cloud and compliance rex
Post on 12-Jan-2017
Cloud & Compliance
SCOR experience
Les jeudis de l'Afai, 2 June 2016
Henri Guiheux, Group CISO
Cloud & Compliance: Agenda
1 Cloud evolution and Regulatory pressure over the past 5 years
2 Cloud Experience of SCOR
3 Cloud Trends
Cloud & Compliance: Cloud evolution and regulatory pressure over the past 5 years
IT infrastructure models
  Traditional architectures: on premises, co-location, outsourcing
  Cloud infrastructure: public, private, hybrid, sovereign cloud; IaaS, PaaS, SaaS
  Big cloud players: Amazon AWS, Google, Microsoft Azure, …
Increase in data leakage and cyber attacks
  Wikileaks, Snowden, Sony, Target, Anthem, Ashley Madison, T-Mobile, US government agency …
Global environment highly regulated for SCOR
  Directives & standards: Solvency II, HIPAA, GLBA, U.S. Privacy Shield, General Data Protection Regulation
  Financial authorities: Autorité des marchés financiers (AMF), Autorité de contrôle prudentiel et de résolution (ACPR), Financial Industry Regulatory Authority (FINRA), Monetary Authority of Singapore (MAS), Swiss Financial Market Supervisory Authority (FINMA), China Insurance Regulatory Commission (CIRC), Prudential Regulation Authority (PRA) …
Emergence of security assurances to provide trust in cloud providers
  BSI 27001, SSAE 16, ISAE 3402, SOC 1 Type 1, SOC 2 Type 2
Cloud & Compliance: SCOR experience, approach
SCOR cloud strategy
  Develop digital services with the same SCOR IT resources
  Use a centralized private cloud where applicable for IaaS or PaaS
  Select cloud SaaS where appropriate
SCOR implementations since 2012
  Move servers from SCOR premises or co-location datacenters to the centralized private cloud
  Keep on SCOR premises only the minimum equipment that strictly requires proximity
  Promote the implementation of SaaS solutions
SCOR security & compliance
  Assess and monitor the security of cloud providers
  Enforce SCOR IT internal control using the COBIT framework, including the cloud environment
  Align SCOR IT internal control with regulator security requirements and client security & data privacy commitments
  Move toward SOC 1 and SOC 2 certifications for services provided to its clients
Cloud & Compliance: SCOR experience, SaaS implementation
Corporate services: time tracking, general expenses, purchase to pay, e-learning, security awareness, …
Collaborative services: institutional web site, social network, streaming video
Security services: mail security gateway, authentication, security operation center
Business services: marketing, CRM, specialized risk expertise services
Additional services to come: messaging, business continuity (mass notification message), privacy compliance service, …
Cloud & Compliance: SCOR experience, lessons learned
Cloud is neither magic nor simple.
Different levels of security and compliance maturity are observed among cloud-based service providers.
Risk assessment during selection and contractual clauses (compliance, security, audit, intellectual property, reversibility, SLA, …) are key steps.
Transferring IT activity to the cloud involves an IT management transformation, moving from a doer role to a controlling/monitoring role with the capacity for formalization.
Network and technical architecture become critical to avoid:
  performance, reliability and quality issues
  interfacing issues with other IT systems
Hidden costs related to configuration and integration must be anticipated.
A strong internal control framework must be established to enable quality and performance conformance and compliance with external requirements (COBIT 5 is very valuable).
Cloud & Compliance: Cloud trends
Key to monitor cloud players in a very competitive and fast-moving industry
  Increase of private cloud offers to be competitive with public cloud offers
  Cloud evolution driven by IoT
Key to watch disruptive cloud technology that is more economical, secure and productive
  Data encryption at rest
  Application containers (data isolation)
  Container hypervisors
  Software modelling enabling complex configuration: ready to use, dynamically scalable, highly automated, fully traceable