How to Gain Comfort in Losing Control to the Cloud
Randolph Barr
CSO - Qualys, Inc
SourceBoston, 23. April 2010

At a Glance
• NIST Definition of Cloud
• Cloud Challenge
• Cloud Concern
• Added Security Concerns
• Security Transition
• Is Cloud Ready for You
• Available Resources
• Where to Start

NIST Definition of Cloud
http://csrc.nist.gov/groups/SNS/cloud-computing/

Cloud Challenge
“In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.”
-- Information Week
http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319

Cloud Security Incident
“In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”
• Attackers are ignoring the front door
• Current anti-virus solutions are not working
• Patching sometimes is not enough
• You might be playing in the big leagues
• http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
• http://www.qualys.com/aurora

Added Security Concerns
• Business units bypass IT and Security
• Individuals using cloud on their own
• How can IT / Security get in front of decisions to use cloud?
• Must do a better job managing risk

Cloud Security Shift
Customer Options
• Security is a business enabler
• Raise cloud user comfort
• Provide transparency
• Collaboration

• Focus on business and not security
• Business disabler
• Cloud Provider knows how to implement security
• Not transparent

Security Transition
• Lessons Learned
• Customer Concerns
• Security Questionnaires
• Responses to questions varied
• Increase in questionnaires
• Requests for evidence

Critical Challenges for Cloud Security
• Security Program
• Questionnaires
• Follow-up Reviews
• Regulatory Compliance
• Customer Reviews
• External and Internal Reviews
• Security Budgets
• Staffing / Resources
• Reduce Confusion

Enterprise CIO Strategies — IT Security Needs to be Aligned
(February 2010)
• Link Business and IT strategies and plans
• Deliver projects and enable business growth
• Cloud Computing
• Web 2.0
• Virtualization

Is Cloud Ready for You
• Determine business need
• Will the Cloud Provider be around?
• What data will be stored?
• Where will it be stored?
• What are your classification and control requirements for that data?

Is Cloud Ready for You
• What controls does the provider implement?
• Who is responsible for security?
• Are there third party validations?
• Right to audit
• Process for removing data
• Incident response
• How often do you need to review?

Resources Available to Cloud Users
• Cloud Security Alliance: CSA Guide (guide your approach with internal legal / business unit); also recommendations for users and providers
• Top Threats to Cloud Security (underwritten by HP)
• ENISA: Security Benefits of Cloud and Risks; makes recommendations on risks and how to maximize the benefits

Resources Available to Cloud Users
Shared Assessments
• Target Data Tracker
• Self Information Gathering (SIG) – Level I, Level II
• AUP
• Business Continuity Questions, Privacy Questions, other tools
Jericho Forum
• Cloud Cube Model
• Self-Assessment

What Will Be Stored
• Know your provider
• Ask them what data is required to be stored
• Verify with your internal business team

Where Will It Be Stored
• Request their locations
• Validate that all locations are accounted for
• Request that they describe the types of controls in place

How to Verify
• Target your questionnaire
• Questions should clearly identify whether they concern internal or production systems
• Answers of No or N/A should have the comments section completed

Other Options
• Security Questionnaires
• On-site Review
• ISO 27002
• SAS-70 Type II
• ISAE 3402
• SysTrust
• PCI
• Third Party Penetration Test
• Emerging Cloud Certifications / Assessments

Moving Forward
• Provider security maturing
• Continuous Assessment
• Transparency
• Vendor Cooperation
• Collaboration
• Community

Available to Cloud Users
• Qualys: http://www.qualys.com/products/qg_suite/malware_detection/
• Qualys: http://www.qualys.com/aurora
• Cloud Security Alliance: http://www.cloudsecurityalliance.org/
• JERICHO Forum: http://www.opengroup.org/jericho/
• Shared Assessments: http://www.sharedassessments.org/
• ISAE 3402: http://www.ifac.org/MediaCenter/?q=node/view/687

Thank [email protected]