cloud governance is not hard


Upload: vladimir-jirasek

Posted on 14-Nov-2014


DESCRIPTION

Organisations are spending large amounts of resources to bring advanced IT controls (mostly preventative) to protect against advanced attacks. However, many organisations neglect the basics, such as ensuring systems and applications are not vulnerable, which would help reduce the attack surface. The session will look at how to establish a patch policy and governance structures and processes. Furthermore, we will show the best practices, acquired through years of designing and operating QualysGuard Enterprise, for using Qualys services to discover vulnerabilities in systems, manage the patch management process, and harden systems with secure configuration settings.

TRANSCRIPT

Page 1: Cloud governance is not hard

Jirasek Consulting Services

Classification: Public 1

Supporting Business Agility

Cloud governance: Examples from trenches

Cloud and Mobile Compliance Summit

Vladimir Jirasek

Jirasek Consulting Services

Research Director, Cloud Security Alliance, UK chapter

Page 2: Cloud governance is not hard


Agenda

• What is Cloud Governance

• Tips and Tricks

• Bad examples

• Good examples

Page 3: Cloud governance is not hard


Governance is:

• … the act of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists of either a separate process or part of decision-making or leadership processes

SOURCE: Wikipedia, http://en.wikipedia.org/wiki/Governance

Page 4: Cloud governance is not hard


Applied to Cloud

• Setting company policy for Cloud computing

• Risk-based decision on which Cloud provider, if any, to engage

• Assigning responsibilities for enforcing and monitoring policy compliance

• Set corrective actions for non-compliance

Page 5: Cloud governance is not hard


Cloud governance::Policy

• Cloud is typically adopted by:

a) IT directors – managed relatively consistently and mostly [I|P]aaS

b) Business managers – less governance; typically SaaS

• Policy should state: It is a policy of …. to manage the usage of external Cloud computing services, taking into account risks to business processes, legal and regulatory compliance when using external Cloud services. The CIO is responsible for creating and communicating the external Cloud computing strategy and standards.

Page 6: Cloud governance is not hard


Cloud standard structure

• General statements

– Governance requirements for Cloud

– Enterprise architecture to be ready for Cloud and Cloud services to plug in (IAM, SIEM, Data architecture, Forensics)

– Discovery of Cloud service use

• Before Cloud project

– Cloud service to comply with data classification

– Encrypting all sensitive data in Cloud

– Identity and Access Management (AAA) link to Cloud service

• During Cloud project

– Due diligence to be performed

– Do not forget “right to audit”

– Know locations of PII

– Assess availability (SLA and DR) of Cloud provider

– Assess Cloud provider security controls

– Assess potential for forensic investigation by company’s team

• Running a Cloud service

– Limit use of live data for development and testing

– Monitor Cloud provider’s security controls

– Link company’s SIEM with Cloud provider and monitor for incidents

• Moving out of Cloud

– Data cleansing

– Data portability

Page 7: Cloud governance is not hard


POOR EXAMPLES

Page 8: Cloud governance is not hard


Trust and do not verify

• Large manufacturer and very Large software company

• SaaS

• No change to legal terms and conditions allowed -> increased risk of non-compliance

• Decision to go ahead anyway

• Tip: The bigger the provider the less flexibility on contracts. Shopping around is not always possible.

Page 9: Cloud governance is not hard


Did you erase my data?

• Large media company “outsourced” CRM to SA company

• Standard contract conditions

• Little assurance that the data has been deleted when the contract ends -> security expert spent a week in SA “assessing”

• Tip: Negotiate “exit” before signing contract. Seek details on how the data is erased.

Page 10: Cloud governance is not hard


I have 1TB of CSV files, now what?

• Customer uses a well-known CRM in the Cloud

• SaaS designed to immerse clients into a well-defined, bespoke CRM

• No known data model

• Export of data in CSV

• Tip: Portability is key in SaaS applications. Think about leaving the Cloud provider upfront. How will you take your data?

Page 11: Cloud governance is not hard


I take this rack “please”!

• Law enforcement has been slower to adapt to principles of Cloud computing

• Small Cloud providers are more vulnerable to seizing of HW rather than the use of clever imaging/forensic techniques.

• SaaS generally more affected.

• Tip: Use reputable and strong cloud providers who have developed good relationship with law enforcement (ask upfront).

Page 12: Cloud governance is not hard


GOOD EXAMPLE

Page 13: Cloud governance is not hard


Scaling up/down development

• Large manufacturing and service company

• Requirement to support development needs with seasonal demands – ideal case for [I|P]aaS

• Security team approached up-front to perform review

• “Live” data not uploaded to the provider before on-site sanitising

Page 14: Cloud governance is not hard


Summary

• Have a Cloud policy/standard and update risk management classification

• Engage with Procurement and Finance teams – gatekeepers for any contracts and credit card spend

• Discover usage of Cloud services

• Prepare your enterprise architecture to plug Cloud services into IAM, SIEM, Key management

• Think about Cloud exit upfront

• Do not fear Cloud – another form of outsourcing!!

Page 15: Cloud governance is not hard


Contact

• Vladimir Jirasek

• [email protected]

• www.jirasekconsulting.com

• @vjirasek

• About.me/Jirasek