MISA Cloud workshop_ Security and risk mgmt

Presentation Transcript

  • CLOUD COMPUTING
      MISA Cloud Computing – 101 and Beyond
      April 11, 2012
      Brian Whitelaw, CISM, CRISC
      Division Manager, GRC
      City of London
  • AGENDA
      • Cloud Computing Myths
      • Information Security and Cloud Computing
      • Risk Management and Cloud Computing
  • MULTIPLE FORMS OF CLOUD COMPUTING
      • Large hosts such as IBM and Microsoft
          • Hardware, platforms, applications
      • Hosted Services
          • Niche applications
      • Online collaboration
  • THE #1 MYTH OF CLOUD COMPUTING
      • Myths – cheaper, less secure
      • Biggest myth – it’s new!
      • Most of you have been using it for years
      • Hosted solutions
      • Online collaboration
  • HOSTED SERVICES AND CLOUD COMPUTING
      • The City of London has close to 20 hosted solutions
          • This is, in essence, cloud computing
          • Hosted solutions include HR and Patient Care apps (sensitive information)
          • Other apps include EAP, Health Claims
      • Our first hosted service was introduced 5 years ago
  • INFORMATION SECURITY AND CLOUD COMPUTING
      • Information Security is only 1 area of Risk Management
      • InfoSec issues include:
          • Confidentiality, file sharing, loss of control
          • Backups, vulnerabilities, access control
      • Major security concerns
          • Dropbox, YouSendIt, iCloud, SkyDrive
  • REASONS FOR BLOCKING CLOUD STORAGE
      • Files leave the corporate network – you lose control
      • Files may not be backed up
      • Files obtained from online storage may contain malware
      • Files obtained from online storage may have copyright
      • Some Terms of Use state that they now own the rights to any document you upload
  • SECURING HOSTED APPLICATIONS
      • Penetration Testing
          • City of London’s first hosted pen test
          • Agreement in place (signed by the right people)
          • What are you allowed to test and how far?
          • Business decision based on results
          • Repeat pen test periodically
  • SECURING HOSTED APPLICATIONS
      • Some vendors will not allow you to do pen testing
      • Review policies
      • Find out what their physical security is like
      • Determine who has access to your data
      • Get everything in writing (preferably in a contract before services are purchased)
  • CLOUD COMPUTING AND RISK MANAGEMENT
      • IBM and Microsoft cloud solutions are probably more secure than most municipalities
      • It comes down to Risk Management
      • Contracts and Underpinning Contracts
      • Service Level Agreements/Availability
      • Capacity and Bandwidth Management
      • Policies
      • Data Ownership
  • SUMMARY
      • Information Security/Risk Management
          • Confidentiality, Availability, Integrity
          • Service Level Agreements are paramount
          • Accountability remains with you