
To Cloud or Not To Cloud


It's easy to say "No" to cloud computing, but then again, "Why not?"

This is the slide deck presented at the ISACA China Hong Kong Chapter AsiaCACS 2015.


To Cloud or Not To Cloud

  1. To Cloud or Not To Cloud? Michael Yung, Immediate Past President, ISACA HK / CSA HKM
  2. Why?
  3. Why Not?
  4. Myth #1: Cloud is Too New
  5. Not Quite. The term was coined by Compaq executive George Favaloro back in 1996.
  6. Myth #2: Cloud is Just a Fad
  7. Not Quite. We are talking about US$100B in public cloud spending in 2015 (Forrester Research).
  8. Myth #3: Cloud is Costly
  9. Cloud Services Characteristics (Source: AWS)
     • On-demand self-service
     • Resource pooling
     • Rapid elasticity
     • Measured service
  10. Capacity: Traditional Ways (Source: AWS)
  11. Capacity: Wastage and Dissatisfaction (Source: AWS)
  12. Elastic Capacity: The Cloud Way (Source: AWS)
  13. Myth #4: Cloud is Not Secure
  14. Insecure? The truth is that data and systems residing in public or private clouds are as secure as you make them. Typically, cloud-based systems can be more secure than existing internal systems if you do the upfront work required.
  15. Barriers
     • Perceived loss of control
     • Lack of clarity around responsibilities, liabilities and accountability
     • Lack of transparency / clarity in SLAs, interoperability, awareness and expertise
  16. Cloud … is not new, is not a fad, is more cost effective, is secure *
  17. To Jump or Not to Jump?
  18. Next Step? Proper Risk Assessment
  19. Risks and Security Concerns: Service and Contractual Risks
     • Vendor lock-in: few tools, procedures or standard formats available for data and service portability
     • Poor SLA: the service level affects confidentiality and availability
     • Third-party access to data: the need to protect intellectual property, trade secrets and personal data, and to comply with regulations / laws in different geographical regions
     • Poor DR plan: business continuity and disaster recovery plans must be well documented and tested
  20. Risks and Security Concerns: Technology Risks
     • Integration / bandwidth: how to integrate the in-house systems with the cloud? Is high-speed bandwidth ready?
     • Encryption and identity management: speedy encryption / decryption in transit, at rest and on destruction; identity management
     • Testing and monitoring: the provider may not allow you to do a thorough pen test or audit; are there good monitoring tools available?
     • Resource allocation: overbooking, underbooking; handling of DoS attacks; payment cap
  21. Questions To Ask …
     • When and where to use the cloud: the business case
     • SLO (and then SLA): availability, reliability, accessibility, performance and security
     • Along with what best practices: people, processes, change management etc.
     • Along with what technologies, services, vendors: servers, storage, network, software etc.
  22. Bear In Mind …
     • Even though you are outsourcing some of your infrastructure to the cloud, you are not outsourcing to the vendor the risk, accountability and compliance obligations
     • Find the right Cloud Services Provider: qualified and compliant with security standards
  23. Are Security Standards the answer? ISO 27001, 27002, 27017, 27018, 29100; SSAE 16, HIPAA, FedRAMP, FISMA, PCI-DSS
  24. Standards Development / Setting Organizations (SDO / SSO): Alphabet Soup
     • DMTF = Distributed Management Task Force
     • ENISA = European Network and Information Security Agency
     • ETSI = European Telecommunications Standards Institute
     • IEC = International Electrotechnical Commission
     • IEEE = Institute of Electrical and Electronics Engineers
     • INCITS = International Committee for Information Technology Standards
     • ISO = International Organization for Standardization
     • ITU-T = International Telecommunication Union, Telecommunication Standardization Sector
     • NIST = National Institute of Standards and Technology
     • OASIS = Organization for the Advancement of Structured Information Standards
     • SNIA = Storage Networking Industry Association
     • TCG = Trusted Computing Group
  25. SDO / SSO Relationships: Alphabet and Spaghetti Soup
  26. Any Pointers?
  27. Do Our Homework … Self Assessment
  28. Get Help from Professionals
     • Companies and individuals with certifications
     • An objective measurement of a professional's knowledge and skills in security, governance and cloud technology
     • Committing the effort and resources to obtain certification indicates the seriousness of prospective companies and individuals
  29. Take Away Messages (Credit: Ching Yiu)
  30. Take Away Messages
     • Cloud is real and here to stay
     • Take ownership and responsibility
     • Review your current setup and the Cloud Services Provider against guidelines
     • Focus on the SLO and SLA
     • Ask for expert help from service providers and professional organizations
  31. To Cloud or Not To Cloud? mail@michaelyung.com
  32. Thank You!!
