Fearing the cloud: why the life sciences shouldn't fret
-
Upload
cornerstone-ondemand -
Category
Recruiting & HR
-
view
90 -
download
0
Transcript of Fearing the cloud: why the life sciences shouldn't fret
Fearing the Cloud:Why the Life Sciences Shouldn’t Fret
Michael OsburnDirector, Risk &Compliance Advisory Services
Cornerstone OnDemand
Nyla ReedFounding PartnerThe Educe Group
Cloud Computing Defined
Cloud computing is Internet-based computing, where computing resources (servers, services, applications, data storage, buildings and/or staff) are provided to users on demand as a product offered by a company.
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015 2
Cloud Computing Defined
►It typically involves over-the-Internet provision of dynamically scalable and often virtualized computing resources Virtualization allows
the same computing hardware to be shared by multiple clients or customers
3Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Cloud Computing Defined
►Fees are typically based on the total amount of computing resources used Think about how we access, use and pay for electricity
from the power grid. The cloud model is similar. You use what you need, pay for it accordingly, and it is always available
4Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
The NIST Cloud Model
► The cloud model can be thought of as being composed of five essential characteristics, three service models and, four deployment models.
► A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
5
Public Private Hybrid Community
Broad Network Access
Rapid Elasticity Measured ServiceOn-Demand Self-Service
Resource Pooling
Essential Characteristics
Deployment Models
Software as a Service (SasS)
Platform as a Service (PasS)
Infrastructure as a Service (IasS)
ServiceMethods
Source: NIST: National Institute of Standards and Technology
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Essential Characteristics of Cloud
MULTI-TENANCY
6
Not called out by NIST, but considered another essential characteristic of Cloud.
Multi-tenancy in its simplest form implies use of same resources or application by multiple consumers that may belong to same organization or different organization.
The impact of multi-tenancy is visibility of residual data or trace of operations by other user or tenant.
Source: http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Cloud Deployment Models
7
PublicCloud
PrivateCloud
Hybrid Cloud
Community
Cloud
Systems and services are delivered and managed within an organization in a shared services model. Organization has greater/complete control over data and systems.
The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities bound together by standardized or proprietary technology enabling data and application portability.
The cloud infrastructure is shared by several organizations and supporting communities that share concerns (i.e., mission, security requirements, or policy)
The cloud infrastructure available to the general public or a large industry group and owned by an organization selling cloud services
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Cloud Service Models
THE SPI SERVICE MODELS
8Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Cloud Service Models - SPI
9
PublicCloud
. Capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail).
Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.
Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party.
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Cloud Computing
CLOUD SERVICE MODELS – FACTORS TO CONSIDER
10
Source: ISACA Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives [October 2009 ]
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Cloud Computing
CLOUD DEPLOYMENT MODELS – FACTORS TO CONSIDER
11Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Is Cloud for Us ?
Here’s a quick method for evaluating your tolerance for moving an asset to various cloud computing models.
Work through the following steps:
Identify the asset for cloud deployment
Evaluate the asset
Map the asset to potential cloud deployment models
Evaluate potential cloud service models and providers
Map out the potential data flow
Conclude
Documented within CSA’s publication: “Security guidance for critical areas of focus in Cloud Computing v3.0”
ARE WE WILLING TO ACCEPT THE RISK ?
12Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Is Cloud for Us ?
How sensitive is the asset ?
How important an application / function / process is ?
Ask the following questions for each asset:
1. How would we be harmed if the asset became widely public and widely distributed?
2. How would we be harmed if an employee of our cloud provider accessed the asset?
3. How would we be harmed if the process or function were manipulated by an outsider?
4. How would we be harmed if the process or function failed to provide expected results?
5. How would we be harmed if the information/data were unexpectedly changed?
6. How would we be harmed if the asset were unavailable for a period of time ?
EVALUATE THE ASSET
13Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Is Cloud for Us ?
Essentially we are assessing confidentiality, integrity, and availability requirements for the asset; and how the risk changes if all or part of the asset is handled in the cloud
EVALUATE THE ASSET
14Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Is Cloud for Us ?
Which deployment models we are comfortable with?
Can we accept the risks implicit to the various deployment models: private, public, community, or hybrid; and hosting scenarios: internal, external, or combined ?
For the asset, determine if you are willing to accept the following options:
1. Public.
2. Private, internal/on-premises.
3. Private, external (including dedicated or shared infrastructure).
4. Community; taking into account the hosting location, potential service provider, and identification of other community members.
5. Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside
MAP THE ASSET TO CLOUD DEPLOYMENT MODELS
15Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Is Cloud for Us ?
In this step focus on the degree of control you’ll have at each SPI tier to implement any required risk management.
If you are evaluating a specific offering, at this point you might switch to a fuller risk assessment
Your focus will be on the degree of control you have to implement risk mitigations in the different SPI tiers.
We’ll cover the evaluation of providers later.
EVALUATE POTENTIAL CLOUD SERVICE MODELS AND PROVIDERS
16Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Is Cloud for Us ?
If you are evaluating a specific deployment option, map out the data flow between your organization, the cloud service, and any customers/other nodes.
It’s absolutely essential to understand whether, and how, data can move in and out of the cloud.
If you have yet to decide on a particular offering, you’ll want to sketch out the rough data flow for any options on your acceptable list. This is to insure that as you make final decisions, you’ll be able to identify risk exposure points..
MAP OUT THE POTENTIAL DATA FLOW
17Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Evaluating Cloud Service Providers
Choose a CSP that best serves business needs whilst minimizing potential risk
Consider size – smaller CSP vs established larger CSPs, Larger CSPs:
Will have references, comparable use cases etc
Will be more experienced with running cloud infrastructures, adapting to change and generally faster in responding to an incident or threat, thus being able to maintain stability more efficiently.
But a larger CSP will likely be stricter toward its offerings, which will greatly reduce the possibility of fine-tuning services not fully compatible with the enterprise needs
WHEN EVALUATING A CLOUD SERVICE PROVIDER (CSP)
18
Source: Controls and Assurance in the Cloud: Using COBIT® 5
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Evaluating Cloud Service Providers
Vendor expertise
The enterprise needs expert knowledge or a broader perspective and experience with similar enterprises to effectively and efficiently handle certain activities.
Vendor capacity
The enterprise does not have the resources to handle the work related to a specific product or service. The vendor can supply the resources to support the entire operation or to supplement in-house resources.
Vendor assuming risk
The enterprise outsources activities to leverage a vendor’s experience with operational risk and corresponding risk mitigation services. However, the accountability for the adequate performance of those activities can never be delegated and stays with the enterprise.
Vendor leveraging scale
Vendors can offer services at a lower cost because working for multiple customers allows vendors to leverage scale.
FACTORS THAN CAN INFLUENCE SELECTION OF A CSP
19Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Evaluating Cloud Service Providers
Vendor location (storage and processing centers) is of key importance for legal reasons. Laws are applicable locally, which can result in a multitude of different law systems applicable to data or business processes stored in the cloud.
We need to consider:
Local Law of the Enterprise
Local law of the CSP
Local law where data is stored
Local law where data is processed
.
LEGAL IMPLICATIONS
20Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Evaluating Cloud Service Providers
An effective Vendor Management Process with clear goals and objectives can help to ensure:
Vendor selection and management strategy is consistent with enterprise goals.
Effective cooperation and governance models are in place.
Service, quality, cost and business goals are clear.
All parties perform as agreed.
Vendor risk is assessed and properly addressed.
Vendor relationships are working effectively, as measured according to service objectives.
Many key stakeholders will be involved:
IT and business process owners solely,
Legal to help define requirements and writing contracts.
Compliance and audit should be consulted when reviewing service agreements and vendor compliance assessments.
Risk management and business continuity should analyze vendor-related risk, etc.
:
VENDOR MANAGEMENT PROCESS
21Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Evaluating Cloud Service Providers
A formal information gathering process should be followed and key questions answered across the following topics. These should include topics such as:
RFI / INFORMATION GATHERING QUESTIONNAIRE
22
Source: SIG (Standardized Information Gathering Questionnaire) v7.0 / The Santa Fe Group / http://www.sharedassessments.org
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Evaluating Cloud Service Providers
Cloud specific questions..
What service model (SaaS, PaaS, IaaS) ? What deployment model (Private, Public..) ?
Where is the Cloud infrastructure hosted ?
Is there a Cloud Audit Program to address client audit and assessment requirements ?
Is there a formal Development Methodology in operation ?
Is there a formal process to ensure clients are notified prior to changes being made which may impact their service ?
Is there a scheduled maintenance window ?
RFI / INFORMATION GATHERING QUESTIONNAIRE
23
Source: SIG (Standardized Information Gathering Questionnaire) v7.0 / The Santa Fe Group / http://www.sharedassessments.org
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Evaluating Cloud Service Providers
Increasingly common for CSPs to elect to undergo an audit/review/assessment from an independent auditor/assessor and share the report/certification.
Most commonly used reports are:
SSAE 16 (SOC 1, SOC 2, SOC 3)
ISAE 3402 (SOC 1)
ISO/IEC 27001
AICPA / CICA Trust Services (SOC 2 and SOC 3) reports
INDEPENDENT ASSURANCE OF CSP
24
Source: Controls and Assurance in the Cloud: Using COBIT® 5
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
What does this mean to you?
DEPLOYMENT CHANGES
25
Area of Responsibility Behind the Firewall Cloud
Infrastructure and Architecture
Hardware and Software installation - Integrations- SSO- Extensions (web services)
Application Level Changes
- Full access to enable/disable functionality and change system settings- Customizations
- Some system settings changed by vendor only- Configuration only
Reporting - Ability to access database directly - Reporting and Analytics- Export functionality
Performance - Performance monitoring- Bandwidth limitations
- Opportunities to optimize for growth/peak periods- Leverage CDNs
Release Management - Upgrades- Client-based scheduling of changes
- Release cycle determined by vendor- Client determines enable/disable settings
Say goodbye to… The new normal…
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
What does this mean to you?
IMPLEMENTATION APPROACH
26
Area of Responsibility Behind the Firewall Cloud
Validation Strategy Created by client Leverage vendor documentation
Requirements --- ---
Business Process Definition --- ---
Configuration Performed by client Responsibility split: client/vendor
Testing Performed by client Leverage vendor, customer base
Help Desk Client establishes SLAs SLAs need to be aligned with vendor
Governance Vendor may participate in some meetings Greater partnership with vendor
Technical – Content Client manages content servers Choice of content location
Technical - Infrastructure Installations affect project plan Infrastructure readily available
Say goodbye to… The new normal…
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
What does this mean to you?
RELEASE MANAGEMENT
27
Identify internal resources to manage periodic release process
Review vendor release notes and determine what functionality changes will affect you
Create testing plan to regression test existing processes
Leverage existing vendor resources
Testing environment
Customer community
Pre-release webinars
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
Contractual Provisions
Overview of important contractual provisions that an enterprise should consider when contracting with a CSP.
These include:
1. Scope of Services
2. Core Obligations of Parties
3. End of Contract
4. Custody and Ownership
5. Security, Privacy and Access
6. Fees and Payment Terms and Modalities
7. Performance
8. Term and Termination Possibilities
9. Liabilities
10.Dispute Resolution and Applicable Law
11.Business Continuity, Data Disposal and Exit Strategy
WHEN CONTRACTING WITH A CLOUD SERVICE PROVIDER (CSP)
28
Source: Controls and Assurance in the Cloud: Using COBIT® 5
Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015
References
Key Organisations:
NIST – National Institute of Standards and Technology (www.nist.gov)
CSA – Cloud Security Alliance (www.cloudsecurityalliance.org)
ISACA – www.isaca.org
Shared Assessments Program – (https://sharedassessments.org)
Key document references:
The NIST Definition of Cloud Computing (NIST Special Publication 800-145, Feb 2011)
Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives (ISACA Emerging technologies white paper, Oct 2009)
Controls and Assurance in the Cloud: Using COBIT® 5 (ISACA, 2014)
Cloud Governance: Questions Boards of Directors Need to Ask (ISACA, 2013)
Guiding Principles for Cloud Computing Adoption and Use (ISACA Cloud Computing Vision Series White Paper, February 2012)
Security Guidance for Critical Areas of Focus in Cloud Computing v3.0 (CSA, 2011) [http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf]
Standardized Information Gathering Questionnaire (SIG) (https://sharedassessments.org/)
29Fearing the Cloud: Why the Life Sciences Shouldn’t Fret | July 29, 2015