MISA Cloud Workshop: Security and Risk Management
TRANSCRIPT
MISA Cloud Computing – 101 and Beyond
April 11, 2012
Brian Whitelaw, CISM, CRISC
Division Manager, GRC
City of London
CLOUD COMPUTING
AGENDA
• Cloud Computing Myths
• Information Security and Cloud Computing
• Risk Management and Cloud Computing
MULTIPLE FORMS OF CLOUD COMPUTING
• Large hosts such as IBM and Microsoft
• Hardware, platforms, applications
• Hosted Services
• Niche applications
• Online collaboration
THE #1 MYTH OF CLOUD COMPUTING
• Myths – cheaper, less secure
• Biggest myth – it’s new!
• Most of you have been using it for years
• Hosted solutions
• Online collaboration
HOSTED SERVICES AND CLOUD COMPUTING
• The City of London has close to 20 hosted solutions
• This is, in essence, cloud computing
• Hosted solutions include HR and Patient Care apps (sensitive information)
• Other apps include EAP, Health Claims
• Our first hosted service was introduced 5 years ago
INFORMATION SECURITY AND CLOUD COMPUTING
• Information Security is only one area of Risk Management
• InfoSec issues include:
  • Confidentiality, file sharing, loss of control
  • Backups, vulnerabilities, access control
• Major security concerns:
  • Dropbox, YouSendIt, iCloud, SkyDrive
REASONS FOR BLOCKING CLOUD STORAGE
• Files leave the corporate network – you lose control
• Files may not be backed up
• Files obtained from online storage may contain malware
• Files obtained from online storage may be subject to copyright
• Some Terms of Use state that the provider now owns the rights to any document you upload
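The first two reasons above (files leave the network, files may not be backed up) are only visible if you can see the traffic. As an added illustration that is not part of the slides or of the City of London's tooling, the following Python script scans proxy log lines for requests to the consumer storage services the deck names and separates plain access from uploads, which is where data actually leaves the corporate network. The log format, the domain-to-service mapping and the sample lines are all constructed for the example; a real deployment would use the proxy's own log format and a maintained domain list.

```python
"""Flag traffic to consumer cloud-storage services in proxy logs.

Added example (not from the MISA slides). The log format and the
domain-to-service mapping are constructed assumptions; real services
use many more domains than the handful listed here.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed mapping of domains to the services named in the slides.
CLOUD_STORAGE_DOMAINS: Dict[str, str] = {
    "dropbox.com": "Dropbox",
    "yousendit.com": "YouSendIt",
    "icloud.com": "iCloud",
    "skydrive.live.com": "SkyDrive",
}

# Methods that typically carry file content out of the network.
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed log format:
# "<timestamp> <client_ip> <method> <url> <status> <bytes_sent>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)", re.IGNORECASE)


def match_service(host: str) -> Optional[str]:
    """Return the service name if host is a listed domain or a subdomain of one.

    The suffix check includes the leading dot so that look-alike hosts such
    as notdropbox.com are not matched.
    """
    host = host.lower()
    for domain, service in CLOUD_STORAGE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h = HOST_RE.match(rec["url"])
    rec["host"] = h.group("host") if h else ""
    rec["bytes"] = int(rec["bytes"])
    return rec


def flag_events(lines: List[str]) -> List[dict]:
    """Return one event per cloud-storage hit, marking uploads (data leaving the network)."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as errors
        service = match_service(rec["host"])
        if service is None:
            continue
        events.append({
            "client": rec["client"],
            "service": service,
            "method": rec["method"],
            "upload": rec["method"] in UPLOAD_METHODS,
            "bytes": rec["bytes"],
        })
    return events


def upload_bytes_by_client(events: List[dict]) -> Dict[str, int]:
    """Sum bytes sent in upload requests per client, for review or a blocking decision."""
    totals: Counter = Counter()
    for ev in events:
        if ev["upload"]:
            totals[ev["client"]] += ev["bytes"]
    return dict(totals)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2012-04-11T09:01:02 10.1.2.3 GET http://www.example.org/index.html 200 1432",
    "2012-04-11T09:02:10 10.1.2.3 POST https://www.dropbox.com/upload 200 5242880",
    "2012-04-11T09:03:44 10.1.2.7 GET https://skydrive.live.com/?cid=abc 200 20480",
    "2012-04-11T09:04:05 10.1.2.9 PUT https://upload.yousendit.com/file 201 1048576",
    "malformed line that should be ignored",
    "2012-04-11T09:05:30 10.1.2.3 POST https://notdropbox.com/api 200 999",
]

if __name__ == "__main__":
    evs = flag_events(SAMPLE_LOG)
    for ev in evs:
        kind = "UPLOAD" if ev["upload"] else "access"
        print(f"{ev['client']:<10} {ev['service']:<9} {kind} {ev['bytes']} bytes")
    print("upload bytes by client:", upload_bytes_by_client(evs))
```

On the sample input the script reports three hits (Dropbox, SkyDrive, YouSendIt), of which two are uploads, and ignores both the malformed line and the look-alike host. Reading such a report before blocking shows which services staff already rely on, which is the risk-management conversation the rest of the deck is about.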
SECURING HOSTED APPLICATIONS
• Penetration Testing
• City of London’s first hosted pen test
• Agreement in place (signed by the right people)
• What are you allowed to test and how far?
• Business decision based on results
• Repeat pen test periodically
SECURING HOSTED APPLICATIONS
• Some vendors will not allow you to do pen testing
• Review policies
• Find out what their physical security is like
• Determine who has access to your data
• Get everything in writing (preferably in a contract before services are purchased)
CLOUD COMPUTING AND RISK MANAGEMENT
• IBM and Microsoft cloud solutions are probably more secure than most municipalities
• It comes down to Risk Management
• Contracts and Underpinning Contracts
• Service Level Agreements/Availability
• Capacity and Bandwidth Management
• Policies
• Data Ownership
SUMMARY
• Information Security/Risk Management
• Confidentiality, Availability, Integrity
• Service Level Agreements are paramount
• Accountability remains with you