Cloud governance is not hard

Organisations are spending large amounts of resources on advanced IT controls (mostly preventative) to protect against advanced attacks. However, many organisations neglect the basics, such as ensuring that systems and applications are not vulnerable, which would reduce the attack surface in the first place.

The session will look at how to establish a patch policy and the governance structures and processes around it.

Furthermore we will show the best practices, acquired through years of designing and operating QualysGuard Enterprise, to use Qualys services to discover vulnerabilities in systems, manage the patch management process, and harden systems with secure configuration settings.


  1. Jirasek Consulting Services. Classification: Public. Supporting Business Agility.
     Cloud governance: Examples from the trenches
     Cloud and Mobile Compliance Summit
     Vladimir Jirasek, Jirasek Consulting Services & Research Director, Cloud Security Alliance, UK chapter
  2. Agenda
     • What is Cloud Governance
     • Tips and Tricks
     • Bad examples
     • Good examples
  3. Governance is:
     • … the act of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists of either a separate process or part of decision-making or leadership processes.
     SOURCE: Wikipedia
  4. Applied to Cloud
     • Setting company policy for Cloud computing
     • Risk-based decision on which Cloud provider, if any, to engage
     • Assigning responsibilities for enforcing and monitoring policy compliance
     • Setting corrective actions for non-compliance
  5. Cloud governance: Policy
     • Cloud is typically adopted by
       a) IT directors – managed relatively consistently and mostly [I|P]aaS
       b) Business managers – less governance; typically SaaS
     • Policy should state: "It is a policy of … to manage the usage of external Cloud computing services, taking into account risks to business processes and legal and regulatory compliance when using external Cloud services. The CIO is responsible for creating and communicating the external Cloud computing strategy and standards."
  6. Cloud standard structure
     • General statements
       – Governance requirements for Cloud
       – Enterprise architecture to be ready for Cloud and for Cloud services to plug in (IAM, SIEM, Data architecture, Forensics)
       – Discovery of Cloud service use
     • Before a Cloud project
       – Cloud service to comply with data classification
       – Encrypting all sensitive data in the Cloud
       – Identity and Access Management (AAA) linked to the Cloud service
     • During a Cloud project
       – Due diligence to be performed
       – Do not forget the "right to audit"
       – Know the locations of PII
       – Assess availability (SLA and DR) of the Cloud provider
       – Assess the Cloud provider's security controls
       – Assess the potential for forensic investigation by the company's own team
     • Running a Cloud service
       – Limit use of live data for development and testing
       – Monitor the cloud provider's security controls
       – Link the company's SIEM with the Cloud provider and monitor for incidents
     • Moving out of the Cloud
       – Data cleansing
       – Data portability
  7. POOR EXAMPLES
  8. Trust and do not verify
     • Large manufacturer and very large software company
     • SaaS
     • No change to legal terms and conditions allowed -> increased risk of non-compliance
     • Decision to go ahead anyway
     • Tip: The bigger the provider, the less flexibility on contracts. Shopping around is not always possible.
  9. Did you erase my data?
     • Large media company "outsourced" CRM to an SA company
     • Standard contract conditions
     • Little assurance that the data had been deleted when the contract ended -> security expert spent a week in SA "assessing"
     • Tip: Negotiate the "exit" before signing the contract. Seek details on how the data is erased.
  10. I have 1TB of CSV files, now what?
     • Customer uses a well-known CRM in the Cloud
     • SaaS designed to immerse clients into a well-defined, bespoke CRM
     • No known data model
     • Export of data only as CSV
     • Tip: Portability is key in SaaS applications. Think about leaving the Cloud provider upfront. How will you take your data with you?
  11. I take this rack, "please"!
     • Law enforcement has been slower to adapt to the principles of Cloud computing
     • Small cloud providers are more vulnerable to having hardware seized rather than law enforcement using clever imaging/forensic techniques
     • SaaS is generally more affected
     • Tip: Use reputable and strong cloud providers who have developed a good relationship with law enforcement (ask upfront).
  12. GOOD EXAMPLE
  13. Scaling development up/down
     • Large manufacturing and service company
     • Requirement to support development needs with seasonal demand – an ideal case for [I|P]aaS
     • Security team approached up-front to perform a review
     • "Live" data not uploaded to the provider before on-site sanitising
  14. Summary
     • Have a Cloud policy/standard and update the risk management classification
     • Engage with the Procurement and Finance teams – gatekeepers for any contracts and credit card spend
     • Discover usage of Cloud services
     • Prepare your enterprise architecture to plug Cloud services into IAM, SIEM and key management
     • Think about Cloud exit upfront
     • Do not fear the Cloud – it is another form of outsourcing!
  15. Contact
     • Vladimir Jirasek
     • @vjirasek