trust in the cloud

1 © Copyright 2011 EMC Corporation. All rights reserved. Trust in the Cloud Sam Curry Chief Technical Officer (GTM) RSA, the Security Division of EMC Copyright © 2011 EMC Corporation. All rights reserved.

Upload: rajesh-nambiar

Post on 12-Jan-2015

Category:

Technology


TRANSCRIPT

Page 1: Trust in the Cloud

Trust in the Cloud

Sam Curry Chief Technical Officer (GTM) RSA, the Security Division of EMC

Page 2: Trust in the Cloud

Organizations around the world have high hopes for the cloud’s ability to transform IT infrastructures, applications, and information management. They truly believe it can revolutionize business.

But, before they can trust that the cloud is safe for real business, they need a secure foundation of dynamic controls and trustworthy measurement.

Trust in the Cloud: Proof Not Promises

Page 3: Trust in the Cloud

Challenges for Trust in the Cloud

Sustaining Compliance in an environment with numerous and complex requirements

Enabling Business growth and evolving eGRC needs

Resource Constraints

Improving Operational and IT Effectiveness

Acquiring skills, knowledge and expertise

Page 4: Trust in the Cloud

Increasing Compliance Requirements

PCI DSS SOX Regulation

“We made it through SOX, then PCI. But I’m faced with more and more regulations. We need a more efficient way to manage compliance with multiple regulations and standards.”

State, Federal & International Privacy Mandates

Forecast Calls for More Regulation

Page 5: Trust in the Cloud

Negative Consequences of Inadequate GRC

Lack of consensus leading to underfunded initiatives

Attrition and missed deadlines

Higher Implementation costs and solution performance issues

Reduced Operational effectiveness with inefficient workflows and processes

Potential for failed audits and assessments

Page 6: Trust in the Cloud

Implications of Challenges

Security and compliance concerns stall the adoption of virtualization

Missing opportunity for “better than physical” security

CISOs need to manage security and compliance across virtual and physical IT

Page 7: Trust in the Cloud

eGRC Strategy can Help

Achieve Consensus

Business Process Automation

Clear Priorities

ROI

Page 8: Trust in the Cloud

Business Impact without eGRC

Compliance initiatives are tackled as individual projects

Managers struggle to prioritize resources to mitigate risks and deficiencies based on risk exposure.

Compliance data scattered across multiple silos

Resources are wasted manually collecting and re-assembling data rather than analyzing the impact of the data on the business

Business is assessed multiple times for the same requirements

Page 9: Trust in the Cloud

Business Outcomes Business Impacts

Solution Outcomes

Transparency and accountability: Knowing the status or exceptions and unresolved issues

Threats are identified and remediation actions are easily prioritized and tracked

Partnerships and consistency across business silos

Isolated data is transformed into sustainable processes

Compliance initiatives are tackled as individual projects

Managers struggle to prioritize threats by their potential impact to the business.

Compliance data scattered across multiple silos

Policy exceptions go untracked and pose risk to the business

Ask once, Answer Many: Reduction or elimination of redundant assessments

Visibility Collaboration Accountability Automation Efficiency

Compliance reporting is stored in spreadsheets and represents one point-in-time

Page 10: Trust in the Cloud

Enabling the Cycle of Risk and Compliance

Remediate Findings and Manage Exceptions

Consolidate and Visualize Compliance Efforts

Prioritize Deficiencies and Risks

Document Your Control Framework and Identify Risks

Page 11: Trust in the Cloud

Enabling GRC

Page 12: Trust in the Cloud

The Case for eGRC Strategy Planning

Applications Information Infrastructure

Databases

Operations

Personnel Procedures Workflow Management

Business (Finance & Legal)

IT & Technology

Laws Regulations Business Optimization

eGRC Strategy Planning aligns requirements across organizational functions with different and sometimes competing or conflicting priorities

Page 13: Trust in the Cloud

Bringing in the Business Context

Business Domains

eGRC facilitates the processes, information, technology and people required to recognize context that enables business decisions

BUSINESS DRIVERS OPERATIONAL

INFRASTRUCTURE

Applications

Databases

Devices

Workstations

Vendors

Information

Customers

Regulations

Business Objectives

Threats

Laws

Legal

IT

Finance

Operations

Page 14: Trust in the Cloud

Success Metrics

“Where before we managed work in two or three places, with RSA Archer you have one place to manage all of your work. People are completing assessments and mitigating risks, not focusing on administrative tasks.”

Time to prepare monthly reporting

Time to demonstrate compliance with new regulations

# regulatory requirements met

# closed findings

Decreasing risk of regulatory audit fines

Page 15: Trust in the Cloud

Achieving Trust

Right Information Right People Trusted Infrastructure

Page 16: Trust in the Cloud

Realizing This Goal Has Become Exponentially Harder

Information Grows

Access Points Proliferate

Risks Multiply

Infrastructure Evolves

Page 17: Trust in the Cloud

The Result?

A dangerous void of trust has opened up, standing squarely between organizations and their ability to reap the cloud’s well documented benefits.

Page 18: Trust in the Cloud

What’s Needed: Proof

Auditors Regulators

Management

Page 19: Trust in the Cloud

Facets of Multi-Tenancy

Trusted Multi-tenancy model is built on the following six foundational elements:

• Secure separation
• Service assurance
• Security and compliance
• Availability and data protection
• Tenant management and control
• Service provider management and control

Page 20: Trust in the Cloud

Solving the Trust Equation

Page 21: Trust in the Cloud

Inspect and Monitor…

Page 22: Trust in the Cloud

Using the CSA domains

Cloud Architecture

Governance and Enterprise Risk Management

Legal and Electronic Discovery

Compliance and Audit

Information Lifecycle Management

Portability and Interoperability

Security, Bus. Cont., and Disaster Recovery

Data Center Operations

Incident Response, Notification, Remediation

Application Security

Encryption and Key Management

Identity and Access Management

Virtualization

Cloud Security Alliance’s 13 domains of focus for cloud computing

Assessing Service Provider Compliance

Page 23: Trust in the Cloud

In Fact…

The cloud presents opportunities to strengthen information security and streamline compliance beyond anything we’ve ever seen before.

Page 24: Trust in the Cloud

Virtualization Transforms Control & Visibility

Page 25: Trust in the Cloud

Policies Regulations Best Practices

Built-in and Automated

Page 26: Trust in the Cloud

What’s Needed

Synergy of expertise

We’ve integrated our domain expertise to see what others don’t see and to create new value.

Power of virtualization

Our deep insight into the virtual layer greatly enhances the visibility and control possible in the cloud.

Proof through verification

Our services and solutions are focused on providing proof, not promises.

Page 27: Trust in the Cloud

Regulations, standards

Generalized security controls

VMware-specific security controls

VMware cloud infrastructure

Virtualization Ecosystem

RSA enVision

Automated assessment

Configuration State

Security Events

Visibility Across Physical & Virtual Environments Cloud Security Alliance Questions and Policies

Page 28: Trust in the Cloud

Achieving that Goal Securely Means…

Page 29: Trust in the Cloud

Identities Infrastructure Information

Security & Compliance

Delivered Within an Ecosystem of Trust

Page 30: Trust in the Cloud

Page 31: Trust in the Cloud

THANK YOU