Discussion of information security risks in current business and technology environments, presented to ISSA Ireland conference attendees in Dublin on 12 May 2011.
2. Is information security less of a risk now? In this economic climate business risks have changed. Has information security risk moved down the Internal Auditor's priority list?
13. The Cloud. Deployment models: Private, Public, Community, Hybrid. Service models: SaaS, PaaS, IaaS. Related concepts: Grid Computing, Platform Virtualisation, Utility Computing, VM, Web 2.0. Claimed characteristics: Automatic Security Management, Cost savings, Agile, Scalable, Resilient, Service oriented. Cloud computing is a new business model, a new way of delivering computing resources, NOT a new technology.
Deloitte's Global Risk Management Survey – Seventh Edition
Security Art – 2011 Predictions
Global Status Report on the Governance of Enterprise IT (GEIT) 2011 – ISACA and IT Governance Institute
Ponemon Institute survey: More than 20% of cloud providers view security as a competitive advantage. 69% of providers think security is the user's job. Only 35% of users think this!
Moving public stuff allows you to focus on the less sensitive stuff in house. Economies of scale: security is better and cheaper when implemented on a larger scale. Multiple locations (redundancy) improve availability. Staff specialisation and experience. Updates rolled out more frequently. Default images updated with the latest patches.
Harks back to the (ancient) use of Unix crypt to brute-force decryption of /etc/passwd. Information leakage in 3rd-party compute clouds was also explored in 2009. [U Cal and MIT paper]
Data protection: is very complicated where personal data is stored in countries outside the EU; has many options, including Safe Harbor for the US. Legal: which country's laws apply if there is a dispute with your cloud provider? What remedies do you have if there is a problem and the data is elsewhere?
See Cloud Security Alliance – Cloud Controls Matrix.
Example approach: SLA criteria used to measure relationship management, relative responsibilities, tools used to monitor/manage, communications, problem management.
ENISA Report, November 2009
See CSA. Amazon outage example – affecting Foursquare, Quora and Reddit.
CSA – see ‘Cloud Audit’
Evidence for work on gap analysis/remediation is to be found in the research and the work of concerned organisations (ENISA, NIST, CSA etc.). The classic gap is zero-day vulnerabilities: the time frame is getting shorter, but the 'bad boy' response is quicker.