TRANSCRIPT
Public Information
Jeff Rowland, Vice President, USAA IT/Security Audit Services
CLOUD COMPUTING “The Old Ways Are New Again”
Who We Are (as of Oct. 2014)

Our Mission
The mission of the association is to facilitate the financial security of its members, associates, and their families through provision of a full range of highly competitive financial products and services; in so doing, USAA seeks to be the provider of choice for the military community.

Our Core Values
Service, Loyalty, Honesty, Integrity

Our Brand Pillars
• Passionate Member Advocacy
• Financial Strength & Wisdom
• Shared Military Values

Our Brand Promise
GOING ABOVE FOR THOSE WHO HAVE GONE BEYOND
Disclaimers
• The contents of this presentation do not necessarily reflect any approach used by USAA.
• The contents of this presentation reflect my opinions only, and not necessarily those of my employer.
• Following the steps outlined herein does not guarantee any particular outcome, express or implied.
Learning Objectives
• Background – Understand how companies used Technology Service Providers (TSPs) before the internet, and the risks we had to mitigate.
• Cloud today – Understand how the use of TSPs has changed, and how that impacts the current risk environment.
• Parallels – Understand how the risks of today parallel those we used to face.
• Strategies – Strategies others have utilized that can be applied to help mitigate today’s risks.
Why is it important to understand the background?
“Those who don’t know history are destined to repeat it.”
– Edmund Burke (1729 – 1797)
Learning Objective: Background
Companies in the News?
IT Opportunities and Risks
Learning Objective: Background
The Rise of the Machines

“Good” old days – Business processes were generally supported by IT
• 1970s – “Dumb” terminals
  – IT primarily used for data storage and managing large volumes of information
  – Frequent manual interfaces between IT and business areas
  – Mainframe based technology
  – Early “cloud” concepts (i.e. VM o/s, RJE)
• 1980s – “Personal Computers”
  – 3270 “emulators”
  – DOS, Lotus 123, WordPerfect
• 1990s – Internet
  – Dialup

Primary risks we had to manage?
• IT Change Management (Dev, Test, Prod)
• Access Controls
• Disaster Recovery
Key Point!

[Image: IBM magnetic disk drives. Source: Wikipedia, “History of IBM Magnetic Disk Drives”]
Learning Objective: Background
Some early Technology Service Providers (TSPs)
• IBM – International Business Machines
• DEC – Digital Equipment Corporation
• EDS – Electronic Data Systems (Acquired by HP)
• Perot Systems (Acquired by Dell)
• ACS – Affiliated Computer Services
Learning Objective: Background
Current Industry Trends
• Speed of change (Faster / Better / Cheaper)
• Social Media
• Work anywhere, anytime (i.e. BYOD)
• Active / Active
• Cloud Computing – Decisions Decisions…
  – Public -vs.- Private?
  – Software as a Service (SaaS)?
  – Infrastructure as a Service (IaaS)?
  – Platform as a Service (PaaS)?

“Every two days, we create more information than we did from the dawn of civilization up until 2003.” *
* Source: Eric Schmidt (Google CEO from 2001 – 2011)

Primary risks we have to manage?
• IT Change Management (Dev, Test, Prod)
• Access Controls
• Disaster Recovery
So why is this hard?
Learning Objective: Cloud Today
Emerging Risks

[Diagram: emerging risks surrounding Information Technology]
• Availability – Who would have thought a dropped anchor would cut a telecom cable? (Middle East 2008, Africa 2012)
• “Big Data”
• BYOD – “Bring Your Own Device”
• Cloud computing – “If you run with dogs, you’ll get fleas”
• Model Risk
• Social Media
• Regulatory Oversight
• Third party Reliance – Coding, Data
Learning Objective: Cloud Today
Emerging Risks
[Chart: Black Hat Attendee Survey, from Black Hat USA 2015]
What concerns would have been so pre-Internet?
Learning Objective: Parallels
Cloud Controls Matrix (CCM) – 16 Control Domains
• Application & Interface Security
• Audit Assurance & Compliance
• Business Continuity Management & Operational Resilience
• Change Control & Configuration Management
• Data Security & Information Lifecycle Management
• Datacenter Security
• Encryption & Key Management
• Governance and Risk Management
• Human Resources
• Identity & Access Management
• Infrastructure & Virtualization Security
• Interoperability & Portability
• Mobile Security
• Security Incident Management, E-Discovery & Cloud Forensics
• Supply Chain Management, Transparency and Accountability
• Threat and Vulnerability Management

• Based on established standards (e.g. ISO, NIST, COBIT, ISA, FFIEC, FedRAMP)
Source: Cloud Security Alliance
(Slide annotation: “New”)
Learning Objective: Parallels
Companies in the News?
IT Opportunities and Risks
Learning Objective: Strategies
Cloud Risk Management – Cloud Drivers & Risks (diagram)

Stakeholders:
• Board of Directors
• Management / Process Owners
• Investors
• Regulators
• Cloud Providers
• Customers

Business Objectives (cloud drivers):
• Strategic Growth
• Ease of Use / Convenience
• Security
• Cost Containment / Competitive Edge

Operational Factors (risks):
• Contract
• Financial
• Compliance & Legal
• Information Security
• Business Continuity
• Data / Transaction Integrity
• Reputation
• Geopolitical & Regulatory

Contract Lifecycle:
• Plan, Evaluate, Select
• Contract Initiation
• Manage & Monitor (Ongoing)
• Exit Strategy
Learning Objective: Strategies
Control Strategies
Key Considerations (Not all inclusive) per Control Requirement; the Data at Rest and Data in Flight columns fall under Data Classification.

Control Reqmt | Data at Rest | Data in Flight | Encryption & Key Mgmt | Software Dev | 4th Party + Mgmt | Logs / DLP | Breach Notification
Access Mgmt   | ?            | ?              | ?                     | ?            | ?                | ?          | ?
Change Mgmt   | ?            | ?              | ?                     | ?            | ?                | ?          | ?
BC / DR       | ?            | ?              | ?                     | ?            | ?                | ?          | ?

Company/Stakeholder Risk Tolerance
Learning Objective: Strategies
Supplier Due-Diligence
5 Essential elements of your Cloud strategy
• Know yourself
• Know your partner(s)
• Trust, but Verify
• Know the risks
• Have an Exit Strategy
Learning Objective: Strategies
Questions?