Presentation to Irish ISSA Conference 12-May-11


Discussion of information security risks in current business and technology environments, presented to ISSA Ireland conference attendees in Dublin on 12 May 2011.

Published in: Technology, Business
Speaker notes (per slide)
  • Deloitte's Global Risk Management Survey – Seventh Edition
  • Deloitte's Global Risk Management Survey – Seventh Edition
  • Security Art – 2011 Predictions
  • Global Status Report on the Governance of Enterprise IT (GEIT) 2011 – ISACA and IT Governance Institute
  • Ponemon Institute survey: more than 20% of cloud providers view security as a competitive advantage. 69% of providers think security is the users' job; only 35% of users think this!
  • Moving public data out allows you to focus on the less sensitive data kept in house. Economies of scale: security is better and cheaper when implemented on a larger scale. Multiple locations (redundancy) improve availability. Staff specialisation and experience. Updates rolled out more frequently. Default images updated with the latest patches.
  • Harks back to the (ancient) use of Unix crypt to brute-force password hashes taken from /etc/passwd. Information leakage in third-party compute clouds was also explored in 2009 [U Cal and MIT paper].
  • Data protection: is very complicated where personal data is stored in countries outside the EU; has many options, including Safe Harbor for the US. Legal: which country's laws apply if there is a dispute with your cloud provider? What remedies do you have if there is a problem and the data is elsewhere?
  • See Cloud Security Alliance – Cloud Controls Matrix.
  • Example approach: SLA criteria used to measure relationship management; relative responsibilities; tools used to monitor/manage; communications; problem management.
  • ENISA Report, November 2009
  • See CSA. Amazon outage example – affecting Foursquare, Quora and Reddit.
  • CSA – see ‘Cloud Audit’
  • Evidence of work on gap analysis/remediation is to be found in the research and work of concerned organisations: ENISA, NIST, CSA, etc. A classic gap is zero-day vulnerabilities: the time frame is getting shorter, but the 'bad boy' response is quicker.

    1. Is information security less of a risk now? In this economic climate business risks have changed. Has information security risk moved down the Internal Auditor's priority list?
    2. Risk
       • Where does information security fit in the business risk universe?
         • What do businesses think?
    3. Top Business Risks
       • Regulation and compliance
       • Access to credit
       • Slow recovery or double-dip recession
       • Managing talent
       • Emerging markets
       • Cost cutting
       • Non-traditional entrants
       • Radical greening
       • Social acceptance risk and CSR
       • Executing alliances and transactions
       Source: Ernst & Young Business Risk Report 2010. Where do you see information security?
    4. Top Business Risks (build of slide 3: the same list, with three items annotated "Okay")
    5. Business Risk Environment
       The drivers:
       • Regulatory and compliance seen as a major risk by business
       • CEOs have seen a significant impact from regulatory change
         • (raised capital levels and liquidity ratios)
       Source: Deloitte's Global Risk Management Survey – Seventh Edition
    6. Business Risk Environment (2)
       The result:
       • IT investment aimed at cost efficiency as well as growth.
       • Risk management incorporated into formal strategic planning processes.
       Source: Deloitte's Global Risk Management Survey – Seventh Edition
    7. Internal Audit (IA) trends
       • Globalisation
       • More flexible, integrated role for Internal Audit
       • Greater focus on risk management
       • Hunt for talent
       • Technology advances
       Source: PwC 'Internal Audit 2012'. Callouts on the slide: controls assurance; risk-based audit planning; evaluation of risk management also; outsourcing and offshoring; technology recognised by IA and used to help IA.
    8. INFORMATION SECURITY VIEW (Image thanks to)
    9. 2011 predictions
       • Expanded digital domain
         • (Smart phones & tablets)
       • Broader scope of information security, aided by cost cutting and optimisation in organisations
         • (VOIP, customised devices)
       • Cybercrime – staying ahead of law enforcement
       • Monitoring at a whole new level
       • Social media
         • Consumer reality and hype
       More new things – more complexity. Drive for value from security.
    10. IT Governance view
       • Value creation by IT is important
       • IT should be proactive
       • Greater focus on governance
       • Outsourcing
       • Cloud computing plans underway
       • Social media is not highly prized.
       Source: ISACA and IT Governance Institute – 2011
    11. Outsourcing
       • Not a new activity
       • History of business process and IT application outsourcing success, or otherwise.
       19% of CEOs plan to 'insource' a business process or function in 2011, compared to 31% of the CEOs surveyed who plan to outsource. Source: PwC 14th Annual CEO Survey. 12 May 2011
    12. The Cloud
       Deployment models: Private, Public, Community, Hybrid.
       Related terms: Grid Computing, Platform Virtualisation, Utility Computing, VM, SaaS, PaaS, IaaS, Web 2.0.
       Claimed properties: Automatic Security Management, Cost savings, Agile, Scalable, Resilient, Service oriented.
       Cloud computing is a new business model, a new way of delivering computing resources, NOT a new technology.
    13. Cloud Security Benefits
       • Moving public data to the cloud allows you to focus on sensitive data
       • Cloud homogeneity makes auditing & testing easier
       • Economies of scale
       • Resource concentration
       • Enables automated security management
       • Redundancy / disaster recovery
       Easier to mind eggs in one basket – works for security too.
    14. Cloud Security Issues
       • Policy & organisational
       • Technical
       • Legal
       • and TRUST
    15. Policy & Organisational
       • Going on the cloud to save money – simplistic, and may blind you to the need to manage.
       • Passing control to the cloud provider – security responsibility is still there: SLAs should be adequate, audit support needed.
       • Lock-in – limited support for data and service portability.
    16. Technical risks
       • All the old technical risks,
       • and some...
       Areas: server-side protection; client-side protections; hypervisor controls; IAM / authentication controls; isolation (software, stored data); encryption and key management.
    17. Technical risks (2)
       • Isolation failure (O/S, software and data)
       • Protection of more data in transit
       • Greater reliance on communications links
       SunGard noted that 25% of DR invocations were due to communications failure! (UK figures for 2010.) Also: data persistence / data remanence; encryption & key management.
    18. Technical risks (3)
       • Example of cloud computing resources being used to brute-force WPA-PSK passphrases.
         • The idea is not new,
         • the use of cloud compute resources is!
    19. Legal / Compliance
       • Data protection – does your cloud provider store your HR data outside the EU?
       • Applicable laws and jurisdiction – intellectual property protection; if there is a dispute with your cloud provider...; if there is a dispute with a customer...
       • Electronic discovery
       • Compliance – getting access to audit, or getting evidence of the provider's compliance
    20. Trust
       • Is it safe for companies to trust the cloud providers with their data which, in some cases, can include entire business infrastructure?
    21. PERSPECTIVE (Image thanks to)
    22. Cloud Security Problems
       • Are not new...
         • The technical issues are tractable
         • The legal issues will probably be the hardest (read slowest) to get resolved.
         • Policy and organisational issues were encountered before.
       The cloud provides the opportunity to get them right this time. Small player problems.
    23. Approaches
       • Risk focus is elsewhere
       • Rely on the market
       • Cloud computing risks not attracting much attention.
         • For some it is hope and pray!
         • You can't look under the hood
         • Maybe not, but there are other options...
    24. Approach
       • Look at how offshore / outsource risks are managed
    25. It is said (by many)
       • You can ultimately outsource responsibility but you cannot outsource accountability!
       • How do you exercise control?
    26. Preparation
       • Understand:
         • Policies and SLAs in place, and your service expectations
         • Boundaries of responsibility
       • Communications, including issue resolution
       • Change management
       • Security controls (on offer and applied)
       • Continuity – including your back-out plan
       What do you need to gain trust?
    27. Assurance
       • Certification – SAS70, ISO27001 certification, BUT understand the scope of certification!
       • Audit controls, recoverability controls
       • Right to audit
       • Cloud provider's history
         • Provider's approach to data breach / security reporting
         • Reputation among your peers
         • Reputation in the blogosphere
       Look for the EVIDENCE!
    28. Final Thoughts
       • Technology continues its advance
       • Vulnerability exploits and countermeasures continue to be developed
       • Policy, organisational and compliance issues occur as long as there is human involvement
       • There are gaps, but the evidence shows these are being addressed.
    29. Questions?
       • [email_address]
       • (+353) 87 28 38 667