
Risk Management & Legal Issues in Cloud Practice


Presentation Transcript


  1. Risk Management & Legal Issues in Cloud Practice
     Christopher Dodorico, Director, PricewaterhouseCoopers
     Wednesday, October 10, 2012

  2. Cloud Computing in the US Federal Government – Where are we today?
     The pace of cloud adoption by federal agencies is picking up
     • Agencies are starting to “dip their toe in the water” and “learn as they go”
     • Embracing the possibilities of cost savings and efficiencies
     • Federal agencies see positive movement in the long-awaited framework for cloud providers to address security concerns in a homogenous manner, with a common controls framework

  3. Cloud Computing in the US Federal Government – Where are we at today?
     Despite this positive initial movement, agencies are still concerned about security of the cloud
     • Issues of working with service providers to manage a myriad of compliance requirements, data location, multi-tenancy, and security continue to concern federal agencies contemplating a movement to the cloud
     • Agencies should not rely solely on FedRAMP for information assurance
     • Need for automated audit and assessment tools, as well as continuous monitoring
     • Initial migration of lower-risk and “less mission-critical” operations to the cloud, as a first step

  4. Cloud Computing in the US Federal Government – Where are we at today?
     However, the outlook is still bright
     • The combination of education, experience and emerging standards should increase cloud adoption in government
     • Security concerns may decrease over time due to continuous process improvement
     • Harmonizing multiple, overlapping regulatory requirements through Integrated Compliance is critical
     • Patience and Strategy are key – as cloud computing technology, security and cost savings mature, federal agencies will become more comfortable with placing key information in the cloud

  5. Cloud Security Compliance - FedRAMP
     • The Federal Risk and Authorization Management Program (FedRAMP) establishes the first regulatory program to provide:
       • A standard, mandatory common controls framework for federal Cloud Service Providers (CSPs)
       • A standard approach for conducting security assessments of cloud-based systems by a Third Party Assessment Organization (3PAO)
       • Published controls that serve as the entry requirement into the market
       • Positive trend toward reuse/reapplication
     Yet another compliance requirement?

  6. Integrated Compliance: Integrate Cloud Compliance with Existing Control Frameworks
     Taking requirements… (FISMA / FedRAMP, PCI, HIPAA, ISO, other requirements)
     …identifying common controls or processes… (access controls, passwords, encryption, training, risk assessments)
     …documenting policy, controls, and criteria that meet minimum requirements across standards into an Integrated Control Framework…
     …and executing the program with the integrated framework:
     • Identify Data Sources
     • Define & Assess Risk
     • Develop & Implement Controls
     • Audit and Correct
     • Enforce, Monitor & Support

  7. Critical Success Factors for Cloud Compliance
     • Cloud environments, and more so public cloud environments, present a unique challenge with respect to the sharing of responsibilities for security controls between the CSP and the user organization
     • Appropriate scoping of the environment, location of data, boundary definition, security controls demarcation and clarity about responsibility is critical!

  8. Critical Success Factors for Cloud Compliance
     • Understanding data access controls, specifically:
       • How is data classified in a multi-tenant environment?
       • How is data classified if data from multiple organizations is stored in the same data set?
       • How is logical access granted to specific data sets?
       • What access control mechanisms are used?
     • Development, deployment and ongoing management of a cloud environment require significant attention to governance.
     • A cloud environment by nature cannot be static, as customers and capabilities are changing constantly, and it must scale to meet changing business objectives and regulatory requirements.

  9. Critical Success Factors for Cloud Compliance
     • Definition of what qualifies as a “Significant Change”
       • CSPs and their customers each have a point of view
       • Dialogue between CSPs and their customers to come to joint agreement on what might trigger re-accreditation or re-assessment
     • Collaboration between subscribers (federal agencies), CSPs, authoritative bodies, assessors/auditors, member organizations and software vendors is critical to the success of federal cloud computing
     • Design and development of robust SLAs and legal agreements
     • Agreement on applicable control requirements and areas where “scale-up” may be necessary
     • Government is doing a good job of outreach

  10. PwC’s Washington Federal Practice assists our federal and commercial clients with their IT regulatory and cloud compliance challenges
      Christopher P. Dodorico, Director
      christopher.p.dodorico@us.pwc.com
      703-861-2205