The document discusses cloud computing. It defines cloud computing as a pay-as-you-go model for using applications, development platforms, and IT infrastructure. It outlines some of the key domains in cloud computing including architecture, governance, compliance, security, and operations. It also discusses some of the key drivers and challenges of cloud computing. Finally, it discusses frameworks that can be used for assurance in the cloud such as COBIT, SOC reports, ISO27001, and others.
The document provides an overview of cloud computing risks from an assurance perspective. It discusses cloud computing terminology, major public cloud services, assessing public cloud risk, trends and issues. The presentation covers cloud service models, deployment models, benefits and risks of public clouds, assurance frameworks like CSA's Cloud Controls Matrix, and key controls in areas like compliance, data governance, facility security, information security, and operations management.
The aim of this paper is to make cloud service consumer aware about cloud computing fundamentals, its essential services, service models and deployment options. This also through light on security and risk management piece of CSA trusted cloud reference architecture, cloud control matrix and notorious nine threats and ENISAs top risks to cloud computing. At the end it talks about certifications and attestation part.
The document discusses threats and risks associated with cloud computing. It begins by defining cloud computing as a pay-as-you-go model for using applications, platforms, and infrastructure. It then outlines some key cloud security problems including lack of transparency from providers, data leakage and loss, insecure cloud software, and account hijacking. Finally, it provides 10 questions organizations should ask cloud providers to evaluate security, such as how identity and access is managed, where data will be located, and what security certifications the provider has.
Cloud Security for U.S. Military AgenciesNJVC, LLC
NJVC is an IT contractor that specializes in providing secure IT solutions, including designing, implementing, and maintaining secure cloud architectures for government agencies. NJVC has over a decade of experience hosting hundreds of mission systems and migrating systems between data center environments. Securing systems in the cloud presents unique challenges compared to traditional IT environments due to the shared nature of cloud resources. NJVC outlines a strategic framework for assessing, planning, transitioning, and sustaining secure cloud operations. This includes understanding security responsibilities, implementing necessary security services, properly transitioning systems to the cloud according to best practices, and establishing agreements and continuing authorization to maintain security.
This presentation was given at GRC Conference in Boston (October 2010) and explains the interesting triad of not only People, Process & Technology but also Culture, Structure & Strategy. Besides, it moves beyond the 'alignment' idea and goes deep into the 'synchronization' needs of today's companies
The document discusses cloud computing. It defines cloud computing as a pay-as-you-go model for using applications, development platforms, and IT infrastructure. It outlines some of the key domains in cloud computing including architecture, governance, compliance, security, and operations. It also discusses some of the key drivers and challenges of cloud computing. Finally, it discusses frameworks that can be used for assurance in the cloud such as COBIT, SOC reports, ISO27001, and others.
The document provides an overview of cloud computing risks from an assurance perspective. It discusses cloud computing terminology, major public cloud services, assessing public cloud risk, trends and issues. The presentation covers cloud service models, deployment models, benefits and risks of public clouds, assurance frameworks like CSA's Cloud Controls Matrix, and key controls in areas like compliance, data governance, facility security, information security, and operations management.
The aim of this paper is to make cloud service consumer aware about cloud computing fundamentals, its essential services, service models and deployment options. This also through light on security and risk management piece of CSA trusted cloud reference architecture, cloud control matrix and notorious nine threats and ENISAs top risks to cloud computing. At the end it talks about certifications and attestation part.
The document discusses threats and risks associated with cloud computing. It begins by defining cloud computing as a pay-as-you-go model for using applications, platforms, and infrastructure. It then outlines some key cloud security problems including lack of transparency from providers, data leakage and loss, insecure cloud software, and account hijacking. Finally, it provides 10 questions organizations should ask cloud providers to evaluate security, such as how identity and access is managed, where data will be located, and what security certifications the provider has.
Cloud Security for U.S. Military AgenciesNJVC, LLC
NJVC is an IT contractor that specializes in providing secure IT solutions, including designing, implementing, and maintaining secure cloud architectures for government agencies. NJVC has over a decade of experience hosting hundreds of mission systems and migrating systems between data center environments. Securing systems in the cloud presents unique challenges compared to traditional IT environments due to the shared nature of cloud resources. NJVC outlines a strategic framework for assessing, planning, transitioning, and sustaining secure cloud operations. This includes understanding security responsibilities, implementing necessary security services, properly transitioning systems to the cloud according to best practices, and establishing agreements and continuing authorization to maintain security.
This presentation was given at GRC Conference in Boston (October 2010) and explains the interesting triad of not only People, Process & Technology but also Culture, Structure & Strategy. Besides, it moves beyond the 'alignment' idea and goes deep into the 'synchronization' needs of today's companies
Cloud computing is set of resources and services offered through the Internet. Cloud
services are delivered from data centers located throughout the world. Cloud computing
facilitates its consumers by providing virtual resources via internet. The biggest challenge in
cloud computing is the security and privacy problems caused by its multi-tenancy nature and the
outsourcing of infrastructure, sensitive data and critical applications. Enterprises are rapidly adopting
cloud services for their businesses, measures need to be developed so that organizations can be assured
of security in their businesses and can choose a suitable vendor for their computing needs. Cloud
computing depends on the internet as a medium for users to access the required services at any time on
pay-per-use pattern. However this technology is still in its initial stages of development, as it suffers
from threats and vulnerabilities that prevent the users from trusting it. Various malicious activities
from illegal users have threatened this technology such as data misuse, inflexible access control and
limited monitoring. The occurrence of these threats may result into damaging or illegal access of
critical and confidential data of users. In this paper we identify the most vulnerable security
threats/attacks in cloud computing, which will enable both end users and vendors to know a bout
the k ey security threats associated with cloud computing and propose relevant solution directives to
strengthen security in the Cloud environment. We also propose secure cloud architecture for
organizations to strengthen the security.
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak
The document provides an overview of cloud risk management and auditing. It discusses cloud fundamentals, models, and frameworks such as OpenStack, CSA Cloud Control Matrix, and DMTF Cloud Auditing Data Federation. It also covers risks, challenges, and the 10 steps to manage cloud security from CSCC. The objective is to introduce cloud risk management and audit topics.
BCT4MAS - Blockchain for Multi-Agent Systems - NTN invited talkDavide Calvaresi
This document summarizes a presentation on blockchain for multi-agent systems regarding trust, reputation, and ethics. It discusses how blockchain can be used to manage trust and reputation in multi-agent systems. It presents an example case study of a startup assessment platform using blockchain and agents. It also outlines some open technological and ethical challenges around integrating blockchain and multi-agent systems, such as scalability, standardization, privacy, and liability.
This document discusses how IT operations are becoming more complex with the rise of cloud computing and virtualization. It notes that managing technologies across on-premises and cloud environments introduces challenges around monitoring, automation, and maintaining processes. The document also discusses how NetEnrich provides services to help companies operationalize their virtual and cloud environments through consulting, monitoring, security, and managing the full lifecycle of virtual machines and cloud workloads.
Along with accessibility and convenience, cloud-based IT resources also bring risk. This webinar provides you with a brief introduction on the development of cloud computing and the related business risks. Additionally, you will learn questions to ask to determine if your company is using cloud-based IT resources along with information on the formal assurance frameworks that exist and can be effectively employed by both cloud consumers and providers without specialized training.
CCSK Certificate of Cloud Computing Knowledge - overviewPeter HJ van Eijk
The document provides an overview of the Certificate of Cloud Security Knowledge (CCSK) certification. It discusses the history and purpose of the CCSK, which was created by the Cloud Security Alliance to promote best practices for security in cloud computing. The CCSK certification tests knowledge across 15 domains related to cloud security and is intended to help both consumers and vendors discuss security risks and assurances. To become certified, candidates must pass an online multiple choice exam that covers all domains and must be completed within 90 minutes with a score of 80% or higher.
Risk Factory: PCI Compliance in the CloudRisk Crew
The document discusses PCI compliance in the cloud. It begins with an overview of cloud computing models including IaaS, PaaS, and SaaS. It then discusses the PCI Data Security Standard and some of the challenges in implementing it in the cloud. Key points for cloud compliance are scoping requirements carefully, using service level agreements, and implementing compensating controls where needed. The document provides advice for both cloud clients and vendors in achieving PCI compliance.
Security issue in cloud by himanshu tiwaribhanu krishna
The document discusses security issues in cloud computing. It begins with an overview of cloud computing models and characteristics. It then identifies three main problems associated with cloud security - loss of control, lack of trust, and multi-tenancy issues that arise from sharing resources. Several approaches are proposed to help address these issues, including minimizing loss of control through monitoring, utilizing multiple clouds, and improved access control management. Strong isolation techniques and policy specification are suggested to help minimize multi-tenancy problems.
mandate from senior management
This document discusses the relationship between information security and compliance teams and how their alignment is important for managing risks when using cloud computing. It notes that security and compliance teams sometimes have differing priorities that can cause friction. However, the use of cloud computing, where many security controls are managed by external providers, requires close coordination between the two functions. The document provides recommendations for how security and compliance teams can forge a stronger alliance, including through the use of cross-functional "tiger teams" and toolset standardization. Close collaboration is needed to effectively evaluate cloud security and ensure regulatory compliance.
Home
Editor’s Note
Risk Management
Frameworks
for Cloud Security
Managed services involve transferring day-to-day management responsibilities to a service provider as a strategic method for improved operations. For RFID, managed services can include device/equipment management, line-of-business applications, and database/data management delivered as software-as-a-service, leasing/financing outsourcing services, or hybrid deployments that bundle hardware and software. Adoption of managed services models for RFID addresses problems with large legacy systems by shifting capital expenditures to operating expenditures and risks to the service provider while providing varied service cost models and support/upgrades included in costs. However, barriers to adoption include concerns over relinquishing control and risks associated with new business models.
Increase your it agility and cost efficiency with hds cloud solutions webinarHitachi Vantara
Find out how to build and use clouds to support your business objectives. Learn about new HDS cloud solutions and services that help you create clouds for infrastructure, content and information. Simplify and accelerate your transition to clouds.
From technology risk_to_enterprise_risk_the_new_frontierRamsés Gallego
This presentation was given at ISRM Conference in Las Vegas (September 2010) and shows the shift in perception from Technology Risk to Enterprise Risk and how businesses and TI need to embrace that new frontier
2011 Digital Summit - Not So Cloudy - AgcaoiliPhil Agcaoili
The document discusses key security risks and concerns regarding cloud computing including lack of transparency from providers, data leakage and loss, insecure software, and account hijacking. It introduces several industry initiatives to address these issues such as the Cloud Security Alliance, Cloud Controls Matrix, Consensus Assessment Initiative, CloudAudit, and CSA Governance, Risk, and Compliance Stack which provide best practices, frameworks, and tools to assess security risks and help assure the safe use of cloud services.
The document discusses why proper governance is important for multi-sourcing IT workloads. Effective governance simplifies multi-vendor management, improves collaboration and performance, and controls costs. Without governance, organizations typically realize only a fraction of expected benefits from multi-sourcing due to ineffective management. Key components of governance include aligning workloads with sourcing models, clarifying accountability, and strengthening relationships to improve communication. The document concludes that a flexible sourcing model combined with governance enables organizations to benefit from modern IT sourcing opportunities.
Jambey Clinkscales gave presentation on "The Value of Cloud in the Business Technology Ecosystem" at the 2011 BDPA Technology Conference in Chicago.
Jambey shared his thoughts on the workshop during BDPA iRadio Show interview held on August 28, 2011 --> http://www.blogtalkradio.com/bdpa/2011/08/29/bdpa-iradio-workshop-presenters
Workshop Presenter:
Jambey Clinkscales
Capabilites and Program Manager, HP Enterprise Services
Topic: The Value of the Cloud in the Business Technology Ecology
BDPA New York Chapter
This document summarizes a webinar on cloud computing basics for busy executives. It includes an agenda that covers cloud market maturity and sizing, the basics of cloud for C-level staff, factors influencing cloud decisions, current expectations and issues, and resources for future webinars. Key takeaways are that a one-size approach does not fit all cloud needs, cloud solutions are not always plug-and-play, and processes need to be realigned for new cloud environments.
The document discusses cloud security risks and threats identified by the Cloud Security Alliance (CSA). The CSA is a non-profit organization focused on best practices for cloud security. The top 7 cloud security threats according to a CSA survey are: 1) data loss/leakage, 2) abuse and nefarious use of cloud computing, 3) insecure APIs, 4) malicious insiders, 5) account/service and traffic hijacking, 6) unknown risk profiles, and 7) shared technology vulnerabilities. The CSA guidance provides best practices to help secure cloud computing.
Cloud computing is set of resources and services offered through the Internet. Cloud
services are delivered from data centers located throughout the world. Cloud computing
facilitates its consumers by providing virtual resources via internet. The biggest challenge in
cloud computing is the security and privacy problems caused by its multi-tenancy nature and the
outsourcing of infrastructure, sensitive data and critical applications. Enterprises are rapidly adopting
cloud services for their businesses, measures need to be developed so that organizations can be assured
of security in their businesses and can choose a suitable vendor for their computing needs. Cloud
computing depends on the internet as a medium for users to access the required services at any time on
pay-per-use pattern. However this technology is still in its initial stages of development, as it suffers
from threats and vulnerabilities that prevent the users from trusting it. Various malicious activities
from illegal users have threatened this technology such as data misuse, inflexible access control and
limited monitoring. The occurrence of these threats may result into damaging or illegal access of
critical and confidential data of users. In this paper we identify the most vulnerable security
threats/attacks in cloud computing, which will enable both end users and vendors to know a bout
the k ey security threats associated with cloud computing and propose relevant solution directives to
strengthen security in the Cloud environment. We also propose secure cloud architecture for
organizations to strengthen the security.
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak
The document provides an overview of cloud risk management and auditing. It discusses cloud fundamentals, models, and frameworks such as OpenStack, CSA Cloud Control Matrix, and DMTF Cloud Auditing Data Federation. It also covers risks, challenges, and the 10 steps to manage cloud security from CSCC. The objective is to introduce cloud risk management and audit topics.
BCT4MAS - Blockchain for Multi-Agent Systems - NTN invited talkDavide Calvaresi
This document summarizes a presentation on blockchain for multi-agent systems regarding trust, reputation, and ethics. It discusses how blockchain can be used to manage trust and reputation in multi-agent systems. It presents an example case study of a startup assessment platform using blockchain and agents. It also outlines some open technological and ethical challenges around integrating blockchain and multi-agent systems, such as scalability, standardization, privacy, and liability.
This document discusses how IT operations are becoming more complex with the rise of cloud computing and virtualization. It notes that managing technologies across on-premises and cloud environments introduces challenges around monitoring, automation, and maintaining processes. The document also discusses how NetEnrich provides services to help companies operationalize their virtual and cloud environments through consulting, monitoring, security, and managing the full lifecycle of virtual machines and cloud workloads.
Along with accessibility and convenience, cloud-based IT resources also bring risk. This webinar provides you with a brief introduction on the development of cloud computing and the related business risks. Additionally, you will learn questions to ask to determine if your company is using cloud-based IT resources along with information on the formal assurance frameworks that exist and can be effectively employed by both cloud consumers and providers without specialized training.
CCSK Certificate of Cloud Computing Knowledge - overviewPeter HJ van Eijk
The document provides an overview of the Certificate of Cloud Security Knowledge (CCSK) certification. It discusses the history and purpose of the CCSK, which was created by the Cloud Security Alliance to promote best practices for security in cloud computing. The CCSK certification tests knowledge across 15 domains related to cloud security and is intended to help both consumers and vendors discuss security risks and assurances. To become certified, candidates must pass an online multiple choice exam that covers all domains and must be completed within 90 minutes with a score of 80% or higher.
Risk Factory: PCI Compliance in the CloudRisk Crew
The document discusses PCI compliance in the cloud. It begins with an overview of cloud computing models including IaaS, PaaS, and SaaS. It then discusses the PCI Data Security Standard and some of the challenges in implementing it in the cloud. Key points for cloud compliance are scoping requirements carefully, using service level agreements, and implementing compensating controls where needed. The document provides advice for both cloud clients and vendors in achieving PCI compliance.
Security issue in cloud by himanshu tiwaribhanu krishna
The document discusses security issues in cloud computing. It begins with an overview of cloud computing models and characteristics. It then identifies three main problems associated with cloud security - loss of control, lack of trust, and multi-tenancy issues that arise from sharing resources. Several approaches are proposed to help address these issues, including minimizing loss of control through monitoring, utilizing multiple clouds, and improved access control management. Strong isolation techniques and policy specification are suggested to help minimize multi-tenancy problems.
mandate from senior management
This document discusses the relationship between information security and compliance teams and how their alignment is important for managing risks when using cloud computing. It notes that security and compliance teams sometimes have differing priorities that can cause friction. However, the use of cloud computing, where many security controls are managed by external providers, requires close coordination between the two functions. The document provides recommendations for how security and compliance teams can forge a stronger alliance, including through the use of cross-functional "tiger teams" and toolset standardization. Close collaboration is needed to effectively evaluate cloud security and ensure regulatory compliance.
Home
Editor’s Note
Risk Management
Frameworks
for Cloud Security
Managed services involve transferring day-to-day management responsibilities to a service provider as a strategic method for improved operations. For RFID, managed services can include device/equipment management, line-of-business applications, and database/data management delivered as software-as-a-service, leasing/financing outsourcing services, or hybrid deployments that bundle hardware and software. Adoption of managed services models for RFID addresses problems with large legacy systems by shifting capital expenditures to operating expenditures and risks to the service provider while providing varied service cost models and support/upgrades included in costs. However, barriers to adoption include concerns over relinquishing control and risks associated with new business models.
Increase your it agility and cost efficiency with hds cloud solutions webinarHitachi Vantara
Find out how to build and use clouds to support your business objectives. Learn about new HDS cloud solutions and services that help you create clouds for infrastructure, content and information. Simplify and accelerate your transition to clouds.
From technology risk_to_enterprise_risk_the_new_frontierRamsés Gallego
This presentation was given at ISRM Conference in Las Vegas (September 2010) and shows the shift in perception from Technology Risk to Enterprise Risk and how businesses and TI need to embrace that new frontier
2011 Digital Summit - Not So Cloudy - AgcaoiliPhil Agcaoili
The document discusses key security risks and concerns regarding cloud computing including lack of transparency from providers, data leakage and loss, insecure software, and account hijacking. It introduces several industry initiatives to address these issues such as the Cloud Security Alliance, Cloud Controls Matrix, Consensus Assessment Initiative, CloudAudit, and CSA Governance, Risk, and Compliance Stack which provide best practices, frameworks, and tools to assess security risks and help assure the safe use of cloud services.
The document discusses why proper governance is important for multi-sourcing IT workloads. Effective governance simplifies multi-vendor management, improves collaboration and performance, and controls costs. Without governance, organizations typically realize only a fraction of expected benefits from multi-sourcing due to ineffective management. Key components of governance include aligning workloads with sourcing models, clarifying accountability, and strengthening relationships to improve communication. The document concludes that a flexible sourcing model combined with governance enables organizations to benefit from modern IT sourcing opportunities.
Jambey Clinkscales gave presentation on "The Value of Cloud in the Business Technology Ecosystem" at the 2011 BDPA Technology Conference in Chicago.
Jambey shared his thoughts on the workshop during BDPA iRadio Show interview held on August 28, 2011 --> http://www.blogtalkradio.com/bdpa/2011/08/29/bdpa-iradio-workshop-presenters
Workshop Presenter:
Jambey Clinkscales
Capabilites and Program Manager, HP Enterprise Services
Topic: The Value of the Cloud in the Business Technology Ecology
BDPA New York Chapter
This document summarizes a webinar on cloud computing basics for busy executives. It includes an agenda that covers cloud market maturity and sizing, the basics of cloud for C-level staff, factors influencing cloud decisions, current expectations and issues, and resources for future webinars. Key takeaways are that a one-size approach does not fit all cloud needs, cloud solutions are not always plug-and-play, and processes need to be realigned for new cloud environments.
The document discusses cloud security risks and threats identified by the Cloud Security Alliance (CSA). The CSA is a non-profit organization focused on best practices for cloud security. The top 7 cloud security threats according to a CSA survey are: 1) data loss/leakage, 2) abuse and nefarious use of cloud computing, 3) insecure APIs, 4) malicious insiders, 5) account/service and traffic hijacking, 6) unknown risk profiles, and 7) shared technology vulnerabilities. The CSA guidance provides best practices to help secure cloud computing.
The document discusses a presentation on auditing in the subscription economy. It covers topics like understanding the subscription economy, cloud computing concepts, risks and challenges of cloud computing, the role of CAEs and internal audit, and a case study on "Democratizing Governance". The agenda includes understanding the subscription economy, cloud computing concepts, risks and challenges of cloud migration, the role of the Chief Audit Executive (CAE) and how internal audit can help govern cloud environments.
Cloud Computing: Hindernisse und Chancen für GroßunternehmenJohn Rhoton
The document discusses cloud computing, including definitions, benefits, challenges, and considerations for large enterprises adopting cloud solutions. Cloud computing offers potential cost savings and flexibility but also risks regarding security, compliance, and vendor viability. Migrating applications requires evaluating their suitability for the cloud and modernizing architectures. A phased, hybrid approach can help enterprises transition while ensuring current IT environments remain future-proofed.
The document summarizes a seminar on cloud computing security presented by Hogan Kusnadi. It discusses the rapid development of information and communication technology including cloud computing. It outlines cloud computing models and types of cloud services. It also discusses key cloud security risks like data breaches, denial of service attacks, and insider threats. Finally, it provides an overview of the Cloud Security Alliance, an organization focused on cloud security best practices.
1. The document discusses 10 reasons why organizations may be ready for a secure managed cloud service, including wanting built-in security capabilities, customized service, and a proactive partner.
2. It describes what a managed cloud service entails and differentiates secure managed cloud services from typical cloud services. Secure managed cloud services take on more security responsibilities.
3. The best secure managed cloud services provide benefits like 24/7 monitoring and maintenance of cloud workloads, reduced costs, faster deployment times, unique capabilities, lower risk, and assistance with compliance requirements.
This document discusses identity and security in discontinuous cloud infrastructure. It outlines an agenda covering what identity means in the cloud, cloud security models from an identity and access management perspective, and how security models relate to compliance. The document also discusses how cloud, security and identity intersect, the transition from identity in the cloud to cloud identity, and the opportunity around identity in the cloud.
The document discusses cloud computing and security considerations for moving to the cloud. Some key points:
1) It defines cloud computing based on NIST definitions and emphasizes automation, elasticity, and flexible costing as core benefits of the cloud.
2) It notes that while cost savings are often cited, security and privacy are often overlooked but critical considerations for moving to the cloud.
3) It provides an overview of cloud security elements including identity and access management, data security, encryption, network security, and ensuring secure cloud architecture and design.
This document summarizes the work of the Cloud Security Alliance (CSA), a global non-profit organization focused on promoting best practices for security in cloud computing. The CSA has over 10,000 individual members from various industries and expertise areas working on cloud security issues. Some of the CSA's key initiatives include developing a Cloud Controls Matrix to help organizations assess security risks in cloud environments, as well as research projects on cloud metrics and the Consensus Assessments Initiative. The document outlines the top threats to cloud computing such as data leakage, malicious insiders, and insecure APIs. It also provides highlights from the CSA's guidance on best practices for governance and operating in the cloud.
AWS Summit Singapore - Best Practices for Cloud Security in the Cloud Adoptio...Amazon Web Services
Warren Wu, Sr Director, Global Product Marketing, Cloud Security, Fortinet
Organizations are migrating their on-premise data center and application environments to public cloud to accelerate digital business. AWS enables agility and elasticity for digital workloads and DevOps teams, but the expanded digital attack surface across the hybrid cloud needs to be protected in order to ensure secure interactions and data. We discuss best practices for securing hybrid cloud environments, and how AWS and Fortinet are working together to build and integrate trust and security natively into the cloud.
An educational overview of the Cloud Computing Ecosystem or Framework. This presentation is geared toward those who are just beginning to understand Cloud Computing.
The document summarizes key points from a presentation on cloud computing security best practices. It discusses auditing practices from several organizations, including ENISA, CSA, and Microsoft. ENISA recommendations include personnel security practices, supply chain assurance, operational security controls like change management and logging, and software integrity protections. The presentation provides an overview of cloud computing concepts and case studies on government and commercial cloud users.
Navigating the Cloud: Trends and Technologies Shaping Security and ComplianceUrolime Technologies
Explore the dynamic realm of cloud security and compliance with a focus on AWS Consulting Services. Stay ahead of the curve as we delve into the latest trends and technologies shaping the landscape, ensuring your organization harnesses the full potential of AWS while maintaining robust security and compliance measures.
The document discusses a study that aimed to evaluate the transparency of cloud providers' security, privacy, auditability, and service level agreements. It developed a Cloud Provider Transparency Scorecard to assess information from cloud providers' websites. It conducted a preassessment of six cloud providers to evaluate available information and then performed a detailed assessment using the scorecard. The assessment focused on policies, procedures, certifications, audits and service level agreements published on providers' websites.
The document discusses security and compliance challenges related to cloud adoption, including concerns around data security, regulatory compliance, and lack of visibility and control over cloud infrastructure. It analyzes predictions that cloud adoption will continue growing rapidly but security concerns will remain a hindrance. Recommendations are provided around conducting risk assessments, deciding what assets to move to the cloud based on sensitivity, and strategies for managing security, compliance, and service level agreements with cloud providers.
The document discusses how to gain comfort using cloud computing. It begins by defining key cloud concepts like deployment models, service models, and characteristics from NIST. It then addresses common questions around security and compliance in the cloud. Existing frameworks are discussed for assessing cloud providers, but they are not standardized and don't scale well. Resources from NIST, ENISA, and the Cloud Security Alliance can help, such as cloud security guidance and continuous monitoring tools. Overall the document provides context around cloud definitions and outlines challenges in securing the cloud while identifying available guidance materials.
Unleash the key benefits of Agile Compliance. Gain insights on how Agile tools have an edge over Conventional tools in the dynamically changing Business Landscape, from GRC Leader Bhavesh Bhagat and Industry Expert Jay Crossland.
The first of the four part webinar series on Agile Compliance presented by Confident Governance Chairman Bhavesh Bhagat and Crossland Advisors Founder Jay Crossland. The webinar talks about the significant challenges faced by Compliance officers worldwide.
This document discusses governance best practices for health IT compliance. It recommends coordinating internal departments responsible for compliance, evaluating their roles, investigating risks, and avoiding redundant efforts. Departments should independently report compliance information to the board. Best practices include mobility for anytime reporting, collaboration tools, executive dashboards, and robust reporting on various compliance frameworks. The board must have access to compliance data and set expectations for management reports. Identifying and auditing risk areas is important, as is encouraging a culture of accountability.
Confident Governance Chairman and Co-Founder, Bhavesh Bhagat, delivers an awe-inspiring Session titled "Awakening the hidden "Risk" Giant within you : Bigger, Better, Bolder - Re-thinking your Personal Brand ", at the ISACA NCAC Summit 2015. The Summit was spanned across two days, May 26th and May 27th. After the very successful Keynote Session on May 26th, Bhavesh Bhagat, also hosted a Millennials Panel on May 27th. The Session was titled " Millennials Panel - The New Direction of Audit"
Glean insights on where the world is headed in the era of emerging technologies. The keynote was presented by Global Governance expert and Security and risk technology visionary, Confident Governance Founder Bhavesh Bhagat as the IIA/ISACA GRC Opening Keynote. #GRC13
Want to know what all learnings are in waiting for you at #GRC13 ISACA and IIA conference?
Glean some points here and don't forget to catch @bbhagat tom speaking about how GRC needs to adapt new strategies in the emerging technologies world.
The cloud market is currently in the early stages of adoption, characterized by both skepticism and euphoria among business and consumer users. While consumer adoption has led so far, driven by convenience over security, business adoption is more cautious but growing rapidly. In the near future, cloud computing will disrupt existing business models and democratize data access, fueled by big data. Adoption rates will continue increasing significantly as cloud becomes further ingrained, though challenges around data governance, security, and transparency remain.
i. The webinar discussed cloud contracts and service level agreements (SLAs) with a focus on governance.
ii. It covered the scope and control of cloud services, SLA definitions, risk factors for cloud SLAs, and what providers say about cloud adoption drivers and security responsibilities.
iii. Key recommendations included examining a provider's subcontractors, forming a committee to develop contract requirements, and reviewing existing controls to identify issues to include in contracts and SLAs.
Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series
Demystifying Cloud Contracts And SLAs
1. ConfidentNOW
Global Governance Webinar Series
Cloud Contracts and SLAs
Mastering SLA Governance
Speaker – Dr. Ken Stavinoha, PhD, Cisco
Mr. John Messina, Computer Scientist, NIST
Host – Bhavesh C. Bhagat, EnCrisp - ConfidentGovernance.com
CGEIT, CISM, MBA, BE
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
2. Today’s Presenters
Dr. Ken Stavinoha, PhD, CISM, CISSP
– Cisco
Mr. John Messina, Computer Scientist
-NIST
Bhavesh C. Bhagat, CISM, CGEIT, MBA, BE –
EnCrisp – ConfidentGovernance.com
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
3. is an INC 500 award winning global leader in
providing “business driven” solutions enhancing trust, governance,
cyber security and risk transparency since 2004.
EnCrisp’ s Confident Governance® is award winning
“Governance as a Service®- Cloud Governance™ Company.
2011 Global Entrepreneurship (GEW50) Kauffman 50 Global
Awardee
Governance, Security, Risk, Audit and Social Compliance
Collaboration platform that you access over the Internet and
pay-as-you-go.
AWARDS – INC 500, 2011 Global Entrepreneurship Kauffman 50 Start-Ups, 2011
NVTC, Hot Ticket Hottest Buzz, 2011 GovTek Best Cloud Government Solution,
2010, Business Insurance Risk Technology
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
4. Cloud Contracts And SLA
Governance
i. Intro to Service Level Agreement
ii. Cloud Services Scope and Control
iii. SLA NIST Contracts
iv. Risk Factors Affecting Cloud SLAs
v. Resources and Next Webinar…
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
5. Cloud Services Scope and Control
Source: NIST SP800-144 Draft
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
6. SLA Definition
Service Agreement: known as “Terms of Service” ,“Terms and
Conditions” A
legal document specifying the rules of the
legal contract between the cloud user and the cloud
provider.
Service-Level Agreement: A document stating the
technical performance promises made by the cloud
provider, how disputes are to be discovered and
handled, and any remedies for performance failures.
(NIST SP 800-146)
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
7. Cloud Computing Risks
Source: Ernst & Young 2010 Global Information Security Survey
Differences in Scope and Control among Cloud Service Models
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
8. Cloud Risk Mitigation
Source: Ernst & Young 2011 Global Information Security Survey
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
9. What Providers Say:
Cloud Adoption Drivers
Source: 2011 Ponemon Insititute Security of Cloud Computing Providers Study
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
10. What Providers Say:
Cloud Security Risk Mitigation
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
11. What Providers Say:
Who is Responsible for Cloud Security
Source: 2011 Ponemon Institute Security of Cloud Computing Providers Study
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
12. NIST CC Public Working Groups
NIST’s Goal: Accelerate the federal government’s
adoption of cloud computing
– Lead efforts to develop standards and guidelines in close
consultation and collaboration with standards bodies, the
private sector, and other stakeholders
Voluntary Working Groups with industry, SDOs, USG,
academia (launched Nov. 5, 2010)
• 5 Working Groups (Reference Architecture / Taxonomy,
Security, Standards Roadmap, …)
• 300+ registered members per working group
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
13. Contract/SLA Subgroup
• RATAX working group was asked to identify additional
areas of cloud computing that could be better defined
through the development of appropriate taxonomies
• SLA sub-group focused on identifying if there was any
suitable existing SLA format or guide that could be used
to identify all the key elements that should go into a
Cloud SLA
• Existing contracts and research examined for
commonalities and relationships in form and content
• Collected/formulated definitions pertinent to cloud
contracts and SLAs
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
14. Role of Contracts and SLAs
Contracts and service level agreements play a key role in
the procurement of cloud computing services.
The consumer may have an agreement with one provider,
but the service may be delivered via a myriad of
subcontractors or other dependencies who have no
contractual obligation directly with the consumer.
Consumer may have no knowledge of these third parties
unless the provider chooses, or is otherwise required, to
disclose them, and yet these entities may incur risk for
which the consumer could ultimately be liable.
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
15. Agency Compliance
Requirements
• Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030]
• E-Authentication Guidance for Federal Agencies [OMB M-04-04]
• Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
• Freedom of Information Act as Amended in 2002 [PL 104-232, 5 USC 552]
• Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy [OMB M-01-
05]
• Homeland Security Presidential Directive-7, Critical Infrastructure Identification,
Prioritization, and Protection [HSPD-7]
• Internal Control Systems [OMB Circular A-123]
• Management of Federal Information Resources [OMB Circular A-130]
• Management’s Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004]
• Privacy Act of 1974 as amended [5 USC 552a]
• Protection of Sensitive Agency Information [OMB M-06-16]
• Records Management by Federal Agencies [44 USC 31]
• Rehabilitation Act of 1973 [Section 508 Amendment]
• Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB
Circular A-108, as amended]
• Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]
• The Federal Risk and Authorization Management Program (FedRAMP)
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
16. Four Pillars of SLA Governance
Contract
Legal Cloud
Landscape SLA Service
Provider
Metrics
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
17. Cloud MSA Mind Map
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
18. Cloud SLA Mind Map
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
20. Ongoing Work of NIST CC
Contract and SLA Subgroup
• Analyze negotiated SLAs/Contracts
• Complete the NIST RA Cloud Contract/SLA
draft document and present for public
comment
• Collaboration with the Cloud Metrics team
• Participation in the ISO/IET JTC SC38 effort on
cloud SLAs
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
21. THREE KEY TAKEAWAYS
Look Before You Leap - Consumers need to
perform reasonable due diligence in examining
cloud providers and their subcontractors
Solicit Input- A committee, rather than one or two
individuals, should formulate the requirements for
cloud contracts – including SLAs
Don’t Reinvent the Wheel - Organizations
should examine existing controls to identify key
issues to include in cloud service contracts and
SLAs
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
22. RESOURCES
www.confidentgovernance.com/confidentnow
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
http://collaborate.nist.gov/twiki-cloud-
computing/pub/CloudComputing/RATax_Jan20_2012/NIST_CC_WG_ContractSLA_Deliverable_Dra
ft_v1.9.pdf
http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/RATax_CloudMetrics
http://www.ca.com/~/media/Files/IndustryResearch/security-of-cloud-computing-providers-final-
april-2011.pdf
http://www.ey.com/GL/en/Services/Advisory/IT-Risk-and-Assurance/13th-Global-Information-
Security-Survey-2010---Information-technology--friend-or-foe-
http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
http://csrc.nist.gov/publications/PubsSPs.html.
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
23. Questions & Comments
For additional Information:
Ken E. Stavinoha, PhD
NIST CC RA Contracts/SLA Sub-team Leader
kstavino@mail.com
John Messina
Chair, NIST CC RA Working Group
John.messina@nist.gov
Bhavesh C. Bhagat
Co-Founder, EnCrisp and ConfidentGovernance.com
bb@encrisp.com
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
24. ConfidentNOW
Global Governance Webinar Series
NEXT WEBINAR IN SERIES
Cloud Encryption
DATE: Feb.28, 2013
TIME:11.00-11.45 A.M
Speaker – Dr. Ken Stavinoha, Cisco System
Dr. Sarbari Gupta, Electrosoft
Host – Bhavesh C. Bhagat, EnCrisp – ConfidentGovernance.com
Register Now: : http://bit.ly/WyH7R8
http://www.confidentgovernance.com/events/88-webinar
ConfidentGovernance.com- Award winning Cloud migration experts
Patent pending “Governance as a Service®” innovators
Bhavesh to introduce Speakers and Thank EnCrisp and CG for hosting this series of webinars.
EnCrisp CG Safe Harbor Disclosure
Bhavesh to layout Agenda and discuss why Service Level Agreements and controls around them are something every executive in IT and Governance needs to be concerned about especially in Subscription Economy.
Q for Ken – SO Ken - What we are seeing is tremendous amounts of market interest in moving towards the Cloud. can you please describe in a layman's term what these concepts mean before we dig too deep and why SLA is important in Cloud?And how do you define these terms for business executive who is not a lawyer.
Ken – That’s excellent now from a risk point of view why are SLA and governance around it so important what is he risk perspective around this. And I know we will get into some risk mitigation approaches later, but lets discuss the overall scenario here.
Ken
Ken – This is good but what are Cloud provoiders saying about this SLA and metrics. Are they providing enough tracking for SLAs to be able to track and measure. We are working with Carnegie Mellon University whwre we are doing some exciting reasearch in automating this and we will dicuss this in future webinars.
ken
Bhavesh - It appears that SLAs and its importance only increses as you move down the stack I Cloud from SAAS to IAAS so vendor metric and transparency are key. Can you provide some thoughts around this.
Bhavesh and John: Introduce NIST and the Sub Groups around Governance of Cloud.
John
John
Bhavesh Q – for John – So John this is great and thank to you and your team for continuing to push forward in this regards can you please describe some immediate tangible reasons why SLA are so important seems to me that most people think this is options , but its not so flexible, some of the regulations mandate that we have to think of this now?
John So John what the key risk areas to look at when we see SLA Governance and what are some of the tools NIST has developed to assist in helping in this regards.
Bhavesh – This seems very unique in its approach, can you please describe the usefulness of Mind Maps in Governance. How deep should one go when we build these for an organization
John
Ken – So Ken how does one monitor this. We will be doing a special Automating FedRAMP CIS seminar in March where we will discuss the tool also, but from SLA point of view what do we need to think of in terms of documenting the process.
John
Bhavesh So Ken and John if you were to Summarize what are the three key points that we need to remember.