Cloud Essentials: Benefits, Risks and Controls

Cloud Essentials - ISACA CPE Meeting

DESCRIPTION

Cloud Computing Essentials

Page 1: Cloud Essentials - ISACA CPE Meeting

Cloud Essentials: Benefits, Risks and Controls

How many of you are using Cloud Services at your organization?

How many of you are planning / evaluating Cloud Solutions?

How many of you are Cloud Service Providers?

04/12/23 Global Success Systems FZ LLC 2

Lighter side of Cloud

Agenda

Some Predictions

“By 2020 more than a third of the Digital Universe will either live in or pass through the cloud.” -- IDC, May 2010

“Four out of every five new commercial enterprise applications are deployed on cloud platforms, according to industry research, and more than half of Global 1000 companies will store customer-sensitive data in the public cloud by the end of 2016.” - Dimensional Research for Host Analytics (DRHA)

“Cloud delivery has increased by 33.6% year on year for 2012 in UAE” – IDC, Jan 2013

What is Cloud?

“Cloud computing, method of running application software and storing related data in central computer systems and providing customers or other users access to them through the Internet”. - Encyclopedia Britannica (eb.com, 2012)

Image Copyright EXIN

What is Cloud?

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources, that can be rapidly provisioned and released with minimum management effort or service provider interaction” - NIST

Cloud Computing is About

5 Characteristics

Service Models

Deployment Models

Image Copyright NIST

Cloud Benefits

- Reduced Cost (pay-per-use, economies of scale)
- Automated (updates, security patches, backups, …)
- On demand (Flexibility + Scalability = Elasticity)
- More Mobility ("any time, any place, any device")
- Shared Resources (multi-tenancy)
- Back to core business

“Everything gets faster, cheaper, more flexible by using Cloud” - Werner Vogels, CTO, Amazon

Recommendations to Adopt Cloud

Business drivers

- Flexibility & Time to market (TTM)
- Costs
- Capex vs. Opex
- TCO for 3 to 5 years & ROI
- Operational Benefit, Support Cost
- Service Level Agreements (SLA)
- Service Performance
- Easy to navigate
- Transaction posting time
- Quality of Service
- Support SLA (Incidents, problems)
- Architecture - Integration (PaaS), migration
- Green(er) computing

Compliance and Governance

- Understand the provider's capabilities and compliances
- Data Center Certifications
- Average uptime
- Regulations & international standards
- Multiple sites and locations
- Backup mechanisms & Data storage
- Provider's Supplier Details
- High security components like firewalls, a DMZ and internet security software
- 4 Ps of Service Management (People, Process, Products & Partners)
- Have a clear SLA

Try before you Buy

- Demand a Trial Period and TEST Thoroughly
- Don't commit until the service works the way you want
- Have a Road Map for your Cloud Adoption

Risk Management

Organizational Risk

- Difficulty knowing where data is stored
- Technical failures that could destroy the stored data
- Unauthorized access of data by others
- Failure of Cloud Service due to New Technology, Competitors, Lack of Financial Support
- Issues around data retrieval if a cloud provider goes out of business
- Vendor Lock-In

Risk Management

- Validation of credentials
- Active monitoring of traffic
- Strong authentication
- Good SLAs and Audit
- Operations procedures
- Operational security practices
- Consult a lawyer, specialized in international legislation
- Staff vetting, etc.

Cloud Controls and Auditing

Personally Identifiable Information (PII)

- Forms of identification: SSN, passport, fingerprints
- Occupational: job title, company name
- Financial: bank numbers, credit records
- Health care: insurance, genetic
- Online activity: log-ins
- Demographic: ethnicity
- Contact: phone, e-mail

PII Standards

- The Privacy Act 1974, federal laws HIPAA & GLBA and Safe harbor - USA
- Personal Information Protection Law and Law for Protection of Computer Processed Data Held by Administrative Organs (1988) - Japan
- PIPEDA (Personal Information Protection and Electronic Data Act 2008) and Privacy Act (1983) - Canada
- Laws and privacy standards of the member countries, EU Internet Privacy Law (DIRECTIVE 2002/58/EC, 2002) and EU Data Protection Directive (1998) - EU

Cloud Controls Matrix (CCM)

Controls baselined and mapped to:

- COBIT
- BITS Shared Assessments
- HIPAA/HITECH Act
- Jericho Forum
- ISO/IEC 27001-2005
- NERC CIP
- NIST SP800-53
- PCI DSS v2.0

© 2011 Cloud Security Alliance, Inc. All rights reserved.

Cloud Controls Matrix (CCM)

First ever baseline control framework specifically designed for managing risk in the Cloud Supply Chain

1. Compliance (CO)

2. Data Governance (DG)

3. Facility Security (FS)

4. Human Resources (HR)

5. Information Security (IS)

6. Legal (LG)

7. Operations Management (OM)

8. Risk Management (RI)

9. Release Management (RM)

10. Resiliency (RS)

11. Security Architecture (SA)

CCM – 98 Controls

Auditing Cloud

Types of Audits you need to consider

- Regulatory compliance audit
- Disaster Recovery/Business Continuity (DR/BC)
- Security audit
- Performance and Reliability audit (SLA)
- Benefit Realization audit (ROI)

Summary

- Understand your business needs
- Have a clear road map for Cloud Adoption
- Understand provider's capability and regulations
- Pilot the cloud solution and ensure it is meeting your business needs
- Have good control, monitoring and auditing mechanism
- Enjoy the benefit of Cloud Opportunities

Thank you

Questions?

Sreechith Radhakrishnan
Email: [email protected]
LinkedIn: www.linkedin.com/in/sreechith
Web: www.gssgrouponline.com