Cloud Computing: Your Fiduciary Responsibility
October 1, 2018
Today’s Topics
► What is Cloud Computing?
► Business Drivers
► Cloud Models
► Regulations
► Cloud Contracts
► Risk and the Cloud
► Key Takeaways
Learning Objectives
► Overview of cloud computing, the different cloud computing models and the current federal/state regulations affecting them
► Understanding the intricacies of cloud contracts and where responsibility lies
► How to identify the top cloud-related risks at your agency
What is Cloud Computing?
What is Cloud Computing? A BASIC DEFINITION

Cloud computing is an expression used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication network such as the Internet.

Source: http://en.wikipedia.org/wiki/Cloud_computing
What is Cloud Computing? KEY DEFINING ASPECTS

► Provisions resources as a service over the Internet
► Often provides common business applications online that are accessed from a web browser
» Software and data are stored on the provider's servers
► Resources are shared by multiple users
» Re-allocated based on demand
What’s in the Cloud? PERSONAL DATA
» Social media
» Emails
» Pictures/videos
» Music
» Documents
» Healthcare data
» Banking/financial data
» Taxes
» Calendar
» Contact information
» Passwords
» Personal preferences (e.g. favorite sports teams)
» Other account information
What’s in the Cloud? ORGANIZATION DATA
» Email/calendar/contacts
» Media (pictures/videos/social)
» Documents (public, sensitive & private)
» Healthcare data
» Banking/financial data
» Accounting data
» Payroll
» Sales platform
» Customer information
» Sales data
» Passwords
» Other company information
Business Drivers
Business Drivers: WHY ARE BUSINESSES MOVING TO THE CLOUD?
► Increase scalability, availability and strength
► Focus resources on core competencies
► Right-size capacity to demand
► Reduce deployment times
► Improve backup & recovery
► Reduce costs
► Enhance collaboration and integration
Cloud Challenges: KEY BARRIERS TO ADOPTION
► Complexity
► Increased attack risk (public cloud)
► Multi-tenancy
► Internet facing
► Control of data and systems
► Regulation
► Trust
Cloud Models
Cloud Models: TACO BAR SERVICE (figure-only slides)
Cloud Types
► Private cloud
• Single organization
• Internally or externally hosted
► Community cloud
• Shared by several organizations
• Typically externally hosted, but not always
► Hybrid cloud
• Two or more clouds
• Remain unique entities, but are bound together
• Internally and externally hosted
• Combined benefits of multiple deployment models
► Public cloud
• Provisioned for open use by the public or a particular organization that hosts the service
Regulations
Regulatory Considerations
►U.S. regulations
►International issues (E.U., Japan, etc.)
►Contractual responsibility vs. regulatory responsibility
KEY U.S. REGULATIONS
• Cardholder information (PCI DSS)
• Protected health information (HIPAA/HITECH), Texas Medical Records Privacy Act
• Identity theft prevention and breach response (FTC Red Flags Rule)
• Publicly traded companies (SOX)
• Nonpublic personal financial information (GLBA)
• Federal information systems (FISMA)
• Texas Administrative Code Chapter 202 (TAC 202)
• Texas DIR policies
Assurance in the Cloud: KEY ASSURANCE
► AICPA SOC reporting
► ISO 27001
► CSA CCM
► HITRUST CSF
► PCI DSS ROC
► FedRAMP: NIST SP 800-53
► TAC 202
Cloud Contracts
Cloud Contracts: KEY CONSIDERATIONS
► Service Level Agreements
» Guaranteed uptime; downtime protocols
» Missed SLA consequences
► Regulation/Security Compliance
» Compliance with specific security standards (not general statements)
» HIPAA, PCI and other regulatory compliance
» Requirements for an annual audit (e.g. SOC 2 report)
Cloud Contracts: KEY CONSIDERATIONS
► Renewal Reminder
► Data Ownership
» The organization should be the sole owner of the data, not the service provider
► Privacy Provision
» Data should not be disclosed without proper authorization
► Data Center Location
» The location of the data should be specified to align with your BCP and regulatory obligations
Cloud Contracts: KEY CONSIDERATIONS
► Allowance/disallowance of sub-contractors
► Defining “inappropriate use” and other violation conditions
» This includes clear terms for what constitutes a violation and the ability to respond to a potential violation of the contract
Risk and the Cloud
Key Risks
QUESTION: Is data more or less secure in the cloud?
Risk and the Cloud
► Depends on the type of cloud service being utilized
► Traditional IT risk areas apply to cloud computing
» Security
» Processing integrity
» Availability
» Confidentiality
» Privacy
► Denial of service concerns
► Targets for breach
► Added emphasis on confidentiality/privacy
Unique Cloud Risks
► Multi-tenancy
► Virtual exploits
► Availability*
► Ownership*
► Responsibilities*
► Business continuity/disaster recovery planning*
► Authentication, authorization and access
► Usage/billing*
► Service level agreements (SLAs)*
► Regulatory compliance*
► Compatibility
(* discussed on the following slides)
Unique Cloud Risks: AVAILABILITY
► Are you aware of the data redundancy that is in place?
► What happens if your data is lost?
► What is the uptime commitment?
► What redundancy is in place regarding your Internet service provider?
Unique Cloud Risks: OWNERSHIP
► Does your contract share ownership with the cloud provider?
► Who owns your data and what can the cloud provider do with it?
Unique Cloud Risks: RESPONSIBILITY
► How do you define the responsibilities between the organization and the cloud service provider?
► How are the roles within the organization defined for cloud selection, build, use, policy setting and cost management?
► What are the processes to monitor the effectiveness of the service provider, and to perform the user controls the service provider expects you to operate (e.g. the complementary user entity controls listed in its SOC report)?
Unique Cloud Risks: BUSINESS CONTINUITY/DISASTER RECOVERY
► What is your disaster recovery plan if the service provider is not available?
► How are you going to recover services in line with business requirements?
► What is the organization’s business continuity, disaster recovery and backup strategy?
Unique Cloud Risks: THE NEED FOR A BACK-OUT PLAN
Unique Cloud Risks: USAGE/BILLING
► How are you using the resources purchased? Are you getting what you paid for?
► What is the process to evaluate the accuracy and completeness of the bills from your service provider?
► Is the cloud provider operating as agreed?
Unique Cloud Risks: SERVICE LEVEL AGREEMENTS (SLAs)
► How are you monitoring the service provider’s compliance with the contract?
► What is the process to obtain remedies from the service provider for failure to meet service level agreements?
► Who is defining the service level obligations: you or the service provider?
Unique Cloud Risks: REGULATORY & COMPLIANCE
► How are you assessing your cloud service provider for compliance with regulations and internal policies?
► When selecting a provider, did you assess (and are you continuing to assess) its compliance with your regulatory obligations?
Key Takeaways
Key Steps for Users
► Determine the type of cloud service being utilized and what matters to your organization from an operational and regulatory standpoint.
► Get as much transparency as possible; if nothing else, at least get a copy of the last relevant audit report.
► Familiarize yourself with the limits of the cloud vendor's responsibility.
► As with any other service provider, make sure there are solid agreements in place that protect you as a user.
► Make sure you have recourse and the service provider has some ‘skin’ in the game.
Source: Bloomberg Businessweek
Questions & Discussion