Presentation to Irish ISSA Conference 12-May-11


Discussion of information security risks in current business and technology environments.
Presented to ISSA Ireland conference attendees in Dublin on 12 May 2011.

Published in: Technology, Business

  • Deloitte's Global Risk Management Survey – Seventh Edition
  • Deloitte's Global Risk Management Survey – Seventh Edition
  • Security Art – 2011 Predictions
  • Global Status Report on the Governance of Enterprise IT (GEIT) 2011 – ISACA and IT Governance Institute
  • Ponemon Institute survey: more than 20% of cloud providers view security as a competitive advantage. 69% of providers think security is the users' job. Only 35% of users think this!
  • Moving public stuff to the cloud allows you to focus on the more sensitive stuff in house. Economies of scale: security is better and cheaper when implemented on a larger scale; multiple locations (redundancy) improve availability; staff specialisation and experience; updates rolled out more frequently; default images updated with the latest patches.
  • Harks back to the (ancient) use of Unix crypt to brute-force decryption of /etc/passwd. Information leakage in third-party compute clouds was also explored in 2009 [U Cal and MIT paper].
  • Data protection: is very complicated where personal data is stored in countries outside the EU; has many options, including Safe Harbor for the US. Legal: which country's laws apply if there is a dispute with your cloud provider? What remedies do you have if there is a problem and the data is elsewhere?
  • See Cloud Security Alliance – Cloud Controls Matrix.
  • Example approach: SLA criteria used to measure; relationship management; relative responsibilities; tools used to monitor/manage; communications; problem management.
  • ENISA Report, November 2009
  • See CSA. Amazon outage example – affecting Foursquare, Quora and Reddit.
  • CSA – see ‘Cloud Audit’
  • Evidence of work on gap analysis/remediation is to be found in the research and the work of concerned organisations: ENISA, NIST, CSA etc. The classic gap is zero-day vulnerabilities: the time frame is getting shorter, but the 'bad boy' response is quicker.
  • Transcript

    • 1. Is information Security less of a risk now? In this economic climate business risks have changed. Has information security risk moved down the Internal Auditor’s priority list?
    • 2. Risk
      • Where does information security fit in the business risk universe?
        • What do businesses think ?
    • 3. Top Business Risks
      • Regulation and compliance
      • Access to credit
      • Slow recovery or double-dip recession
      • Managing talent
      • Emerging markets
      • Cost cutting
      • Non-traditional entrants
      • Radical greening
      • Social acceptance risk and CSR
      • Executing alliance and transactions
      Ernst & Young Business Risk Report 2010. Where do you see Information Security?
    • 5. Business risk Environment
      • The Drivers :
      • Regulatory and Compliance seen as a major risk by Business
      • CEOs have seen a significant impact from regulatory change
        • (raised capital levels and liquidity ratios)
      Deloitte’s Global Risk Management Survey – Seventh Edition
    • 6. Business risk Environment (2)
      • The Result:
      • IT investment aimed at cost efficiency as well as growth.
      • Risk Management incorporated into formal strategic planning processes.
      Deloitte’s Global Risk Management Survey – Seventh Edition
    • 7. Internal Audit (IA) trends
      • Globalisation
      • More flexible integrated role for Internal Audit
      • Greater focus on risk management
      • Hunt for talent
      • Technology advances
      PwC 'Internal Audit 2012'. Controls assurance. Risk-based audit planning. Evaluation of risk management also. Outsourcing and offshoring recognised by IA and used to help IA.
    • 8. INFORMATION SECURITY VIEW Image thanks to www.xkcd.org
    • 9. 2011 predictions
      • Expanded digital domain
        • (Smart phones & tablets)
      • Broader scope of information security aided by cost cutting and optimisation in organisations
        • (VOIP, Customised devices)
      • Cybercrime – staying ahead of law enforcement
      • Monitoring at a whole new level
      • Social Media
        • Consumer reality and hype
      More new things – more complexity. Drive for value from security.
    • 10. IT Governance view
      • Value creation by IT is important
      • IT should be proactive
      • Greater focus on governance
      • Outsourcing
      • Cloud computing plans underway
      • Social Media is not highly prized.
      ISACA and IT Governance Institute - 2011
    • 11. Outsourcing
      • Not a new activity
      • History of business processes and IT applications outsourcing success or otherwise.
      19% of CEOs plan to 'insource' a business process or function in 2011, compared to 31% of the CEOs surveyed who plan to outsource. Source: PwC 14th Annual CEO Survey. 12 May 2011
    • 12. The Cloud
      • Deployment models: Private, Public, Community, Hybrid
      • Service models: SaaS, PaaS, IaaS
      • Related concepts: Grid computing, Platform virtualisation, Utility computing, VM, Web 2.0
      • Attributes: Automatic security management, Cost savings, Agile, Scalable, Resilient, Service oriented
      Cloud computing is a new business model, a new way of delivering computing resources, NOT a new technology.
    • 13. Cloud Security Benefits
      • Moving public data to the cloud allows you to focus on sensitive data
      • Cloud homogeneity makes auditing & testing easier
      • Economies of scale
      • Resource concentration
      • Enable automated security management
      • Redundancy / disaster recovery
      Easier to mind eggs in one basket. Works for security too.
    • 14. Cloud Security Issues
      • Policy & Organisational
      • Technical
      • Legal
      • and TRUST
    • 15. Policy & Organisational
      • Going on the cloud to save money
      • Passing control to the cloud provider
      • Lock-in
      Simplistic, and may blind you to the need to manage.
      • Security responsibility still there:
      • SLAs should be adequate,
      • Audit support needed.
      Limited support for data and service portability
    • 16. Technical risks
      • All the old technical risks,
      • and some...
      Server-side protection. Client-side protections. Hypervisor controls. IAM. Authentication controls. Isolation: software, stored data. Encryption and key management.
    • 17. Technical risks (2)
      • Isolation failure
      • Protection of more data in transit
      • Greater reliance on communications links
      SunGard noted that 25% of DR invocations were due to communications failure! (UK figures for 2010.) O/S, software and data. Data persistence / data remanence. Encryption and key management.
    • 18. Technical risks (3)
      • Example of cloud computing resources being used to brute-force WPA-PSK passphrases.
        • The idea is not new,
        • The use of cloud compute resources is !
    • 19. Legal / Compliance
      • Data Protection
      • Applicable laws and jurisdiction
      • Electronic Discovery
      • Compliance
      Does your cloud provider store your HR data outside the EU? Intellectual property protection. If there is a dispute with your cloud provider ... If there is a dispute with a customer ... Getting access to audit, or getting evidence of the provider's compliance.
    • 20. Trust
      • Is it safe for companies to trust the cloud providers with their data which,
      • in some cases,
      • can include entire business infrastructure?
    • 21. PERSPECTIVE Image thanks to www.xkcd.org
    • 22. Cloud Security Problems
      • Are not new...
          • The technical issues are tractable
          • The legal issues will probably be the hardest (read slowest) to get resolved.
          • Policy and organisational issues were encountered before.
      The cloud provides the opportunity to get them right this time. Small player problems.
    • 23. Approaches
        • For some it is Hope and pray !
        • You can’t look under the hood
        • Maybe not, but there are other options ...
      • Risk focus is elsewhere
      • Rely on the market
      • Cloud computing risks not attracting much attention.
    • 24. Approach
      • Look at how
      • offshore / outsource risks
      • are managed
    • 25. It is said (by many)
        • You can ultimately outsource responsibility but you cannot outsource accountability !
        • How do you exercise control ?
    • 26. Preparation
      • Understand :
          • Policies and SLAs in place and your service expectations
          • Boundaries of responsibility
      • Communications including issue resolution
      • Change management
      • Security controls (on offer and applied)
      • Continuity – including your back-out plan
      What do you need to gain trust?
    • 27. Assurance
      • Certification
      • Audit controls, recoverability controls
      • Right to Audit
      • Cloud Provider’s history
          • Provider’s approach to data breach/security reporting
          • Reputation among your peers
          • Reputation in the blogosphere
      SAS 70, ISO 27001 certification, BUT understand the scope of the certification! Look for the EVIDENCE!
    • 28. Final Thoughts
      • Technology continues its advance
      • Vulnerability exploits and countermeasures continue to be developed
      • Policy, organisational and compliance issues occur as long as there is human involvement
      • There are gaps but the evidence shows these are being addressed.
    • 29.
      • [email_address]
      • www.ofassociates.com
      • (+353) 87 28 38 667
      Questions ?