© Copyright 2012 – All Rights Reserved.
Is Governance Really Possible in a Cloud World?
Ken Smith, CISSP, CISA, CCSK, Senior Security Solutions Architect
Agenda
- GRC today
- Problems created by cloud
- Managing governance
- Levels of control (IaaS, PaaS, SaaS)
- Compliance in the cloud
More Bad Security Stock Images!
Current State of GRC
Enterprises lead in adoption:
- Tools in place
- Staff to manage the program
- Management support
Midsized organizations are dabbling:
- Some tools
- Limited staff
- Mixed management support
Current State of GRC (cont’d)
Most small organizations [This section intentionally blank]
GRC Problems Created By Cloud
- Existing tools may no longer work
- Some visibility is taken away
- Some access is taken away
- The warm and fuzzy feeling of knowing that data is in your own data center is taken away
- Existing contract language that you know and love will likely need to be reworked
What Do We Do?
A. Grant cloud solutions an exemption from our governance program and assume the provider will take care of everything
B. Don't adopt cloud because we can't manage GRC
C. Adapt existing governance programs to account for cloud-based solutions
[Figure: Cloud Security Integration. Source: Cloud Security Alliance Security Guidance]
Managing Governance In The Cloud
- It's going to take some upfront work
- Much heavier dependence on trusting that the cloud provider is doing the right thing
- Much heavier dependence on service level agreements and contract language
- Lawyers!
Managing Governance In The Cloud (cont'd)
- Audits will be more complex
- Compliance assessments will be "interesting"
- Compensating controls are key
Varying Responsibility
PaaS:
- More dependent on the provider
- Less control
- The provider's technology
IaaS:
- Less dependent on the provider
- You have more control
- More of your own technology
Compliance In The Cloud "Out of the box"
- Meet your policies and governance requirements? Very unlikely today
- Meet PCI DSS or HIPAA requirements? No
Is This Possible?
- Compensating controls
- Technology: encryption, tokenization, data masking, segmentation
- Adapting your governance program
- Contract language
- Lawyers!
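The tokenization and data-masking controls listed above are the ones that keep regulated data out of the provider's hands entirely, which is what makes them useful as compensating controls in a PCI DSS or HIPAA review. The following is an added example, not code from the slides or from the CSA guidance: it assumes a hypothetical on-premises token vault (here an in-memory class called TokenVault) and a constructed sample order record, and shows how a record is stripped of its card number before it leaves your data center, so the cloud side only ever stores a random token and a masked display value.

```python
"""Tokenization and masking as compensating controls for cloud-hosted data.

Added example (not from the original slides). The real PAN stays in a vault
that lives in your own data center; the cloud copy of the record carries only a
random token and a masked view. TokenVault is a hypothetical in-memory stand-in
for that vault.
"""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check so the vault only accepts plausible card numbers."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def is_valid_pan(pan: str) -> bool:
    """PANs are 13 to 19 digits and must pass the Luhn check."""
    return re.fullmatch(r"\d{13,19}", pan) is not None and luhn_valid(pan)


def mask_pan(pan: str) -> str:
    """Data masking: keep only the last four digits for display.

    This stays within the PCI DSS 3.3 display rule (at most first six and
    last four digits visible) by showing only the last four.
    """
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical on-premises vault mapping random tokens to real PANs.

    Tokens are generated with secrets (CSPRNG) and carry no information about
    the PAN, so a breach of the cloud-side data yields nothing usable. The same
    PAN maps to the same token, so cloud-side joins and deduplication still work
    (the trade-off is that equality of card numbers is observable).
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_valid_pan(pan):
            raise ValueError("not a valid PAN")
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing
        while True:                      # loop guards against the (negligible) collision case
            token = "tok_" + secrets.token_hex(16)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callable inside the data center; never expose this to the cloud tier."""
        return self._pan_by_token[token]


def prepare_for_cloud(record: dict, vault: TokenVault) -> dict:
    """Replace the 'pan' field with a token and a masked value before upload."""
    out = dict(record)
    pan = out.pop("pan")                # the raw PAN never leaves this function
    out["pan_token"] = vault.tokenize(pan)
    out["pan_masked"] = mask_pan(pan)
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; 4111111111111111 is the standard Visa test PAN.
    order = {"order_id": 42, "amount": "19.99", "pan": "4111111111111111"}
    cloud_copy = prepare_for_cloud(order, vault)
    print("sent to cloud:", cloud_copy)
    print("resolved on-prem:", vault.detokenize(cloud_copy["pan_token"]))
```

The point for a compliance assessment is that the systems storing cloud_copy never hold cardholder data, which shrinks the in-scope environment to wherever TokenVault actually runs; the detokenize path is the sensitive one and belongs behind the same access controls and logging you would apply to the original database.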
Great Reading & Resources
Cloud Security Alliance (CSA), www.cloudsecurityalliance.org: Security Guidance for Critical Areas of Focus in Cloud Computing
The CSA Mission Statement: To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.
Great Reading & Resources (cont'd)
European Network and Information Security Agency (ENISA), www.enisa.europa.eu: Cloud Computing: Benefits, risks and recommendations for information security
Thank You
Ken Smith, CISSP, CISA, CCSK, Senior Security Solutions Architect
[email protected]
@ken5m1th