cloud computing risk & challenges
DESCRIPTION
My presentation at the 3rd Annual Asian Governance, Risk Management, Compliance and IT-Security (GRC) summit in Bangalore, India
TRANSCRIPT
16 JULY 2014 PARAG DEODHAR ‐ 3rd Annual Asian GRC & IT Security Conference 2014
Private
Public
Hybrid
FINANCIAL MANAGEMENT
• CAPEX to OPEX
• Capital can be used for growth of business.
Opportunities
• Cloud may create a permanent establishment (PE) for:
– Service provider through its infrastructure
– Client through the use of servers in a territory outside the home jurisdiction.
• A business conducted in the cloud creates practical difficulties in determining where that income was sourced.
– Cloud uses shared resources, servers can be located in multiple jurisdictions, a simple transaction may be processed in multiple countries.
– The place where a transaction takes place is difficult to ascertain in these circumstances, as only part of a transaction may be completed in any one jurisdiction.
• Consumption‐based taxes – GST / VAT apply where the service is consumed or content is delivered
• Organizations that transfer data, software and other cloud services across borders need to be aware of their potential liability under export controls.
Businesses risk getting taxed in more than one place
LEAKING CLOUDS?
SECURITY AND PRIVACY
For a large, regulated organization: it may be a nightmare…
For a small organization: it may offer much better security
Private
Public
Hybrid
SECURITY
IDENTITY & ACCESS
ENCRYPTION
STORAGE
COLLATERAL DAMAGE
AVAILABILITY & DESTRUCTION
HUMAN THREAT
OPERATIONAL CHALLENGES
Control and Governance
SLA
Change Management
BCP & DR
Investigations and Audit
REGULATIONS & COMPLIANCE
Data Privacy Laws and Regulations
IT Act, RBI / IRDA regulations…
Encryption / Lawful interception
Who owns the data?
Under the ITA, a corporate entity transferring sensitive personal information to another entity should ensure that the entity to whom such information is being transferred has similar security practices to protect such information.
Further, a corporate entity in possession of sensitive personal information should ensure that the provider of such information is aware of the agency collecting and retaining information, the intended recipients of the information and the purpose for which the information shall be used.
As per the ITA, data security audits need to be carried out by companies through approved auditors at least once a year or when significant changes / upgrades happen.