To Cloud or Not To Cloud ? презентация

ISACA HK / CSA HKM

2015 (Forrester Research)

private clouds are as secure as you make them
Typically, cloud-based systems can be more secure than existing internal systems if you do the upfront work required

accountability
Lack of transparency / clarity in SLA / interoperability / awareness and expertise

*

DR Plan

Few tools, procedures or standard formats available for data and service portability

Service level affects confidentiality and availability

The needs to protect the intellectual property, trade secrets, personal data; complied to regulations / laws in different geographical regions

Business continuity and disaster recovery plans must be well documented and tested

Service and contractual risks

Allocation

How to integrate the in-house systems to the Cloud ?
High speed bandwidth ready ?

Speedy encryption / decryption – in transit, at rest, destruction;
Identity management

Provider may not allow you to do thorough PEN test, audit;
Are there good monitoring tools available ?

Overbooking, underbooking;
Handling of DOS attack; Payment cap

Technology risks

the business case
SLO (and then SLA)
Availability, reliability, accessibility, performance and security
Along with what best practices
People, processes, change management etc.
Along with what technologies, services, vendors
Servers, storage, network, software etc.

infrastructure to the cloud
You are not outsourcing to vendor, the …
Risk,
Accountability and
Compliance obligations
Find the right Cloud Services Provider – qualified, Security Standards compliance

Security Standards the answer ?

Task Force
ENISA = European Network and Information Security Agency
ETSI = European Telecommunications Standards Institute
IEC = International Electrotechnical Commission
IEEE = Institute of Electrical and Electronics Engineers
INCITS = International Committee for Information Technology Standards
ISO = International Organization for Standardization
ITU-T = International Telecommunication Union – Telecom
NIST = National Institute for Standards and Technology
OASIS = Organization for the Advancement of Structured Information Standards
SNIA = Storage Networking Industry Association
TCG = Trusted Computing Group

Alphabet Soup

a professional’s knowledge and skills in Security, Governance and Cloud technology
Committing the effort and resources to obtain certification indicates seriousness of prospective companies and individuals

responsibility
Review your current set up and the Cloud Services Provider with guidelines
Focus in the SLO and SLA
Ask for expert help from services providers, and professional organizations