Security in the Cloud: Is it an Oxymoron?

Gail Coury CISA, CISSP, CISM
Vice President, Risk Management, Oracle Managed Cloud Services

© 2015, Fiatech

Page 2: Agenda

• The Changing Threat Landscape
• What constitutes good “Due Diligence” and Provider selection?
• So you bought a Cloud service – now what?
• “Trust but Verify”
• Looking Ahead
• Contact & More Information

Page 3: Changing Landscape

• Businesses are increasingly dependent on IT in order to deliver products and services
• Intellectual property and business records are becoming wholly digital
• Business collaboration and cloud adoption are driving a disappearing perimeter
• On-demand computing requires anywhere & anytime access
• Stealth & targeted attacks challenge our defenses
• Information has value – hacking is profitable

Page 4: CIOs Name Their Top 5 Strategic Priorities

1. Make security everyone’s business
2. Cyber risk = business risk
3. Be the change agent
4. Have a business-centric vision
5. Anticipate a “cyber 9/11” event

CIOs at the Journal’s CIO Network event came together to create a prioritized set of recommendations to drive business and policy in the coming year.

Source: Wall Street Journal / CIO Journal, February 3, 2015

Page 5: Cloud Computing Top Threats – Cloud: Friend or Foe for the Enterprise CISO?

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Source: Cloud Security Alliance, “The Notorious Nine: Cloud Computing Top Threats in 2013”

Page 6: A risk management approach… to leveraging the cloud

“As attractive as cloud environments can be, they also come with new types of risks. Executives are asking whether external providers can protect sensitive data and also ensure compliance with regulations about where certain data can be stored and who can access the data.”

“Both public- and private-cloud solutions can provide data-protection advantages compared with traditional, subscale technology environments.”

Source: McKinsey, “Protecting information in the cloud”, January 2013

Page 7: Capabilities to Look for in a Cloud Provider

• Maturity – An established security & privacy program reinforced by independent certifications
• Flexibility – A rich feature set to meet immediate and future security, privacy & compliance needs
• Performance – Confidence in network and computing resources to meet & scale to enterprise business demands without impact to availability
• Resiliency – Redundancy & protections against business-impacting events and disasters
• Commitment – An experienced security function with a willingness to collaborate on security & risk topics

Source: “Building a Hybrid Cloud: Five Decision Criteria for Evaluating And Selecting Hybrid Cloud Solutions”, Irfan Saif, Principal, Deloitte & Touche; Oracle Profit Magazine, August 2013

Page 8: Due Diligence

• Understand the criticality & sensitivity of the data you are looking to move to the Cloud
• Be clear about your regulatory requirements – you can outsource the processing but not the responsibility
• Request documentation regarding baseline controls, certifications & audit reports you can review; check that the scope and reporting period of each report actually cover the service, regions and data centers you will use
• Map your requirements to this baseline & highlight any gaps
• Evaluate whether the Provider has optional services to close those gaps

Page 9: So you bought a Cloud service – now what?

Page 10: Is there Layered Defense in Depth?

Security Strategy
• Security Architecture Reviews
• Security Technical Design Reviews
• Security Assessments and Penetration Tests

Security Technologies
• Security Information Event Management (SIEM)
• Secure Web Gateways
• End Point Security (AV/HIDS/Disk Encryption)
• Intrusion Detection/Prevention
• Backup Encryption
• Multi-Factor Authentication
• Segregated Networks
• Privileged Access Management

Security Services
• PCI DSS Services
• HIPAA Security Services
• Enhanced Security Services
• Government Security Services
• 21 CFR Part 11 Validation Support Services
• Identity Management Services (SSO, Provisioning, …)
• Database Security Services
• Disaster Recovery Services

Governance
• Objective 3rd Party Opinion via Audits (ISAE 3402 / SSAE 16)
• ISO 27001 Certification / ISO 27002 Conformance
• Formal Risk Assessments
• Self Testing or Pen Testing
• Security Training for Administrators
• Customer Right to Audit

Page 11: Adoption of Security Standards? ISO 27000 Series

Control domains shown on the slide:
• Security Policy
• Security Organization
• Asset Management
• Human Resources Security
• Physical & Environmental
• Operations Management
• Privileged Access Control
• System Acquisition & Maintenance
• Security Incident Management
• Business Continuity & DR
• Legal Compliance

Page 12: Has Data Privacy Been Addressed?

• A Data Processing Agreement
• Self-certification to the US/European Union Safe Harbor & US/Swiss Safe Harbor (note: the US/EU Safe Harbor framework was invalidated by the Court of Justice of the EU in October 2015, after this deck was presented, so confirm which transfer mechanism the Provider currently relies on)
• Independently Verified Support for Model Clauses / Intercompany Agreements for EEA Operations
• Do Standard Services include:
  – Data-in-Transit Encryption
  – Tape Backup Encryption
  – Encrypted protocols for administrative access
  – Endpoint Encryption for Provider Administrators
• Are Optional Services available:
  – Encryption at Rest
  – Data Masking of sensitive data in Non-Prod environments

Page 13: Data Center Physical Security?

• 24x7 Armed Security Guards
• Biometrics/Retina Scanner
• X-ray, Metal Detectors
• Interior and Exterior CCTV System
• Digital Video Recording Systems
• Global Anti-Passback (in/out) Card Readers
• Single Point of Access/Embassy Grade Mantrap
• Building Perimeter:
  – Onsite Guards
  – Electronic Intrusion Detection Systems
  – Glass protected by “BlastGARD”
• Employee Background Checks

Page 14: Network Security?

• Isolation and Segmentation
• Intrusion Detection
• Granular Access
• Security Information Event Management (SIEM)

Page 15: Disaster Recovery Solutions – Are they flexible to meet your needs?

• Assist Customer to create the Disaster Recovery Plan
• Review Customer’s Disaster Recovery Plan on a regular basis
• Coordinate activities related to Disaster Recovery testing
• Work with Customer to conduct up to two failover tests per year
• In the event of a Disaster, Provider and Customer will execute the Disaster Recovery Plan

Page 16: Engage with your Cloud Provider

• Understand your contract – what’s included and what’s not
• Be clear about your responsibilities as a customer
• Know how to report service interruptions or outages
• Develop a plan to respond to a potential security incident in the Cloud
  – How to engage your Provider if you suspect an incident
  – Understand how your Provider will engage with you should they identify an incident
• Ensure access provisioning and de-provisioning of your users is timely
• Know how to request specifics your auditors may require

Page 17: Lastly “Trust but Verify”

Service Organization Controls Report 1 (SOC1)
• ISAE 3402 (International) / SSAE 16 (US)
• Supports Financial Reporting & External Audit Requirements

Service Organization Controls Reports 2 & 3 (SOC2/SOC3)
• Non-Financial Reporting Controls Based upon Trust Services Principles
• Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
• Ask for the Type II report (controls tested over a period), not only the point-in-time Type I opinion, and read the auditor’s exceptions

Federal Certification & Accreditation (C&A) & FedRAMP
• NIST (FISMA) & DIACAP (DoD) MAC Level & Sensitivity
• Federal Risk and Authorization Management Program (FedRAMP)

ISO Certification / Compliance
• ISO 27001 Certification
• ISO 27002 Conformance
• ISO 27017 Cloud Security (Draft)
• ISO 27018 Cloud Privacy

Payment Card Industry (PCI)
• Validation of Compliant Service Provider Level
• Validation of Payment Application (if applicable)

Healthcare
• Assists the Customer to meet its legal obligations under HIPAA
• Ensures compliance with HITECH as a Business Associate

Life Sciences
• FDA 21 CFR Part 11 for System Validation

Page 18: Right to Audit

• Confirm if your contract terms permit a “right to audit”
• Determine if the Cloud Provider performs regular penetration tests of the service and if you can review the results
• Validate vulnerability management is in place and effective
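The de-provisioning bullet on Page 16 and the vulnerability-management bullet on Page 18 both ask you to verify something the Provider asserts rather than take it on trust. The Python script below is an added example, not code from the original deck or from any Oracle service, showing how exported evidence can be turned into a pass/fail check: a constructed HR leaver list is reconciled against a constructed export of accounts still enabled in the cloud service, and a constructed vulnerability-finding export is measured against per-severity remediation targets. The record layouts, the 24-hour de-provisioning target and the SLA_DAYS table are assumptions for illustration; substitute the formats your Provider actually exports and the targets written into your contract.

```python
"""Evidence checks for "Trust but Verify": accounts left enabled after a
leaver's termination, and vulnerability findings remediated late.
Added example; every record below is constructed, not real provider data."""
from datetime import datetime

# Point in time at which the evidence exports were reviewed (constructed).
AUDIT_TIME = datetime(2015, 3, 10, 18, 0)

# --- Check 1: timely de-provisioning -----------------------------------
# Constructed HR leaver list: user id -> termination time (UTC).
LEAVERS = {
    "alice": datetime(2015, 3, 2, 17, 0),
    "bob": datetime(2015, 3, 9, 12, 0),
    "carol": datetime(2015, 3, 10, 9, 30),
}
# Constructed export of accounts still enabled in the cloud service.
ACTIVE_ACCOUNTS = {"alice", "carol", "dave"}


def stale_accounts(leavers, active, now, sla_hours=24):
    """Return {user: hours past SLA} for leavers whose account is still
    enabled more than sla_hours after termination.  sla_hours is an
    assumed contractual target, not a value from the deck."""
    overdue = {}
    for user, left_at in leavers.items():
        if user not in active:
            continue  # already disabled: nothing to report
        age_hours = (now - left_at).total_seconds() / 3600
        if age_hours > sla_hours:
            overdue[user] = round(age_hours - sla_hours, 1)
    return overdue


# --- Check 2: vulnerability remediation against SLA --------------------
# Constructed scan export: (finding id, severity, first seen, fixed-on or
# None while still open).
FINDINGS = [
    ("F-1", "critical", datetime(2015, 2, 1), datetime(2015, 2, 5)),
    ("F-2", "critical", datetime(2015, 2, 1), datetime(2015, 2, 20)),
    ("F-3", "high", datetime(2015, 1, 20), None),
    ("F-4", "medium", datetime(2015, 1, 15), None),
    ("F-5", "low", datetime(2015, 1, 1), None),
    ("F-6", "informational", datetime(2015, 3, 1), None),
]
# Assumed remediation targets in days per severity (illustrative only).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def remediation_breaches(findings, sla_days, now):
    """Return [(id, severity, days past SLA)] for findings fixed late or
    still open beyond their window.  A severity with no SLA entry is
    reported as a breach: a finding nobody mapped to a target has no
    remediation commitment at all."""
    breaches = []
    for fid, severity, first_seen, fixed_on in findings:
        limit = sla_days.get(severity)
        end = fixed_on if fixed_on is not None else now
        elapsed = (end - first_seen).days
        if limit is None or elapsed > limit:
            breaches.append((fid, severity, elapsed - (limit or 0)))
    return breaches


if __name__ == "__main__":
    for user, hours in stale_accounts(LEAVERS, ACTIVE_ACCOUNTS, AUDIT_TIME).items():
        print(f"de-provisioning SLA missed: {user} still enabled, {hours}h over")
    for fid, sev, over in remediation_breaches(FINDINGS, SLA_DAYS, AUDIT_TIME):
        print(f"remediation SLA missed: {fid} ({sev}) {over} days over")
```

With the constructed data, only alice is flagged as a stale account (carol left the same morning and is still inside the 24-hour window; bob was already disabled), and the remediation check flags F-2 (fixed but late), F-3 (open past its window) and F-6 (a severity with no target). Run the same two functions over each month's exports and keep the output as audit evidence alongside the Provider's own attestations.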

Page 19: Looking Ahead

• REGULATION – More & more legislation; increased effort to prove compliance
• SECURITY BASELINE – The “Due Diligence” high water mark continues to rise
• THREATS – Complex & stealth attack vectors growing; commercial hacking is big business

Page 20: Thank You… Are There Any Questions?

Gail Coury CISA, CISSP, CISM
Vice President, Risk Management, Oracle Managed Cloud Services
[email protected]

Security in the Cloud: Is it an Oxymoron?