c-level tools for cloud security

@CSAUKResearch, Cloud Security Alliance, UK chapter, https://cloudsecurityalliance.org.uk
“Everyone is in Cloud, shouldn't we be too?” Tools C-level can use to make informed decisions
Cloud World Forum 2015, 25 June 2015
Vladimir Jirasek, CSA UK Research

Upload: vladimir-jirasek

Post on 21-Aug-2015


TRANSCRIPT

@CSAUKResearch, Cloud Security Alliance, UK chapter, https://cloudsecurityalliance.org.uk

“Everyone is in Cloud, shouldn't we be too?”

Tools C-level can use to make informed decisions

Cloud World Forum 2015, 25 June 2015

Vladimir Jirasek, CSA UK Research


Case study


Your organisation stakeholders and Cloud

• Customers: Is my data safe and available? Happiness 😀

• Business managers, CEO/CFO: Customer satisfaction, ROI, EBITDA

• CIO: ROI, System architecture, Migrations

• Legal: Legality of data processing and locations, Privacy

• Security: Security architecture, Cyber threats, Monitoring


Prepare your organisation for Cloud deployments

People training & awareness

Processes & Governance

Technology architecture & controls


Does your organisation have a Cloud policy?

Generic requirements

• Requirement 1: Discover Cloud services being used in organisation

• Requirement 2: Alignment of organisation enterprise and security architectures with the Cloud

Before a Cloud service procurement

• Requirement 3: Comply with organisation data classification requirements

• Requirement 4: Encrypt all sensitive data processed in the Cloud

• Requirement 5: Link the Cloud service into the organisation Identity and Access architecture and monitoring of activities of users

During a Cloud service procurement

• Requirement 6: Perform due diligence activities before the contract is signed

During a Cloud service procurement (contd)

• Requirement 7: Require “Right to audit” clause in the contract

• Requirement 8: Know locations of personal identifiable information in the cloud

• Requirement 9: Assess the availability of the Cloud services

• Requirement 10: Assess the cloud provider’s security arrangements

• Requirement 11: Assess the Cloud provider’s ability to comply with the organisation forensic investigations

Running a Cloud service

• Requirement 12: Limit the use of live data for testing and development purposes

• Requirement 13: Monitor Cloud provider’s security arrangements

Decommissioning a Cloud service

• Requirement 14: Destroy sensitive information when not required


Cloud Security Alliance offers multiple tools

https://cloudsecurityalliance.org/star/

http://www.nist.gov/itl/cloud/


Get involved! Share knowledge and push towards transparency and standards

Call for contributors for a new version of CSA Cloud Guidance, opened on Monday, June 8, for 6 weeks: https://cloudsecurityalliance.org/media/news/call-for-volunteers-security-guidance-for-critical-areas-of-focus-in-cloud-computing/