ciso-platform-annual-summit-2013-Mitigating the security risks of cloud service v2

Published on

Presented by Wayne Tufek at CISO Platform Annual Summit, 2013. Wayne Tufek is currently the IT Security and Risk Manager at the University of Melbourne. His career spans over 17 years as an active hands on practitioner of information security and technology risk management. He has worked in the public sector, Big 4, financial services, consumer products and education sectors.

Published in: Technology, Business
1. CISO PLATFORM ANNUAL SUMMIT
   Mitigating the Security Risks of Cloud Service Adoption
   Wayne Tufek
   CISO Platform Annual Summit, November 15-16, Hyatt Regency Mumbai

2. AGENDA
   • Introductions
   • Overview
   • What is the Cloud?
   • What are the Risks?
   • A Process
   • Summary
   • Questions

3. Overview
   • What is this presentation about?
   • What won’t be covered?

4. What is the Cloud?
   • “A scalable, multi-tenant, multiplatform, multi-network method of delivering information technology services.”
   • Why the Cloud?

5. What are the Risks?
   • Data security
   • Network availability
   • Cloud provider viability
   • Security incident handling
   • Business continuity
   • Legal or regulatory compliance

6. What are the Risks?
   • Risk transparency
   • Risk management and control responsibilities between the Cloud Service Provider (CSP) and the customer vary according to the cloud model

7. What are the Risks?
   (Figure slide) Source: Gartner (March 2013)

8. Process – Who are the Players?
   • Data owner
   • IT Department
   • Project team (if one exists)
   • Legal
   • Vendor management
   • CSP

9. Process
   1. Confirm the data
   2. Engage the data owner
   3. Understand process
   4. Other considerations
   5. Assess risk
   6. Evaluate the CSP
   7. Assess risk
   8. Negotiate the contract
   9. Assess risk
   10. Monitor and assess risk

10. Process – Start With the Data
   • Identify the CSP
   • Identify exactly what the data is
   • Understand the business process(es)
   • Engage with the data owner
   • Perform a risk assessment

11. Process – How Critical is the Data?
   • Consider the business value of the process vs. the importance of the information
   Source: Gartner 2013

12. Process – Other Considerations
   • Integrations/web services
   • Support and maintenance processes
   • Development/test and production?
     – Data masking requirements
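The "Data masking requirements" item on the Other Considerations slide is the one place in the deck where a concrete control sits behind a bullet: when a production extract is copied into a development or test tenant at the CSP, it should be masked before it leaves the production boundary. The following is an added example written for this page, not code from the presentation or from the University of Melbourne. It assumes a small relational extract (customers and orders as lists of dicts), that identifiers must stay joinable across tables, and that the masking key is held only on the production side; the field names, the `masked.invalid` domain, and the sample rows are all constructed for the example.

```python
"""Added example (not from the presentation): mask a production extract before it
is handed to a development/test environment.

Assumptions (mine, not the deck's): rows are dicts with the fields used below,
customer_id must remain joinable between tables, and free-text notes are dropped
outright because they cannot be reliably masked.
"""
import hashlib
import hmac
import re

# Constructed sample production rows (synthetic, not real customer data).
PROD_CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.org",
     "dob": "1984-03-09", "notes": "Called about invoice 88 - mentioned card ending 4421"},
    {"customer_id": "C-1002", "name": "Bob Sample", "email": "bob@example.net",
     "dob": "1990-11-21", "notes": ""},
]
PROD_ORDERS = [
    {"order_id": "O-1", "customer_id": "C-1001", "amount": 120.50},
    {"order_id": "O-2", "customer_id": "C-1001", "amount": 19.99},
    {"order_id": "O-3", "customer_id": "C-1002", "amount": 75.00},
]

# The key lives only in production; the test environment never receives it, so
# tokens cannot be reversed there. Hard-coded here only so the example runs.
MASKING_KEY = b"example-masking-key-kept-in-prod-secret-store"


def pseudonymise(value: str, key: bytes = MASKING_KEY) -> str:
    """Keyed, deterministic token: same input -> same token, so joins still work."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "T-" + digest[:12]


def mask_email(email: str, key: bytes = MASKING_KEY) -> str:
    """Keep the shape of an email address but none of its content."""
    return f"{pseudonymise(email, key)}@masked.invalid"


def generalise_dob(dob: str) -> str:
    """Reduce a date of birth to its year: YYYY-MM-DD in, YYYY out."""
    return dob[:4]


def mask_customers(rows, key=MASKING_KEY):
    masked = []
    for row in rows:
        masked.append({
            "customer_id": pseudonymise(row["customer_id"], key),
            "name": "Customer " + pseudonymise(row["name"], key)[-6:],
            "email": mask_email(row["email"], key),
            "dob": generalise_dob(row["dob"]),
            "notes": None,  # free text can carry anything (card numbers, names); drop it
        })
    return masked


def mask_orders(rows, key=MASKING_KEY):
    # Only the foreign key changes; amounts are not personal data in this model.
    return [{**row, "customer_id": pseudonymise(row["customer_id"], key)} for row in rows]


# Patterns for things that must never appear in the masked extract.
PII_PATTERNS = [
    re.compile(r"[\w.+-]+@(?!masked\.invalid)[\w-]+\.[\w.]+"),  # real-looking email addresses
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),                        # full dates of birth
    re.compile(r"\bC-\d{4}\b"),                                  # raw production customer ids
]


def leaks_pii(rows) -> bool:
    """Cheap gate run on the extract before it leaves production."""
    for row in rows:
        for value in row.values():
            if isinstance(value, str) and any(p.search(value) for p in PII_PATTERNS):
                return True
    return False


def build_test_extract(customers=PROD_CUSTOMERS, orders=PROD_ORDERS, key=MASKING_KEY):
    """Mask both tables and refuse to release the extract if anything slipped through."""
    masked_customers = mask_customers(customers, key)
    masked_orders = mask_orders(orders, key)
    if leaks_pii(masked_customers) or leaks_pii(masked_orders):
        raise ValueError("masked extract still contains production identifiers")
    return masked_customers, masked_orders


if __name__ == "__main__":
    custs, ords = build_test_extract()
    for record in custs + ords:
        print(record)
```

The keyed HMAC is what makes the masked copy usable: the same production id maps to the same token in every table, so integration and support testing against the CSP's dev/test tenant still exercises real joins, while the token cannot be reversed without the key that stays in production. The final `leaks_pii` gate is deliberately crude; its purpose is to fail the hand-off loudly when a new column is added to the extract without a masking rule.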
13. Process – How Critical is the Data?
   • Does moving to the Cloud still make sense?
   • Does the proposed business process need to change?
   • Assess the risk

14. Process – Assess the CSP
   • Ask questions about the controls in place
   • Cloud security control guidance
     – Cloud Security Alliance (CSA) and STAR
     – Defence Signals Directorate (DSD)
     – Common Assurance Maturity Model (CAMM)
     – The Shared Assessments Program
     – The European Network and Information Security Agency

15. Process – Assess the CSP
   • Is the CSP independently assessed?
     – ISO 27001
     – ISO 27017 and 27018 (Draft)
     – PCI DSS
     – SSAE 16 (SOC 1, 2 and 3), which replaced SAS 70

16. Assess the CSP
   • Understand the controls in place
     – Ask questions
     – Review documentation
     – Conduct interviews
     – Site visit
   • Assess the risk

17. Process – Review the Contract
   • Contractual considerations
     – List controls and processes
     – Include regular formal third party assessments
     – Gartner (G00247574)
     – Gartner (G00211616)

18. Process – Review the Contract
   • Service Level Agreements
     – Define RTO and RPO
     – Immediate notification of a security breach
     – Increase liability limits
   • Assess the risk

19. Process – Monitor
   • Results of security assessments
   • Vendor management function
   • Assess the risk

20. Summary
   1. Confirm the data
   2. Engage the data owner
   3. Understand process
   4. Other considerations
   5. Assess risk
   6. Evaluate the CSP
   7. Assess risk
   8. Negotiate the contract
   9. Assess risk
   10. Monitor and assess risk

21. Questions?

22. Contact
   • wtufek@unimelb.edu.au
   • LinkedIn
   • http://www.linkedin.com/pub/wayne-tufek/0/338/312
