Presented by: Cristie Street, Managing Partner, Nextrio, LLC
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Essential characteristics:

On-demand self-service

Broad network access

Resource pooling

Rapid elasticity

Measured service

Source: NIST (National Institute of Standards and Technology), US Dept. of Commerce, SP 800-145, "The NIST Definition of Cloud Computing"

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Service Models:

Software as a Service (SaaS)

Platform as a Service (PaaS)

Infrastructure as a Service (IaaS)

Deployment Models:

Private Cloud

Community Cloud

Public Cloud

Hybrid Cloud

Image Source: Wikipedia.org

You are in the cloud now. You will be in the cloud.

Abstraction level and visibility

Assets (data and applications/processes) are subject to:

Unavailability

Loss

Theft

Disclosure

Cost as a risk event

Privacy considerations

Source: Healthcare Sector Cybersecurity Framework Implementation Guide (draft), November 2015

The NIST (National Institute of Standards and Technology) Cybersecurity Framework is intended “to allow organizations – regardless of size, degree of cyber risk or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.”

Step 1: Prioritize and Scope

Step 2: Orient: identify the systems and the existing risk management approaches within the scope

Step 3: Create a Target Profile

Step 4: Conduct a Risk Assessment

Step 5: Create a Current Profile (based on assessment results)

Step 6: Develop an Action Plan

Step 7: Implement the Action Plan

…rinse and repeat…

The Framework Core is organized by Function, with each Function broken down into Categories and Subcategories:

Identify

Protect

Detect

Respond

Recover

Many initiatives exist to create cloud certification frameworks:

Cloud Security Alliance (CSA)

European Union Agency for Network and Information Security (ENISA)

CloudWATCH Consortium

ISO standards, 27018:2014 and 27017:2015

Virtualization vendors

Defense Information Systems Agency (DISA)

Center for Internet Security (CIS)

National Information Assurance Partnership (NIAP)

American Institute of CPAs SOC 2 report (AICPA)

Country-specific initiatives:

US: Federal Risk and Authorization Management Program (FedRAMP)

UK: G-Cloud

Singapore: Multi-tier Cloud Security (MTCS)

Germany, France, Canada, Hong Kong, Australia, Israel, Turkey and Slovenia

Source: ISACA, Security Considerations for Cloud Computing

SaaS (Software as a Service)

Risk-decreasing factors:

Improved security

Application patch management

Risk-increasing factors:

Data ownership

Data disposal

Lack of visibility into software systems development life cycle (SDLC)

Identity and access management

Exit strategy

Broad exposure of applications

Ease of contracting SaaS

Lack of control of the release management process

Browser vulnerabilities

Public Cloud

Risk-decreasing factors:

Public reputation

Risk-increasing factors:

Full sharing of the cloud (data pooling)

Collateral damage

Private Cloud

Risk-decreasing factors:

Can be built on-premises

Performance

Risk-increasing factors:

Application compatibility

Investments required

Cloud-IT skills required

Technical examples:

Multitenancy visibility

Hypervisor attacks

Application attacks

Application compatibility

Regulatory examples:

Asset ownership

Asset disposal

Asset location

Governance examples:

Physical security/access

Media management

Purchasing/contractual missteps

Support for audit/forensic evaluations

Adopt a risk control framework, then test and verify the vendor against the criteria a SOC 2 report covers:

Security

Availability

Processing integrity

Confidentiality and privacy

Monitor the financial position and market recognition of the vendor(s)

Discuss vendor’s business continuity plans, disaster recovery plans, backup procedures and redundancy plans

Qualify and quantify your own organization’s data classifications; policies, principles and frameworks; organizational expectations for ethics and risk behavior

Detail the explicit contracts, service level agreements, communication processes, roles and responsibilities

Determine which jurisdictions' laws apply, since more than one may:

Local law of the enterprise

Local law of the CSP (cloud service provider)

Local law where data are stored

Local law where data are processed

Adoption cycle:

Prepare your internal environment

Select the cloud service model

Select the cloud deployment model

Select the cloud provider

Migrate, and review continuously

Select a FRAMEWORK at the start; re-evaluate the FRAMEWORK at each pass

Cristie Street: [email protected]

References

ISACA, State of Cybersecurity: Implications for 2016: http://www.isaca.org/cyber/pages/state-of-cybersecurity-implications-for-2016.aspx

ISACA, Security Considerations for Cloud Computing: http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/security-considerations-for-cloud-computing.aspx

Cloud Security Alliance: https://cloudsecurityalliance.org/

DHS ICS-CERT, Assessments: https://ics-cert.us-cert.gov/Assessments

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook: http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

HITRUST Alliance, Healthcare Sector Cybersecurity Framework Implementation Guide (preliminary draft): https://hitrustalliance.net/content/uploads/2015/11/PrelimnaryDraftHPHCyberFrameworkImplementationGuide-20151110.pdf

OWASP: https://www.owasp.org/index.php/Main_Page

Stay Safe Online: http://www.staysafeonline.org/