
Is Governance Really Possible in a Cloud World?

Is Governance Really Possible in a Cloud World? Ken Smith, CISSP, CISA, CCSK, Senior Security Solutions Architect. Agenda: GRC today; problems created by cloud; managing governance; levels of control (IaaS, PaaS, SaaS); compliance in the cloud. More Bad Security Stock Images!


Presentation Transcript


  1. Is Governance Really Possible in a Cloud World? Ken Smith CISSP CISA CCSK Senior Security Solutions Architect

  2. Agenda
     • GRC today
     • Problems created by cloud
     • Managing governance
     • Levels of control (IaaS, PaaS, SaaS)
     • Compliance in the cloud

  3. More Bad Security Stock Images!

  4. Current State of GRC
     Enterprises lead in adoption
     • Tools in place
     • Staff to manage program
     • Management support
     Midsized orgs dabbling
     • Some tools
     • Limited staff
     • Mixed management support

  5. Current State of GRC (cont’d)
     Most small organizations
     • [This section intentionally blank]

  6. GRC Problems Created By Cloud
     • Existing tools may no longer work
     • Some visibility is taken away
     • Some access is taken away
     • Warm & fuzzy knowing that data is in your own data center taken away
     • Existing contract language that you know & love will likely need to be reworked

  7. What Do We Do?
     • Grant cloud solutions an exemption from our governance program & assume the provider will take care of everything
     • Don't adopt cloud because we can't manage GRC
     • Adapt existing governance programs to account for cloud-based solutions

  8. Cloud Security Integration Source: Cloud Security Alliance Security Guidance

  9. Managing Governance In The Cloud
     • It's going to take some upfront work
     • Much heavier dependence on trusting that the cloud provider is doing the right thing
     • Much heavier dependence on service level agreements & contract language
     • Lawyers!

  10. Managing Governance In The Cloud
     • Audits will be more complex
     • Compliance assessments will be “interesting”
     • Compensating controls are key

  11. Varying Responsibility

  12. Compliance In The Cloud “Out of the box”
     Meet your policies & governance requirements?
     • Very unlikely today
     Meet PCI DSS or HIPAA requirements?
     • No

  13. Is This Possible?
     • Compensating controls
     • Technology: encryption, tokenization, data masking, segmentation
     • Adapting your governance program
     • Contract language
     • Lawyers!

  14. Great Reading & Resources
     Cloud Security Alliance (CSA) www.cloudsecurityalliance.org
     • Security Guidance for Critical Areas of Focus in Cloud Computing
     The CSA Mission Statement: To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

  15. Great Reading & Resources (cont’d)
     European Network and Information Security Agency (ENISA) www.enisa.europa.eu
     • Benefits, risks and recommendations for information security

  16. Thank You
     Ken Smith, CISSP, CISA, CCSK
     Senior Security Solutions Architect
     ksmith@greenpages.com
     @ken5m1th
