Cloud Risk Management
2012 October 3 © Penelope Gordon 2012
Mary Beth Borgwing, Standish Risk Management
Penelope Everall Gordon, 1Plug Corporation
John Howie, Cloud Security Alliance
Virginia “Ginny” Lee, Intel Corporation
Why Cloud Risk Management?
• Cloud applications to reach $150B by 2013
• Data privacy and security: top risk for the 21st-century enterprise; needs remediation for loss of investment for stakeholders and partners
• Financial risk of data loss and of security intrusion needs mitigation beyond SLAs
• SEC and other regulation will require enterprises to disclose losses and describe relevant insurance coverage into 2013
• Risk transfer solutions, and the race to provide them, will be the next instantiation of the commerce of cloud
Risk Management Process
• Identify: look beyond the technology
• Assess: determine the costs of mitigating and of not mitigating
• Balance: weigh mitigation costs against benefits
• Mitigate: implement risk reduction measures
Risk Not Just a Tech Issue
• What’s at risk?
• Where should we look for risk?
• Who’s responsible for identifying risks?
• How do the risks differ between private and public cloud?
• Are some forms of cloud riskier than others?
• How do the risks differ between traditional outsourcing / out-tasking and public cloud?
Not All Outages Are Equal
• What is threat and risk assessment?
• How do cloud and non-cloud IT risk assessment differ?
• Who should assess, and how?
• What are common mistakes?
• How do you convince LoB execs and investors of assessment accuracy?
TCO of Security
• What are the most common methods for buyers to mitigate risk? The most promising?
• What are the most common methods for vendors and providers to mitigate risk? The most promising?
• How do you evaluate the costs of mitigation?
• How should you account for your supplier’s mitigation costs?
Do You Really Want 5 9s?
• What should you consider in prioritizing risks?
• What is “acceptable risk” and how do you sell that to your stakeholders and/or buyers?
• How can you create a mutually beneficial transaction between buyer/consumer and vendor/provider?
Monitoring Risk Mitigation
• Who should monitor and report on realized threats and/or mitigation outcomes?
• What should trigger a report?
• What do you need to do to get compensated for a realized threat?
• How and when should you refine your risk management strategy?
Contacts
Mary Beth Borgwing, Standish Risk Management
Katalin Bartfai-Walcott, Intel [email protected]
Penelope Everall Gordon, 1Plug Corporation
John Howie, Cloud Security Alliance
Virginia “Ginny” Lee, Intel Corporation
Backup
Legal Risk Mitigation
• A patchwork of agreements is necessary to cover risk
  • Terms of Service, SLAs, etc.
  • Depends on the service model and type of application
• Data location and global implications
  • Transferring data internationally carries obligations
• Cyber risk insurance: one size does not fit all
  • Data breach coverage