Cyber security and risk in the cloud - HEAnet

© 2015 Grant Thornton Ireland. All rights reserved

Cyber security and risk in the cloud

13 November 2015

Dr. Mike Harris, Partner, Grant Thornton
Pearse Ryan, Partner, Arthur Cox

Agenda

• cyber threats
• corporate risk management
• anatomy of a cyber-incident

Cyber threats

Introduction to cyber security

• The economy depends on a stable, safe, and resilient online environment
• A vast array of networks allows us to: communicate and travel; run our economy; power our homes; provide government services

Introduction to cyber security

Cyber attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy (estimated to be €800 million in Ireland).

Introduction

10 years ago, they looked like this… (image slide)

Now they look like this… (image slide)

Image-only slides: Ireland; Talk Talk; Big breaches; The damage; For sale!; More interesting; Even more interesting

Costs

Costs of cybercrime by estimate (currency € as on the slide; the slide does not state the unit of the figures, while the earlier slide puts the Irish total at about €800 million):

                                              Irish est.   UK est.     US est.      Global
Share of world GDP                            0.23%        2.77%       18.82%       100%
Cost of genuine cybercrime                    €202.93      €1,510.32   €10,334.94   €54,915
Cost of transitional cybercrime               €78.96       €955.21     €6,489.89    €34,484
Cost of cybercrime infrastructure             €93.34       €1,124.12   €7,637.53    €40,582
Costs of traditional crimes becoming "cyber"  €255.64      €3,078.80   €20,918.05   €111,148
Total cost of cybercrime                      €630.88      €6,668.45   €45,380.42   €241,129

Breakdown of the Irish estimate (the slide's pie chart; each category as a share of the €630.88 total): cost of genuine cybercrime 32%, cost of transitional cybercrime 12%, cost of cybercrime infrastructure 15%, costs of traditional crimes becoming "cyber" 41%.

Risk and security in the cloud

Cloud computing overview

• cloud computing vs traditional delivery models
  – what are traditional delivery models?
    • software licensing
    • remote managed service, e.g. payroll
    • ICT outsourcing (i.e. ICT resources given to another to manage)

Cloud computing overview

• how does cloud computing differ?
  – Internet/intranet accessible
  – scalable (sometimes massively so) and user-configurable computing resources – PaaS and IaaS
  – multi-tenancy – customers share a single software instance
  – subscription or usage-based payment – at least an element of pay-for-what-you-use
  – self-service model
  – typically not location specific (this may change with MLE pressure)
  – new concerns for the ICT security professional

The environment

• are there any norms in cloud computing?
  − yes to the technical norms of service
  − no to any commercial risk management or legal norms
• cloud computing risk management rule setting:
  – model is commercially brutal – suppliers operate within a tight commercial rulebook and accompany this with a tight risk management model
  – model is supplier led

Power relationship…

…is normally skewed in favour of suppliers.

Offerings are:

• without much similarity to one another
• supplier drafted
• often carry over supplier business practices from real-world business areas (e.g. Microsoft)
• biased in favour of the supplier (risk transfer point)
• typically immature in the areas of risk management and liability management from the perspective of the MLE, but for the SaaS supplier the logic of the business model is everything

The contract

• Queen Mary, University of London – 2011 cloud contracts study
• reviewed 31 contracts from 27 suppliers
• all the main suppliers' contracts reviewed
• reviewed key criteria & examples:
  – location of data – clear/unclear
  – data confidentiality/integrity/availability – service levels
  – disputes jurisdiction – 15/31 @ US & 8/31 @ UK
  – limitation of liability & remedies – service credits & exclusions/limitation of liability
  – amending terms – by whom/how
  – confidentiality/law enforcement

Enterprise risk issues

Cybersecurity

• here we look at security not as a corporate operational issue but as a corporate risk issue

Q: how bad can a contract be from a corporate risk management perspective?

A: so bad that, by a combination of SLA and contract, the supplier may have little or no responsibility and/or liability for loss/corruption of data due to its "default"

• thus – risk (being like water) flows to the customer

However,

• the motives for going to the cloud are, more often than not, financial
• the customer relies on the cloud provider to manage cyber risk
• the provider is not contractually obligated to do so
• so cyber risk is "kicked under the carpet"

Cloud-specific cyber risk

• contracts – typically poor
• lack of visibility of security at hosting sites – audit Q/SLA
• vulnerability to supplier IT staff
• vulnerabilities from other systems on the same cloud systems (segregation)
• JCB syndrome (one digger through a cable) – dependent on comms
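Multi-tenancy (customers sharing a single software instance, from the overview slide) is what turns the segregation bullet above into a cloud-specific risk: often the only thing separating one customer's rows from another's is a predicate in the provider's data-access code. The following is an added example, not code from the slides or from Grant Thornton or Arthur Cox; the table, the tenant names "acme" and "globex", and the rows are constructed for the demonstration. It shows the unscoped lookup beside its tenant-scoped form, and a crude review check that flags SQL statements touching a tenant-owned table without a tenant_id predicate.

```python
"""Added example: tenant scoping in a shared (multi-tenant) software instance."""
import re
import sqlite3
from typing import Optional

# Constructed data for the demo: two hypothetical tenants sharing one table.
SAMPLE_ROWS = [
    (1, "acme", "Payroll export Q3", "constructed sample payroll data"),
    (2, "acme", "Board minutes", "constructed sample minutes"),
    (3, "globex", "Supplier list", "constructed sample supplier data"),
]

# Tables whose rows belong to a tenant and must never be read without a tenant predicate.
TENANT_OWNED_TABLES = {"documents"}


def build_demo_db() -> sqlite3.Connection:
    """In-memory multi-tenant store: a single table shared by all tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " title TEXT NOT NULL,"
        " body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents (id, tenant_id, title, body) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def get_document_unscoped(conn: sqlite3.Connection, doc_id: int) -> Optional[tuple]:
    """Vulnerable pattern: lookup by primary key only.
    In a shared instance any tenant that guesses or enumerates an id reads
    another tenant's row (the segregation failure the slide warns about)."""
    return conn.execute(
        "SELECT tenant_id, title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def get_document(conn: sqlite3.Connection, tenant_id: str, doc_id: int) -> Optional[tuple]:
    """Hardened pattern: the caller's tenant id, taken from the authenticated
    session (never from a request parameter), is part of every predicate,
    so a foreign id simply does not match."""
    return conn.execute(
        "SELECT tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, tenant_id),
    ).fetchone()


def list_documents(conn: sqlite3.Connection, tenant_id: str) -> list:
    """Listing is scoped the same way; ordering by id keeps the output stable."""
    rows = conn.execute(
        "SELECT title FROM documents WHERE tenant_id = ? ORDER BY id", (tenant_id,)
    )
    return [title for (title,) in rows]


def query_is_tenant_scoped(sql: str) -> bool:
    """Cheap review check to run over a code base's SQL strings: any
    SELECT/UPDATE/DELETE that touches a tenant-owned table must mention
    tenant_id in its WHERE clause. A regex heuristic, not a SQL parser;
    it flags candidates for human review and does not prove safety."""
    tables = {t.lower() for t in re.findall(r"\b(?:from|join|update)\s+([A-Za-z_]+)", sql, re.I)}
    if not tables & TENANT_OWNED_TABLES:
        return True  # no tenant-owned table involved
    where = re.search(r"\bwhere\b(.*)$", sql, re.I | re.S)
    return bool(where and re.search(r"\btenant_id\b", where.group(1), re.I))


def demo_cross_tenant_read() -> dict:
    """Tenant 'globex' asks for document 1, which belongs to 'acme'."""
    conn = build_demo_db()
    leaked = get_document_unscoped(conn, 1)    # returns acme's row to globex
    blocked = get_document(conn, "globex", 1)  # None: not a globex row
    own = get_document(conn, "acme", 1)        # acme still sees its own row
    return {
        "leaked_tenant": leaked[0] if leaked else None,
        "blocked": blocked is None,
        "own_title": own[1] if own else None,
    }


if __name__ == "__main__":
    print(demo_cross_tenant_read())
    for stmt in ("SELECT title FROM documents WHERE id = ?",
                 "SELECT title FROM documents WHERE id = ? AND tenant_id = ?"):
        print("scoped" if query_is_tenant_scoped(stmt) else "UNSCOPED", "->", stmt)
```

The same idea applies whatever the store is: the tenant identifier comes from the authenticated context, never from the request, and every read, update and delete carries it. The regex check is deliberately simple so it can run in CI over extracted SQL strings; a row-level security policy in the database is the stronger control where the engine supports it.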

Cloud-specific cyber risk

• cloud provider technical failure (incl. DRP, BCP)
• cloud provider business failure – SaaS real risk
• provider insolvency – data mess – retrieval and ownership
• incident response restrictions
• litigation response issues
• data protection issues
• cyber insurance

Data Protection

• export of Personal Data outside the EEA only if:
  – consent is given to data exports; or
  – the personal data is exported for the purpose of fulfilling a contract; or
  – the personal data is exported to countries which are deemed by the EU Commission to have adequate data protection laws; or
  – the company has put adequate privacy safeguards in place for the transfer.

HOW DOES THE CLOUD PROVIDER COMPLY?

Forthcoming EU regulation

Jurisdiction?

• where is the data?
• international legal systems don't yet recognise "the cloud". The data sits as magnetic patterns on a disk somewhere
• which is no guarantee that a large cloud provider can find it, or keep track of its location (live migration of running workloads, e.g. VMware vMotion)
• issues like RAIC make things more complicated still – where is the data?

Microsoft (image slide)

Incident response in the cloud

Incident response

• Problem 1: your cloud contract may not allow you the level of access you need to carry out a proper investigation
• Problem 2: your cloud provider may be unable / unwilling to cooperate
• Problem 3: you may simply not have the search capacity / bandwidth to find what you need
• In common law you must discover all relevant material in your power, possession or procurement

Incident Response (diagram): Insured – Incident, with Insurer; Legal Advisers; Cyber Security / Forensics; Customer Contact; PR [others]

Questions & feedback