Navigating the Cloud
Navigating the Cloud: Through fog or in fair weather? Johan Bakker MSc CISSP ISSAP, ISACA Round-table, 6th of May, 2013

Post on 22-Feb-2016


Page 1: Navigating the Cloud

Navigating the Cloud

Through fog or in fair weather?

Johan Bakker MSc CISSP ISSAP

ISACA Round-table, 6th of May, 2013

Page 2: Navigating the Cloud

Unified Vision @ ISACA

Every cloud has a silver lining…

6th of May, 2013

"Every cloud has a silver lining, but sometimes it is difficult to get it to the mint…" Don Marquis

Page 3: Navigating the Cloud

• Loss of governance
• Vendor lock-in
• Isolation failure
• Compliance risk

Risk - Loss of governance

If all you have left is a telephone number… to a help desk…

Page 4: Navigating the Cloud

Vendor lock-in

What if you want to move your data (and functionality) to another cloud provider or just back home?

Page 5: Navigating the Cloud

Data location, ownership and access

Where is your information stored, who owns it (!) and who will have access to it?

Page 6: Navigating the Cloud

Multi-tenancy & segregation risks

With whom are you sharing your front door and what else may you be sharing?

Page 7: Navigating the Cloud

Availability risk

Will you always have access to your cloud service when you need it?

Page 8: Navigating the Cloud

Compliance risk

Will you be able to comply with external customer, legal and regulatory requirements?

Page 9: Navigating the Cloud

Catastrophic loss of service

What if the cloud provider can no longer provide its services?

Page 10: Navigating the Cloud

Are you still ready to jump in?

Page 11: Navigating the Cloud

Being ready means…

Understanding how cloud fits in your overall business and IT strategy…

Page 12: Navigating the Cloud

Being ready means…

Understanding how cloud will impact your processes and the way IT is being used...

Page 13: Navigating the Cloud

Being ready means…

Having insight into the value of your business information and your dependency on it… (Fortis executive Filip Dierckx in De Pers)

Page 14: Navigating the Cloud

Being ready means…

Having a clear view on business, governance, legal, contract, security & continuity risks and forthcoming requirements…

Page 15: Navigating the Cloud

Being ready means…

Understanding the cloud deployment & service model that suits your needs…

Page 16: Navigating the Cloud

Being ready means…

Having a complete business case, with accurate usage & license cost as well as all the factors mentioned before…

Page 17: Navigating the Cloud

How to enjoy the ride!

Page 18: Navigating the Cloud

Clear set of requirements

Assess your risks and needs and document in detail what it is that you are looking for…

Page 19: Navigating the Cloud

Select deployment & service model

Select the service & deployment model that fits your needs, risks and requirements…

Page 20: Navigating the Cloud

Provider(s) selection

To whom will you trust your business information?

Make it personal!

Page 21: Navigating the Cloud

Contract negotiations

• Data ownership & jurisdiction
• Portability & re-transition
• Responsibilities & liability
• Supply chain assurance
• Security & Continuity
• Usage & license cost model
• Service Levels
• Audits, TPM’s & certificates

Cloud service contract, SLA and level of assurance

Page 22: Navigating the Cloud

Assurance

Trust is good, proof is better; seeing is believing!

Page 23: Navigating the Cloud

Certificates & Frameworks

Well-known frameworks to assist you:

• ISO 9001 – Quality Management
• ISO 20000 – IT Service Management (and/or ITILv3)
• ISO 27001 – Information Security Management
• ISO 22301 – Business Continuity Management
• Data Centre Tier I-IV certificate (Uptime Institute)
• Service Organization Control – SOC2 (AICPA)
• Cloud Control Matrix – CCM (CSA)
• ISO 27017/18/36 – ISO Cloud work in progress

Page 24: Navigating the Cloud

Summing up

Page 25: Navigating the Cloud

Through fog or in fair weather?

• Ad hoc
• Uncontrolled
• Penny wise, pound foolish
• Accept any standard contract
• Lacking risk awareness

In for a shocker?

Page 26: Navigating the Cloud

Through fog or in fair weather?

• Part of overall IT strategy
• Clear risks & requirements
• Selecting the right provider
• Negotiating a solid contract
• Obtaining sufficient assurance

Less risk than in-house IT?

Page 27: Navigating the Cloud