What the Cloud Vendors Don't Want You to Know
Companies are moving key business processes to the cloud at breakneck speed. Can you advise your constituents on the risks inherent in transferring these operations to a third party? This session will offer a "behind the scenes" look at the risks that typically are only known to the vendor, and what tools you can use to help your organization identify & manage these risks. Attendees will also receive a Risk Management Checklist for use when evaluating and procuring managed services.

Published in: Business, Technology
Transcript

  • 1. The Risk Behind the Silver Lining: What the cloud vendors don’t want you to know.
  • 2. Agenda
    • A True Story
    • What They Don’t Want You to Know
      • 14 Examples
    • Cloud Risk Management
      • Process
      • Impact Analysis
      • Supporting Elements
      • Metrics
  • 3. A True Story
  • 4. (image slide, no text)
  • 5. What are the Issues?
    • Architecture / Design
    • Exception Policy (SSL issue)
    • Third Party operational process
    • Assurance / Right to Audit
    • Incident Response
    • Legal culpability
    • Law Enforcement
  • 6. What They Don’t Want You to Know
  • 7. My Firm’s Operations are Not as Polished as My Marketing Portrays.
    • Risk: Operational gaps will affect your service quality.
    • Mitigation: Look for evidence of process maturity.
    • Assessment Tools: ITIL / ISO 20000 / SAS70 / Audit Documentation
    • Enforcement Tools: Service Level Agreement
  • 8. I Have a History of Outages.
    • Risk: Operational gaps will affect your service quality.
    • Mitigation: Look for evidence of process maturity.
    • Assessment Tools: Service Monitoring History
    • Enforcement Tools: SLA, Service Monitoring
  • 9. (image slide, no text)
  • 10. My Standard SLA is Not Always Standard.
    • Risk: A vendor’s standard SLA may not offer sufficient performance, metrics, communication, or remedies.
    • Mitigation: Evaluate the SLA to ensure alignment with your business requirements.
    • Assessment Tools: De-identified versions of other SLAs they have agreed to. Your own SLA, driven by the business requirements.
    • Enforcement Tools: Appropriate remedies & penalties
  • 11. I Routinely Short Staff Operations.
    • Risk: Increases the chance of service degradation.
    • Mitigation: Understand staffing levels of key processes and how that relates to your account. How is automation relied upon?
    • Assessment Tools: Vendor process and staffing documentation.
    • Enforcement Tools: Contract provisions, spot audits.
  • 12. I Rely Heavily on Offshore Resources.
    • Risk: May affect your compliance depending on the types of data involved.
    • Mitigation: Know how your service is staffed.
    • Assessment Tools: Vendor documentation
    • Enforcement Tools: Contract provisions, spot audits.
  • 13. Your #1 Competitor is One of My Best Customers.
    • Risk: Vendor personnel may come in contact with sensitive proprietary data.
    • Mitigation: Understand internal process architecture and staffing, and whether cross-pollination risk exists.
    • Assessment Tools: Vendor customer list.
    • Enforcement Tools: Contractual account separation, separate staffing provisions. Periodic account list reviews.
  • 14. My Implementation Timelines are Optimistic.
    • Risk: Vendor representations about implementation timelines may not be accurate and may put timely project execution at risk.
    • Mitigation: Require vendor timeline commitments.
    • Assessment Tools: Talk to existing clients about their experiences.
    • Enforcement Tools: Contractual completion milestones with incentives / penalties
  • 15. I Rely Heavily on Cloud Services.
    • Risk: Increases your exposure to third party risk.
    • Mitigation: Understand any externally delivered components of the service.
    • Assessment Tools: Vendor documentation
    • Enforcement Tools: Include Third Party Risk in Audit Program. Contract “flow-through” provisions.
  • 16. I Don’t Really Monitor Your Account Very Well.
    • Risk: Increases the chance of service degradation.
    • Mitigation: Understand vendor monitoring processes. Understand how client accounts are formally prioritized. Work with vendors where you are a critical account.
    • Assessment Tools: Understand how your deal size fits in the range of typical accounts. Understand the human vs. automated balance.
    • Enforcement Tools: Require regular account reviews and operation status reports.
  • 17. I Had a Security Breach Last Week. And You’ll Never Know.
    • Risk: Indicators of vendor issues can be difficult to discover.
    • Mitigation: Require reporting of all exception events, even those not directly related to your account.
    • Assessment Tools: Document prior exception events and remediation measures taken.
    • Enforcement Tools: Contractual requirement to report any exception events vendor-wide to you.
  • 18. My Third Shift Server Admin Recently Moved. (From a Gated Community.)
    • Risk: Your data may be exposed to individuals with criminal records.
    • Mitigation: Ensure visibility into vendor hiring procedures.
    • Assessment Tools: Understand vendor hiring / retention procedures.
    • Enforcement Tools: Contractual requirement of background / credit checks and termination for cause.
  • 19. Our Next Release Removes a Key Feature.
    • Risk: Evolving vendor platforms may remove a feature key to your use of the service.
    • Mitigation: Review roadmap documentation and understand service direction and corporate strategy.
    • Assessment Tools: Document any past feature removal. Get current roadmap documentation.
    • Enforcement Tools: Contractual language allowing for contract termination in the event of key feature removal.
  • 20. I’m Not Really the Service Provider.
    • Risk: White label / OEM agreements may obscure the true end service provider.
    • Mitigation: Understand whether the vendor is the end provider of the service.
    • Assessment Tools: Determine all third party components of the service.
    • Enforcement Tools: Require language asserting that the vendor is (and always will be) the provider of the service.
  • 21. We are Totally Winging It.
    • Risk: Vendor operational maturity may not support your business objectives.
    • Mitigation: Ensure vendor operational maturity is appropriate for the service being contracted.
    • Assessment Tools: Review vendor internal process documentation.
    • Enforcement Tools: Require contract language allowing for periodic audit of process toward certification. Require certification by deadline date.
  • 22. Cloud Risk Management: Taking a Proactive Approach
  • 23. Process
    • Define business driver(s)
    • Complete Business Impact Analysis
    • Identify supporting elements
    • Develop metrics for these elements
    • Collect metrics
    • Manage to metrics
  • 24. Business Impact Analysis
    • How would we be harmed if the asset became widely public and widely distributed?
    • How would we be harmed if an employee of our cloud provider accessed the asset?
    • How would we be harmed if the process or function were manipulated by an outsider?
    • How would we be harmed if the process or function failed to provide expected results?
    • How would we be harmed if the information/data were unexpectedly changed?
    • How would we be harmed if the asset were unavailable for a period of time?
    Source: "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1." December 2009. http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf (accessed 9/1/2010)
  • 25. Supporting Element Contexts
    • Functionality
    • Performance
    • Availability
    • Confidentiality
    • Integrity
    • Portability
    • Transparency
    • Cost
    • ITIL Service Management Processes
      • Service Level Management
      • Capacity Management
      • IT Service Continuity Management
      • Availability Management
      • Financial Management
  • 26. Develop Metrics
    • Functionality: Report delivery availability
    • Performance: User interface response times
    • Availability: Uptime
    • Confidentiality: Records breached
    • Integrity: Reported instances of corruption
    • Portability: Time required to export and deliver data, cost of switching
    • Transparency: Audits completed
    • Cost: Cost as a percentage of the cost to deliver internally
  • 27. References
    • ISACA Cloud Whitepapers, forthcoming book
    • ITIL Service Delivery Library
    • ISO 20000 Series
      • ISO 20000: Service Management
      • ISO 27000-7 Information Security Management Systems
    • Center for Internet Security
    • NIST 800 Series
    • A6 / CloudAudit.org
    • Cloud Security Alliance
  • 28. Questions? Comments?
    • Email: [email_address]
    • Twitter: @chrisbmullins
  • 29. About the Presenter
    • Chris Mullins, Alert Logic
    • Chris Mullins is an experienced software industry executive with a strong competency in regulatory compliance and information security. Mr. Mullins has spoken throughout the world on topics such as consumer privacy, regulatory compliance, and continuous controls auditing.
    • Mr. Mullins founded the Compliance business unit for BindView (now Symantec) and was an early employee at Approva Corporation, where he managed the firm's audit firm relationships. He is currently employed with Alert Logic and focused on enabling technology partners and service providers as they look to improve their clients' security & compliance.
  • 30. Abstract: Companies are moving key business processes to the cloud at breakneck speed. Can you advise your constituents on the risks inherent in transferring these operations to a third party? This session will offer a "behind the scenes" look at the risks that typically are only known to the vendor, and what tools you can use to help your organization identify & manage these risks. Attendees will also receive a Risk Management Checklist for use when evaluating and procuring managed services.
