In his presentation Erkan Kahraman shows the methods he uses to address common customer concerns from a cloud service provider's point of view, offers insight into industry practice, and sets out what cloud users should consider when purchasing solutions.
1. Security, Trust and Assurance.
Achieving confidence in the cloud.
Erkan Kahraman| CISO of Projectplace.com | erkank@projectplace.com
2. Agenda
• whois erkan.kahraman
• Top concerns for cloud computing.
• Security, trust and assurance ecosystem.
• Who to trust? Encryption and beyond.
• What this talk does not address and what to do next.
3. TOP CUSTOMER CONCERNS ¹
Word cloud of customer concerns (labels recovered from the slide): legislation, accountability, privacy, confidentiality, integration, retention, security, availability, exit strategies, efficiency, encryption, higher productivity, data integrity, regulations demand, data ownership, increased competition, multiple teams internally and externally.
¹ According to the "2012 Cloud Computing Market Maturity" survey conducted jointly by the Cloud Security Alliance (CSA) and ISACA.
4. HOW TO ADDRESS CONCERNS
Security, Trust and Assurance ecosystem:
• ASSURANCE: best practices and industry standards (e.g. ISO 27001); accreditation and certifications; independent audits.
• TRUST: applicable legislation; privacy statement; data retention and ownership; escrow and exit strategies.
• SECURITY: confidentiality, integrity, availability.
5. Traditional Security Triad
• Confidentiality
Perimeter security, access control, encryption, user account and password management.
• Integrity
Physical and environmental measures, protection against malware, file integrity monitoring (FIM), audit logging, monitoring and traceability.
• Availability
SLA, RPO/RTO, independent monitoring, redundancy, Disaster Recovery and BCP, backups and restoration, web accelerators.
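The integrity bullet above names file integrity monitoring (FIM) as a control. The following is an added example, not code from the presentation or from Projectplace: a minimal FIM in Python that hashes every file under a root into a baseline, then diffs a later pass to report added, removed and modified files. The directory layout, file contents and the "tampering" are constructed inline for the demo; keeping the baseline somewhere the monitored host cannot rewrite it is assumed and left out of the example.

```python
"""Minimal file integrity monitoring: baseline hashes, then compare.

Added example for the integrity control on the slide; not the speaker's
or Projectplace's code. Sample files below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root.

    Paths are normalised to '/' separators so a baseline taken on one host
    can be compared with a scan taken on another.
    """
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: Dict[str, str],
            current: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified) relative paths, each sorted."""
    known = set(baseline)
    seen = set(current)
    added = sorted(seen - known)
    removed = sorted(known - seen)
    modified = sorted(p for p in known & seen if baseline[p] != current[p])
    return added, removed, modified


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: take a baseline, then edit, delete and drop a file.

    The baseline here lives in memory; in a real deployment it must be stored
    (and ideally signed) off the monitored host, or an attacker who can change
    the files can also change the baseline.
    """
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(etc, "old.conf"), "w") as f:
            f.write("retired=true\n")
        baseline = build_baseline(root)

        # Simulated tampering: config flipped, a file removed, a binary added.
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("debug=true\n")
        os.remove(os.path.join(etc, "old.conf"))
        with open(os.path.join(etc, "backdoor.so"), "wb") as f:
            f.write(b"\x7fELF")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

The comparison deliberately separates the three outcomes: an unexpected new file under a system directory is a different alert from a changed configuration value, and a removed file may indicate log tampering rather than a legitimate clean-up. Hooking this into the audit-logging and monitoring items from the same slide turns the lists into events a SOC can act on.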
8. Trust
• Applicable legislation (Location, location, location)
• Data Ownership (Terms and Conditions)
• Data Retention (and data portability)
• Integration with existing systems (APIs, Single Sign-on)
• Escrow and Exit strategies
• Privacy Statement, Cookie Information
12. Assurance
• Industry accepted standards such as ISO 27001.
• SSAE 16 reports.
• Cloud Security Alliance STAR.
• Other technology certificates and seals.
• Independent audits.
13. How perceptions change by experience
• 91% of SMBs said the security of their organization had been positively impacted as a result of cloud adoption.
• 82% of SMBs have experienced improved service availability since moving to the cloud.
• 93% of SMBs said they are confident their cloud provider can quickly and effectively restore services during an outage.
Cloud Trust Study results for the U.K., June 2013.
14. What this talk did not cover…
• STA (the Security, Trust and Assurance view above) is for assessing a single cloud vendor; you should also have an overall strategy and processes to manage all your cloud providers.
• Do not forget the human factor. Educate and train your users.
Headquarters of the NSA (Fort Meade) and UK GCHQ (Cheltenham, Gloucestershire)
When the service is no longer in use, archiving can be done offline. The service also features data portability, which gives users tools for easy data exports; needless to say, access control rules still apply.
The Director of the National Security Agency, Gen. Keith Alexander, during his speech at the 2013 Black Hat conference earlier this year.