the cloud, just taking the next logical step in technical evolution to make our company stronger or more agile, or to do the same thing at lower cost. The cloud is definitely leading to fundamental changes in the relationship between IT and business, but for most of us it is not changing the business itself. Procter & Gamble has not stopped making soap and paper products; it is just changing the way it does marketing and logistics. Cloud computing is not even a new concept. In the 80s and 90s, when networks were first being deployed, people tried to use network servers to serve up applications—to provide "cloud" services—but at that time they were limited by bandwidth constraints. Now we have enough bandwidth, and systems with enough responsiveness, to meet the needs of thousands and millions of end users simultaneously, and services are able to grow. For us, it is an evolution, and we should be growing right along with them.
Notes: Photo Credit [Accessed: June 10, 2013]
  • The business is going to move to the cloud. On a long enough timeline, it is inevitable. Remember my story about BitTorrent. Customers wanted to watch what they wanted to watch, when, where and how they wanted to watch it. The media industry said "no"; they didn't spend any time thinking about the possibilities to enable this need. They didn't get in front of it and figure out a way to monetize it in a way that customers would accept. They failed. They failed to listen to the customer… and lost millions. Many security departments are like that. They don't understand or don't listen to the customer… and we need to change that. For those of you who have dealt with the business side of higher education, you will no doubt be aware that universities have a culture of allowing everyone free access to everything. The term is "academic freedom". So you can imagine that when university management wants to create an information security department, faculty get very concerned. They are afraid we will come in like Big Brother and stop what they are doing. One of my core jobs is to help alleviate those concerns and help people understand that my job is to help them find a safe way to reach their goal. "It is not my job to say 'no'. It is my job to find a safe way to say 'yes'." When organizations deploy new technologies without consulting security professionals, those technologies are usually much less secure than required; but when information security is seen as a stumbling block, they avoid us. Security professionals need to understand the business of the business itself and the business of IT service management. We need to understand that our CORE function is to ENABLE the business to do its business. Without these core understandings and attitudes, we cannot be effective in leading them to achieve their goals in a safe manner.
Notes: Photo Credit [Accessed: June 10, 2013]
  • Let's examine the fear that "one tiny, seemingly insignificant human error can have enormous consequences". This statement is absolutely true, and always has been true. Does adoption of cloud services change it in any real way? Wade Baker, manager of the Verizon group that investigates breaches, doesn't think so. To quote Mr Baker: "I've been looking for it, but I can't find any real evidence that the cloud is more risky than hosting everything completely internal." Most hacking attacks against corporations are still aimed at internal computer systems. 80% of the breaches Verizon investigated in 2012 involved internally hosted data. The remainder began inside companies' networks and spread to the third-party hosting services, not the other way around. Yes, risk exists in the cloud; bad security design and human error can of course result in a data breach or other bad outcome. But exactly the same thing is true of internal solutions. If one of your people is going to fall for a phishing scam and tell their password to a bad guy, it doesn't matter whether that password is for an internal system or one hosted in the cloud. Existing risks are not inherently much different. It is true that the cloud introduces a few new risks, but these are controllable too, as long as you understand them.
Notes: Credit [Accessed: June 10, 2013]
  • There is a need for an integrated approach, starting at a foundational level, where business challenges, IT practices and new technological developments are considered together. Smart, mature information security professionals understand that well-designed security enables a business to do more, not less. Consider online banking. If we didn't have SSL, adaptive authentication and non-repudiation solutions, would any of you bank online? How about online shopping? (In 2012, 63% of consumers in the U.S. did the majority of their Christmas shopping online.) Security has enabled these business models. As security professionals, we need to (1) understand the business and (2) understand how a well-run IT service is managed, just as we understand (3) our own core competency in information security. AND we need to understand how to integrate those concepts and apply them to emerging technologies. How do we get to understand all of these things? …
Notes: Photo Credit [Accessed: June 10, 2013]
  • …we turn to international standards to help guide our choices and processes. The International Standards Organization is comprised of 163 countries and over 3,300 technical bodies. These people collaborate to develop international standards guiding a host of disciplines and practices. A few of the important ones for us are these: ISO/IEC 20000 tells us what is required to run a world-class IT organization; this standard is codified into a best-practice framework called ITIL (IT Infrastructure Library). ISO/IEC 27002 tells us what to consider when managing an information security program. ISO/IEC 27017 is a newer standard that extends 27002 to the cloud. Copies of the standards are available from ISO and other sources, but most people find that the text of the standard is not enough. For most people, targeted training on the standards is crucial if they are to really understand the standard and how to implement it. [When I first studied project management, I thought I could just pick up the PMBOK and learn it. I found that almost useless on its own. But once I completed a training course on it, I understood how to use it as an invaluable reference.]
Notes: Links to the standards: ISO/IEC 20000-1:2011; ISO/IEC 27002:2005; ISO/IEC WD 27017
  • To find out what the business really needs, we need to have direct conversations with them. ITIL calls this BRM (Business Relationship Management). It involves collaborating with the business to make sure that we both understand which items are truly needs and which are wants. We need to help them understand the real cost of what they want. (A lot of what ITIL does is allow the business to understand the true cost of technology and of the service and support of that technology.) Do they really want or need the biggest, best, most expensive option? Do they need the Mercedes, or will the Toyota work just as well? For example, if a company is dealing with highly sensitive data and must be able to absolutely control access to it, that company needs a technology that enforces mandatory access control. Many security professionals these days would say that the company has no choice but to never allow sensitive data to be accessed through a smartphone. The risk is that if a person is ever allowed to save company data to their smartphone, that data may now be backed up to that person's personal computer or personal cloud storage; so even if the company initiates a wipe on that phone, the data still exists and can be restored from the backup. However, there are technologies out there that allow a company to prevent this, technologies that enforce mandatory access controls even in a BYOD world. Those technologies typically involve having the client log in through an access portal (like Citrix), or encrypting the file using encryption keys owned by the company and enforcing access control directly on the files themselves (like WatchDox). It is cloud services that enable us to do this: cloud services that allow us to provide our customers the flexibility to do their jobs in a variety of ways while still maintaining the level of security required.
On the other hand, when you present these options and their costs to the business, the business may decide that discretionary access control, backed up by company policies and employment contracts, is sufficient to control the risk, and may decide not to take on the complexity and cost associated with deploying one of these more rigorous technologies. Within the limits of legal requirements, the business is allowed to make the choice to accept the risk.
  • Like I said, as a security professional it is my job to consider the business goal and help the business find how to safely do what it needs to do. If I cannot come up with good, solid solutions to meet a business need, I have failed as an information security professional. In order to do this, we need to help our clients understand all aspects of what they're trying to do, working them through questions to help them understand their real needs, their options and the impacts: What are they really trying to achieve, from a business perspective (forgetting technology for the moment)? Which service are they looking at that they think may meet their goal? Are they aware of this or that factor (a legal requirement, or a limitation or problem with their suggested service)? Does that change what they'd like to do? Have they considered other services? Are they aware that this other service does something very similar but also includes other features which may be desirable? Then collaborate with them on developing security practices and policies that will allow the use of the chosen technology in a way that is secure enough. The business is allowed to accept the risk; it is my job to minimize that risk to a reasonable level and to make sure they understand and accept the risk that remains. That does not mean that we don't have proper controls, and it doesn't mean that "no" is not in our vocabulary. If they are considering something and it turns out to be illegal or against regulatory requirements, the answer is of course "no"; but when it comes to a legitimate business goal, we should be smart enough to come up with an approach to enable that goal.
Notes: Photo Credit [Accessed: June 10, 2013]
  • So, "no" is a possible answer, but you need to use it appropriately and very rarely. No security office has the time or resources to conduct in-depth evaluations of every single request. So you need to triage your requests and dig deeply only into those areas that represent good opportunity but also carry risk that must be analyzed. If the risk to the business is low (this whole green area), a security officer really doesn't need to spend time on it; allow the standard risk management mechanisms built into your procurement and contract review processes to deal with it. Similarly, if the proposal has a high or very high risk (for example, it puts trade secrets on a cloud service with no protections, or is illegal) and a low benefit to the business, why would the business even want to do it? While I put "no" on the slide, I almost never use the term; instead I give the business additional information about what it is they're trying to do, question the business very, very strongly about why they want to do this, and work to get them to see that it's not a good idea. Where you want to spend your time is analyzing opportunities that have real value to the business but also represent a level of risk (the yellow area). In these cases, you work to mitigate that risk as much as you can through configuration of the solution, through company policies governing the use of the solution, and through contractual remedies with the provider. Then document the remaining anticipated risks and ensure management understands them fully and accepts them.
Notes: Source – a Gartner concept, presented by Jay Heiser, "Practicing safe SaaS" (June 7, 2013)
  • When analyzing the service itself, carefully review the terms of service. These are the starting point for negotiation, but they might be the ending point as well. Different services have different willingness to negotiate. For many services, your only choice is take it or leave it, which might be fine, depending on your needs. Work with your general counsel and procurement departments to determine what type of security certification or validation will be required by your company for cloud providers.
Notes: Photo Credit [Accessed: June 10, 2013]
  • Something you need to keep in mind is that this is a different sort of relationship. Under traditional models of contracting for service, you deal directly with a company and build a 1:1 relationship. Under such models, a large degree of flexibility may be available. In the cloud, you will be one of 100 customers, or 10,000, or a million. Most cloud providers either do not have the ability or are not willing to make concessions or modifications for any single customer. No matter how big and important you are, you probably do not add up to the sum of all of their other customers. That said, many providers do have capabilities built into their solutions that allow you to customize things a great deal.
Notes: Photo Credit [Accessed: June 10, 2013]
  • Another important consideration is how you will verify the security claims made by a cloud provider. CSC did a survey and found that most organizations currently rely on a third party or conduct their own on-site assessment. I expect the second approach to decrease as the industry matures. As companies attract more and more customers, they will be less and less willing or able to entertain individual security reviews; rather, they will rely on third-party certifications or other one-to-many approaches for verifying security.
  • Let's talk about third-party reviews or attestations. SOC 2 is a commonly trusted third-party assessment of a service's controls. There are others, but this one is pretty well known. Something to be aware of: sometimes, when asked to provide a security certification, a company will try to invoke SAS70. There are two things wrong with that. Firstly, SAS70 is no longer a thing; it has been replaced by SOC 1. Secondly, and more importantly, neither SAS70 nor SOC 1 is actually a security evaluation at all. They evaluate internal control over financial reporting. That's all they evaluate. If this is a low-risk application, or my business wants to use it for a low-risk function, this doesn't make any difference. But if my business wants to use it for a moderate- or high-risk purpose, this is important to know. What you are looking for is SOC 2 or SOC 3. They do evaluate security controls. SOC 2 is the detailed report; SOC 3 is a short form of the report suitable for distribution. KPMG has put together a nice report that describes the differences between the SOC reports.
Notes: Credit [Accessed: June 10, 2013]
  • Another method of evaluating an organization's security is through self-assessments conducted by the company using a standard methodology. A few years ago, a number of industry leaders got together to try to solve the problem of answering security questions posed by customers while not overburdening a provider with waves of requests from individual companies. They created the Cloud Security Alliance, a non-profit organization with the mission of promoting best practices for providing security assurance within cloud computing. Another group doing something similar is sharedassessments.org.
Notes: Credit [Accessed: June 10, 2013]
  • The CSA created a self-assessment tool called CAIQ (pronounced "cake"), containing a series of security questions to be answered by the cloud service provider. Those questions are mapped in the Cloud Controls Matrix to the standards that you can see here on the slide. A company provides answers to those questions to help you assess whether that company meets your security needs. This is similar to conducting an RFI or RFP, where you would present them with a series of questions which they would then answer; but this way the company can answer the questions just once and everyone else can read those answers, as opposed to having to answer them over and over for every single client. The CSA maintains a registry of completed self-assessments that you can download when evaluating a cloud service. The CSA is also influencing the development of ISO 27017. The notes section of this slide provides links to all of these resources, including the standards.
Notes: CSA Security, Trust & Assurance Registry (STAR); Consensus Assessments Initiative Questionnaire (CAIQ); Cloud Controls Matrix (CCM); 4.1; ISO 27001 (2005); NIST SP 800-53 R3; PCI DSS v2.0; Shared Assessments SIG v6.0 and AUP v5.0; (Aug 2009); Forum; CIP (Critical Infrastructure Protection); Trust Service Criteria (SOC 2 Report)
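As an added illustration of how a CAIQ-style self-assessment is used (example code written for this page, not a CSA tool): the control IDs, titles, the control-to-standard mapping, the risk tiers and the provider's answers below are all constructed for illustration and are not the real CCM or CAIQ entries. The point it shows is the one made on the previous slides: the same published answers yield a different gap list depending on how risky the intended use is, and an unanswered or "N/A" question is treated as a gap for the reviewer to close, not as a pass.

```python
"""CAIQ-style self-assessment gap check.

Example written for this page, not a CSA tool. The control IDs, titles,
mapping to standards, risk tiers and the provider's answers are constructed
for illustration and are not the real CCM / CAIQ entries.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TIERS = {"low": 0, "moderate": 1, "high": 2}

# Constructed catalogue: control id -> (title, standards it maps to,
# lowest risk tier of intended use at which the control is required).
CONTROLS: Dict[str, Tuple[str, List[str], str]] = {
    "CTL-01": ("Data classification scheme", ["ISO 27001"], "moderate"),
    "CTL-02": ("Customer data encrypted at rest",
               ["ISO 27001", "PCI DSS", "NIST SP 800-53"], "moderate"),
    "CTL-03": ("Documented vulnerability management",
               ["NIST SP 800-53", "PCI DSS"], "low"),
    "CTL-04": ("Independent third-party audit (SOC 2 / ISO 27001)",
               ["ISO 27001"], "high"),
    "CTL-05": ("Customer-selectable data residency", ["ISO 27001"], "high"),
}

# Constructed provider answers, as they would appear in a published
# self-assessment: control id -> (answer, provider's note).
SAMPLE_ANSWERS: Dict[str, Tuple[str, str]] = {
    "CTL-01": ("Yes", "Four-level scheme, reviewed annually"),
    "CTL-02": ("Yes", "Encrypted at rest; keys held by the provider"),
    "CTL-03": ("No", "Patching is handled ad hoc"),
    "CTL-04": ("N/A", "First SOC 2 audit planned for next year"),
    # CTL-05 deliberately left unanswered
}


@dataclass
class Gap:
    control_id: str
    title: str
    answer: str
    note: str
    standards: List[str]


def required_controls(risk_tier: str) -> List[str]:
    """Controls that must be satisfied for a use of the given risk tier."""
    tier = TIERS[risk_tier]
    return [cid for cid, (_, _, min_tier) in CONTROLS.items()
            if TIERS[min_tier] <= tier]


def gap_report(answers: Dict[str, Tuple[str, str]], risk_tier: str) -> List[Gap]:
    """Required controls the provider did not answer 'Yes' to.

    An unanswered or 'N/A' control counts as a gap: it is the reviewer,
    not the provider, who decides whether a control applies.
    """
    gaps = []
    for cid in required_controls(risk_tier):
        title, standards, _ = CONTROLS[cid]
        answer, note = answers.get(cid, ("unanswered", ""))
        if answer.strip().lower() != "yes":
            gaps.append(Gap(cid, title, answer, note, standards))
    return gaps


def standards_affected(gaps: List[Gap]) -> List[str]:
    """Standards the open gaps would leave unmet, for the risk write-up."""
    return sorted({s for g in gaps for s in g.standards})


if __name__ == "__main__":
    for tier in ("low", "moderate", "high"):
        gaps = gap_report(SAMPLE_ANSWERS, tier)
        print(f"{tier}: {[g.control_id for g in gaps]} -> {standards_affected(gaps)}")
```

For a low-risk use only the vulnerability-management answer is a gap; for a high-risk use the missing audit and the unanswered residency question join it, which is exactly the information to carry into the contract negotiation and the risk acceptance write-up.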
  • There are many considerations that are important when reviewing the contract. Many people have been surprised by the fact that web-based services own any content created on the system or uploaded by a user: Facebook, YouTube, most of the other consumer services, etc. Be certain you know the answer to this question if you engage a cloud service at an enterprise level. What country does the company do business in? Where will your data be stored? The US has a regulation called ITAR, which governs arms and munitions. It prohibits certain kinds of information from being stored outside the borders of the United States. Your countries probably have something similar. Most cloud providers will not guarantee where your information will be stored and therefore cannot be used to store this kind of information. Microsoft is one of the few that I know of that will guarantee physical location. There are also cultural issues to consider. For example, there are several cultures on the Pacific Rim with a cultural norm that leads them to look at information and data as nothing more than another resource that may be freely shared and used. Storing your data in such countries entails a greater-than-average risk that it will be accessed and used without your permission. You need to be aware of this when doing business with companies that store information in those countries. What about end of life? What if you decide to leave their service? Can you get your data out easily? What if that company goes out of business? Are they obligated to provide your data back to you before they pull the plug, or can they just walk away? How much of a warning will you get? What if that company has a data breach: are they obligated to inform you? Do you have any remedy in such an event? Are they obligated to pay for notification or credit repair services for your customers that are impacted?
  • Once you are in the relationship, you need to keep an eye on things. Monitor and audit the company’s continued support of their agreed service levels. Hopefully you were able to build into the contract that they must renew their security certifications annually and that a copy of the new certificate/report is automatically provided to you; but if not, make sure you ask for them. Maintain copies of the old ones. The same goes for the terms of service: if they change, get a copy of the new ones and keep the old ones, noting when each was in force. Just as important is monitoring the financial health of the provider. Make sure you understand how they are doing, so that you aren’t taken by surprise by the unexpected. And don’t just keep an eye on the provider; continue to work with your clients. Monitor your internal business needs. Business needs change. Policies change. Regulations change. All of these things evolve and they have a bearing on the continued use of a given provider. Notes: Photo Credit [Accessed: June 10, 2013]
  • As a hiring manager, when I look for leaders, I look for talented generalists who understand and can competently deal with all these considerations. I look for people with a good track record across multiple areas. I look for people that have certifications like the CISSP or CISM or those provided by EXIN. I want people who have understanding across multiple areas, who can understand multiple points of view and multiple issues, and who can design business-focused solutions to deal with issues that span the organization. Specialists are crucial, but are very focused on one thing. Generalists see the big picture and bring in the specialist for their specific expertise. The pastry chef doesn’t cook the entrée; the sauté cook, the saucier… all are important, but it is the head chef that makes sure the meal comes together by working with all the specialists. That is what we need from information security professionals: the understanding and ability to bring everything together. The future lies in developing individuals and providing them with the skills and the essential mindset for building great organizations. The next generation of professionals in Information Security and IT Management will need a non-IT-centric approach. They will need the right knowledge, skills and attitude to ensure a more efficient and effective performance by their organization, to explore possibilities of new ways of conducting business, and to establish new businesses. This kind of work is done by knowledgeable and talented generalists, and it is these kinds of people that I look for. But how do we foster that kind of mindset and attitude? How do we develop the knowledge and skills required? This is where the ISO standards come into play, along with quality training in those standards provided by companies like EXIN. Notes: Photo Credit [Accessed: June 10, 2013]
  • One of the first things I look for on a resume is certifications and training that I know and respect. Obviously certification doesn’t mean that they’re going to know everything; but it does mean that they have a baseline level of knowledge and, more importantly, that we will use the same words to mean the same things and will better understand each other. EXIN is a good example of this. EXIN provides certifications in the core knowledge and competencies in all three standards that are crucial to the success of an information security professional working in the modern world: information security, cloud computing, and IT service management. But the differentiator for EXIN training is that it not only provides the core knowledge base but pays special attention to the intersections between one body of knowledge and another related body of knowledge. There is also a practical component to EXIN certifications; students are required to complete practical assignments in addition to demonstrating command of the body of knowledge. EXIN works with people who are international experts in their fields to develop and maintain their training.
  • EXIN offers a certification that pulls together the three disciplines we have been discussing: the Certified Integrator of Secure Cloud Services. EXIN provides this certification to individuals who complete certifications in (1) IT service management best practices, (2) information security and (3) cloud computing integrator. Basically, when you finish your third certification, EXIN automatically provides this additional certification at no further charge.
  • The first component is the cloud computing integrator certification. It is available at Foundation, Advanced, and Expert levels. The foundation level is vendor-neutral and non-technical; it focuses on people, process, management, structure, governance and other high-level considerations.
  • Someone wishing to competently deal with cloud computing must also understand at least the foundations of information security. The foundation level focuses on operational security matters and is useful for many other roles as well: service desk employees, project managers, and the change, configuration and release managers.
  • EXIN also offers advanced and expert level training in information security. The advanced level focuses on tactical information security concerns and is helpful to security managers, consultants, specialists, project managers and service managers. The expert level includes strategic concerns and is intended for your information security leaders: the chief information security officer, information security managers, lead implementers and architects.
  • The final leg of the Certified Integrator: Secure Cloud Services is IT Service Management. This certification is based on ISO 20000 and provides the best practices for running an IT organization. It provides concise and practical information on how to build a customer-oriented information technology service. You might think that good IT management is well understood these days, but there are many recommendations made in ISO 20000 and ITIL that IT organizations across the world—even those in some of the largest and most well-known organizations—do not follow. One very common example is that ITIL recommends that the IT service desk (help center) be staffed with advanced IT personnel—people with experience and expertise in IT, those you would normally think of as level 2 or level 3 people—not people just out of school or low-skill churn-and-burn kind of talent.
  • It is important for an Information Security professional to understand how world-class IT services are built and delivered if they are going to properly evaluate a Cloud Computing service. A fully implemented ITSM program will, by its very nature, result in a more secure and more reliable organization. Availability, security and continuity are all ITSM concepts that are also crucial to good information security. Another ITSM concept, Service Level Agreements, also plays a major role in dealing with Cloud Services. Implementing ITIL enables organizations to learn from their experience and mistakes, to adjust and improve in ever changing circumstances.
  • {Stress this point} The real power of standards and certifications is that they allow us to communicate. They give us a common vocabulary and common understanding across a wide variety of areas, allowing the information security professional, IT professional, cloud provider and business to talk to each other and align on goals: to enable the business to get what it needs and agree on how to get there. When we can talk to one another and mean the same thing, we remove the storm of confusion, disinformation, doubt and, yes, fear. We can start with the premise that a solution is available and work together to find it. Notes: Photo Credit [Accessed: June 10, 2013]
  • The sky is looking clearer. This storm that so many are afraid of—the cloud—is the direction that technology is going. This is the future. Eventually everything will be in the cloud. (Remember the lily pads.) We have to understand that. We have to accept that. We have to be ready to work within that environment. It is OK that everything will be in the cloud. The cloud is enhancing people’s usage and understanding of technology, giving them access to cost effective—even free—services with tremendous power. Of course they’re going to leverage those opportunities. Things are going to be moving much faster now. We have reached the point that we can innovate not just within our own companies, but across companies, across the globe, leveraging capabilities we haven’t yet dreamed up. We can find that new thing that gives us an advantage and leverage it instantly because it is designed from the ground up to integrate with and leverage cloud technologies available to anyone, anywhere, any time. At the same time, we can provide to our organizations the appropriate levels of protection and make appropriate choices as to how to leverage cloud technologies. This is not a storm. Cloud computing is not a storm. It is something to embrace! And the way to embrace it is to prepare, to make sure you have the understanding, the attitude and the training to take advantage of the opportunities it represents. Education, training and certifications—like those available from EXIN—will not only help to prepare you, but help you to embrace the future. Notes: Photo Credit [Accessed: June 10, 2013]
  • Let’s get out there and help our companies move! Notes: Photo Credit [Accessed: June 10, 2013]. Music credit: “Going For a Ride”, David Newman, soundtrack from Serenity (2005).
  • Calming the storm

    1. Calming the Storm. Quinn Shamblin | Kevin McLaughlin
    2. Quinn R. Shamblin, EXIN USA; Executive Director & Information Security Officer, Boston University; CISM, CISSP, ITIL (previously PMP, GIAC Certified Forensic Analyst). Kevin L. McLaughlin, Senior Information System Security Manager, Whirlpool Corporation; CISM, CISSP, PMP, ITIL Master Certified, GIAC Security Leadership Certificate (GSLC), CRISC
    3. Boston University: research university. Rankings in 2012-2013: 51st in the U.S. (US News and World Report); 54th in the world (Times Higher Education); 64th in the world (QS World University Rankings). Whirlpool Corporation: consumer home appliances; Fortune 125; $10B market cap
    4. A storm has been building
    5. We will explore
       • What the storm is and some common attitudes
       • What tools, standards and best practices exist to calm the storm
       • How they interrelate
       • Considerations when analyzing a cloud service
       • How you can get more information and expertise on those tools, standards and best practices
    6. Fears of Cloud Computing
       • Control of features/functions
       • Data protection
       • Enforcement of security policies
       • Data loss
       • Vendor stability/trustworthiness
       • Job security in IT
    7. Cloud Computing Benefits. Business benefits delivered by the cloud:
       • Capability / features
       • Cost
       • Redundancy / availability
       • Consumer and workforce demand: BYOD, tablets (file and information sync)
       • Organizations are regaining control over their information management
    8. How Organizations use the Cloud: application hosting 34%; email/messaging 34%; data storage 29%; collaboration software 25%; app dev/testing 23%
    9. Moore’s Law. Throughout the history of computing hardware, the number of transistors on integrated circuits has doubled approximately every 18-24 months. Day 20… If something doubles 10 times… …it is 1000 times bigger.
    10. Bit Torrent > Netflix. With respect to computing power in the cloud, what day do you think we are on?
    11. Cloud Computing is more an evolution than a revolution.
    12. Security is often excluded
       • Perception of the security department: “Dr. No”, “Business Prevention Department”
       • Security professionals need to be involved
       • Gartner on the security of server virtualization: 60% of virtualized servers were less secure than the original ones; 40% of organizations had not involved security specialists in their projects
    13. The reality of security risk
       • What is substantively different about the cloud? Are the security risks really that different?
       • Don’t ignore risk, but don’t assign more risk than is really there
       • You absolutely must still understand and mitigate risk… …just as you do now
    14. Interlinked Considerations. Modern business requires the security professional to have a balanced mindset and supporting knowledge:
       • Business needs (functional and fiscal)
       • Service management (how services were built and are supported)
       • Information security considerations (regulatory requirements, technical issues)
       Cloud Computing makes a seamless integration of these even more urgent.
    15. Guiding International Standards
       • ISO/IEC 20000 – Service Management
       • ISO/IEC 27001 – Information Security Management Systems
       • ISO/IEC 27002 – Code of Practice for Information Security Management
       • ISO/IEC 27017 – Code of Practice for information security controls for cloud computing services based on ISO/IEC 27002
    16. The Business’s Security Needs. What level of security does the business need?
       • Do you need complete control of the data? Who can look at it and who can forward it; being able to revoke access; Mandatory Access Control (MAC)
       • Is discretionary control acceptable?
       • (Diagram: Policies, Contracts, Wants, Needs, MUST HAVE!)
    17. The Right Question. Wrong question: “Is this service secure?” Right questions: “Is this service suitable for this particular business use? If the answer is yes, then how do we make it secure enough?”
    18. Choosing Your Battles. (Matrix: vertical axis Benefit to the Business (value of service), Low/Med/High; horizontal axis Risk to the Business (sensitivity of data/process), Low/Med/High. Bands: Say “Yes” toward high benefit and low risk; Analyze Risk (document and get formal acceptance) in the middle; No toward low benefit and high risk.)
    19. Analysis of the Service
       • Terms of service: types of cloud services; ability to negotiate
       • Security review: certifications for cloud providers; provider security self-assessments
    20. From the Provider’s Point of View
       • Direct / on-premises / private cloud: 1-to-1 relationship; negotiating a contract directly; agreement may be highly customized
       • Shared cloud services: 1-to-100 / 1000 / 10000 / 1000000+; all customers using the same service; the provider will be much less willing – or even able – to customize their service just for you.
    21. How organizations verify security: third party attestation 35%; conduct own assessment 28%; joint vulnerability testing with the provider 16%; accept word of provider 7%; we don’t verify 7%; follow the lead of similar company 5%
    22. Certifications for Cloud Providers
       • SAS70 and SOC 1: are not evaluations of security; evaluate financial reporting controls
       • SOC 2 and SOC 3: are security evaluations; based on ISO/IEC 27000
    23. Provider Security Self-assessments. Cloud Security Alliance (CSA): not-for-profit organization; promotes best practices for providing security assurance within Cloud Computing; provides vendor assessments based on well-respected standards
    24. Provider Security Self-assessments. CSA Security, Trust & Assurance Registry (STAR); Consensus Assessments Initiative Questionnaire (CAIQ); Cloud Controls Matrix (CCM) maps assessment answers to respected standards: COBIT 4.1, HIPAA, ISO/IEC 27001-2005, NIST SP800-53 R3, PCI DSS v2.0, Shared Assessments SIG v6.0 and AUP v5.0, GAPP (Aug 2009), Jericho Forum, NERC CIP, AICPA Trust Service Criteria (SOC 2SM Report)
    25. Important Contract Considerations
       • Terms of service: make sure they have a contractual commitment to maintain security certification; how do the terms of service relate to the contract?; make sure they don’t own your content
       • Consider end of life: what if they go out of business? What happens to your data?
       • Service Level Agreements
    26. Monitoring & Auditing: verify expectations are being fulfilled; monitoring; financial health of the provider; periodic revision of internal assumptions
    27. Skills required to weather the storm. The cloud need not be seen as a destructive force. Companies want leaders to be generalists with: solid knowledge in adjacent domains; training in the standards
    28. EXIN Training & Certification. Training in all these interrelated areas: Cloud Computing, Information Security, IT Service Management, more… Covers core competencies and intersections. Developed in cooperation with international experts in their specific field
    29. Certified Integrator Secure Cloud Services. One title that includes three elements: business concerns (Information Security); new technological developments (Cloud Computing); best practices (Service Management)
    30. Cloud Computing Foundations: vendor-neutral; non-technical. Focus areas: management, structure, people, and processes; concepts, benefits, risks, infrastructure and governance
    31. EXIN Information Security. EXIN Information Security Foundation: focuses on operational security matters; the first level of the three-level program, which is based on ISO/IEC 27002.
    32. IT Service Management (ITSM). ITIL® - IT Infrastructure Library: the most recognized and accepted framework for IT Service Management. EXIN Service Management: based on ISO/IEC 20000; concise and practical; customer- and service-orientation; focuses on the things you should do instead of all the things you could do
    33. Applicability to the Cloud. Based on a strong understanding of IT services in general: ISO/IEC 20000 – the core of good service management; availability, security, continuity of services; Service Level Agreements control design and delivery of services
    34. Communication: Clearing away the storm of confusion. Working from standards; having similar training; understanding the same concepts; speaking the same service language
    35. The sky is looking much clearer.
    36. Quinn Shamblin, Boston University, +1 617 358-6310. Milena Andrade, EXIN Brasil, +55 11 3032-4111. Let’s move! ¡Permítanos avanzar! Vamos proceder! (Spanish and Portuguese: let us move forward!)