Calming the storm


2013 - 07 - 02

Transcript of Calming the storm

1. Calming the Storm. Quinn Shamblin | Kevin McLaughlin

2. Speakers:
  • Quinn R. Shamblin, EXIN USA Executive Director & Information Security Officer, Boston University. CISM, CISSP, ITIL (previously PMP, GIAC Certified Forensic Analyst).
  • Kevin L. McLaughlin, Senior Information System Security Manager, Whirlpool Corporation. CISM, CISSP, PMP, ITIL Master Certified, GIAC Security Leadership Certificate (GSLC), CRISC.

3. Boston University: research university. Rankings in 2012-2013: 51st in the U.S. (US News and World Report), 54th in the world (Times Higher Education), 64th in the world (QS World University Rankings). Whirlpool Corporation: consumer home appliances, Fortune 125, $10B market cap.

4. A storm has been building.

5. We will explore:
  • What the storm is and some common attitudes
  • What tools, standards and best practices exist to calm the storm
  • How they interrelate
  • Considerations when analyzing a cloud service
  • How you can get more information and expertise on those tools, standards and best practices

6. Fears of Cloud Computing:
  • Control of features/functions
  • Data protection
  • Enforcement of security policies
  • Data loss
  • Vendor stability/trustworthiness
  • Job security in IT

7. Cloud Computing Benefits. Business benefits delivered by the cloud:
  • Capability / features
  • Cost
  • Redundancy / availability
  • Consumer and workforce demand: BYOD, tablets (file and information sync)
  Organizations are regaining control over their information management.

8. How Organizations Use the Cloud:
  • Application hosting: 34%
  • Email/messaging: 34%
  • Data storage: 29%
  • Collaboration software: 25%
  • App dev/testing: 23%

9. Moore's Law. Throughout the history of computing hardware, the number of transistors on integrated circuits has doubled approximately every 18-24 months. Day 20: if something doubles 10 times, it is 1000 times bigger.

10. Bit Torrent > Netflix. With respect to computing power in the cloud, what day do you think we are on?

11. Cloud Computing is more an evolution than a revolution.

12. Security is often excluded. Perception of the security department: "Dr. No", "Business Prevention Department". Security professionals need to be involved. Gartner on the security of server virtualization: 60% of virtualized servers were less secure than the original ones; 40% of organizations had not involved security specialists in their projects.

13. The Reality of Security Risk. What is substantively different about the cloud? Are the security risks really that different? Don't ignore risk, but don't assign more risk than is really there. You absolutely must still understand and mitigate risk just as you do now.

14. Interlinked Considerations. Modern business requires the security professional to have a balanced mindset and supporting knowledge:
  • Business needs (functional and fiscal)
  • Service management (how services were built and are supported)
  • Information security considerations (regulatory requirements, technical issues)
  Cloud Computing makes a seamless integration of these even more urgent.

15. Guiding International Standards:
  • ISO/IEC 20000: Service Management
  • ISO/IEC 27001: Information Security Management Systems
  • ISO/IEC 27002: Code of Practice for Information Security Management
  • ISO/IEC 27017: Code of Practice for information security controls for cloud computing services, based on ISO/IEC 27002

16. The Business's Security Needs. What level of security does the business need? Do you need complete control of the data: who can look at it and who can forward it, and be able to revoke access (Mandatory Access Control, MAC)? Is discretionary control acceptable? Policies, contracts. Wants vs. needs: MUST HAVE!

17. The Right Question. Wrong question: "Is this service secure?" Right questions: "Is this service suitable for this particular business use?" If the answer is yes, then "How do we make it secure enough?"

18. Choosing Your Battles. A matrix of Benefit to the Business (value of service: Low / Med / High) against Risk to the Business (sensitivity of data/process: Low / Med / High). Outcomes: Say Yes; Analyze Risk (document and get formal acceptance); No.

19. Analysis of the Service. Terms of service: types of cloud services, ability to negotiate. Security review: certifications for cloud providers, provider security self-assessments.

20. From the Provider's Point of View. Direct / on-premises / private cloud: 1-to-1 relationship, negotiating a contract directly, agreement may be highly customized. Shared cloud services: 1-to-100 / 1000 / 10000 / 1000000+, all customers using the same service; the provider will be much less willing or even able to customize their service just for you.

21. How Organizations Verify Security:
  • Third party attestation: 35%
  • Conduct own assessment: 28%
  • Joint vulnerability testing with the provider: 16%
  • Accept word of provider: 7%
  • We don't verify: 7%
  • Follow the lead of similar company: 5%

22. Certifications for Cloud Providers. SAS70 and SOC 1 are not evaluations of security; they evaluate financial reporting controls. SOC 2 and SOC 3 are security evaluations, based on ISO/IEC 27000.

23. Provider Security Self-assessments. Cloud Security Alliance (CSA): not-for-profit organization; promotes best practices for providing security assurance within Cloud Computing; provides vendor assessments based on well-respected standards. SharedAssessments.org.

24. Provider Security Self-assessments. CSA Security, Trust & Assurance Registry (STAR); Consensus Assessments Initiative Questionnaire (CAIQ); Cloud Controls Matrix (CCM). Maps assessment answers to respected standards: COBIT 4.1, HIPAA, ISO/IEC 27001-2005, NIST SP800-53 R3, PCI DSS v2.0, Shared Assessments SIG v6.0 and AUP v5.0, GAPP (Aug 2009), Jericho Forum, NERC CIP, AICPA Trust Service Criteria (SOC 2SM Report).

25. Important Contract Considerations. Terms of service: make sure they have a contractual commitment to maintain security certification; consider end of life; how does the TOC relate to the contract; make sure they don't own your content. What if they go out of business? What happens to your data? Service Level Agreements.

26. Monitoring & Auditing. Verify expectations are being fulfilled. Monitoring. Financial health of the provider. Periodic revision of internal assumptions.

27. Skills Required to Weather the Storm. The cloud need not be seen as a destructive force. Companies want leaders to be generalists with solid knowledge in adjacent domains and training in the standards.

28. EXIN Training & Certification. Training in all these interrelated areas: Cloud Computing, Information Security, IT Service Management, more. Covers core competencies and intersections. Developed in cooperation with international experts in their specific field.

29. Certified Integrator Secure Cloud Services. One title that includes three elements: business concerns (Information Security), new technological developments (Cloud Computing), best practices (Service Management).

30. Cloud Computing Foundations. Vendor-neutral, non-technical. Focus areas: management, structure, people, and processes; concepts, benefits, risks, infrastructure and governance.

31. EXIN Information Security. EXIN Information Security Foundation focuses on operational security matters. The first level of the three-level program, which is based on ISO/IEC 27002.

32. IT Service Management (ITSM). ITIL, the IT Infrastructure Library: the most recognized and accepted framework for IT Service Management. EXIN Service Management: based on ISO/IEC 20000; concise and practical; customer- and service-orientation; focuses on the things you should do instead of all the things you could do.

33. Applicability to the Cloud. Based on a strong understanding of IT services in general. ISO/IEC 20000 is the core of good service management: availability, security, continuity of services; Service Level Agreements control design and delivery of services.

34. Working from Standards. Having similar training, understanding the same concepts, speaking the same service language. Communication: clearing away the storm of confusion.

35. The sky is looking much clearer.

36. Contact. Quinn Shamblin, Boston University, [email protected], +1 617 358-6310. Milena Andrade, EXIN Brasil, [email protected], +55 11 3032-4111. Let us move forward! Let's proceed! Let's move!