
Cloud Computing

Cloud Computing: Information Security and Privacy Considerations. Mike Hay, June 2014.


Presentation Transcript


  1. Cloud Computing: Information Security and Privacy Considerations
  Mike Hay, June 2014

  2. Agenda
  • Background
  • Emergence of cloud computing
  • Increased security and privacy awareness
  • Government ICT Strategy & Action Plan
  • ICT Assurance in Relation to Cloud Computing
  • Cabinet decision
  • Risk assessment process
  • InfoSec and privacy considerations
  • System Certification and Accreditation
  • Putting this all together
  • Where to go for more help

  3. Emergence of Cloud Computing
  The August 2012 Cabinet paper recognised that:
  • Cloud computing is pervasively changing the nature of global information and ICT service delivery by shifting ownership of technology assets to service providers
  • Use of cloud computing would enable public sector ICT investment to be reduced, improve productivity and innovation, and ultimately contribute to improved service delivery and strategic organisational change
  and agreed that:
  • An all-of-government ‘cloud first’ approach is taken for the Government’s adoption of cloud computing, and that GCIO lead work to establish common foundational capability, appropriate policy frameworks and standards, and a service deployment strategy

  4. Security & Privacy Awareness
  • Security and privacy breaches have had an adverse impact on the public’s perception of how government manages and protects its information
  • Cabinet directed that the GCIO would, as part of the ICT functional leadership role, have responsibility for coordinated oversight and delivery of system-wide ICT assurance, which would include coordinating, developing and mandating common ICT assurance and information management standards

  5. ICT Strategy & Action Plan
  • Addresses persistent issues with government ICT and reflects the additional imperatives of the Better Public Services programme
  • There are four core principles of the ICT Strategy & Action Plan:
    • services are digital by default
    • information is managed as an asset
    • investment & capability are shared
    • leadership and culture deliver change
  • System assurance activities are not presented as a separate focus area; instead they are integrated into each of the four core principles

  6. ICT Strategy & Action Plan (2)
  Future government ICT will be information-centric, transcending agency boundaries and characterised by (amongst other things):
  • Security and privacy requirements being integrated into the design of all new services
  • Information being open by default and sharing being widespread
  • Agencies focusing on their unique business systems and buying in common capabilities
  • Non-core / commodity ICT assets being eliminated from agency balance sheets
  • Standardised cloud computing platforms providing the majority of government’s computing resource

  7. ICT Strategy & Action Plan (2)
  System assurance:
  • To be strengthened to manage information and technology risks and the quality of government’s ICT-enabled projects and services
  • Will apply across the spectrum of investment decision making, development, operations, benefits tracking, replacement and decommissioning
  • Accountabilities to be clarified
  • GCIO central point for coordination and reporting

  8. GCIO Oversight and Co-ordination of System-Wide ICT Assurance
  • Issued February 2014, consisting of:
    • ICT Operations Assurance Framework
    • ICT Projects and Programmes Assurance Framework
    • Risk Assessment Process
    • Risk Assessment Template
    • Cloud Computing Risk and Assurance Framework

  9. GCIO Oversight and Co-ordination of System-Wide ICT Assurance (2)
  • The objectives of the Frameworks and associated guidance are to:
    • Provide a system-wide view of ICT risks (operational and projects)
    • Provide stakeholders with confidence that ICT risks are identified and effectively managed
    • Improve system-wide ICT risk management and assurance by lifting capability
  • Basic tenet is that risks are identified and managed

  10. Risk Assessment Process
  • The process enables agencies to systematically identify, analyse and evaluate the information security risks associated with an information system or service, together with the controls required to manage the identified risks
  • The output from the process captures the information security risks associated with the information system or service, taking into consideration the agency’s business context, and identifies the controls required to manage or mitigate the identified risks

  11. Risk Assessment Process (2)
  The risk assessment is informed by the business context of the planned system or service; to do this, the agency needs to establish and define:
  • Information classification of data being handled
  • Business processes supported
  • Users of the system
  • Security and compliance requirements
  • Information protection priorities

  12. Risk Assessment Process (3)
  The process is also informed by the technical context, to provide a basic understanding of the security posture. This will involve input from the:
  • Service owner
  • Enterprise or solution architect
  • Subject matter experts
  Focus on identifying the:
  • Logical architecture
  • System components

  13. Cloud Computing Risk and Assurance Framework
  • Issued by GCIO as part of its mandate to provide guidance and advice
  • Describes the core considerations for any agency planning a deployment of a cloud computing service
  • Assists agencies in developing a robust assessment of their risk position in relation to any proposed service
  • All cloud computing decisions are to be made in the context of the published ICT assurance process

  14. Agency Adoption of Cloud Computing: Key Points
  • Decisions on cloud computing to be made on a case-by-case basis
  • No data above RESTRICTED in public cloud
  • Agencies must follow the GCIO-mandated risk assessment process when considering cloud solutions
  • There is no requirement that solutions must be onshore
  • GCIO will provide guidance and advice
  • Agency chief executives ultimately responsible for decisions made
  • Mandatory for public service and non-public service departments

  15. System Certification & Accreditation of Cloud Services
  • Any cloud service must be InfoSec certified and accredited before it can be used by an agency (effective requirement of the ICT assurance process)
  • Certification is a review of the required security controls as implemented by the service provider; the required controls are identified as a by-product of the risk assessment process
  • Accreditation is the formal authority for a service to be used; the accreditation process is informed by outputs from the certification process (CISO)

  16. Putting it all Together: What does it mean when considering a new ICT investment?
  • Need to consider the ‘cloud first’ directive
  • When acquiring a new system, the InfoSec requirements need to be ‘baked in’ from the outset; retrofitting will generally be problematic, creating delays and leading to additional cost
  • Involve someone with InfoSec expertise when determining requirements
  • Conduct a formal risk assessment (from the DIA security & risk team or a resource from the Security Panel) and use this process to inform the requirements
  • Understand that the service will have to be InfoSec certified and accredited before it can be used

  17. Where to go for More Help
  The GCIO role is delivered and supported by Service & System Transformation. Key contacts and areas of responsibility are:
  • John Roberts, Director Relationship Management: agency engagement
  • Alison Schulze, Director ICT Assurance
  • Duncan Reed, GM System Transformation: investment strategy, four-year plans, oversight of ICT Strategy & Action Plan
  • Chris Webb, GM Commercial Strategy and Development: ICT Common Capabilities
  DIA Security and Risk Team:
  • Mike Jordan, Manager Security & Risk

  18. Questions
