Public Information

CLOUD COMPUTING: “The Old Ways Are New Again”

Jeff Rowland, Vice President, USAA IT/Security Audit Services


Post on 26-Apr-2020




Who We Are (As of Oct. 2014)

Our Mission

The mission of the association is to facilitate the financial security of its members, associates, and their families through provision of a full range of highly competitive financial products and services; in so doing, USAA seeks to be the provider of choice for the military community.

Our Core Values

Service, Loyalty, Honesty, Integrity

Our Brand Pillars

• Passionate Member Advocacy
• Financial Strength & Wisdom
• Shared Military Values

Our Brand Promise

GOING ABOVE FOR THOSE WHO HAVE GONE BEYOND


Disclaimers

• The contents of this presentation do not necessarily reflect any approach used by USAA.

• The contents of this presentation reflect my opinions only, and not necessarily those of my employer.

• Following the steps outlined herein does not guarantee any particular outcome, express or implied.


Learning Objectives

• Background – Understand how companies used Technology Service Providers (TSPs) before the internet, and the risks we had to mitigate.

• Cloud today – Understand how the use of TSPs has changed, and how that impacts the current risk environment.

• Parallels – Understand how the risks of today parallel those we used to face.

• Strategies – Strategies others have utilized that can be applied to help mitigate today’s risks.


Why is it important to understand the background?

“Those who don’t know history are destined to repeat it.” by Edmund Burke (1729-1797)

Learning Objective: Background


Companies in the News?

IT Opportunities and Risks

Learning Objective: Background


The rise of the Machines

“Good” old days – Business processes were generally supported by IT

• 1970s – “Dumb” terminals
  - IT primarily used for data storage and managing large volumes of information
  - Frequent manual interfaces between IT and business areas
  - Mainframe based technology
  - Early “cloud” concepts (i.e. VM o/s, RJE)

• 1980s – “Personal Computers”
  - 3270 “emulators”
  - DOS, Lotus 123, WordPerfect

• 1990s – Internet
  - Dialup

Key Point! Primary risks we had to manage?

• IT Change Management (Dev, Test, Prod)
• Access Controls
• Disaster Recovery

Source: Wikipedia, “History of IBM Magnetic Disk Drives”

Learning Objective: Background


Some early Technology Service Providers (TSPs)

• IBM – International Business Machines
• DEC – Digital Equipment Corporation
• EDS – Electronic Data Systems (Acquired by HP)
• Perot Systems (Acquired by Dell)
• ACS – Affiliated Computer Services

Learning Objective: Background


Current Industry Trends

• Speed of change (Faster / Better / Cheaper)
• Social Media
• Work anywhere, anytime (i.e. BYOD)
• Active / Active
• Cloud Computing – Decisions Decisions…
  - Public vs. Private?
  - Software as a Service (SaaS)?
  - Infrastructure as a Service (IaaS)?
  - Platform as a Service (PaaS)?

“Every two days, we create more information than we did from the dawn of civilization up until 2003.” *

* Source: Eric Schmidt (Google CEO from 2001 – 2011)

Primary risks we have to manage?

• IT Change Management (Dev, Test, Prod)
• Access Controls
• Disaster Recovery

So why is this hard?

Learning Objective: Cloud Today


Emerging Risks

Information Technology

• Availability
  - Who would have thought a dropped anchor would cut a telecom cable? (Middle East 2008, Africa 2012)
• “Big Data”
• BYOD – “Bring Your Own Device”
• Cloud computing
  - “If you run with dogs, you’ll get fleas”
• Model Risk
• Social Media
• Regulatory Oversight
• Third party Reliance
  - Coding
  - Data

Learning Objective: Cloud Today


Emerging Risks

Black Hat Attendee Survey From Black Hat USA 2015

What concerns would have been so pre-Internet?

Learning Objective: Parallels


Cloud Controls Matrix (CCM)

16 Control Domains

• Application & Interface Security
• Audit Assurance & Compliance
• Business Continuity Management & Operational Resilience
• Change Control & Configuration Management
• Data Security & Information Lifecycle Management
• Datacenter Security
• Encryption & Key Management
• Governance and Risk Management
• Human Resources
• Identity & Access Management
• Infrastructure & Virtualization Security
• Interoperability & Portability
• Mobile Security
• Security Incident Management, E-Discovery & Cloud Forensics
• Supply Chain Management, Transparency and Accountability
• Threat and Vulnerability Management

• Based on established standards (e.g. ISO, NIST, COBIT, ISA, FFIEC, FedRAMP)

Source: Cloud Security Alliance

New

Learning Objective: Parallels


Companies in the News?

IT Opportunities and Risks

Learning Objective: Strategies


Cloud Risk Management

Cloud Drivers & Risks

[Diagram. Labels recovered from the slide:]

• Stakeholders: Board of Directors; Management / Process Owners; Investors; Regulators; Cloud Providers; Customers
• Business Objectives: Growth; Ease of Use / Convenience; Security; Cost Containment / Competitive Edge
• Operational Factors: Contract; Financial; Compliance & Legal; Information Security; Business Continuity; Data/Transaction Integrity; Reputation; Geopolitical & Regulatory; Strategic
• Contract Lifecycle: Plan, Evaluate, Select; Contract Initiation; Manage & Monitor (Ongoing); Exit Strategy

Learning Objective: Strategies


Control Strategies


Control Reqmt

Key Considerations (Not all inclusive)

• Data Classification
• Data at Rest
• Data in Flight
• Encryption & Key Mgmt
• Software Dev
• 4th Party + Mgmt
• Logs / DLP
• Breach Notification

Access Mgmt ? ? ? ? ? ? ?

Change Mgmt ? ? ? ? ? ? ?

BC / DR ? ? ? ? ? ? ?

Company/Stakeholder Risk Tolerance

Learning Objective: Strategies

Supplier Due-Diligence


5 Essential elements of your Cloud strategy

• Know yourself
• Know your partner(s)
• Trust, but Verify
• Know the risks
• Have an Exit Strategy

Learning Objective: Strategies


Questions?
