MISA Cloud Workshop: Security and Risk Management

Post on 25-Jun-2015


MISA Cloud Computing – 101 and Beyond

April 11, 2012

Brian Whitelaw, CISM, CRISC

Division Manager, GRC

City of London

CLOUD COMPUTING

AGENDA

• Cloud Computing Myths

• Information Security and Cloud Computing

• Risk Management and Cloud Computing

MULTIPLE FORMS OF CLOUD COMPUTING

• Large hosts such as IBM and Microsoft

• Hardware, platforms, applications

• Hosted Services

• Niche applications

• Online collaboration

THE #1 MYTH OF CLOUD COMPUTING

• Common myths: it is cheaper; it is less secure

• The biggest myth: it is new!

• Most of you have been using it for years

• Hosted solutions

• Online collaboration

HOSTED SERVICES AND CLOUD COMPUTING

• The City of London has close to 20 hosted solutions

• This is, in essence, cloud computing

• Hosted solutions include HR and Patient Care applications (sensitive information)


• Other apps include EAP, Health Claims

• Our first hosted service was introduced 5 years ago

INFORMATION SECURITY AND CLOUD COMPUTING

• Information Security is only one area of Risk Management

• InfoSec issues include:

• Confidentiality, file sharing, loss of control

• Backups, vulnerabilities, access control

• Major security concern: consumer cloud storage

• Dropbox, YouSendIt, iCloud, SkyDrive

REASONS FOR BLOCKING CLOUD STORAGE

• Files leave the corporate network – you lose control

• Files may not be backed up by the provider

• Files obtained from online storage may contain malware

• Files obtained from online storage may be subject to copyright

• Some Terms of Use claim rights for the provider over any document you upload; read the terms before City data goes there

SECURING HOSTED APPLICATIONS

• Penetration Testing

• City of London’s first hosted pen test

• Written authorization in place, signed by people with authority on both sides (testing a host you do not own without it is unauthorized access)

• Scope agreed in advance: what are you allowed to test, from where, and how far? (shared infrastructure can put the vendor’s other tenants at risk)

• Go/no-go is a business decision based on the results

• Repeat the pen test periodically and after significant changes to the application

SECURING HOSTED APPLICATIONS

• Some vendors will not allow you to pen test their service; ask for their own test reports or third-party audit results instead

• Review their security policies

• Find out what their physical security is like

• Determine who has access to your data, including vendor staff and subcontractors

• Get everything in writing (preferably in a contract before services are purchased)

CLOUD COMPUTING AND RISK MANAGEMENT

• IBM and Microsoft cloud solutions are probably more secure than most municipalities’ own data centres

• It comes down to Risk Management

• Contracts and Underpinning Contracts

• Service Level Agreements/Availability

• Capacity and Bandwidth Management

• Policies

• Data Ownership

SUMMARY

• Information Security/Risk Management

• Confidentiality, Availability, Integrity

• Service Level Agreements are paramount

• Accountability for the data remains with you; it cannot be outsourced along with the service