Security in the Cloud Cloud Control 5 September 2013
The Procurement View
Carol-Anne Stonefield
Technology Procurement Manager
Direct Line Group
Topics for Today
• Why opt for cloud?
• Understanding the Risks
• Proliferation and Control
• Data and Security
• Disaster Recovery and Back-up
• Standardisation
• Capacity and Integration
• Term, Exit and Lock-in
• Reliability and Remedies
• Costs
• Conclusion
Why opt for cloud?
• Speed
• Flexibility
• Easy
• During periods of change/freeze
• Avoids direct infrastructure investment
• Bypass IT
Understanding the Risks
Understand what you are putting in the cloud!
Proliferation and Control
• How many cloud providers do you have? Are you sure?
• Duplication
• Who has your data?
• Due diligence
• Management and administration
• Tactical (long-term) solutions
CONTROL!
Data and Security
• How is the data stored?
• Who is storing the data?
• What type of data is stored?
• Where is the data stored?
• DPA, PCI and your organisation’s responsibilities
• Data retention
• Security testing and audits
• Reputational damage
Disaster Recovery and Back-up
• Provider’s DR processes
• Impact of a DR event
• DR recovery times
• DR location
• Back-up frequency obligations
Standardisation
One size does fit all!
Capacity and Integration
• Capacity
• Understand the limits
• Capacity overload – what happens next?
• Integration
• Is it really plug and play?
• Compatibility
• Upgrades
Term, Exit and Lock-in
• Choosing the right term
• Understanding the supplier’s investments
• Migration of data
• Return of data
• Exit obligations
Reliability and Remedies
• Reliability and availability
• Calculating availability
• Reporting
• Service credits
• Regulatory implications
• Reputational risk
Costs
• Understanding the complete package
• Volumes, users, capacity and set-up
• Committed volumes
• Flexible options
• Volume/capacity increases
• Reaching maximum capacity or volumes
• Term commitments
• Renewal fees
Advice from within
You’re not alone!
• IT Security
• Information specialists
• Project members
• Business users
• CIPS papers
Conclusion
Cloud solutions will continue to grow and evolve
Understand the risks
Go in with your eyes open!
The Legal View
Jason McQuillen
Principal at radiant.law
+44 751 358 5596
Encryption
Penetration testing
The art of the possible
Alex Hamilton
Principal at radiant.law
+44 7734 908 207
You can have any colour….
…. as long as it’s black
£ Large/High Leverage
• Private Cloud: IT Outsourcing Agreement - Negotiable; Customer paper
• Public Cloud: Negotiable; Supplier paper
£ Small/Low Leverage
• Private Cloud: IT Services Agreement - Negotiable; Supplier paper
• Public Cloud: Risk analysis; Supplier paper
Supplier | Customer
standardisation | policy requirements
margins | total cost of ownership
systemic exposure | material penalties
guaranteed revenue | flexibility
ability to evolve | certainty
speed to contract | fitness for purpose
Panel Discussion
• Khurram Ijaz
• Carol-Anne Stonefield
• Alex Hamilton
• Anna Cook
www.radiantlaw.com