© 2015, Fiatech. Security in the Cloud: Is it an Oxymoron? Gail Coury

Post on 20-Jan-2016

Transcript of “Security in the Cloud: Is it an Oxymoron?”

© 2015, Fiatech

Security in the Cloud: Is it an Oxymoron?

Gail Coury, CISA, CISSP, CISM
Vice President, Risk Management
Oracle Managed Cloud Services

Agenda

• The Changing Threat Landscape
• What constitutes good “Due Diligence” and Provider selection?
• So you bought a Cloud service – now what?
• “Trust but Verify”
• Looking Ahead
• Contact & More Information

Changing Landscape

• Businesses are increasingly dependent on IT in order to deliver products and services
• Intellectual property and business records are becoming wholly digital
• Business collaboration and cloud adoption are driving a disappearing perimeter
• On-demand computing requires anywhere & anytime access
• Stealth & targeted attacks challenge our defenses
• Information has value – hacking is profitable

CIOs Name Their Top 5 Strategic Priorities

1. Make security everyone’s business
2. Cyber risk = business risk
3. Be the change agent
4. Have a business-centric vision
5. Anticipate a “cyber 9/11” event

CIOs at the Journal’s CIO Network event came together to create a prioritized set of recommendations to drive business and policy in the coming year.

Source: Wall Street Journal / CIO Journal, February 3, 2015

Cloud Computing Top Threats

Cloud: Friend or Foe for the Enterprise CISO?

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Source: The Notorious Nine: Cloud Computing Top Threats in 2013

A risk management approach… to leveraging the cloud

“As attractive as cloud environments can be, they also come with new types of risks. Executives are asking whether external providers can protect sensitive data and also ensure compliance with regulations about where certain data can be stored and who can access the data.”

“Both public- and private-cloud solutions can provide data-protection advantages compared with traditional, subscale technology environments.”

Source: McKinsey, “Protecting information in the cloud”, January 2013

Capabilities to Look for in a Cloud Provider

Maturity: Established security & privacy program reinforced by independent certifications

Flexibility: A rich feature set to meet immediate and future security, privacy & compliance needs

Performance: Confidence in network and computing resources to meet & scale to enterprise business demands without impact to availability

Resiliency: Redundancy & protections to protect from business-impacting events and disasters

Commitment: An experienced security function with a willingness to collaborate on security & risk topics

Source: “Building a Hybrid Cloud: Five Decision Criteria for Evaluating And Selecting Hybrid Cloud Solutions”, Irfan Saif, Principal, Deloitte & Touche; Oracle Profit Magazine, August 2013

Due Diligence

• Understand the criticality & sensitivity of the data you are looking to move to the Cloud
• Be clear about your regulatory requirements – you can outsource the processing but not the responsibility
• Request documentation regarding baseline controls, certifications & audit reports you can review
• Map your requirements to this baseline & highlight any gaps
• Evaluate whether the Provider has optional services to close those gaps

So you bought a Cloud service – now what?

Is there Layered Defense in Depth?

Security Strategy
• Security Architecture Reviews
• Security Technical Design Reviews
• Security Assessments and Penetration Tests

Security Technologies
• Security Information Event Management (SIEM)
• Secure Web Gateways
• End Point Security (AV/HIDS/Disk Encryption)
• Intrusion Detection/Prevention
• Backup Encryption
• Multi-Factor Authentication
• Segregated Networks
• Privileged Access Management

Security Services
• PCI DSS Services
• HIPAA Security Services
• Enhanced Security Services
• Government Security Services
• 21 CFR Part 11 Validation Support Services
• Identity Management Services (SSO, Provisioning, …)
• Database Security Services
• Disaster Recovery Services

Governance
• Objective 3rd Party Opinion via Audits (ISAE 3402 / SSAE 16)
• ISO 27001 Certification / ISO 27002 Conformance
• Formal Risk Assessments
• Self Testing or Pen Testing
• Security Training for Administrators
• Customer Right to Audit

Adoption of Security Standards? ISO 27000 Series

• Legal Compliance
• Human Resources Security
• Physical & Environmental Security
• Security Incident Management
• Privileged Access Control
• Business Continuity & DR
• Security Organization
• Operations Management
• System Acquisition & Maintenance
• Security Policy
• Asset Management

Has Data Privacy Been Addressed?

• A Data Processing Agreement
• Self-certification to the US/European Union Safe Harbor & US/Swiss Safe Harbor, Independently Verified
• Support for Model Clauses / Intercompany Agreements for EEA Operations
• Do Standard Services include:
  – Data-in-Transit Encryption
  – Tape Backup Encryption
  – Encrypted protocols for administrative access
  – Endpoint Encryption for Provider Administrators
• Are Optional Services available:
  – Encryption at Rest
  – Data Masking of sensitive data in Non-Prod environments

Data Center Physical Security?

• 24x7 Armed Security Guards
• Biometrics/Retina Scanner
• X-ray, Metal Detectors
• Interior and Exterior CCTV System
• Digital Video Recording Systems
• Global Anti-Passback (in/out) Card Readers
• Single Point of Access/Embassy Grade Mantrap
• Building Perimeter:
  – Onsite Guards
  – Electronic Intrusion Detection Systems
  – Glass protected by “BlastGARD”
• Employee Background Checks


Network Security?

Isolation and Segmentation

Intrusion Detection

Granular Access

Security Information Event Management (SIEM)

Disaster Recovery Solutions – Are they flexible to meet your needs?

• Assist Customer to create the Disaster Recovery Plan
• Review Customer’s Disaster Recovery Plan on a regular basis
• Coordinate activities related to Disaster Recovery testing
• Work with Customer to conduct up to two failover tests per year
• In the event of a Disaster, Provider and Customer will execute the Disaster Recovery Plan

Engage with your Cloud Provider

• Understand your contract – what’s included and what’s not
• Be clear about your responsibilities as a customer
• Know how to report service interruptions or outages
• Develop a plan to respond to a potential security incident in the Cloud
  – How to engage your Provider if you suspect an incident
  – Understand how your Provider will engage with you should they identify an incident
• Ensure access provisioning and de-provisioning of your users is timely
• Know how to request specifics your auditors may require
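The de-provisioning point above is one a customer can verify against its own data rather than take on trust. The Python script below is an added example, not from the original deck or from Oracle or Fiatech. It assumes two constructed inputs, an HR roster with termination timestamps and a cloud-service user export with an enabled/disabled state, and an assumed internal SLA of 24 hours for disabling leavers; it reports terminated users still enabled past the SLA, enabled accounts with no HR record, and active employees whose account is disabled or missing.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page). HR roster keyed by username,
# with ISO 8601 UTC termination timestamps for leavers.
HR_ROSTER = {
    "alice": {"status": "active", "terminated_at": None},
    "bob": {"status": "terminated", "terminated_at": "2015-03-02T17:00:00"},
    "carol": {"status": "terminated", "terminated_at": "2015-03-09T12:00:00"},
    "dave": {"status": "active", "terminated_at": None},
}

# Constructed cloud-service user export, as a provider's admin console might give it.
CLOUD_USERS = [
    {"user": "alice", "state": "ENABLED"},
    {"user": "bob", "state": "ENABLED"},    # left a week ago, still enabled
    {"user": "carol", "state": "ENABLED"},  # left 6 hours ago, inside the window
    {"user": "eve", "state": "ENABLED"},    # no HR record at all: orphan account
    {"user": "dave", "state": "DISABLED"},  # active employee, disabled: provisioning gap
]

MAX_DEPROVISION_HOURS = 24  # assumed internal SLA, not a figure from the deck


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def review_access(hr_roster, cloud_users, as_of, max_hours=MAX_DEPROVISION_HOURS):
    """Compare the HR roster with the cloud user export.

    Returns a dict with three lists:
      overdue: terminated users whose cloud account is still enabled past the SLA
      orphans: enabled cloud accounts with no HR record
      missing: active employees whose cloud account is disabled or absent
    """
    now = _parse(as_of)
    overdue, orphans, missing = [], [], []
    seen = set()
    for acct in cloud_users:
        name, enabled = acct["user"], acct["state"] == "ENABLED"
        seen.add(name)
        rec = hr_roster.get(name)
        if rec is None:
            # Nobody in HR owns this identity; if it can still log in, flag it.
            if enabled:
                orphans.append(name)
            continue
        if rec["status"] == "terminated" and enabled:
            hours = (now - _parse(rec["terminated_at"])) / timedelta(hours=1)
            if hours > max_hours:
                overdue.append({"user": name, "hours_enabled": round(hours, 1)})
        elif rec["status"] == "active" and not enabled:
            missing.append(name)
    # Active employees who never appeared in the export have no account at all.
    for name, rec in hr_roster.items():
        if rec["status"] == "active" and name not in seen:
            missing.append(name)
    return {"overdue": overdue, "orphans": orphans, "missing": sorted(missing)}


if __name__ == "__main__":
    report = review_access(HR_ROSTER, CLOUD_USERS, "2015-03-09T18:00:00")
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

Run on the constructed data as of 2015-03-09 18:00, the script flags bob (enabled 169 hours after termination), eve (orphan) and dave (active but disabled), while carol is inside the 24-hour window and is not reported. The same comparison run on each provider export, with the SLA set to whatever the contract commits to, gives the evidence an auditor asking about joiner/leaver timeliness will want.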

Lastly, “Trust but Verify”

Service Organization Controls Report 1 (SOC1)
• ISAE 3402 (International) / SSAE 16 (US)
• Supports Financial Reporting & External Audit Requirements

Service Organization Controls Reports 2 & 3 (SOC2/SOC3)
• Non-Financial Reporting Controls Based upon Trust Services Principles
• Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

Federal Certification & Accreditation (C&A) & FedRAMP
• NIST (FISMA) & DIACAP (DoD) MAC Level & Sensitivity
• Federal Risk and Authorization Management Program (FedRAMP)

ISO Certification / Compliance
• ISO 27001 Certification
• ISO 27002 Conformance
• ISO 27017 Cloud Security (Draft)
• ISO 27018 Cloud Privacy

Payment Card Industry (PCI)
• Validation of Compliant Service Provider Level
• Validation of Payment Application (if applicable)

Healthcare
• Assists the Customer to meet its legal obligations under HIPAA
• Ensures compliance with HITECH as a Business Associate

Life Sciences
• FDA 21 CFR Part 11 for System Validation

Right to Audit

• Confirm if your contract terms permit a “right to audit”
• Determine if the Cloud Provider performs regular penetration tests of the service and if you can review the results
• Validate vulnerability management is in place and effective

Looking Ahead

REGULATION: More & More Legislation; Increased Effort to Prove Compliance

SECURITY BASELINE: ‘Due Diligence’ High Water Mark Continues to Rise

THREATS: Complex & Stealth Attack Vectors Growing; Commercial Hacking is Big Business

Thank You… Are There Any Questions?

Gail Coury, CISA, CISSP, CISM
Vice President, Risk Management
Oracle Managed Cloud Services
gail.coury@oracle.com