The document discusses the security and privacy challenges that come with cloud adoption. It notes that security is the main barrier to cloud adoption (87%), and that many companies worry about trusting an outside third party with their data (52%) or about a security breach arising from the use of cloud-delivered security services (41%). It also argues that complexity reduces innovation and that an integrated risk-management approach is needed to address vulnerabilities.
2. 87% Security main barrier to cloud adoption
Source: IDC Enterprise Panel, 3Q09
52% Concerned with trusting an outside 3rd party
Source: IDC Cloud Security Survey, 2011
41% Fear a security breach from use of security SaaS
Source: IDC Cloud Security Survey, 2011
40% Compliance concerns prevent use of SaaS
Source: IDC Cloud Security Survey, 2011
Cloud Computing saves costs but reduces control, visibility and trust
7. Without innovation, companies do not succeed
Only 21% ARE GROWING
Source: Why Companies Fail and the Information Imperatives to Help Ensure Survivability, by Gregory P. Hackett.
8. More than 90% of companies do NOT use IT to implement innovation
11. DISTRIBUTION OF IT SPENDING IN 2012
63% RUN THE BUSINESS (to operate the business)
21% GROW THE BUSINESS
16% TRANSFORM THE BUSINESS
Source: Gartner
Alternative mix shown alongside: 50% RUN THE BUSINESS, 25% GROW THE BUSINESS, 25% TRANSFORM THE BUSINESS
WHAT WOULD HAPPEN IF WE COULD CHANGE THE WAY WE SPEND?
12. FINANCE EXECUTIVES ARE READY
64% REDUCE OPERATING COSTS BY 20%
76% KEY TO THE SUCCESS OF THEIR COMPANIES IN THE NEXT 12-18 MONTHS
81% WOULD IMPROVE THEIR EMPLOYEES' PRODUCTIVITY
Complete implementation of cloud technology
Source: CFO Research, The Business Value of Cloud Computing, A Survey of Senior Finance Executives, June 2012.
15. “You are going to get hacked. The bad guy will get you. Whether you are viewed as a success by your board of directors is going to depend on your response.” Charles Blauner, Citigroup
18. Only 6% of companies use data analytics to minimize the economic impact of cybercrime
Oracle Confidential – Internal/Restricted/Highly Restricted
http://www.pwc.com/gx/en/economic-crime-survey/downloads.jhtml
19. 94% of attacks are against servers
66% of the most sensitive data is in databases
21. Attackers hack the vendors via phishing
Using stolen credentials, the attackers access the vendor portal
They search for, find and infect the file servers
They find and infect the point-of-sale (POS) terminals with malware
The malware searches for card information in cleartext (unencrypted)
The malware sends the credit card data to the company's own file servers
The data is extracted via FTP servers
(Diagram label: PERIMETER, the boundary the attack path crosses at each step)
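What "card information in cleartext" means in the chain above, as an added example that is not part of the original deck or of Oracle's material: a cardholder-data discovery scan over two constructed memory buffers. RAM-scraping malware and a PCI DSS cardholder-data discovery tool use the same pattern-plus-Luhn logic; only the operator differs. The PANs are published test numbers that pass the Luhn check but belong to no real card, the `POSAPP` strings and buffers are constructed, and the second buffer shows why point-to-point encryption or tokenization at the terminal leaves such a scan nothing to find.

```python
"""
Cardholder-data discovery over a memory or file buffer.

Added example for the POS attack chain; not code from the original deck
or from Oracle. Finds ISO 7813 Track 2 records and bare PANs that pass
the Luhn check, reporting them masked. Sample buffers are constructed.
"""
import re

# ISO 7813 Track 2: PAN (13-19 digits), '=' separator, YYMM expiry,
# 3-digit service code, discretionary digits, optional '?' end sentinel.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Bare PAN: 13-19 digits not embedded in a longer run of digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check; rejects most order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style masking: only the first six and last four digits survive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return Luhn-valid Track 2 records and bare PANs found in buf, by offset."""
    hits, covered = [], []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"kind": "track2", "pan": mask(pan),
                         "expiry": m.group(2).decode(), "offset": m.start()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue  # already reported as part of a Track 2 record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"kind": "pan", "pan": mask(pan), "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed "process memory" of a POS application holding card data in
# the clear: one Track 2 read from a swipe, one PAN typed for a refund,
# plus an order number and a mistyped PAN that must not be reported.
CLEARTEXT_DUMP = (
    b"\x00\x00POSAPP v3.1\x00order=1234567890123456\x00"
    b";4111111111111111=25121011234567890?\x00"
    b"refund pan=5500000000000004 exp=0926\x00"
    b"typo pan=4111111111111112\x00"
)

# Constructed memory of the same application after point-to-point
# encryption/tokenization: only a token and the last four digits remain.
TOKENIZED_DUMP = (
    b"\x00\x00POSAPP v3.1\x00order=1234567890123456\x00"
    b"tok=tok_9f3a7c2e5b1d last4=1111\x00"
)

if __name__ == "__main__":
    for name, buf in (("cleartext", CLEARTEXT_DUMP), ("tokenized", TOKENIZED_DUMP)):
        print(name, scan_buffer(buf))
```

Run against a real process dump or a file share, the same scan is how a compliance team finds the cleartext the slide describes before an attacker does; the Luhn filter matters because without it every 16-digit order or ticket number becomes a false hit.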
22. Point-of-sale (POS) attack
Web application attack
Insider misuse
Physical theft or loss
Miscellaneous errors
Crimeware
Card skimmers
Denial-of-service attacks
Cyber-espionage
26. Security within each layer
Security between layers
Security between systems
27. Governance
Processes and Roles
User controls
Network controls
Host controls
Application controls
Data-level controls
28. “Most organizations continue to inappropriately focus their attention on network vulnerabilities and reactive tools, instead of PROACTIVE application security best practices.”
Forrester: The Evolution of IT Security 2010 to 2011
39. The only way to address vulnerabilities and threats without affecting the business is to have an integrated view of risk
41. Key points
• Programs based on the ISO 27001:2005 & 27002:2005 standards and the control frameworks
• The European Directive 95/46/EC on privacy
• Key controls for identification, mapping, governance and audit
• Crossing regulatory frameworks benefits even the less rigorous programs
42. Authorization from the Bank's internal governing bodies
• Risk Committee
• Audit Committee
• Executive Management
Service model (SLA).
Supporting documentation
• Proof of concept and test results
• Disaster recovery plan
• Security scheme
• Controls
• Audit approach
• Confidentiality of the information
• Liability in case of fines, etc.
The CNBV may require a certification from the internal auditor.
Additional information may be requested by the CNBV during the process.
43. Have and apply personal data protection policies consistent with the applicable principles and duties established by the Law and these Regulations
Be transparent about any subcontracting that involves the information on which the service is provided
Refrain from including conditions in the provision of the service that authorize or allow the provider to assume title to or ownership of the information on which it provides the service
Maintain confidentiality regarding the personal data on which the service is provided
44. Disclose changes to its privacy policies or to the terms of the service it provides
Allow the data controller to limit the type of processing of the personal data on which the service is provided
Establish and maintain adequate security measures to protect the personal data on which the service is provided
Guarantee deletion of the personal data once the contracted service has ended and the data controller has been able to recover it
Prevent access to the personal data by persons who do not hold access privileges
46. 3 technical questions for any cloud service provider
How many datacenters does the provider have?
Which of your applications run on your cloud?
Is Social & Mobile included in the offering?
47. 3 legal questions before contracting cloud services
Have you read the contract? Have you read the contract? Have you read the contract?
48. 3 steps for cloud adoption according to the Harvard Business Review.
Experiment with software services
Look for a new project in the cloud
Seek help
49. The path to a successful mix of Privacy, Security and Cloud is Plan, Do, Check and Act based on Risk Analysis
Editor's Notes
I want to set some context for the talk by describing the dramatic changes in end user requirements. As we speak to customers we are amazed by how large an impact cloud computing play into their strategy for the future.
The Cloud is the biggest opportunity to reduce cost
The barrier to most of the cloud projects today is security … As we speak to customers in diverse verticals with regard to cloud, the feedback is that security is the number one barrier to unlocking the opportunity – lines of business complain about the loss of forensics, the loss of visibility and reporting and, more importantly, the compliance issues.
Cloud applications are enabling new business and IT models through hosted and flexible, scalable applications. Yet, mass migration to cloud-delivered applications has been slowed due to concerns about security. Key barriers to entry are focused around loss of control, lack of cloud access visibility, and enforcement of corporate governance and regulatory compliance.
Central to these concerns is that corporate users manage their own accounts for cloud applications, typically using weak passwords that are disconnected from the corporate identity infrastructure. User actions in these disconnected applications go without oversight or authorization, leading to risk of sensitive data loss and compliance violations. Additionally, the lack of standardized logging prevents administrators from monitoring and correlating cloud application user activity with internal audit repositories.
Today, as employees, partners, and customers increasingly rely on cloud applications to conduct business, the same password challenges take on another form of complication. Many cloud service providers support SAML to establish Federated Trust with customers’ enterprise IdP. So do Oracle Cloud applications.
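The oversight gap described in these notes, as an added example that is not part of the original deck or of Oracle's products: once the SaaS application's audit trail and the corporate IdP's log are normalised to one schema, every SaaS login either maps back to a SAML assertion the enterprise IdP issued, or it is a disconnected account the enterprise cannot govern (a local password login, a user not in the corporate directory, or an assertion the IdP never logged). All log lines, hostnames and users are constructed, and the `<timestamp> <EVENT> key=value ...` line format is an assumed common schema, not any vendor's format.

```python
"""
Correlating SaaS login events with the corporate IdP's SAML log.

Added example, not code from the original deck or from Oracle. Flags
SaaS logins that bypass or lack corporate identity oversight. Logs are
constructed; the line format is an assumed normalised schema.
"""
from datetime import datetime, timedelta, timezone

SP_ENTITY_ID = "https://crm.saas.example/sp"   # constructed SP identifier
CORP_DIRECTORY = {"alice@corp.example", "bob@corp.example", "carol@corp.example"}
ASSERTION_WINDOW = timedelta(minutes=5)        # max age of an assertion at login time

# Constructed IdP log: one line per SAML assertion issued to the SP.
IDP_LOG = [
    "2013-03-04T09:00:02Z SAML_ISSUED user=alice@corp.example sp=https://crm.saas.example/sp id=_a1",
    "2013-03-04T09:30:10Z SAML_ISSUED user=bob@corp.example sp=https://crm.saas.example/sp id=_b7",
]

# Constructed SaaS audit trail for the same day.
SAAS_LOG = [
    "2013-03-04T09:00:05Z LOGIN user=alice@corp.example method=saml",
    "2013-03-04T09:31:00Z LOGIN user=bob@corp.example method=saml",
    "2013-03-04T11:15:44Z LOGIN user=bob@corp.example method=password",
    "2013-03-04T12:02:13Z LOGIN user=carol@corp.example method=saml",
    "2013-03-04T13:40:00Z LOGIN user=dave@contractor.example method=password",
    "2013-03-04T13:41:09Z EXPORT user=dave@contractor.example object=accounts",
]


def parse(line: str) -> dict:
    """'<ts> <EVENT> k=v k=v ...' -> dict with an aware UTC datetime."""
    ts, event, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
           "event": event}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    return rec


def correlate(saas_lines, idp_lines, directory=CORP_DIRECTORY, sp=SP_ENTITY_ID):
    """Return (user, finding) for every SaaS login not backed by the corporate IdP."""
    assertions = [r for r in map(parse, idp_lines)
                  if r["event"] == "SAML_ISSUED" and r["sp"] == sp]
    findings = []
    for rec in map(parse, saas_lines):
        if rec["event"] != "LOGIN":
            continue
        user = rec["user"]
        if user not in directory:
            findings.append((user, "unmanaged_account"))       # nobody can deprovision this
        elif rec["method"] != "saml":
            findings.append((user, "local_password_login"))    # SSO and its policy bypassed
        elif not any(a["user"] == user
                     and timedelta(0) <= rec["ts"] - a["ts"] <= ASSERTION_WINDOW
                     for a in assertions):
            findings.append((user, "saml_login_without_idp_record"))  # forged assertion or log gap
    return findings


if __name__ == "__main__":
    for user, finding in correlate(SAAS_LOG, IDP_LOG):
        print(f"{finding:32s} {user}")
```

The three findings are the three things the notes say go unseen today: the password login that sidesteps the IdP's policy, the federated login the IdP has no record of, and the contractor's personal account that no corporate process will ever deprovision. The window check assumes the two clocks are synchronised; in practice the IdP log is the one to trust.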
Slide Transition: If you could pick one word to describe your company, what would it be?
There are many ways to describe innovation – whether it’s bringing incremental improvements to existing products or entering entirely new businesses with radically new offerings.
But the point is: Every company wants to be more innovative.
Which makes total sense because in a densely connected global economy, successful products and strategies are quickly copied.
But without relentless innovation, success can be fleeting.
Slide Transition: In fact, failure is the norm even at the largest firms.
Looking at the performance of the 1,000 largest US global companies over the past 40 years, the vast majority, in fact 80%, of these companies are stagnating or in decline.
Only 21 percent of companies are actually growing.
Additional background:
What’s even more alarming is that companies are failing at a rate three times faster than they were 30 years ago.*
*Source: Why Companies Fail And the Information Imperatives to Help Ensure Survivability, Gregory P. Hackett, Goodyear Executive Professor, Kent State University; John Evans, Director Product Marketing, Kalido. Address objections in speaker notes: Companies aren’t declining b/c they didn’t innovate, it’s more a result of economic conditions.
Slide Transition: The reality is that companies are not fully harnessing IT to drive innovation.
The more complex the IT environment is, the less room there is for innovation.
It’s no wonder IT has a hard time keeping up with changing business needs.
Additional background:
The winners in today’s economy are using technology to power innovation in their organizations, whether it’s harnessing data to make better decisions, implementing changes into business processes, or quickly disseminating innovations throughout their business.*
Yet in most industries, 70, 80, 90 percent of the companies aren’t even close to leveraging IT in this way**
The question is what’s holding them back?
*Source: “Competing for growth: Winning in the new economy,” Ernst & Young, 2010
**Source: “Using IT to Drive Innovation,” Erik Brynjolfsson, MIT Technology Review, 2011
Slide Transition: So, why is this the case? Well, companies spend the majority of their IT budgets on maintaining current systems, rather than on adding new capabilities
Look at how IT resources are being spent today. In 2012, organizations estimate that they will spend 63% of their IT budget to run the day-to-day operations of the business; 21% to support the organic growth of the business; and 16% to support major new business transformations, new products, services or business models.*
[Click]
What would happen if you could change the mix? Would you be able to invest more in growth and innovation?
*Source: “IT Metrics: IT Spending and Staffing Report, 2012”, Gartner, 2012
Slide Transition: When it comes to your core ERP applications, nowhere is an enterprise-grade cloud solution more important
We all agree that areas like sales force automation and recruiting can be implemented as point solutions to get immediate ROI for a focused part of the organization. But finance executives are ready for complete implementations of cloud technology:
Sixty-four percent of finance executives say that a complete implementation of cloud technology would reduce their companies’ operational costs by up to 20%. *
Three quarters of finance executives (76%) agree that a solid cloud-computing strategy will be important for their company’s success within the next 12 to 18 months. *
Eighty-one percent of respondents say that a complete implementation of cloud-based systems would improve employee productivity. *
Source: CFO Research, The Business Value of Cloud Computing, A Survey of Senior Finance Executives, June 2012.
Additional background:
However, integration and data complexities are amplified when it comes to core business operations such as financial accounting, risk and control management, procurement, or project portfolio management.
Without an enterprise-grade cloud solution, these complexities result in fragmented systems with challenging integration between systems and a higher risk of security breaches.
This environment creates problems
These problems create a lot of negatives.
Excess capacity that’s unused – taking money away from profits or other areas of investment
Complexity and difficulty of management – which trades off with the ability of IT to focus on innovation and undermines their agility when trying to move quickly.
Give anecdotal customer example, or refer to problems customers face
Optional (can cut this slide to shorten)
In addition, this siloed, separate, and complex environment overloads and overwhelms the IT Operations staff!
Data centers are built to resist physical attacks but the risks are inside.
94% of the breaches are against servers, and 66% of all sensitive data is stored in databases within the data center. Focusing on the data center can greatly reduce your risk.
So Oracle’s approach is to start inside… and Engineer for security at every layer of the stack
While we can’t control how many hackers try to attack our business we can control the configuration of our system internally and the security of our infrastructure from the applications to storage.
First – we think about security inside each layer
At the apps level this means access to data and business transactions – proactively looking for fraud
At the middleware level it means integrating identity and access management horizontally across all components in middleware
At the VM level we incorporate security into Java so that in-memory databases and apps can be built on a foundation of security
At the OS layer it means VM isolation directly on Solaris and Trusted Extensions for Solaris, trusted by the US military
At the infrastructure layer it means security without performance overhead, so we include hardware acceleration for encryption
At the file system layer, encryption on disk and ZFS
And in the ILM process we include symmetric encryption across multiple ILM tiers.
Second, we secure between each layer, because data flows up and down the stack… access control and data security is pervasive
We provide monitoring and patch management with Oracle Enterprise Manager that allows the entire stack to be monitored and patched for total control. Hardware and software optimized together.
Third we secure between systems
The way data is passed to other systems, portals, etc., so that data is portable; for example data masking that allows data to leave the data center, masking private data and preserving relational integrity
In collaboration with Federated authentication and adaptive access to detect fraud and prevent intrusion
With SOA security at the middleware level to stop payloads from being breached
At the portal layer with document-level security that addresses compliance and data privacy rules
The velocity of change and the pressure to comply has made businesses reactive. As an example after the RSA breach a survey of security professionals found that approximately 30% planned to increase security spending as a result of the breach.
The media attention on cyber security and hacking has shifted attention away from the real vulnerabilities. At UBS the trader that caused the billion dollar fraud was not a hacker from a rogue nation. This was an insider who was trusted and who gained excessive access because of the trust the bank placed on him
When criminals break in they go for the low hanging fruit or they come in with stolen credentials. Users with simple passwords and databases that are un-encrypted create more risk than a team of external hackers.
The cost of remediating a breach exceeds the cost of preventing a breach by 10X, and we need to start taking a proactive approach to it.
We need to put the right technologies in place so we don’t have to make excuses later to our customers and our upper management.