The Perfect Storm: Threats and Risks in the Cloud
ISACA Valencia - V Congress, November 2011

Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
Security Strategist & Evangelist, Quest Software
ISACA's Guidance & Practices Committee Member

• Right to Audit
• Privacy
• User Access
• Emerging
• Identity
• Surety
• Trust
• Isolation
• Traceability
• Architectures
• Competitive Advantage
• Web Services
• Evidence gathering
• Data Location
• Compliance
• Confidence
• Web 2.0
• Metrics
• Workflow
• Virtualization
• Dispute resolution
• Incident handling
• Data Segregation
• Recovery
• Resilience
• Forensics
• Maturity Models


Number 1 on every analyst's list of '10 strategic technologies'

The biggest evolution in technology, with a potential impact similar to the birth of the Internet

‘Unless you’ve been under a rock recently, you’ve probably heard Cloud Computing as the next revolution in IT’ - CFO Magazine

What is Cloud?

A pay-as-you-go model for using applications, development platforms and/or IT infrastructure


Corporate mandates

• Manage risk: manage operational and business risk (Compliance, Asset protection, Continuity Management)
• Manage cost: better CAPEX and OPEX management (Optimize resources, Automate processes)
• Align IT investments: align investments with corporate objectives (IT Portfolio Management, Value Management, Process Management)
• Improve service: optimal value, providing effective and efficient services (Service Availability, Service Management)


Cloud Benefits

• Optimized use of infrastructure
• Cost savings
• Dynamic scalability
• Optimized software development lifecycle
• Reduced deployment time


Cloud Challenges

• Data location
• Shared infrastructure
• Transparency on policies and procedures
• Ownership of data
• Proprietary APIs and vendor lock-in
• Information protection for forensic analysis
• Identity and Access Management
• Legal requirements
• Data deletion on SaaS or PaaS

Cloud Adoption

Reasons for not using Cloud: Security concerns 79%, Manageability 12%, Cost 9%
(Source: ISACA – Global Status Report on the Governance of Enterprise IT (GEIT) - 2011)

Priorities: Security 59%, Management 27%, Monitoring 17%, Availability 7%
(Sources: IBM survey 2010, Ponemon Institute, CA Technologies, ISACA, ENISA, CSA)

Cloud domains (business-driven)

Cloud Architecture

Governing the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability

Operating in the Cloud:
• Security, Business Continuity and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization


Cloud Management Frameworks


Key Cloud Security problems (from CSA Top Threats research)

• Trust: lack of provider transparency; impacts Governance, Risk & Compliance
• Data: leakage, loss, or storage in an unfriendly geography
• Insecure Cloud software
• Malicious use of Cloud services
• Account/Service hijacking
• Malicious insiders
• Cloud-specific attacks


What? Who? Where? How? When? Why?


Example of Control Objectives


Assurance in the Cloud


Security is paramount

Training and education

Useful resources


10 questions to ask the Cloud provider

1. How is identity and access managed in the Cloud?
2. Where will my data be geographically located?
3. How securely is my data handled?
4. How is access by privileged users controlled?
5. How is data protected against privileged user abuse?
6. What levels of isolation are supported?
7. How is my data protected in virtual environments?
8. How are the systems protected against Internet threats?
9. How are activities monitored and logged?
10. What kind of information security certification do you have?

THANK YOU / GRACIAS

Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
Security Strategist & Evangelist, Quest Software
[email protected]