© 2015 Grant Thornton Ireland. All rights reserved
Cyber security and risk in the cloud
13 November 2015
Dr. Mike Harris
Partner
Grant Thornton
Pearse Ryan
Partner
Arthur Cox
Agenda
• cyber threats
• corporate risk management
• anatomy of a cyber-incident
Introduction to cyber security
• The economy depends on a stable, safe, and resilient online environment
• A vast array of networks allows us to:
– communicate and travel
– run our economy
– power our homes
– provide government services
Introduction to cyber security
Cyber attacks have increased dramatically over the last decade:
• exposing sensitive personal and business information
• disrupting critical operations
• with high costs on the economy (estimated to be €800 million in Ireland)
Introduction
10 years ago, they looked like this…
Costs
Cost category | Irish Est. | UK Est. | US Est. | Global
Share of world GDP | 0.23% | 2.77% | 18.82% | 100%
Cost of genuine cybercrime | €202.93 | €1,510.32 | €10,334.94 | €54,915
Cost of transitional cybercrime | €78.96 | €955.21 | €6,489.89 | €34,484
Cost of cybercrime infrastructure | €93.34 | €1,124.12 | €7,637.53 | €40,582
Costs of traditional crimes becoming "cyber" | €255.64 | €3,078.80 | €20,918.05 | €111,148
Total cost of cybercrime | €630.88 | €6,668.45 | €45,380.42 | €241,129
Breakdown of the total (chart): cost of genuine cybercrime 32%; cost of transitional cybercrime 12%; cost of cybercrime infrastructure 15%; costs of traditional crimes becoming "cyber" 41%
Cloud computing overview
• cloud computing vs traditional delivery models
– what are traditional delivery models?
• software licensing
• remote managed service e.g. payroll
• ICT outsourcing (i.e. ICT resources given to another to manage)
Cloud computing overview
• how does cloud computing differ?
– Internet/intranet accessible
– scalable (sometimes massively so) and user-configurable computing resources – PaaS and IaaS
– multi-tenancy – customers share a single s/w instance
– subscription or usage-based payment – at least an element of pay-for-what-you-use
– self-service model
– typically not location specific (this may change with MLE pressure)
– new concerns for the ICT security professional
The environment
• are there any norms in cloud computing?
– yes to the technical norms of service
– no to any commercial risk management or legal norms
• cloud computing risk management rule setting:
– model is commercially brutal – suppliers operate within tight commercial rulebook and accompany this with tight risk management model
– model is supplier led
Power relationship…
…is normally skewed in favour of suppliers.
Offerings are:
• without much similarity
• supplier drafted
• often carry over supplier business practices in real-world business areas (e.g. Microsoft)
• biased in favour of the supplier (risk transfer point)
• typically immature in areas of risk management & liability management from the perspective of the MLE, but for the SaaS supplier the logic of the business model is everything
The contract
• Queen Mary College, UL – 2011 Cloud study
• reviewed 31 contracts from 27 suppliers
• all the main suppliers contracts reviewed
• reviewed key criteria & examples:
– location of data – clear/unclear
– data confidentiality/integrity/availability – s/levels
– disputes jurisdiction – 15/31@US & 8/31@UK
– limitation of liability & remedies – s/credits & exclusions of LOL
– amending terms – by whom/how
– confidentiality/law enforcement
Enterprise risk issues
Cybersecurity
• here we look at security not as a corporate operational issue but as a corporate risk issue
Q: how bad can a contract be from a corporate risk management perspective?
A: so bad that by a combination of SLA and contract the supplier may have little or no responsibility and/or liability for loss/corruption of data due to its “default”
• thus – risk (being like water) flows to customer
However,
• the motives for going to the cloud are, more often than not, financial
• the customer relies on the cloud provider to manage cyber risk
• the provider is not contractually obligated to do so
• so cyber risk is "kicked under the carpet"
Cloud-specific cyber risk
• contracts – typically poor
• lack of visibility of security at hosting sites – audit Q/SLA
• vulnerability to supplier IT staff
• vulnerabilities from other systems on the same cloud systems (segregation)
• JCB syndrome – dependent on comms
Cloud-specific cyber risk
• cloud provider technical failure (incl. DRP, BCP)
• cloud provider business failure – SaaS real risk
• provider insolvency – data mess – retrieval and ownership
• incident response restrictions
• litigation response issues
• data protection issues
• cyber insurance
Data Protection
• export of Personal Data outside the EEA only if:
– consent is given to data exports; or
– the personal data is exported for the purpose of fulfilling a contract; or
– the personal data is exported to countries which are deemed by the EU Commission to have adequate data protection laws; or
– the company has put adequate privacy safeguards in place for the transfer.
HOW DOES THE CLOUD PROVIDER COMPLY?
Forthcoming EU regulation
Jurisdiction?
• where is the data?
• international legal systems don't yet recognise "the cloud". The data sits as magnetic patterns on disk somewhere
• which is no guarantee that a large cloud provider can find it, or keep track of its location (vMotion)
• issues like RAIC make things more complicated still – where is the data?
Incident response
• Problem 1: your cloud contract may not allow you the level of access you need to carry out a proper investigation
• Problem 2: your cloud provider may be unable / unwilling to cooperate
• Problem 3: you may simply not have the search capacity / bandwidth to find what you need
• In common law you must discover all relevant material in your power, possession or procurement
Incident Response
(Diagram: parties around the insured's incident – Insurer; Legal Advisers; Cyber Security / Forensics; Customer Contact / PR; [others])