
Security and Privacy Services Cloud computing point of view

Security and Privacy Services: Cloud computing point of view. October 2012. Cloud Opportunities. Beyond apparent security and risk challenges, Cloud computing will lead to… New Security Opportunities. Disposable environment - turn it off when not in use to keep security efficiency high.

tom

Presentation Transcript


  1. Security and Privacy Services: Cloud computing point of view. October 2012

  2. Cloud Opportunities

     Beyond apparent security and risk challenges, Cloud computing will lead to… New Security Opportunities

     • Disposable environment - turn it off when not in use to keep security efficiency high
     • Leverage Cloud solutions to realize better efficiency within security management program
     • Opportunity to implement stronger security than legacy on premise security models
     • Reduce vulnerabilities by ‘rightsizing’ resources in use through dynamic provisioning capability

     Cloud Security Strategy diagram labels: Privacy, Regulatory, Cyber Threat, Resiliency and Availability, Identity and Access Mgmt, ERP, Security Operations, App Development

  3. Regulations: Using integrated frameworks to help comply with regulatory requirements

     Slide columns: WHAT YOU NEED TO KNOW / CHALLENGES / SOLUTION

     Some regulations have not been updated
     Since cloud computing is relatively new, many regulatory agencies have not updated the requirements for the cloud.
     As regulations change, companies may not know each of the requirements needed to comply before they use cloud computing. Often, the regulatory and security requirements come after the fact.

     There are strategies for managing multiple requirements
     Companies are at different levels of maturity, requiring strategies for prioritization and remediation.
     Companies are concerned with various unknowns, including the rapid development of many new products, technologies, and services available for the cloud.

     Depending on the cloud computing solution, using certain cloud service providers may actually increase or change the regulatory requirements that a company traditionally needs to comply with.

     Standards and leading practices are too new
     Cloud computing does not yet have an established “standard” and many leading practices are still evolving.

     • Perform a regulatory analysis of your cloud computing adoptions to understand what requirements are needed.
     • Establish an integrated framework for the current and even upcoming requirements.
     • Consider a GRC (Governance, Risk and Compliance) strategy that allows an “Assess Once, Test Once, Satisfy Many” model.
     • Identifying the current and upcoming regulatory requirements should be part of the design and selection of the cloud solution.
     • Use an integrated framework that rationalizes the various regulatory requirements as the assessment and tracking mechanism for the various regulatory requirements.
     • Create strategies for managing and prioritizing remediation efforts.
     • Use a risk-based approach for managing risk.

     Panel titles: Next steps; What to include in your regulatory strategy

     Cloud Security Strategy diagram labels: Security operations, Resiliency and availability, App development, ERP, Cyber threat, Privacy, Identity and access mgmt, Regulatory

  4. Application Security: How to enable secure application development

     Slide columns: WHAT YOU NEED TO KNOW / CHALLENGES / SOLUTION

     Operational Software Development Life Cycle
     SaaS applications should follow a specific Software Development Lifecycle (SDLC) model and operational release management process (e.g., security-focused user acceptance testing).
     Operational SDLC for SaaS services may not be mature. CSP’s SDLC process may not include operational testing, throughput, and data transfer/failover capabilities via PaaS/IaaS.

     Secure Configuration and Vulnerability Testing
     SaaS applications need to be configured in accordance with a published common configuration management guide as well as use common security benchmarks (e.g., OWASP Top 10, CIS Configuration Benchmarks, and NIST SCAPs).
     Cloud application hosting can involve several outsourced services (e.g., PaaS and IaaS), which can create difficulties for aligning security practices, response and patch, and vulnerability management capabilities throughout the service offering.

     Migrating Legacy Applications
     Many companies are recognizing the value of migrating legacy applications to a PaaS model to reduce cost and avoid expensive hardware costs for the upkeep of less active applications.
     Application release cycle and patch and vulnerability management can be difficult based on CSP capabilities, terms, and service operations. The cycle of version changes may not always be known and sometimes can change without warning.

     • Create and define application security requirements and regulatory expectations for moving to the cloud.
     • Define SDLC approach and expectation for use of an operational software application hosted by a CSP.
     • Update and document patch and vulnerability management expectations for hosted applications to include support services.
     • Create a data and application access strategy, which aligns to existing data access security policies.
     • Create an application deployment roadmap for moving to a CSP based on risk exposure, reduction, and deployment capability.
     • Develop a security evaluation criterion to evaluate application environments to include evaluations for supporting PaaS and IaaS.
     • Outline service-level expectation within SLA along with an ISA, which outlines security expectation (e.g., uptime, upgrades, and response capabilities).

     Panel titles: Next steps; What to include in your App Development strategy

     Cloud Security Strategy diagram labels: Privacy, Regulatory, Cyber Threat, Resiliency and availability, Identity and access mgmt, ERP, Security operations, App development
