Cloud governance is not hard
DESCRIPTION
Organisations are spending large amounts of resources to bring advanced IT controls (mostly preventative) to protect against advanced attacks. However, many organisations neglect the basics, such as ensuring systems and applications are not vulnerable, which would help reduce the attack surface. The session will look at how to establish a patch policy and governance structures and processes. Furthermore, we will show the best practices, acquired through years of designing and operating QualysGuard Enterprise, to use Qualys services to discover vulnerabilities in systems, manage the patch management process, and harden systems with secure configuration settings.
TRANSCRIPT
Jirasek Consulting Services
Classification: Public 1
Supporting Business Agility
Cloud governance: Examples from trenches
Cloud and Mobile Compliance Summit
Vladimir Jirasek, Jirasek Consulting Services
& Research Director, Cloud Security Alliance, UK chapter
Agenda
• What is Cloud Governance
• Tips and Tricks
• Bad examples
• Good examples
Governance is:
• … the act of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists of either a separate process or part of decision-making or leadership processes
Source: Wikipedia, http://en.wikipedia.org/wiki/Governance
Applied to Cloud
• Setting company policy for Cloud computing
• Risk-based decision on which Cloud provider, if any, to engage
• Assigning responsibilities for enforcing and monitoring policy compliance
• Set corrective actions for non-compliance
Cloud governance: Policy
• Cloud is typically adopted by:
– a) IT directors – managed relatively consistently and mostly [I|P]aaS
– b) Business managers – less governance; typically SaaS
• Policy should state: It is a policy of …. to manage the usage of external Cloud computing services, taking into account risks to business processes and legal and regulatory compliance when using external Cloud services. The CIO is responsible for creating and communicating the external Cloud computing strategy and standards.
Cloud standard structure
• General statements
– Governance requirements for Cloud
– Enterprise architecture to be ready for Cloud and Cloud services to plug in (IAM, SIEM, Data architecture, Forensics)
– Discovery of Cloud service use
• Before Cloud project
– Cloud service to comply with data classification
– Encrypting all sensitive data in Cloud
– Identity and Access Management (AAA) link to Cloud service
• During Cloud project
– Due diligence to be performed
– Do not forget “right to audit”
– Know locations of PII
– Assess availability (SLA and DR) of Cloud provider
– Assess Cloud provider security controls
– Assess potential for forensic investigation by company’s team
• Running a Cloud service
– Limit use of live data for development and testing
– Monitor Cloud provider’s security controls
– Link company’s SIEM with Cloud provider and monitor for incidents
• Moving out of Cloud
– Data cleansing
– Data portability
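The “discovery of Cloud service use” item above is usually the first control a company can actually operate: compare outbound web-proxy traffic against the register of providers the standard has approved, and report the rest. The following is an added example, not code from the slides or from Jirasek Consulting Services. The Squid-style log lines, the `SANCTIONED` register, the `corp.local` internal suffix and the field layout are all constructed for illustration; a real proxy has its own format, and the two-label “registrable domain” shortcut should be replaced by a public suffix list in production.

```python
"""Flag Cloud/SaaS usage seen in web-proxy logs against a sanctioned-provider list.

Added example, not from the original slides. Log lines, provider register and
field layout are constructed; adapt the regex to your proxy's log format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed Squid-style lines: timestamp, client IP, method, URL/target, user, bytes.
SAMPLE_LOG = """\
1700000000.100 10.1.2.3 CONNECT crm.example-saas.com:443 - 1523
1700000001.200 10.1.2.3 GET http://intranet.corp.local/index.html - 812
1700000002.300 10.1.2.9 CONNECT storage.unknown-cloud.net:443 - 99001
1700000003.400 10.1.2.9 CONNECT drive.sharebox.example:443 - 120993
1700000004.500 10.1.2.3 CONNECT crm.example-saas.com:443 - 4412
"""

# Constructed register of providers approved under the Cloud standard, with an owner.
SANCTIONED = {
    "example-saas.com": "CRM, owned by Sales IT",
}
# Constructed: domains that are internal and therefore never "Cloud usage".
INTERNAL_SUFFIXES = ("corp.local",)

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+(?P<bytes>\d+)$"
)


@dataclass
class Usage:
    status: str                      # "sanctioned", "unsanctioned" or "internal"
    clients: set = field(default_factory=set)
    total_bytes: int = 0


def host_of(url: str) -> str:
    """Host part of either a full URL or a CONNECT host:port target (IPv4/hostnames only)."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Use a public suffix list for real data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str) -> str:
    if domain.endswith(INTERNAL_SUFFIXES):
        return "internal"
    return "sanctioned" if domain in SANCTIONED else "unsanctioned"


def discover(log_text: str) -> dict[str, Usage]:
    """Aggregate proxy lines per registrable domain with status, clients and bytes."""
    usage: dict[str, Usage] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        domain = registrable_domain(host_of(m["url"]))
        entry = usage.setdefault(domain, Usage(classify(domain)))
        entry.clients.add(m["client"])
        entry.total_bytes += int(m["bytes"])
    return usage


def unsanctioned_report(usage: dict[str, Usage]) -> list[tuple[str, int, int]]:
    """(domain, distinct clients, bytes) for unsanctioned providers, most traffic first."""
    rows = [(d, len(u.clients), u.total_bytes)
            for d, u in usage.items() if u.status == "unsanctioned"]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for domain, clients, nbytes in unsanctioned_report(discover(SAMPLE_LOG)):
        print(f"{domain:30s} clients={clients} bytes={nbytes}")
```

Run against the constructed sample, the report names the two providers nobody has assessed (`sharebox.example` and `unknown-cloud.net`), ranked by volume, while the approved CRM and internal traffic are left out. Feeding the same report into the company SIEM gives the “monitor for incidents” item a concrete data source.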
POOR EXAMPLES
Trust and do not verify
• Large manufacturer and very large software company
• SaaS
• No change to legal terms and conditions allowed -> increased risk of non-compliance
• Decision to go ahead anyway
• Tip: The bigger the provider the less flexibility on contracts. Shopping around is not always possible.
Did you erase my data?
• Large media company “outsourced” CRM to SA company
• Standard contract conditions
• Little assurance that the data has been deleted when the contract ends -> security expert spent a week in SA “assessing”
• Tip: Negotiate “exit” before signing contract. Seek details on how the data is erased.
I have 1TB of CSV files, now what?
• Customer uses well-known CRM in Cloud
• SaaS designed to immerse clients into well-defined, bespoke CRM
• No known data model
• Export of data in CSV
• Tip: Portability is key in SaaS applications. Think about leaving the Cloud provider upfront. How will you take your data?
I take this rack “please”!
• Law enforcement has been slower to adapt to principles of Cloud computing
• Small Cloud providers are more vulnerable to having HW seized rather than clever imaging/forensic techniques being used.
• SaaS generally more affected.
• Tip: Use reputable and strong cloud providers who have developed good relationship with law enforcement (ask upfront).
GOOD EXAMPLE
Scaling up/down development
• Large manufacturing and service company
• Requirement to support development needs with seasonal demands – ideal case for [I|P]aaS
• Security team approached up-front to perform review
• “Live” data not uploaded to the provider before on-site sanitising
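The last point of this example, live data sanitised on-site before anything reaches the [I|P]aaS provider, is the control that makes a seasonal dev/test environment acceptable under the data classification. The following is an added example, not code from the slides or from the company described; the column layout, the `FIELD_POLICY` table, the sample CSV and the secret are all constructed. Direct identifiers are replaced with HMAC-SHA256 tokens keyed by a secret that never leaves the site, so the same customer still joins across records in the Cloud but cannot be reversed there; free-text columns are dropped outright, dates are generalised to a year, and any column the policy does not know about stops the export.

```python
"""Sanitise 'live' CRM records on-site before copying them to a Cloud dev/test environment.

Added example, not from the original slides. The record layout, FIELD_POLICY,
sample data and secret are constructed; the policy would come from your data
classification standard.
"""
import csv
import hashlib
import hmac
import io
from typing import Dict, List

# Constructed per-column policy derived from the data classification:
#   keep         - non-sensitive, copy as-is
#   pseudonymise - replace with a keyed token; same input -> same token, so joins still work
#   drop         - free text that may contain anything; never leaves the site
#   year_only    - generalise a date to its year
FIELD_POLICY = {
    "customer_id": "pseudonymise",
    "email": "pseudonymise",
    "name": "drop",
    "notes": "drop",
    "date_of_birth": "year_only",
    "country": "keep",
    "plan": "keep",
}

# Constructed sample export; the real input would be the CRM dump.
SAMPLE_CSV = """\
customer_id,email,name,notes,date_of_birth,country,plan
1001,alice@example.org,Alice Example,called about invoice 42,1985-03-14,GB,gold
1002,bob@example.net,Bob Example,,1990-11-02,DE,silver
1001,alice@example.org,Alice Example,second ticket,1985-03-14,GB,gold
"""


def pseudonym(secret: bytes, column: str, value: str) -> str:
    """Keyed, per-column token. The secret stays on-site, so tokens cannot be reversed in the Cloud."""
    mac = hmac.new(secret, f"{column}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return f"{column[:2]}_{mac[:16]}"


def sanitise_row(row: Dict[str, str], secret: bytes) -> Dict[str, str]:
    """Apply FIELD_POLICY to one record; fail closed on an unclassified column."""
    out: Dict[str, str] = {}
    for column, value in row.items():
        action = FIELD_POLICY.get(column)
        if action is None:
            raise ValueError(f"no classification for column {column!r}; refusing to export")
        if action == "keep":
            out[column] = value
        elif action == "pseudonymise":
            out[column] = pseudonym(secret, column, value) if value else ""
        elif action == "year_only":
            out[column] = value[:4] if value else ""
        # "drop": the column is omitted entirely
    return out


def sanitised_rows(text: str, secret: bytes) -> List[Dict[str, str]]:
    """Parse a CSV export and return the sanitised records."""
    reader = csv.DictReader(io.StringIO(text))
    return [sanitise_row(row, secret) for row in reader]


def sanitise_csv(text: str, secret: bytes) -> str:
    """Sanitise a CSV export and return CSV text safe to hand to the provider."""
    header = next(csv.reader(io.StringIO(text)))
    kept = [c for c in header if FIELD_POLICY.get(c) != "drop"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=kept, lineterminator="\n")
    writer.writeheader()
    for row in sanitised_rows(text, secret):
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed secret: in practice read it from the on-site key store, never ship it.
    print(sanitise_csv(SAMPLE_CSV, b"constructed-on-site-secret"))
```

The security team’s up-front review in the example is where `FIELD_POLICY` gets agreed; once it exists, the export job is mechanical and the “refusing to export” branch catches the common failure of a new column being added to the CRM without anyone classifying it.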
Summary
• Have a Cloud policy/standard and update risk management classification
• Engage with Procurement and Finance teams – gatekeepers for any contracts and credit card spend
• Discover usage of Cloud services
• Prepare your enterprise architecture to plug Cloud services into IAM, SIEM, Key management
• Think about Cloud exit upfront
• Do not fear Cloud – another form of outsourcing!!
Contact
• Vladimir Jirasek
• [email protected]
• www.jirasekconsulting.com
• @vjirasek
• About.me/Jirasek