© Copyright 2012 – All Rights Reserved. Is Governance Really Possible in a Cloud World? Ken Smith CISSP CISA CCSK Senior Security Solutions Architect

Is Governance Really Possible in a Cloud World?

Description

Is Governance Really Possible in a Cloud World? Ken Smith, CISSP, CISA, CCSK, Senior Security Solutions Architect. Agenda: GRC today; problems created by cloud; managing governance; levels of control (IaaS, PaaS, SaaS); compliance in the cloud. More bad security stock images! (PowerPoint presentation)


Page 1: Is Governance Really Possible in a Cloud World?

Is Governance Really Possible in a Cloud World?

Ken Smith, CISSP, CISA, CCSK
Senior Security Solutions Architect

Page 2: Is Governance Really Possible in a Cloud World?

Agenda

• GRC today
• Problems created by cloud
• Managing governance
• Levels of control (IaaS, PaaS, SaaS)
• Compliance in the cloud

Page 3: Is Governance Really Possible in a Cloud World?

More Bad Security Stock Images!

Page 4: Is Governance Really Possible in a Cloud World?

Current State of GRC

Enterprises lead in adoption
• Tools in place
• Staff to manage program
• Management support

Midsized orgs dabbling
• Some tools
• Limited staff
• Mixed management support

Page 5: Is Governance Really Possible in a Cloud World?

Current State of GRC (cont’d)

Most small organizations [This section intentionally blank]

Page 6: Is Governance Really Possible in a Cloud World?

GRC Problems Created By Cloud

• Existing tools may no longer work
• Some visibility is taken away
• Some access is taken away
• The warm & fuzzy feeling of knowing that data is in your own data center is taken away
• Existing contract language that you know & love will likely need to be reworked

Page 7: Is Governance Really Possible in a Cloud World?

What Do We Do?

A. Grant cloud solutions an exemption from our governance program & assume the provider will take care of everything

B. Don't adopt cloud because we can't manage GRC

C. Adapt existing governance programs to account for cloud-based solutions

Page 8: Is Governance Really Possible in a Cloud World?

Cloud Security Integration

Source: Cloud Security Alliance Security Guidance

Page 9: Is Governance Really Possible in a Cloud World?

Managing Governance In The Cloud

It's going to take some upfront work

Much heavier dependence on trusting that the cloud provider is doing the right thing

Much heavier dependence on service level agreements & contract language

Lawyers!

Page 10: Is Governance Really Possible in a Cloud World?

Managing Governance In The Cloud (cont’d)

Audits will be more complex

Compliance assessments will be “interesting”

Compensating controls are key

Page 11: Is Governance Really Possible in a Cloud World?

Varying Responsibility

PaaS
• More dependent on provider
• Less control
• Provider's technology

IaaS
• Less dependent on provider
• You have more control
• More of your own technology

Page 12: Is Governance Really Possible in a Cloud World?

Compliance In The Cloud: “Out of the box”

• Meet your policies & governance requirements? Very unlikely today
• Meet PCI DSS or HIPAA requirements? No

Page 13: Is Governance Really Possible in a Cloud World?

Is This Possible?

• Compensating controls
• Technology: encryption, tokenization, data masking, segmentation
• Adapting your governance program
• Contract language
• Lawyers!

Page 14: Is Governance Really Possible in a Cloud World?

Great Reading & Resources

Cloud Security Alliance (CSA), www.cloudsecurityalliance.org
• Security Guidance for Critical Areas of Focus in Cloud Computing

The CSA Mission Statement: To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

Page 15: Is Governance Really Possible in a Cloud World?

Great Reading & Resources (cont’d)

European Network and Information Security Agency (ENISA), www.enisa.europa.eu
• Benefits, risks and recommendations for information security

Page 16: Is Governance Really Possible in a Cloud World?

Thank You

Ken Smith, CISSP, CISA, CCSK
Senior Security Solutions Architect
[email protected]
@ken5m1th